87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce

General

Target

87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe
Size

154KB
MD5

9c7796ff737b2a894d41b2d17888b762
SHA1

88fd00e03931ec0c6caceb15541ce77610472b8c
SHA256

87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce
SHA512

638526c820a2fb3555ccc479ea70f3b1cc6f9e1f92f03ccf5e8f9be8bed9e1d1148252634f550902af3e40b8f90c3ffc4ad16bbe90a9a853377c6f26494a79f6
SSDEEP

3072:8YSxpPRGkYzL3PwIDJS7H29JWI3Wa3BaTAnaaPTZWout5S:8fRGkYHPwIwDg0rmB0zWFWoSw

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

moyfur.exe

pid process

1988 moyfur.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

944 netsh.exe

pid	process
944	netsh.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Ylmoni\moyfur.exe	upx
\Users\Admin\AppData\Roaming\Ylmoni\moyfur.exe	upx
C:\Users\Admin\AppData\Roaming\Ylmoni\moyfur.exe	upx
C:\Users\Admin\AppData\Roaming\Ylmoni\moyfur.exe	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2028 cmd.exe

pid	process
2028	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe

pid	process
1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe
1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

moyfur.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	moyfur.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{06183838-E8D8-80A5-60D8-2A2D97CB5578} = "C:\\Users\\Admin\\AppData\\Roaming\\Ylmoni\\moyfur.exe"	moyfur.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe

description	pid	process	target process
PID 1572 set thread context of 2028	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\16451BF1-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

moyfur.exe

pid	process
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe
1988	moyfur.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exeWinMail.execmd.exe

description	pid	process
Token: SeSecurityPrivilege	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe
Token: SeSecurityPrivilege	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe
Token: SeSecurityPrivilege	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe
Token: SeManageVolumePrivilege	1048	WinMail.exe
Token: SeSecurityPrivilege	2028	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1048 WinMail.exe

pid	process
1048	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.execmd.exemoyfur.exe

description	pid	process	target process
PID 1572 wrote to memory of 1968	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe	cmd.exe
PID 1572 wrote to memory of 1968	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe	cmd.exe
PID 1572 wrote to memory of 1968	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe	cmd.exe
PID 1572 wrote to memory of 1968	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe	cmd.exe
PID 1572 wrote to memory of 1988	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe	moyfur.exe
PID 1572 wrote to memory of 1988	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe	moyfur.exe
PID 1572 wrote to memory of 1988	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe	moyfur.exe
PID 1572 wrote to memory of 1988	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe	moyfur.exe
PID 1968 wrote to memory of 944	1968	cmd.exe	netsh.exe
PID 1968 wrote to memory of 944	1968	cmd.exe	netsh.exe
PID 1968 wrote to memory of 944	1968	cmd.exe	netsh.exe
PID 1968 wrote to memory of 944	1968	cmd.exe	netsh.exe
PID 1988 wrote to memory of 1260	1988	moyfur.exe	taskhost.exe
PID 1988 wrote to memory of 1260	1988	moyfur.exe	taskhost.exe
PID 1988 wrote to memory of 1260	1988	moyfur.exe	taskhost.exe
PID 1988 wrote to memory of 1260	1988	moyfur.exe	taskhost.exe
PID 1988 wrote to memory of 1260	1988	moyfur.exe	taskhost.exe
PID 1988 wrote to memory of 1364	1988	moyfur.exe	Dwm.exe
PID 1988 wrote to memory of 1364	1988	moyfur.exe	Dwm.exe
PID 1988 wrote to memory of 1364	1988	moyfur.exe	Dwm.exe
PID 1988 wrote to memory of 1364	1988	moyfur.exe	Dwm.exe
PID 1988 wrote to memory of 1364	1988	moyfur.exe	Dwm.exe
PID 1988 wrote to memory of 1420	1988	moyfur.exe	Explorer.EXE
PID 1988 wrote to memory of 1420	1988	moyfur.exe	Explorer.EXE
PID 1988 wrote to memory of 1420	1988	moyfur.exe	Explorer.EXE
PID 1988 wrote to memory of 1420	1988	moyfur.exe	Explorer.EXE
PID 1988 wrote to memory of 1420	1988	moyfur.exe	Explorer.EXE
PID 1988 wrote to memory of 1572	1988	moyfur.exe	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe
PID 1988 wrote to memory of 1572	1988	moyfur.exe	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe
PID 1988 wrote to memory of 1572	1988	moyfur.exe	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe
PID 1988 wrote to memory of 1572	1988	moyfur.exe	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe
PID 1988 wrote to memory of 1572	1988	moyfur.exe	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe
PID 1988 wrote to memory of 1048	1988	moyfur.exe	WinMail.exe
PID 1988 wrote to memory of 1048	1988	moyfur.exe	WinMail.exe
PID 1988 wrote to memory of 1048	1988	moyfur.exe	WinMail.exe
PID 1988 wrote to memory of 1048	1988	moyfur.exe	WinMail.exe
PID 1988 wrote to memory of 1048	1988	moyfur.exe	WinMail.exe
PID 1572 wrote to memory of 2028	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe	cmd.exe
PID 1572 wrote to memory of 2028	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe	cmd.exe
PID 1572 wrote to memory of 2028	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe	cmd.exe
PID 1572 wrote to memory of 2028	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe	cmd.exe
PID 1572 wrote to memory of 2028	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe	cmd.exe
PID 1572 wrote to memory of 2028	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe	cmd.exe
PID 1572 wrote to memory of 2028	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe	cmd.exe
PID 1572 wrote to memory of 2028	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe	cmd.exe
PID 1572 wrote to memory of 2028	1572	87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe	cmd.exe
PID 1988 wrote to memory of 556	1988	moyfur.exe	conhost.exe
PID 1988 wrote to memory of 556	1988	moyfur.exe	conhost.exe
PID 1988 wrote to memory of 556	1988	moyfur.exe	conhost.exe
PID 1988 wrote to memory of 556	1988	moyfur.exe	conhost.exe
PID 1988 wrote to memory of 556	1988	moyfur.exe	conhost.exe
PID 1988 wrote to memory of 1464	1988	moyfur.exe	DllHost.exe
PID 1988 wrote to memory of 1464	1988	moyfur.exe	DllHost.exe
PID 1988 wrote to memory of 1464	1988	moyfur.exe	DllHost.exe
PID 1988 wrote to memory of 1464	1988	moyfur.exe	DllHost.exe
PID 1988 wrote to memory of 1464	1988	moyfur.exe	DllHost.exe
PID 1988 wrote to memory of 1716	1988	moyfur.exe	DllHost.exe
PID 1988 wrote to memory of 1716	1988	moyfur.exe	DllHost.exe
PID 1988 wrote to memory of 1716	1988	moyfur.exe	DllHost.exe
PID 1988 wrote to memory of 1716	1988	moyfur.exe	DllHost.exe
PID 1988 wrote to memory of 1716	1988	moyfur.exe	DllHost.exe
PID 1988 wrote to memory of 1652	1988	moyfur.exe	DllHost.exe
PID 1988 wrote to memory of 1652	1988	moyfur.exe	DllHost.exe
PID 1988 wrote to memory of 1652	1988	moyfur.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1260

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1364

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe
"C:\Users\Admin\AppData\Local\Temp\87438b9c03188b2a968bb059d36c888849d2ee1811384c42975ee068eb7df4ce.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd70f7e9d.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Ylmoni\moyfur.exe"
4⤵
- Modifies Windows Firewall
PID:944

C:\Users\Admin\AppData\Roaming\Ylmoni\moyfur.exe
"C:\Users\Admin\AppData\Roaming\Ylmoni\moyfur.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9b31c1e4.bat"
3⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16523771971296969567-52205361638635029-15944151421048875863-1787615734-1843480749"
1⤵
PID:556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1464

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1716

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9b31c1e4.bat
Filesize
307B

MD5
1773c9e0d678faeb4f4248efbcef228d

SHA1
14c558b5c09f49c745bb2759627534335f6481a8

SHA256
2ece7fe151d71fa33f1f43068dd363d133d1df0dd52d11e8dc434a17bce52245

SHA512
84aeb21dfd488ff33022238397f35d6d07333c5ad4ba066f6452da9a2d27a532dce38db2325d622d330b40425728d89e9e7e69bf3d70444ea86296b204bb9447

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpd70f7e9d.bat
Filesize
202B

MD5
1ce19ec848e472c0c628048b1b07fff0

SHA1
6b3f7b6d45d52ed533442617a8b1c263af963b72

SHA256
68f727db801a69ef3adf7e8fbe0f44ac22038e0916f038d1793e01ab3bc26844

SHA512
e18173ce5419e89789d74c60b04021eb7e15a6fc07b47a796c9d2ed8e2bac5752aefce53d390b801944544a5855c4c8b887d4b070174835228b50509b932b4c1

Download Submit
C:\Users\Admin\AppData\Roaming\Hiobyfx\vocofoa.ecg
Filesize
398B

MD5
866de627077725eae918ec95407388ee

SHA1
4e0ba1d46c94568344292def950e720c7fc70bbf

SHA256
246890ec5518573c08fbdac812580eee0337cbcdf2864bb2371b316554a3a87c

SHA512
ca6cf89c7575c3d85e037113f733bafafb1454132323b052702319715512ed9352ba369d09ed0b72b759dd165608822e74aca92952a30ab079168d3d81b4d85c

Download Submit
C:\Users\Admin\AppData\Roaming\Ylmoni\moyfur.exe
Filesize
154KB

MD5
350a19461b0709136b5b885323b86691

SHA1
582a4e9e888e1827458bad51424bfcbbf67a7523

SHA256
1f3471eb32210fca35c58d8a36b5b3da86b12a23c47c7e869e19286f48524f1b

SHA512
8993d60c391266d522a8a4d07b48c56e3f20b7bf6dc00944c9dc498d40273f0196669102c3395cf1405548889b06abcd71bb44c36b5439b6cc80fa956fe1e8b3

Download Submit
C:\Users\Admin\AppData\Roaming\Ylmoni\moyfur.exe
Filesize
154KB

MD5
350a19461b0709136b5b885323b86691

SHA1
582a4e9e888e1827458bad51424bfcbbf67a7523

SHA256
1f3471eb32210fca35c58d8a36b5b3da86b12a23c47c7e869e19286f48524f1b

SHA512
8993d60c391266d522a8a4d07b48c56e3f20b7bf6dc00944c9dc498d40273f0196669102c3395cf1405548889b06abcd71bb44c36b5439b6cc80fa956fe1e8b3

Download Submit
\Users\Admin\AppData\Roaming\Ylmoni\moyfur.exe
Filesize
154KB

MD5
350a19461b0709136b5b885323b86691

SHA1
582a4e9e888e1827458bad51424bfcbbf67a7523

SHA256
1f3471eb32210fca35c58d8a36b5b3da86b12a23c47c7e869e19286f48524f1b

SHA512
8993d60c391266d522a8a4d07b48c56e3f20b7bf6dc00944c9dc498d40273f0196669102c3395cf1405548889b06abcd71bb44c36b5439b6cc80fa956fe1e8b3

Download Submit
\Users\Admin\AppData\Roaming\Ylmoni\moyfur.exe
Filesize
154KB

MD5
350a19461b0709136b5b885323b86691

SHA1
582a4e9e888e1827458bad51424bfcbbf67a7523

SHA256
1f3471eb32210fca35c58d8a36b5b3da86b12a23c47c7e869e19286f48524f1b

SHA512
8993d60c391266d522a8a4d07b48c56e3f20b7bf6dc00944c9dc498d40273f0196669102c3395cf1405548889b06abcd71bb44c36b5439b6cc80fa956fe1e8b3

Download Submit
memory/556-132-0x0000000000160000-0x0000000000187000-memory.dmp

Filesize
156KB

Download
memory/556-133-0x0000000000160000-0x0000000000187000-memory.dmp

Filesize
156KB

Download
memory/556-134-0x0000000000160000-0x0000000000187000-memory.dmp

Filesize
156KB

Download
memory/556-135-0x0000000000160000-0x0000000000187000-memory.dmp

Filesize
156KB

Download
memory/944-65-0x0000000000000000-mapping.dmp

Download
memory/1048-98-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download
memory/1048-117-0x0000000003D10000-0x0000000003D37000-memory.dmp

Filesize
156KB

Download
memory/1048-116-0x0000000003D10000-0x0000000003D37000-memory.dmp

Filesize
156KB

Download
memory/1048-115-0x0000000003D10000-0x0000000003D37000-memory.dmp

Filesize
156KB

Download
memory/1048-114-0x0000000003D10000-0x0000000003D37000-memory.dmp

Filesize
156KB

Download
memory/1048-106-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/1048-100-0x00000000020E0000-0x00000000020F0000-memory.dmp

Filesize
64KB

Download
memory/1048-99-0x000007FEF67A1000-0x000007FEF67A3000-memory.dmp

Filesize
8KB

Download
memory/1260-72-0x0000000001D30000-0x0000000001D57000-memory.dmp

Filesize
156KB

Download
memory/1260-69-0x0000000001D30000-0x0000000001D57000-memory.dmp

Filesize
156KB

Download
memory/1260-73-0x0000000001D30000-0x0000000001D57000-memory.dmp

Filesize
156KB

Download
memory/1260-71-0x0000000001D30000-0x0000000001D57000-memory.dmp

Filesize
156KB

Download
memory/1260-74-0x0000000001D30000-0x0000000001D57000-memory.dmp

Filesize
156KB

Download
memory/1364-79-0x0000000001AE0000-0x0000000001B07000-memory.dmp

Filesize
156KB

Download
memory/1364-77-0x0000000001AE0000-0x0000000001B07000-memory.dmp

Filesize
156KB

Download
memory/1364-78-0x0000000001AE0000-0x0000000001B07000-memory.dmp

Filesize
156KB

Download
memory/1364-80-0x0000000001AE0000-0x0000000001B07000-memory.dmp

Filesize
156KB

Download
memory/1420-84-0x0000000002270000-0x0000000002297000-memory.dmp

Filesize
156KB

Download
memory/1420-83-0x0000000002270000-0x0000000002297000-memory.dmp

Filesize
156KB

Download
memory/1420-85-0x0000000002270000-0x0000000002297000-memory.dmp

Filesize
156KB

Download
memory/1420-86-0x0000000002270000-0x0000000002297000-memory.dmp

Filesize
156KB

Download
memory/1572-92-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1572-56-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1572-58-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1572-94-0x0000000000560000-0x00000000005B4000-memory.dmp

Filesize
336KB

Download
memory/1572-93-0x0000000000560000-0x00000000005B4000-memory.dmp

Filesize
336KB

Download
memory/1572-90-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1572-91-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1572-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1572-89-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1572-128-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1572-55-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1572-96-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1572-57-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/1968-59-0x0000000000000000-mapping.dmp

Download
memory/1988-142-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1988-62-0x0000000000000000-mapping.dmp

Download
memory/1988-95-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2028-123-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2028-129-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2028-126-0x000000000005DD63-mapping.dmp

Download
memory/2028-125-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2028-124-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2028-121-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads