e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95

General

Target

e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
Size

284KB
MD5

73d05d023ab5f49ee2000db0f7e0d8d6
SHA1

a2d9d2a85eae686d298e52e3d066a5fe1f5b1003
SHA256

e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95
SHA512

2491bf9c402e2fcb16bdad7eff664d0bde37ea9761002fefcd17980b74da6e025ce0b3dd57dc4b81ff650e2ab343ef3e302befbccb9751aec0a18d3de5171719
SSDEEP

6144:bsWxkEzhZ27XWd53WvjBgSB7Vsm5e4KHvA:g2m2lWBB7Vs4Qv

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

rouxw.exerouxw.exe

pid process

1240 rouxw.exe
336 rouxw.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1560 cmd.exe

pid	process
1240	rouxw.exe
336	rouxw.exe

pid	process
1560	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe

pid	process
968	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
968	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rouxw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	rouxw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{F362C86B-C310-6D58-F6A9-C69E59ED9EF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Zeef\\rouxw.exe"	rouxw.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exerouxw.exee054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe

description	pid	process	target process
PID 1732 set thread context of 968	1732	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
PID 1240 set thread context of 336	1240	rouxw.exe	rouxw.exe
PID 968 set thread context of 1560	968	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\660F50D6-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

rouxw.exe

pid	process
336	rouxw.exe
336	rouxw.exe
336	rouxw.exe
336	rouxw.exe
336	rouxw.exe
336	rouxw.exe
336	rouxw.exe
336	rouxw.exe
336	rouxw.exe
336	rouxw.exe
336	rouxw.exe
336	rouxw.exe
336	rouxw.exe
336	rouxw.exe
336	rouxw.exe
336	rouxw.exe
336	rouxw.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.execmd.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	968	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
Token: SeSecurityPrivilege	968	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
Token: SeSecurityPrivilege	968	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
Token: SeSecurityPrivilege	1560	cmd.exe
Token: SeSecurityPrivilege	1560	cmd.exe
Token: SeManageVolumePrivilege	564	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

564 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

564 WinMail.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exerouxw.exeWinMail.exe

pid process

1732 e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
1240 rouxw.exe
564 WinMail.exe

pid	process
564	WinMail.exe

pid	process
564	WinMail.exe

pid	process
1732	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
1240	rouxw.exe
564	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exee054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exerouxw.exerouxw.exe

description	pid	process	target process
PID 1732 wrote to memory of 968	1732	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
PID 1732 wrote to memory of 968	1732	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
PID 1732 wrote to memory of 968	1732	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
PID 1732 wrote to memory of 968	1732	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
PID 1732 wrote to memory of 968	1732	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
PID 1732 wrote to memory of 968	1732	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
PID 1732 wrote to memory of 968	1732	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
PID 1732 wrote to memory of 968	1732	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
PID 1732 wrote to memory of 968	1732	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
PID 968 wrote to memory of 1240	968	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	rouxw.exe
PID 968 wrote to memory of 1240	968	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	rouxw.exe
PID 968 wrote to memory of 1240	968	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	rouxw.exe
PID 968 wrote to memory of 1240	968	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	rouxw.exe
PID 1240 wrote to memory of 336	1240	rouxw.exe	rouxw.exe
PID 1240 wrote to memory of 336	1240	rouxw.exe	rouxw.exe
PID 1240 wrote to memory of 336	1240	rouxw.exe	rouxw.exe
PID 1240 wrote to memory of 336	1240	rouxw.exe	rouxw.exe
PID 1240 wrote to memory of 336	1240	rouxw.exe	rouxw.exe
PID 1240 wrote to memory of 336	1240	rouxw.exe	rouxw.exe
PID 1240 wrote to memory of 336	1240	rouxw.exe	rouxw.exe
PID 1240 wrote to memory of 336	1240	rouxw.exe	rouxw.exe
PID 1240 wrote to memory of 336	1240	rouxw.exe	rouxw.exe
PID 336 wrote to memory of 1128	336	rouxw.exe	taskhost.exe
PID 336 wrote to memory of 1128	336	rouxw.exe	taskhost.exe
PID 336 wrote to memory of 1128	336	rouxw.exe	taskhost.exe
PID 336 wrote to memory of 1128	336	rouxw.exe	taskhost.exe
PID 336 wrote to memory of 1128	336	rouxw.exe	taskhost.exe
PID 336 wrote to memory of 1204	336	rouxw.exe	Dwm.exe
PID 336 wrote to memory of 1204	336	rouxw.exe	Dwm.exe
PID 336 wrote to memory of 1204	336	rouxw.exe	Dwm.exe
PID 336 wrote to memory of 1204	336	rouxw.exe	Dwm.exe
PID 336 wrote to memory of 1204	336	rouxw.exe	Dwm.exe
PID 336 wrote to memory of 1268	336	rouxw.exe	Explorer.EXE
PID 336 wrote to memory of 1268	336	rouxw.exe	Explorer.EXE
PID 336 wrote to memory of 1268	336	rouxw.exe	Explorer.EXE
PID 336 wrote to memory of 1268	336	rouxw.exe	Explorer.EXE
PID 336 wrote to memory of 1268	336	rouxw.exe	Explorer.EXE
PID 336 wrote to memory of 968	336	rouxw.exe	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
PID 336 wrote to memory of 968	336	rouxw.exe	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
PID 336 wrote to memory of 968	336	rouxw.exe	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
PID 336 wrote to memory of 968	336	rouxw.exe	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
PID 336 wrote to memory of 968	336	rouxw.exe	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
PID 968 wrote to memory of 1560	968	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	cmd.exe
PID 968 wrote to memory of 1560	968	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	cmd.exe
PID 968 wrote to memory of 1560	968	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	cmd.exe
PID 968 wrote to memory of 1560	968	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	cmd.exe
PID 968 wrote to memory of 1560	968	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	cmd.exe
PID 968 wrote to memory of 1560	968	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	cmd.exe
PID 968 wrote to memory of 1560	968	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	cmd.exe
PID 968 wrote to memory of 1560	968	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	cmd.exe
PID 968 wrote to memory of 1560	968	e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe	cmd.exe
PID 336 wrote to memory of 1348	336	rouxw.exe	conhost.exe
PID 336 wrote to memory of 1348	336	rouxw.exe	conhost.exe
PID 336 wrote to memory of 1348	336	rouxw.exe	conhost.exe
PID 336 wrote to memory of 1348	336	rouxw.exe	conhost.exe
PID 336 wrote to memory of 1348	336	rouxw.exe	conhost.exe
PID 336 wrote to memory of 564	336	rouxw.exe	WinMail.exe
PID 336 wrote to memory of 564	336	rouxw.exe	WinMail.exe
PID 336 wrote to memory of 564	336	rouxw.exe	WinMail.exe
PID 336 wrote to memory of 564	336	rouxw.exe	WinMail.exe
PID 336 wrote to memory of 564	336	rouxw.exe	WinMail.exe
PID 336 wrote to memory of 1656	336	rouxw.exe	DllHost.exe
PID 336 wrote to memory of 1656	336	rouxw.exe	DllHost.exe
PID 336 wrote to memory of 1656	336	rouxw.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
"C:\Users\Admin\AppData\Local\Temp\e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe
"C:\Users\Admin\AppData\Local\Temp\e054139ab45a294dbf1646fa2bae4b3c6499b1786ec020841b8ef22d2235cc95.exe"
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Roaming\Zeef\rouxw.exe
"C:\Users\Admin\AppData\Roaming\Zeef\rouxw.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Roaming\Zeef\rouxw.exe
"C:\Users\Admin\AppData\Roaming\Zeef\rouxw.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4138b52a.bat"
4⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1204

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-614539738-14984774061632288113-636241726-1492203388-1621562806-347098863594002799"
1⤵
PID:1348

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:564

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1656

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1340

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4138b52a.bat
Filesize
307B

MD5
dab359114f7e1ad6ef90f1275e5da2dc

SHA1
cf7c61dc539401b2bc7f691f149f03f5bd899308

SHA256
cc96467164647f623624e28aca9681347040c6e3bfecf82b36f42600f6ea56bc

SHA512
1b800b4abca81d29d4373e903392e936ed8337c9c88c347a503a69170d614ad2a0ec000823faefce967004ad3060ee78d7787d4b6029495e593356691914c37e

Download Submit
C:\Users\Admin\AppData\Roaming\Uveqba\togal.vyo
Filesize
721B

MD5
bff51a4ab54ddf3fedb15420cca3bbe5

SHA1
e677fbb5fb0030ba8c001ee539747391215e94fc

SHA256
26b1645ab1e686a9e0df2680de1ce984d84c230c50b2e8a0972c9bfd0d82b008

SHA512
91d915338ca60271c18b47e7a9eec195a31d8497a4a9e5070841d75a518d936a8981c821b18cc4f5292bcf813d7d579f44bf1aad43aa490952af8bb5b65ffe27

Download Submit
C:\Users\Admin\AppData\Roaming\Uveqba\togal.vyo
Filesize
721B

MD5
bff51a4ab54ddf3fedb15420cca3bbe5

SHA1
e677fbb5fb0030ba8c001ee539747391215e94fc

SHA256
26b1645ab1e686a9e0df2680de1ce984d84c230c50b2e8a0972c9bfd0d82b008

SHA512
91d915338ca60271c18b47e7a9eec195a31d8497a4a9e5070841d75a518d936a8981c821b18cc4f5292bcf813d7d579f44bf1aad43aa490952af8bb5b65ffe27

Download Submit
C:\Users\Admin\AppData\Roaming\Zeef\rouxw.exe
Filesize
284KB

MD5
6534432b4f6ddaa28312c0930be69ce9

SHA1
b1cdb8abac31653ff03b84793f10ae13f8d6b926

SHA256
e531830034f5d53b3322aa3a6c8108622b443e2572d9c7f1c7e5c082fd50b4f0

SHA512
7474e44913ff502b3835458cec582847936991237cc7bf2b374d5e9c060d4f03f10663b92284893369a055bde0c95dccb153e780a8f572031ac2d31c8c802a7f

Download Submit
C:\Users\Admin\AppData\Roaming\Zeef\rouxw.exe
Filesize
284KB

MD5
6534432b4f6ddaa28312c0930be69ce9

SHA1
b1cdb8abac31653ff03b84793f10ae13f8d6b926

SHA256
e531830034f5d53b3322aa3a6c8108622b443e2572d9c7f1c7e5c082fd50b4f0

SHA512
7474e44913ff502b3835458cec582847936991237cc7bf2b374d5e9c060d4f03f10663b92284893369a055bde0c95dccb153e780a8f572031ac2d31c8c802a7f

Download Submit
C:\Users\Admin\AppData\Roaming\Zeef\rouxw.exe
Filesize
284KB

MD5
6534432b4f6ddaa28312c0930be69ce9

SHA1
b1cdb8abac31653ff03b84793f10ae13f8d6b926

SHA256
e531830034f5d53b3322aa3a6c8108622b443e2572d9c7f1c7e5c082fd50b4f0

SHA512
7474e44913ff502b3835458cec582847936991237cc7bf2b374d5e9c060d4f03f10663b92284893369a055bde0c95dccb153e780a8f572031ac2d31c8c802a7f

Download Submit
\Users\Admin\AppData\Roaming\Zeef\rouxw.exe
Filesize
284KB

MD5
6534432b4f6ddaa28312c0930be69ce9

SHA1
b1cdb8abac31653ff03b84793f10ae13f8d6b926

SHA256
e531830034f5d53b3322aa3a6c8108622b443e2572d9c7f1c7e5c082fd50b4f0

SHA512
7474e44913ff502b3835458cec582847936991237cc7bf2b374d5e9c060d4f03f10663b92284893369a055bde0c95dccb153e780a8f572031ac2d31c8c802a7f

Download Submit
\Users\Admin\AppData\Roaming\Zeef\rouxw.exe
Filesize
284KB

MD5
6534432b4f6ddaa28312c0930be69ce9

SHA1
b1cdb8abac31653ff03b84793f10ae13f8d6b926

SHA256
e531830034f5d53b3322aa3a6c8108622b443e2572d9c7f1c7e5c082fd50b4f0

SHA512
7474e44913ff502b3835458cec582847936991237cc7bf2b374d5e9c060d4f03f10663b92284893369a055bde0c95dccb153e780a8f572031ac2d31c8c802a7f

Download Submit
memory/336-100-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/336-72-0x0000000000413048-mapping.dmp

Download
memory/336-142-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/564-141-0x0000000003E30000-0x0000000003E57000-memory.dmp

Filesize
156KB

Download
memory/564-123-0x000007FEF60A1000-0x000007FEF60A3000-memory.dmp

Filesize
8KB

Download
memory/564-122-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download
memory/564-124-0x0000000001F70000-0x0000000001F80000-memory.dmp

Filesize
64KB

Download
memory/564-140-0x0000000003E30000-0x0000000003E57000-memory.dmp

Filesize
156KB

Download
memory/564-139-0x0000000003E30000-0x0000000003E57000-memory.dmp

Filesize
156KB

Download
memory/564-138-0x0000000003E30000-0x0000000003E57000-memory.dmp

Filesize
156KB

Download
memory/564-130-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/968-60-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/968-62-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/968-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/968-58-0x0000000000413048-mapping.dmp

Download
memory/968-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/968-116-0x0000000000470000-0x0000000000497000-memory.dmp

Filesize
156KB

Download
memory/968-113-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/968-101-0x0000000000470000-0x00000000004BB000-memory.dmp

Filesize
300KB

Download
memory/968-96-0x0000000000470000-0x0000000000497000-memory.dmp

Filesize
156KB

Download
memory/968-97-0x0000000000470000-0x0000000000497000-memory.dmp

Filesize
156KB

Download
memory/968-98-0x0000000000470000-0x0000000000497000-memory.dmp

Filesize
156KB

Download
memory/968-99-0x0000000000470000-0x0000000000497000-memory.dmp

Filesize
156KB

Download
memory/1128-76-0x0000000001E60000-0x0000000001E87000-memory.dmp

Filesize
156KB

Download
memory/1128-78-0x0000000001E60000-0x0000000001E87000-memory.dmp

Filesize
156KB

Download
memory/1128-79-0x0000000001E60000-0x0000000001E87000-memory.dmp

Filesize
156KB

Download
memory/1128-80-0x0000000001E60000-0x0000000001E87000-memory.dmp

Filesize
156KB

Download
memory/1128-81-0x0000000001E60000-0x0000000001E87000-memory.dmp

Filesize
156KB

Download
memory/1204-87-0x0000000001D60000-0x0000000001D87000-memory.dmp

Filesize
156KB

Download
memory/1204-84-0x0000000001D60000-0x0000000001D87000-memory.dmp

Filesize
156KB

Download
memory/1204-85-0x0000000001D60000-0x0000000001D87000-memory.dmp

Filesize
156KB

Download
memory/1204-86-0x0000000001D60000-0x0000000001D87000-memory.dmp

Filesize
156KB

Download
memory/1240-69-0x00000000004FE000-0x0000000000500000-memory.dmp

Filesize
8KB

Download
memory/1240-65-0x0000000000000000-mapping.dmp

Download
memory/1268-92-0x0000000001DF0000-0x0000000001E17000-memory.dmp

Filesize
156KB

Download
memory/1268-91-0x0000000001DF0000-0x0000000001E17000-memory.dmp

Filesize
156KB

Download
memory/1268-93-0x0000000001DF0000-0x0000000001E17000-memory.dmp

Filesize
156KB

Download
memory/1268-90-0x0000000001DF0000-0x0000000001E17000-memory.dmp

Filesize
156KB

Download
memory/1348-120-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1348-119-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1348-118-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1348-117-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1560-111-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1560-109-0x0000000000062CBA-mapping.dmp

Download
memory/1560-108-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1560-107-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1560-104-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1560-155-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1560-106-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1732-56-0x000000000061E000-0x0000000000620000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads