6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491

General

Target

6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
Size

224KB
MD5

55f5aa7e46081e5c6ec989c47c951acc
SHA1

1d0d159c0a672c118070bb6e1362ec172d9876eb
SHA256

6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491
SHA512

bde1aa5de6dafe651d1f4e8120fa3a41bccb2ade64f70f633151cd3a0ce59769aa1a52242faf191dd9d1902813410f0d3a5f04b226dff3c609dfcedc0fe9919f
SSDEEP

3072:ts5r7sy9mkRkwuWBpYBcOQxqnYaeonhTmwYfxRv3Wt3j5kgk5RLg:tsi+my4nEehCwYfxRvGt3j6VRE

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

lyiz.exelyiz.exe

pid process

1680 lyiz.exe
1376 lyiz.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2032 cmd.exe

pid	process
1680	lyiz.exe
1376	lyiz.exe

pid	process
2032	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe

pid	process
1428	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
1428	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lyiz.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	lyiz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{47D5DCD8-9317-693A-8813-09A43F140867} = "C:\\Users\\Admin\\AppData\\Roaming\\Vagaiv\\lyiz.exe"	lyiz.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exelyiz.exe6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe

description	pid	process	target process
PID 588 set thread context of 1428	588	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
PID 1680 set thread context of 1376	1680	lyiz.exe	lyiz.exe
PID 1428 set thread context of 2032	1428	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\4DBA38F2-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

lyiz.exe

pid	process
1376	lyiz.exe
1376	lyiz.exe
1376	lyiz.exe
1376	lyiz.exe
1376	lyiz.exe
1376	lyiz.exe
1376	lyiz.exe
1376	lyiz.exe
1376	lyiz.exe
1376	lyiz.exe
1376	lyiz.exe
1376	lyiz.exe
1376	lyiz.exe
1376	lyiz.exe
1376	lyiz.exe
1376	lyiz.exe
1376	lyiz.exe
1376	lyiz.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.execmd.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1428	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
Token: SeSecurityPrivilege	1428	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
Token: SeSecurityPrivilege	1428	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
Token: SeSecurityPrivilege	2032	cmd.exe
Token: SeSecurityPrivilege	2032	cmd.exe
Token: SeManageVolumePrivilege	1880	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

1880 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

1880 WinMail.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exelyiz.exeWinMail.exe

pid process

588 6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
1680 lyiz.exe
1880 WinMail.exe

pid	process
1880	WinMail.exe

pid	process
1880	WinMail.exe

pid	process
588	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
1680	lyiz.exe
1880	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exelyiz.exelyiz.exe

description	pid	process	target process
PID 588 wrote to memory of 1428	588	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
PID 588 wrote to memory of 1428	588	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
PID 588 wrote to memory of 1428	588	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
PID 588 wrote to memory of 1428	588	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
PID 588 wrote to memory of 1428	588	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
PID 588 wrote to memory of 1428	588	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
PID 588 wrote to memory of 1428	588	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
PID 588 wrote to memory of 1428	588	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
PID 588 wrote to memory of 1428	588	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
PID 1428 wrote to memory of 1680	1428	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	lyiz.exe
PID 1428 wrote to memory of 1680	1428	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	lyiz.exe
PID 1428 wrote to memory of 1680	1428	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	lyiz.exe
PID 1428 wrote to memory of 1680	1428	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	lyiz.exe
PID 1680 wrote to memory of 1376	1680	lyiz.exe	lyiz.exe
PID 1680 wrote to memory of 1376	1680	lyiz.exe	lyiz.exe
PID 1680 wrote to memory of 1376	1680	lyiz.exe	lyiz.exe
PID 1680 wrote to memory of 1376	1680	lyiz.exe	lyiz.exe
PID 1680 wrote to memory of 1376	1680	lyiz.exe	lyiz.exe
PID 1680 wrote to memory of 1376	1680	lyiz.exe	lyiz.exe
PID 1680 wrote to memory of 1376	1680	lyiz.exe	lyiz.exe
PID 1680 wrote to memory of 1376	1680	lyiz.exe	lyiz.exe
PID 1680 wrote to memory of 1376	1680	lyiz.exe	lyiz.exe
PID 1376 wrote to memory of 1140	1376	lyiz.exe	taskhost.exe
PID 1376 wrote to memory of 1140	1376	lyiz.exe	taskhost.exe
PID 1376 wrote to memory of 1140	1376	lyiz.exe	taskhost.exe
PID 1376 wrote to memory of 1140	1376	lyiz.exe	taskhost.exe
PID 1376 wrote to memory of 1140	1376	lyiz.exe	taskhost.exe
PID 1376 wrote to memory of 1240	1376	lyiz.exe	Dwm.exe
PID 1376 wrote to memory of 1240	1376	lyiz.exe	Dwm.exe
PID 1376 wrote to memory of 1240	1376	lyiz.exe	Dwm.exe
PID 1376 wrote to memory of 1240	1376	lyiz.exe	Dwm.exe
PID 1376 wrote to memory of 1240	1376	lyiz.exe	Dwm.exe
PID 1376 wrote to memory of 1272	1376	lyiz.exe	Explorer.EXE
PID 1376 wrote to memory of 1272	1376	lyiz.exe	Explorer.EXE
PID 1376 wrote to memory of 1272	1376	lyiz.exe	Explorer.EXE
PID 1376 wrote to memory of 1272	1376	lyiz.exe	Explorer.EXE
PID 1376 wrote to memory of 1272	1376	lyiz.exe	Explorer.EXE
PID 1376 wrote to memory of 1428	1376	lyiz.exe	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
PID 1376 wrote to memory of 1428	1376	lyiz.exe	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
PID 1376 wrote to memory of 1428	1376	lyiz.exe	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
PID 1376 wrote to memory of 1428	1376	lyiz.exe	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
PID 1376 wrote to memory of 1428	1376	lyiz.exe	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
PID 1428 wrote to memory of 2032	1428	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	cmd.exe
PID 1428 wrote to memory of 2032	1428	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	cmd.exe
PID 1428 wrote to memory of 2032	1428	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	cmd.exe
PID 1428 wrote to memory of 2032	1428	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	cmd.exe
PID 1428 wrote to memory of 2032	1428	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	cmd.exe
PID 1428 wrote to memory of 2032	1428	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	cmd.exe
PID 1428 wrote to memory of 2032	1428	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	cmd.exe
PID 1428 wrote to memory of 2032	1428	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	cmd.exe
PID 1428 wrote to memory of 2032	1428	6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe	cmd.exe
PID 1376 wrote to memory of 1060	1376	lyiz.exe	conhost.exe
PID 1376 wrote to memory of 1060	1376	lyiz.exe	conhost.exe
PID 1376 wrote to memory of 1060	1376	lyiz.exe	conhost.exe
PID 1376 wrote to memory of 1060	1376	lyiz.exe	conhost.exe
PID 1376 wrote to memory of 1060	1376	lyiz.exe	conhost.exe
PID 1376 wrote to memory of 1880	1376	lyiz.exe	WinMail.exe
PID 1376 wrote to memory of 1880	1376	lyiz.exe	WinMail.exe
PID 1376 wrote to memory of 1880	1376	lyiz.exe	WinMail.exe
PID 1376 wrote to memory of 1880	1376	lyiz.exe	WinMail.exe
PID 1376 wrote to memory of 1880	1376	lyiz.exe	WinMail.exe
PID 1376 wrote to memory of 1920	1376	lyiz.exe	DllHost.exe
PID 1376 wrote to memory of 1920	1376	lyiz.exe	DllHost.exe
PID 1376 wrote to memory of 1920	1376	lyiz.exe	DllHost.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1240

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
"C:\Users\Admin\AppData\Local\Temp\6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:588

C:\Users\Admin\AppData\Local\Temp\6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe
"C:\Users\Admin\AppData\Local\Temp\6f4335d847fe775d1bbf227b5ca270da18f80eeab9726e8ede068c5d88443491.exe"
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Roaming\Vagaiv\lyiz.exe
"C:\Users\Admin\AppData\Roaming\Vagaiv\lyiz.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Roaming\Vagaiv\lyiz.exe
"C:\Users\Admin\AppData\Roaming\Vagaiv\lyiz.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe76c194b.bat"
4⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1140

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-728384917761883586841861277223535049-5377057561785085638-1943288879-76051827"
1⤵
PID:1060

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1880

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1920

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe76c194b.bat
Filesize
307B

MD5
ee5ec22635bde2080d6d37645ccebce4

SHA1
3acbea23d624994fe379a3f7769770d8e8835094

SHA256
daf7ad79d8f56579b7e768ecfcd415ac077ac79c7872e6f688d4864cc2e9a76f

SHA512
e928e976fc0be0a03d305eb3eaac4dd4795afb14f2e3db7bdd99c252a89cd31633662c27a3800b7cad523766e4da55cbc8701048bb10d155c97c8b8c81200fcd

Download Submit
C:\Users\Admin\AppData\Roaming\Vaequd\horew.afo
Filesize
398B

MD5
062732f7f94a21675fc015c2fdc1aa91

SHA1
4c0225f197f0881884c8cd08f6e580146b8072c2

SHA256
18b8789f42221667e5084792accaff34954287164931afd8f7ef637f4d73c0da

SHA512
c5873e30cf84773e2ab3e842c2ac8686a8d94c84f4b652738c56bc2a3afe651a83f8504c904ff07e90ec7200feadbedc3239f628a05d1643c97b3911d5d3a06d

Download Submit
C:\Users\Admin\AppData\Roaming\Vaequd\horew.afo
Filesize
721B

MD5
eda8cd5bac753b6dda810366256a26f7

SHA1
9dd0c0c7bd324c3966073fd116aaf16182de2836

SHA256
521bf2aef37e4076cd67d4123bbfeece1c72a0d523adad02157609d22351d1ac

SHA512
79d1b3b6a9c2a8f21eacd194885e5e35325874d616735dabeff8d86ea0e665d75db0ae5754d9f6b5f2551796d56669e8dc958b32b11441d0626cb044b5f33bff

Download Submit
C:\Users\Admin\AppData\Roaming\Vagaiv\lyiz.exe
Filesize
224KB

MD5
ec8668ec9022beda22ce1584118b8a05

SHA1
fa71a5a0463aa51ed84df53bc97f3cd96b967a66

SHA256
59c5063dfd4df59dea91bc8f026150fe3bd0cf814b95a5b5f5508def4b19a246

SHA512
f68f0635fa3805da3a00d96777c736800798f9f1ad53f45558e5053d67ce07c5427e7761cdfc1535536431c587ea2e165a811eb20c5c78b9687ae8c6f5735083

Download Submit
C:\Users\Admin\AppData\Roaming\Vagaiv\lyiz.exe
Filesize
224KB

MD5
ec8668ec9022beda22ce1584118b8a05

SHA1
fa71a5a0463aa51ed84df53bc97f3cd96b967a66

SHA256
59c5063dfd4df59dea91bc8f026150fe3bd0cf814b95a5b5f5508def4b19a246

SHA512
f68f0635fa3805da3a00d96777c736800798f9f1ad53f45558e5053d67ce07c5427e7761cdfc1535536431c587ea2e165a811eb20c5c78b9687ae8c6f5735083

Download Submit
C:\Users\Admin\AppData\Roaming\Vagaiv\lyiz.exe
Filesize
224KB

MD5
ec8668ec9022beda22ce1584118b8a05

SHA1
fa71a5a0463aa51ed84df53bc97f3cd96b967a66

SHA256
59c5063dfd4df59dea91bc8f026150fe3bd0cf814b95a5b5f5508def4b19a246

SHA512
f68f0635fa3805da3a00d96777c736800798f9f1ad53f45558e5053d67ce07c5427e7761cdfc1535536431c587ea2e165a811eb20c5c78b9687ae8c6f5735083

Download Submit
\Users\Admin\AppData\Roaming\Vagaiv\lyiz.exe
Filesize
224KB

MD5
ec8668ec9022beda22ce1584118b8a05

SHA1
fa71a5a0463aa51ed84df53bc97f3cd96b967a66

SHA256
59c5063dfd4df59dea91bc8f026150fe3bd0cf814b95a5b5f5508def4b19a246

SHA512
f68f0635fa3805da3a00d96777c736800798f9f1ad53f45558e5053d67ce07c5427e7761cdfc1535536431c587ea2e165a811eb20c5c78b9687ae8c6f5735083

Download Submit
\Users\Admin\AppData\Roaming\Vagaiv\lyiz.exe
Filesize
224KB

MD5
ec8668ec9022beda22ce1584118b8a05

SHA1
fa71a5a0463aa51ed84df53bc97f3cd96b967a66

SHA256
59c5063dfd4df59dea91bc8f026150fe3bd0cf814b95a5b5f5508def4b19a246

SHA512
f68f0635fa3805da3a00d96777c736800798f9f1ad53f45558e5053d67ce07c5427e7761cdfc1535536431c587ea2e165a811eb20c5c78b9687ae8c6f5735083

Download Submit
memory/1060-112-0x00000000000D0000-0x00000000000F7000-memory.dmp

Filesize
156KB

Download
memory/1060-115-0x00000000000D0000-0x00000000000F7000-memory.dmp

Filesize
156KB

Download
memory/1060-114-0x00000000000D0000-0x00000000000F7000-memory.dmp

Filesize
156KB

Download
memory/1060-113-0x00000000000D0000-0x00000000000F7000-memory.dmp

Filesize
156KB

Download
memory/1140-76-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1140-74-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1140-77-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1140-78-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1140-79-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1240-84-0x00000000019C0000-0x00000000019E7000-memory.dmp

Filesize
156KB

Download
memory/1240-83-0x00000000019C0000-0x00000000019E7000-memory.dmp

Filesize
156KB

Download
memory/1240-85-0x00000000019C0000-0x00000000019E7000-memory.dmp

Filesize
156KB

Download
memory/1240-82-0x00000000019C0000-0x00000000019E7000-memory.dmp

Filesize
156KB

Download
memory/1272-88-0x0000000002B80000-0x0000000002BA7000-memory.dmp

Filesize
156KB

Download
memory/1272-89-0x0000000002B80000-0x0000000002BA7000-memory.dmp

Filesize
156KB

Download
memory/1272-90-0x0000000002B80000-0x0000000002BA7000-memory.dmp

Filesize
156KB

Download
memory/1272-91-0x0000000002B80000-0x0000000002BA7000-memory.dmp

Filesize
156KB

Download
memory/1376-98-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1376-116-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1376-70-0x0000000000413048-mapping.dmp

Download
memory/1428-60-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1428-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1428-99-0x0000000001F90000-0x0000000001FCB000-memory.dmp

Filesize
236KB

Download
memory/1428-57-0x0000000000413048-mapping.dmp

Download
memory/1428-97-0x0000000001F90000-0x0000000001FB7000-memory.dmp

Filesize
156KB

Download
memory/1428-59-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1428-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1428-94-0x0000000001F90000-0x0000000001FB7000-memory.dmp

Filesize
156KB

Download
memory/1428-108-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1428-109-0x0000000001F90000-0x0000000001FB7000-memory.dmp

Filesize
156KB

Download
memory/1428-96-0x0000000001F90000-0x0000000001FB7000-memory.dmp

Filesize
156KB

Download
memory/1428-95-0x0000000001F90000-0x0000000001FB7000-memory.dmp

Filesize
156KB

Download
memory/1680-64-0x0000000000000000-mapping.dmp

Download
memory/1880-122-0x000007FEF6001000-0x000007FEF6003000-memory.dmp

Filesize
8KB

Download
memory/1880-138-0x00000000042B0000-0x00000000042D7000-memory.dmp

Filesize
156KB

Download
memory/1880-140-0x00000000042B0000-0x00000000042D7000-memory.dmp

Filesize
156KB

Download
memory/1880-139-0x00000000042B0000-0x00000000042D7000-memory.dmp

Filesize
156KB

Download
memory/1880-137-0x00000000042B0000-0x00000000042D7000-memory.dmp

Filesize
156KB

Download
memory/1880-121-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

Filesize
8KB

Download
memory/1880-129-0x0000000002130000-0x0000000002140000-memory.dmp

Filesize
64KB

Download
memory/1880-123-0x0000000001E60000-0x0000000001E70000-memory.dmp

Filesize
64KB

Download
memory/2032-104-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2032-105-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2032-107-0x0000000000062CBA-mapping.dmp

Download
memory/2032-119-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2032-106-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/2032-102-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads