0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769

General

Target

0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.exe
Size

216KB
MD5

8a904f56600b0cd6209b25e42fe540bc
SHA1

691620d4a0903b1386a259893224e2a11c1a97ed
SHA256

0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769
SHA512

f8c022a5f5d6282acffa04d4f4ac07b4031beeb0c51eaa101dea580e324904ce85728a22dc34dbba195a1ea9543accbbc0d786505a39c114d0cc47801dbed713
SSDEEP

6144:2uVmC725GHMYuXz9kXGk4rMwWK457IAhs:zkYu2ard+i

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

ovxy.exeovxy.EXE

pid process

2028 ovxy.exe
1872 ovxy.EXE
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

912 cmd.exe

pid	process
2028	ovxy.exe
1872	ovxy.EXE

pid	process
912	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE

pid	process
1688	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
1688	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ovxy.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	ovxy.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{AE2A0998-4BB7-81E4-FDF8-BA57352E2872} = "C:\\Users\\Admin\\AppData\\Roaming\\Reesny\\ovxy.exe"	ovxy.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.exeovxy.exe0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE

description	pid	process	target process
PID 1912 set thread context of 1688	1912	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.exe	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
PID 2028 set thread context of 1872	2028	ovxy.exe	ovxy.EXE
PID 1688 set thread context of 912	1688	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\64057976-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

ovxy.EXE

pid	process
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE
1872	ovxy.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXEcmd.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1688	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
Token: SeSecurityPrivilege	1688	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
Token: SeSecurityPrivilege	1688	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
Token: SeSecurityPrivilege	912	cmd.exe
Token: SeManageVolumePrivilege	976	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

976 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

976 WinMail.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.exeovxy.exeWinMail.exe

pid process

1912 0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.exe
2028 ovxy.exe
976 WinMail.exe

pid	process
976	WinMail.exe

pid	process
976	WinMail.exe

pid	process
1912	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.exe
2028	ovxy.exe
976	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.exe0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXEovxy.exeovxy.EXE

description	pid	process	target process
PID 1912 wrote to memory of 1688	1912	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.exe	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
PID 1912 wrote to memory of 1688	1912	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.exe	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
PID 1912 wrote to memory of 1688	1912	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.exe	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
PID 1912 wrote to memory of 1688	1912	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.exe	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
PID 1912 wrote to memory of 1688	1912	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.exe	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
PID 1912 wrote to memory of 1688	1912	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.exe	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
PID 1912 wrote to memory of 1688	1912	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.exe	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
PID 1912 wrote to memory of 1688	1912	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.exe	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
PID 1912 wrote to memory of 1688	1912	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.exe	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
PID 1688 wrote to memory of 2028	1688	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE	ovxy.exe
PID 1688 wrote to memory of 2028	1688	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE	ovxy.exe
PID 1688 wrote to memory of 2028	1688	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE	ovxy.exe
PID 1688 wrote to memory of 2028	1688	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE	ovxy.exe
PID 2028 wrote to memory of 1872	2028	ovxy.exe	ovxy.EXE
PID 2028 wrote to memory of 1872	2028	ovxy.exe	ovxy.EXE
PID 2028 wrote to memory of 1872	2028	ovxy.exe	ovxy.EXE
PID 2028 wrote to memory of 1872	2028	ovxy.exe	ovxy.EXE
PID 2028 wrote to memory of 1872	2028	ovxy.exe	ovxy.EXE
PID 2028 wrote to memory of 1872	2028	ovxy.exe	ovxy.EXE
PID 2028 wrote to memory of 1872	2028	ovxy.exe	ovxy.EXE
PID 2028 wrote to memory of 1872	2028	ovxy.exe	ovxy.EXE
PID 2028 wrote to memory of 1872	2028	ovxy.exe	ovxy.EXE
PID 1872 wrote to memory of 1132	1872	ovxy.EXE	taskhost.exe
PID 1872 wrote to memory of 1132	1872	ovxy.EXE	taskhost.exe
PID 1872 wrote to memory of 1132	1872	ovxy.EXE	taskhost.exe
PID 1872 wrote to memory of 1132	1872	ovxy.EXE	taskhost.exe
PID 1872 wrote to memory of 1132	1872	ovxy.EXE	taskhost.exe
PID 1872 wrote to memory of 1200	1872	ovxy.EXE	Dwm.exe
PID 1872 wrote to memory of 1200	1872	ovxy.EXE	Dwm.exe
PID 1872 wrote to memory of 1200	1872	ovxy.EXE	Dwm.exe
PID 1872 wrote to memory of 1200	1872	ovxy.EXE	Dwm.exe
PID 1872 wrote to memory of 1200	1872	ovxy.EXE	Dwm.exe
PID 1872 wrote to memory of 1256	1872	ovxy.EXE	Explorer.EXE
PID 1872 wrote to memory of 1256	1872	ovxy.EXE	Explorer.EXE
PID 1872 wrote to memory of 1256	1872	ovxy.EXE	Explorer.EXE
PID 1872 wrote to memory of 1256	1872	ovxy.EXE	Explorer.EXE
PID 1872 wrote to memory of 1256	1872	ovxy.EXE	Explorer.EXE
PID 1872 wrote to memory of 1688	1872	ovxy.EXE	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
PID 1872 wrote to memory of 1688	1872	ovxy.EXE	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
PID 1872 wrote to memory of 1688	1872	ovxy.EXE	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
PID 1872 wrote to memory of 1688	1872	ovxy.EXE	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
PID 1872 wrote to memory of 1688	1872	ovxy.EXE	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
PID 1688 wrote to memory of 912	1688	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE	cmd.exe
PID 1688 wrote to memory of 912	1688	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE	cmd.exe
PID 1688 wrote to memory of 912	1688	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE	cmd.exe
PID 1688 wrote to memory of 912	1688	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE	cmd.exe
PID 1688 wrote to memory of 912	1688	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE	cmd.exe
PID 1688 wrote to memory of 912	1688	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE	cmd.exe
PID 1688 wrote to memory of 912	1688	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE	cmd.exe
PID 1688 wrote to memory of 912	1688	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE	cmd.exe
PID 1688 wrote to memory of 912	1688	0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE	cmd.exe
PID 1872 wrote to memory of 1984	1872	ovxy.EXE	conhost.exe
PID 1872 wrote to memory of 1984	1872	ovxy.EXE	conhost.exe
PID 1872 wrote to memory of 1984	1872	ovxy.EXE	conhost.exe
PID 1872 wrote to memory of 1984	1872	ovxy.EXE	conhost.exe
PID 1872 wrote to memory of 1984	1872	ovxy.EXE	conhost.exe
PID 1872 wrote to memory of 976	1872	ovxy.EXE	WinMail.exe
PID 1872 wrote to memory of 976	1872	ovxy.EXE	WinMail.exe
PID 1872 wrote to memory of 976	1872	ovxy.EXE	WinMail.exe
PID 1872 wrote to memory of 976	1872	ovxy.EXE	WinMail.exe
PID 1872 wrote to memory of 976	1872	ovxy.EXE	WinMail.exe
PID 1872 wrote to memory of 1224	1872	ovxy.EXE	DllHost.exe
PID 1872 wrote to memory of 1224	1872	ovxy.EXE	DllHost.exe
PID 1872 wrote to memory of 1224	1872	ovxy.EXE	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.exe
"C:\Users\Admin\AppData\Local\Temp\0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE
"C:\Users\Admin\AppData\Local\Temp\0dd1c1cbd7e9f24a945dba9d561bf18c3a689981abc3da44500fe8156d035769.EXE"
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Roaming\Reesny\ovxy.exe
"C:\Users\Admin\AppData\Roaming\Reesny\ovxy.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Roaming\Reesny\ovxy.EXE
"C:\Users\Admin\AppData\Roaming\Reesny\ovxy.EXE"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpba7f8b6b.bat"
4⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1200

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1770888054612873202-901907602939310166-2047457743390157209372018021-615967886"
1⤵
PID:1984

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:976

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1224

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:896

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpba7f8b6b.bat
Filesize
307B

MD5
232975f6834ee6817252a3ffecbbd860

SHA1
863dedcc0425beb9fdcf3c8112df90e006046877

SHA256
de016bba28f0532129ebd553e5b90e2c14f0bf9c57a4c3f2928829a2eb2ce837

SHA512
29922a8c9feb73dacf47068a3dbe1e72d28475759a8c886cdd4ab356af61ecd3208bfe9d4acb3f6ccce57dc336d3866a1c279c72291c8dc59e25fd351cc4fda5

Download Submit
C:\Users\Admin\AppData\Roaming\Reesny\ovxy.EXE
Filesize
216KB

MD5
6272f4a66e4d03db0a9846885e73cb07

SHA1
6d9281677b01c42da9e0da9bbb15fd0caad87458

SHA256
9e8058c19c013c8f993c4fda6ea1a7c84fb82eaa187d8c1556500567596cc2e8

SHA512
3dc2b0236c126ec6e587274e52754e61702cf87f74cc6ca694d31379b813e01a0db2d0b6d3d9c3c5acde9a655a7708288b3084c112acc719c621901856febf69

Download Submit
C:\Users\Admin\AppData\Roaming\Reesny\ovxy.exe
Filesize
216KB

MD5
6272f4a66e4d03db0a9846885e73cb07

SHA1
6d9281677b01c42da9e0da9bbb15fd0caad87458

SHA256
9e8058c19c013c8f993c4fda6ea1a7c84fb82eaa187d8c1556500567596cc2e8

SHA512
3dc2b0236c126ec6e587274e52754e61702cf87f74cc6ca694d31379b813e01a0db2d0b6d3d9c3c5acde9a655a7708288b3084c112acc719c621901856febf69

Download Submit
C:\Users\Admin\AppData\Roaming\Reesny\ovxy.exe
Filesize
216KB

MD5
6272f4a66e4d03db0a9846885e73cb07

SHA1
6d9281677b01c42da9e0da9bbb15fd0caad87458

SHA256
9e8058c19c013c8f993c4fda6ea1a7c84fb82eaa187d8c1556500567596cc2e8

SHA512
3dc2b0236c126ec6e587274e52754e61702cf87f74cc6ca694d31379b813e01a0db2d0b6d3d9c3c5acde9a655a7708288b3084c112acc719c621901856febf69

Download Submit
C:\Users\Admin\AppData\Roaming\Zido\xyury.abs
Filesize
398B

MD5
6e3d5dc37b687e9f21cafdca8027aaee

SHA1
0f5a34f9ee1ebea7e3ef2a6742ecd13761128f5f

SHA256
5edd3815e5407b26af50544e10ec60c5b6bc474629e503d8904fe1797b7b8f6a

SHA512
41d178b9834e9e17e96b5afbd196466129c4fcaf8bc0118ed818f1a3e125830f6accccf053054d55feefd4f0419531d804b41c32f5ccca9688a9e986d34980c8

Download Submit
\Users\Admin\AppData\Roaming\Reesny\ovxy.exe
Filesize
216KB

MD5
6272f4a66e4d03db0a9846885e73cb07

SHA1
6d9281677b01c42da9e0da9bbb15fd0caad87458

SHA256
9e8058c19c013c8f993c4fda6ea1a7c84fb82eaa187d8c1556500567596cc2e8

SHA512
3dc2b0236c126ec6e587274e52754e61702cf87f74cc6ca694d31379b813e01a0db2d0b6d3d9c3c5acde9a655a7708288b3084c112acc719c621901856febf69

Download Submit
\Users\Admin\AppData\Roaming\Reesny\ovxy.exe
Filesize
216KB

MD5
6272f4a66e4d03db0a9846885e73cb07

SHA1
6d9281677b01c42da9e0da9bbb15fd0caad87458

SHA256
9e8058c19c013c8f993c4fda6ea1a7c84fb82eaa187d8c1556500567596cc2e8

SHA512
3dc2b0236c126ec6e587274e52754e61702cf87f74cc6ca694d31379b813e01a0db2d0b6d3d9c3c5acde9a655a7708288b3084c112acc719c621901856febf69

Download Submit
memory/912-112-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/912-114-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/912-119-0x0000000000062CBA-mapping.dmp

Download
memory/912-116-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/912-115-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/912-130-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/976-131-0x000007FEF6C11000-0x000007FEF6C13000-memory.dmp

Filesize
8KB

Download
memory/976-129-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

Filesize
8KB

Download
memory/976-132-0x0000000001F80000-0x0000000001F90000-memory.dmp

Filesize
64KB

Download
memory/1132-88-0x0000000001B50000-0x0000000001B77000-memory.dmp

Filesize
156KB

Download
memory/1132-89-0x0000000001B50000-0x0000000001B77000-memory.dmp

Filesize
156KB

Download
memory/1132-90-0x0000000001B50000-0x0000000001B77000-memory.dmp

Filesize
156KB

Download
memory/1132-91-0x0000000001B50000-0x0000000001B77000-memory.dmp

Filesize
156KB

Download
memory/1200-94-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1200-95-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1200-96-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1200-97-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/1256-100-0x0000000001C30000-0x0000000001C57000-memory.dmp

Filesize
156KB

Download
memory/1256-101-0x0000000001C30000-0x0000000001C57000-memory.dmp

Filesize
156KB

Download
memory/1256-102-0x0000000001C30000-0x0000000001C57000-memory.dmp

Filesize
156KB

Download
memory/1256-103-0x0000000001C30000-0x0000000001C57000-memory.dmp

Filesize
156KB

Download
memory/1688-118-0x0000000000340000-0x0000000000354000-memory.dmp

Filesize
80KB

Download
memory/1688-65-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1688-108-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/1688-109-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/1688-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1688-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1688-63-0x0000000000413048-mapping.dmp

Download
memory/1688-67-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1688-62-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1688-106-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/1688-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1688-120-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1688-60-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1688-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1688-107-0x0000000000340000-0x0000000000367000-memory.dmp

Filesize
156KB

Download
memory/1872-117-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1872-82-0x0000000000413048-mapping.dmp

Download
memory/1872-163-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1984-126-0x0000000000030000-0x0000000000057000-memory.dmp

Filesize
156KB

Download
memory/1984-125-0x0000000000030000-0x0000000000057000-memory.dmp

Filesize
156KB

Download
memory/1984-124-0x0000000000030000-0x0000000000057000-memory.dmp

Filesize
156KB

Download
memory/1984-123-0x0000000000030000-0x0000000000057000-memory.dmp

Filesize
156KB

Download
memory/2028-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads