92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9

General

Target

92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
Size

236KB
MD5

484818589983a671d34b7d29dd87e69e
SHA1

53fa624a1c2f94bc6c4f82762a4dc25883baf920
SHA256

92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9
SHA512

f73d7f3bf0e9d6a22333aeea1c9d8fba60f62793c4aae761f8a35f0735a96168b6838823d03bd3e54325b2f6f34cfec5016cf1f82427457baa6311357d284205
SSDEEP

3072:oDid9+z7kPAeTVYIVGWjW/BbIP0BI0+5Fo6/889cqeuj7wh6TuE2nvoUBT35SkHk:oWEYPlYIV96tIPiIrJ73NTXGBD5rH

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

amafi.exeamafi.exe

pid process

1480 amafi.exe
1048 amafi.exe

pid	process
1480	amafi.exe
1048	amafi.exe

Loads dropped DLL 2 IoCs

Processes:

92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe

pid	process
1520	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
1520	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

amafi.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	amafi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\{2057956B-BB8B-6D58-498A-4751FC5B1F3E} = "C:\\Users\\Admin\\AppData\\Roaming\\Avlo\\amafi.exe"	amafi.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exeamafi.exe92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe

description	pid	process	target process
PID 2028 set thread context of 1520	2028	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
PID 1480 set thread context of 1048	1480	amafi.exe	amafi.exe
PID 1520 set thread context of 924	1520	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\3EFB7068-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

amafi.exe

pid	process
1048	amafi.exe
1048	amafi.exe
1048	amafi.exe
1048	amafi.exe
1048	amafi.exe
1048	amafi.exe
1048	amafi.exe
1048	amafi.exe
1048	amafi.exe
1048	amafi.exe
1048	amafi.exe
1048	amafi.exe
1048	amafi.exe
1048	amafi.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.execmd.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	1520	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
Token: SeSecurityPrivilege	1520	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
Token: SeSecurityPrivilege	1520	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
Token: SeSecurityPrivilege	924	cmd.exe
Token: SeSecurityPrivilege	924	cmd.exe
Token: SeManageVolumePrivilege	1940	WinMail.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exeamafi.exeWinMail.exe

pid process

2028 92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
1480 amafi.exe
1940 WinMail.exe

pid	process
2028	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
1480	amafi.exe
1940	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exeamafi.exeamafi.exe

description	pid	process	target process
PID 2028 wrote to memory of 1520	2028	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
PID 2028 wrote to memory of 1520	2028	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
PID 2028 wrote to memory of 1520	2028	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
PID 2028 wrote to memory of 1520	2028	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
PID 2028 wrote to memory of 1520	2028	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
PID 2028 wrote to memory of 1520	2028	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
PID 2028 wrote to memory of 1520	2028	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
PID 2028 wrote to memory of 1520	2028	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
PID 2028 wrote to memory of 1520	2028	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
PID 1520 wrote to memory of 1480	1520	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	amafi.exe
PID 1520 wrote to memory of 1480	1520	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	amafi.exe
PID 1520 wrote to memory of 1480	1520	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	amafi.exe
PID 1520 wrote to memory of 1480	1520	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	amafi.exe
PID 1480 wrote to memory of 1048	1480	amafi.exe	amafi.exe
PID 1480 wrote to memory of 1048	1480	amafi.exe	amafi.exe
PID 1480 wrote to memory of 1048	1480	amafi.exe	amafi.exe
PID 1480 wrote to memory of 1048	1480	amafi.exe	amafi.exe
PID 1480 wrote to memory of 1048	1480	amafi.exe	amafi.exe
PID 1480 wrote to memory of 1048	1480	amafi.exe	amafi.exe
PID 1480 wrote to memory of 1048	1480	amafi.exe	amafi.exe
PID 1480 wrote to memory of 1048	1480	amafi.exe	amafi.exe
PID 1480 wrote to memory of 1048	1480	amafi.exe	amafi.exe
PID 1048 wrote to memory of 1120	1048	amafi.exe	taskhost.exe
PID 1048 wrote to memory of 1120	1048	amafi.exe	taskhost.exe
PID 1048 wrote to memory of 1120	1048	amafi.exe	taskhost.exe
PID 1048 wrote to memory of 1120	1048	amafi.exe	taskhost.exe
PID 1048 wrote to memory of 1120	1048	amafi.exe	taskhost.exe
PID 1048 wrote to memory of 1184	1048	amafi.exe	Dwm.exe
PID 1048 wrote to memory of 1184	1048	amafi.exe	Dwm.exe
PID 1048 wrote to memory of 1184	1048	amafi.exe	Dwm.exe
PID 1048 wrote to memory of 1184	1048	amafi.exe	Dwm.exe
PID 1048 wrote to memory of 1184	1048	amafi.exe	Dwm.exe
PID 1048 wrote to memory of 1244	1048	amafi.exe	Explorer.EXE
PID 1048 wrote to memory of 1244	1048	amafi.exe	Explorer.EXE
PID 1048 wrote to memory of 1244	1048	amafi.exe	Explorer.EXE
PID 1048 wrote to memory of 1244	1048	amafi.exe	Explorer.EXE
PID 1048 wrote to memory of 1244	1048	amafi.exe	Explorer.EXE
PID 1048 wrote to memory of 1520	1048	amafi.exe	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
PID 1048 wrote to memory of 1520	1048	amafi.exe	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
PID 1048 wrote to memory of 1520	1048	amafi.exe	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
PID 1048 wrote to memory of 1520	1048	amafi.exe	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
PID 1048 wrote to memory of 1520	1048	amafi.exe	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
PID 1520 wrote to memory of 924	1520	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	cmd.exe
PID 1520 wrote to memory of 924	1520	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	cmd.exe
PID 1520 wrote to memory of 924	1520	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	cmd.exe
PID 1520 wrote to memory of 924	1520	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	cmd.exe
PID 1520 wrote to memory of 924	1520	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	cmd.exe
PID 1520 wrote to memory of 924	1520	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	cmd.exe
PID 1520 wrote to memory of 924	1520	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	cmd.exe
PID 1520 wrote to memory of 924	1520	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	cmd.exe
PID 1520 wrote to memory of 924	1520	92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe	cmd.exe
PID 1048 wrote to memory of 1084	1048	amafi.exe	conhost.exe
PID 1048 wrote to memory of 1084	1048	amafi.exe	conhost.exe
PID 1048 wrote to memory of 1084	1048	amafi.exe	conhost.exe
PID 1048 wrote to memory of 1084	1048	amafi.exe	conhost.exe
PID 1048 wrote to memory of 1084	1048	amafi.exe	conhost.exe
PID 1048 wrote to memory of 1940	1048	amafi.exe	WinMail.exe
PID 1048 wrote to memory of 1940	1048	amafi.exe	WinMail.exe
PID 1048 wrote to memory of 1940	1048	amafi.exe	WinMail.exe
PID 1048 wrote to memory of 1940	1048	amafi.exe	WinMail.exe
PID 1048 wrote to memory of 1940	1048	amafi.exe	WinMail.exe
PID 1048 wrote to memory of 1712	1048	amafi.exe	DllHost.exe
PID 1048 wrote to memory of 1712	1048	amafi.exe	DllHost.exe
PID 1048 wrote to memory of 1712	1048	amafi.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
"C:\Users\Admin\AppData\Local\Temp\92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe
"C:\Users\Admin\AppData\Local\Temp\92a92f662edf70a5284037d267de6f50d6deca99bc50d9af96709d817cb105e9.exe"
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Roaming\Avlo\amafi.exe
"C:\Users\Admin\AppData\Roaming\Avlo\amafi.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Roaming\Avlo\amafi.exe
"C:\Users\Admin\AppData\Roaming\Avlo\amafi.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd7bd1810.bat"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1686566939-77338058795054122-366015484-751357877-1372214028-10161642471723591472"
1⤵
PID:1084

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1940

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1712

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Avlo\amafi.exe
Filesize
236KB

MD5
7bb2ef6349e686f815ca9746dc21447f

SHA1
a72cccc1a8cf5b94de91d4e4b52adfb0bc4bdfd2

SHA256
393b4ff98fac6beffee29b5e37327eb75287ea6f604618efd98981337ccd7d28

SHA512
a3c34b96ce234522194b3455883f42189e6ef7bb900e1bf9a24de15d35eb51e2eee08ea0c34aa3ffe01e9bc48c0c836b185734fdf61c44779dbd8f88d223ead4

Download Submit
C:\Users\Admin\AppData\Roaming\Avlo\amafi.exe
Filesize
236KB

MD5
7bb2ef6349e686f815ca9746dc21447f

SHA1
a72cccc1a8cf5b94de91d4e4b52adfb0bc4bdfd2

SHA256
393b4ff98fac6beffee29b5e37327eb75287ea6f604618efd98981337ccd7d28

SHA512
a3c34b96ce234522194b3455883f42189e6ef7bb900e1bf9a24de15d35eb51e2eee08ea0c34aa3ffe01e9bc48c0c836b185734fdf61c44779dbd8f88d223ead4

Download Submit
C:\Users\Admin\AppData\Roaming\Avlo\amafi.exe
Filesize
236KB

MD5
7bb2ef6349e686f815ca9746dc21447f

SHA1
a72cccc1a8cf5b94de91d4e4b52adfb0bc4bdfd2

SHA256
393b4ff98fac6beffee29b5e37327eb75287ea6f604618efd98981337ccd7d28

SHA512
a3c34b96ce234522194b3455883f42189e6ef7bb900e1bf9a24de15d35eb51e2eee08ea0c34aa3ffe01e9bc48c0c836b185734fdf61c44779dbd8f88d223ead4

Download Submit
C:\Users\Admin\AppData\Roaming\Hivie\alna.idw
Filesize
398B

MD5
d1e9f7d19038fdc3f509d46c4ac96fcd

SHA1
d8ac65ed17978acc05a8f296756b32ec421bb56c

SHA256
b6196cd425cbbd025629d22bc1b14c171593bf634710f3df8618cf7056840385

SHA512
b1544133b7b57d3beab9e85a65a2ad3e2738938fd85636a48f41f233e96d4bfd8786e117ccb7e04ffab8edfbed5287e2a5feb11eee4f146def288abb52647b92

Download Submit
\Users\Admin\AppData\Roaming\Avlo\amafi.exe
Filesize
236KB

MD5
7bb2ef6349e686f815ca9746dc21447f

SHA1
a72cccc1a8cf5b94de91d4e4b52adfb0bc4bdfd2

SHA256
393b4ff98fac6beffee29b5e37327eb75287ea6f604618efd98981337ccd7d28

SHA512
a3c34b96ce234522194b3455883f42189e6ef7bb900e1bf9a24de15d35eb51e2eee08ea0c34aa3ffe01e9bc48c0c836b185734fdf61c44779dbd8f88d223ead4

Download Submit
\Users\Admin\AppData\Roaming\Avlo\amafi.exe
Filesize
236KB

MD5
7bb2ef6349e686f815ca9746dc21447f

SHA1
a72cccc1a8cf5b94de91d4e4b52adfb0bc4bdfd2

SHA256
393b4ff98fac6beffee29b5e37327eb75287ea6f604618efd98981337ccd7d28

SHA512
a3c34b96ce234522194b3455883f42189e6ef7bb900e1bf9a24de15d35eb51e2eee08ea0c34aa3ffe01e9bc48c0c836b185734fdf61c44779dbd8f88d223ead4

Download Submit
memory/924-107-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/924-106-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/924-104-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/924-109-0x0000000000062CBA-mapping.dmp

Download
memory/924-120-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/924-108-0x0000000000050000-0x0000000000077000-memory.dmp

Filesize
156KB

Download
memory/1048-72-0x0000000000413048-mapping.dmp

Download
memory/1048-100-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1048-141-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1084-118-0x0000000001B50000-0x0000000001B77000-memory.dmp

Filesize
156KB

Download
memory/1084-117-0x0000000001B50000-0x0000000001B77000-memory.dmp

Filesize
156KB

Download
memory/1084-116-0x0000000001B50000-0x0000000001B77000-memory.dmp

Filesize
156KB

Download
memory/1084-119-0x0000000001B50000-0x0000000001B77000-memory.dmp

Filesize
156KB

Download
memory/1120-76-0x0000000001D90000-0x0000000001DB7000-memory.dmp

Filesize
156KB

Download
memory/1120-78-0x0000000001D90000-0x0000000001DB7000-memory.dmp

Filesize
156KB

Download
memory/1120-79-0x0000000001D90000-0x0000000001DB7000-memory.dmp

Filesize
156KB

Download
memory/1120-80-0x0000000001D90000-0x0000000001DB7000-memory.dmp

Filesize
156KB

Download
memory/1120-81-0x0000000001D90000-0x0000000001DB7000-memory.dmp

Filesize
156KB

Download
memory/1184-84-0x0000000001C60000-0x0000000001C87000-memory.dmp

Filesize
156KB

Download
memory/1184-86-0x0000000001C60000-0x0000000001C87000-memory.dmp

Filesize
156KB

Download
memory/1184-85-0x0000000001C60000-0x0000000001C87000-memory.dmp

Filesize
156KB

Download
memory/1184-87-0x0000000001C60000-0x0000000001C87000-memory.dmp

Filesize
156KB

Download
memory/1244-93-0x00000000021C0000-0x00000000021E7000-memory.dmp

Filesize
156KB

Download
memory/1244-92-0x00000000021C0000-0x00000000021E7000-memory.dmp

Filesize
156KB

Download
memory/1244-91-0x00000000021C0000-0x00000000021E7000-memory.dmp

Filesize
156KB

Download
memory/1244-90-0x00000000021C0000-0x00000000021E7000-memory.dmp

Filesize
156KB

Download
memory/1480-69-0x00000000005D7000-0x00000000005D9000-memory.dmp

Filesize
8KB

Download
memory/1480-65-0x0000000000000000-mapping.dmp

Download
memory/1520-96-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/1520-58-0x0000000000413048-mapping.dmp

Download
memory/1520-99-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/1520-98-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/1520-111-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1520-113-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/1520-97-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/1520-62-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1520-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1520-60-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/1520-57-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1520-101-0x0000000000300000-0x0000000000327000-memory.dmp

Filesize
156KB

Download
memory/1940-121-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

Filesize
8KB

Download
memory/1940-123-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/1940-129-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/1940-138-0x00000000040C0000-0x00000000040E7000-memory.dmp

Filesize
156KB

Download
memory/1940-137-0x00000000040C0000-0x00000000040E7000-memory.dmp

Filesize
156KB

Download
memory/1940-140-0x00000000040C0000-0x00000000040E7000-memory.dmp

Filesize
156KB

Download
memory/1940-139-0x00000000040C0000-0x00000000040E7000-memory.dmp

Filesize
156KB

Download
memory/1940-122-0x000007FEF62A1000-0x000007FEF62A3000-memory.dmp

Filesize
8KB

Download
memory/2028-56-0x00000000005F7000-0x00000000005F9000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads