79f6be6f4baba3ee46d4ff04c887641bc85a12a216c7da809093c89d9cafe247

Analysis

max time kernel
145s
max time network
130s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c8cbf9615eb6474b6e6e41855c79471.exe
Size

608KB
MD5

0c8cbf9615eb6474b6e6e41855c79471
SHA1

77d74ba97f85ab6bcad4aa9c6903feabf70800a1
SHA256

79f6be6f4baba3ee46d4ff04c887641bc85a12a216c7da809093c89d9cafe247
SHA512

459f5a939a3998ab61b80192a47eb2f607a80557130d982060d413242c7edcc7a72ca104ef8c7f86bab2fc4fd82922ae9caa66473e8d5191c29d28c919c7f261
SSDEEP

12288:yq5HmlhBno1zmdp5tKTcGDNsWXBqzfYuATpU/rLXirvXbR+CXon:N5Gb61zy5AcuOCixAAC6

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 19 IoCs

pid	Process
2360	server.exe
2784	ka.exe
2652	ka.exe
2888	ka.exe
364	ka.exe
1100	ka.exe
1768	ka.exe
2364	ka.exe
2140	ka.exe
1816	ka.exe
1160	ka.exe
2196	ka.exe
1560	ka.exe
2940	ka.exe
1084	ka.exe
2560	ka.exe
3004	ka.exe
1212	ka.exe
1500	ka.exe

Loads dropped DLL 4 IoCs

pid	Process
2656	0c8cbf9615eb6474b6e6e41855c79471.exe
2656	0c8cbf9615eb6474b6e6e41855c79471.exe
2360	server.exe
2360	server.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	server.exe

Suspicious use of SetThreadContext 17 IoCs

description	pid	Process	procid_target
PID 2784 set thread context of 2652	2784	ka.exe	31
PID 2652 set thread context of 2888	2652	ka.exe	32
PID 2888 set thread context of 364	2888	ka.exe	33
PID 364 set thread context of 1100	364	ka.exe	34
PID 1100 set thread context of 1768	1100	ka.exe	35
PID 1768 set thread context of 2364	1768	ka.exe	36
PID 2364 set thread context of 2140	2364	ka.exe	37
PID 2140 set thread context of 1816	2140	ka.exe	38
PID 1816 set thread context of 1160	1816	ka.exe	39
PID 1160 set thread context of 2196	1160	ka.exe	40
PID 2196 set thread context of 1560	2196	ka.exe	41
PID 1560 set thread context of 2940	1560	ka.exe	42
PID 2940 set thread context of 1084	2940	ka.exe	43
PID 1084 set thread context of 2560	1084	ka.exe	44
PID 2560 set thread context of 3004	2560	ka.exe	45
PID 3004 set thread context of 1212	3004	ka.exe	46
PID 1212 set thread context of 1500	1212	ka.exe	47

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3048	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3048	vlc.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	ka.exe
Token: SeDebugPrivilege	2652	ka.exe
Token: SeDebugPrivilege	2888	ka.exe
Token: 33	3048	vlc.exe
Token: SeIncBasePriorityPrivilege	3048	vlc.exe
Token: SeDebugPrivilege	364	ka.exe
Token: SeDebugPrivilege	1100	ka.exe
Token: SeDebugPrivilege	1768	ka.exe
Token: SeDebugPrivilege	2364	ka.exe
Token: SeDebugPrivilege	2140	ka.exe
Token: SeDebugPrivilege	1816	ka.exe
Token: SeDebugPrivilege	1160	ka.exe
Token: SeDebugPrivilege	2196	ka.exe
Token: SeDebugPrivilege	1560	ka.exe
Token: SeDebugPrivilege	2940	ka.exe
Token: SeDebugPrivilege	1084	ka.exe
Token: SeDebugPrivilege	2560	ka.exe
Token: SeDebugPrivilege	3004	ka.exe
Token: SeDebugPrivilege	1212	ka.exe
Token: SeDebugPrivilege	1500	ka.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe
3048	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3048	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 3048	2656	0c8cbf9615eb6474b6e6e41855c79471.exe	28
PID 2656 wrote to memory of 3048	2656	0c8cbf9615eb6474b6e6e41855c79471.exe	28
PID 2656 wrote to memory of 3048	2656	0c8cbf9615eb6474b6e6e41855c79471.exe	28
PID 2656 wrote to memory of 3048	2656	0c8cbf9615eb6474b6e6e41855c79471.exe	28
PID 2656 wrote to memory of 2360	2656	0c8cbf9615eb6474b6e6e41855c79471.exe	29
PID 2656 wrote to memory of 2360	2656	0c8cbf9615eb6474b6e6e41855c79471.exe	29
PID 2656 wrote to memory of 2360	2656	0c8cbf9615eb6474b6e6e41855c79471.exe	29
PID 2656 wrote to memory of 2360	2656	0c8cbf9615eb6474b6e6e41855c79471.exe	29
PID 2360 wrote to memory of 2784	2360	server.exe	30
PID 2360 wrote to memory of 2784	2360	server.exe	30
PID 2360 wrote to memory of 2784	2360	server.exe	30
PID 2360 wrote to memory of 2784	2360	server.exe	30
PID 2784 wrote to memory of 2652	2784	ka.exe	31
PID 2784 wrote to memory of 2652	2784	ka.exe	31
PID 2784 wrote to memory of 2652	2784	ka.exe	31
PID 2784 wrote to memory of 2652	2784	ka.exe	31
PID 2784 wrote to memory of 2652	2784	ka.exe	31
PID 2784 wrote to memory of 2652	2784	ka.exe	31
PID 2652 wrote to memory of 2888	2652	ka.exe	32
PID 2652 wrote to memory of 2888	2652	ka.exe	32
PID 2652 wrote to memory of 2888	2652	ka.exe	32
PID 2652 wrote to memory of 2888	2652	ka.exe	32
PID 2652 wrote to memory of 2888	2652	ka.exe	32
PID 2652 wrote to memory of 2888	2652	ka.exe	32
PID 2888 wrote to memory of 364	2888	ka.exe	33
PID 2888 wrote to memory of 364	2888	ka.exe	33
PID 2888 wrote to memory of 364	2888	ka.exe	33
PID 2888 wrote to memory of 364	2888	ka.exe	33
PID 2888 wrote to memory of 364	2888	ka.exe	33
PID 2888 wrote to memory of 364	2888	ka.exe	33
PID 364 wrote to memory of 1100	364	ka.exe	34
PID 364 wrote to memory of 1100	364	ka.exe	34
PID 364 wrote to memory of 1100	364	ka.exe	34
PID 364 wrote to memory of 1100	364	ka.exe	34
PID 364 wrote to memory of 1100	364	ka.exe	34
PID 364 wrote to memory of 1100	364	ka.exe	34
PID 1100 wrote to memory of 1768	1100	ka.exe	35
PID 1100 wrote to memory of 1768	1100	ka.exe	35
PID 1100 wrote to memory of 1768	1100	ka.exe	35
PID 1100 wrote to memory of 1768	1100	ka.exe	35
PID 1100 wrote to memory of 1768	1100	ka.exe	35
PID 1100 wrote to memory of 1768	1100	ka.exe	35
PID 1768 wrote to memory of 2364	1768	ka.exe	36
PID 1768 wrote to memory of 2364	1768	ka.exe	36
PID 1768 wrote to memory of 2364	1768	ka.exe	36
PID 1768 wrote to memory of 2364	1768	ka.exe	36
PID 1768 wrote to memory of 2364	1768	ka.exe	36
PID 1768 wrote to memory of 2364	1768	ka.exe	36
PID 2364 wrote to memory of 2140	2364	ka.exe	37
PID 2364 wrote to memory of 2140	2364	ka.exe	37
PID 2364 wrote to memory of 2140	2364	ka.exe	37
PID 2364 wrote to memory of 2140	2364	ka.exe	37
PID 2364 wrote to memory of 2140	2364	ka.exe	37
PID 2364 wrote to memory of 2140	2364	ka.exe	37
PID 2140 wrote to memory of 1816	2140	ka.exe	38
PID 2140 wrote to memory of 1816	2140	ka.exe	38
PID 2140 wrote to memory of 1816	2140	ka.exe	38
PID 2140 wrote to memory of 1816	2140	ka.exe	38
PID 2140 wrote to memory of 1816	2140	ka.exe	38
PID 2140 wrote to memory of 1816	2140	ka.exe	38
PID 1816 wrote to memory of 1160	1816	ka.exe	39
PID 1816 wrote to memory of 1160	1816	ka.exe	39
PID 1816 wrote to memory of 1160	1816	ka.exe	39
PID 1816 wrote to memory of 1160	1816	ka.exe	39

C:\Users\Admin\AppData\Local\Temp\0c8cbf9615eb6474b6e6e41855c79471.exe
"C:\Users\Admin\AppData\Local\Temp\0c8cbf9615eb6474b6e6e41855c79471.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Facebook +183.mp4"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3048
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe
        21⤵
        
        PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Facebook +183.mp4

Filesize
359KB

MD5
14ff0c63f931f1dcd4e2389fc6057b1a

SHA1
13042bdd6aeec0b9d867dcbfc1a6cc243fc4b893

SHA256
aeda391c44f9ba1e6111756404d16fe1c926b877d03769208a6f3133cd6a56ae

SHA512
af6a8ceb4103ebb2d9b3f025cc5e36addd5e0f78ac5cf868b1b5e4ac98831931a6ae45108ab9c503d06647c7ef87e38d4256b428f6a614089dd14927d0d72d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe

Filesize
64KB

MD5
f3dcd70c81614573e59c81a2b3da3e4a

SHA1
d8eadf8436f0190752b0c5095678eec0f3b8d7eb

SHA256
a51215c157b86c8028e069422af22cb89eb2c6d41caf69d5124d0cfa4b6b34a4

SHA512
e6968ea2c13985f331cd66cca160d5bd255196bfb84316b700595ee38a4ef00a230417e7ff8b3d4fc92593fa9a8713e9dad3469ca8d01b4b11a5591b7f5aa0bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe

Filesize
8KB

MD5
c8e5e6a047dce17af5af5662e7075fba

SHA1
362387dd42c4e84278ecc103befe7178efcb7685

SHA256
a7a4ab612bd91a468064f17886f2a68185d7fc7bb5988590cee6305b632b5b75

SHA512
58cb23c357e8e40bb6e553943cfdba8d0015d234ae36d59b927e312b6aa2a9d4adcf722a1f1da4f3e4656e7e96e80aac5c26fc1d6a1e9daf59130d1e68641ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe

Filesize
2KB

MD5
0d51e1b98dfc318edf5524131274f16f

SHA1
f6d4be190c57eded84c1d07ec0dd219ec23b1d11

SHA256
a48efa710727e98ae988b0f5ac3e0ca277fcf24fb514eed050a294ddfcc8af83

SHA512
ddb208609830e28b497aee9d70c12bc10b4a8a0653ffc0996660d48d87f25c02d78ac705e1fcb49a4d620948d2b84422e20102c6048dacc321476d06154f8f14

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ka.exe

Filesize
342KB

MD5
518bea93002f03577d5b54727a89f8b5

SHA1
fcce2a89994003bcc2c65cfa3bfc65185b79ca3d

SHA256
75d5f7c4233d61aa36c5ad2a5cf356611b3740ce1b69dc077c9dc0729803ad17

SHA512
51b68689d132b20300f06fed4f33296085c5eaf0b765a4e9c9b2968a36fc0cf2b922cc475f5a99c7a799b0ebdecdc0bf6bd7c044515ea9253dc84e45097e454d

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
244KB

MD5
315a6bcbab69e31731f6587c4a493194

SHA1
411a7bcdb152c40feb82823fe84553a73ec3a145

SHA256
8935bff6c881d2608af1dc332f29141334c233090d5b76aafc281f596707cbc2

SHA512
926116d9c1a0e41c547ecacd8ac4f0a86cc4e0cd48997cbe61bc338fe51e2d19645d50c15e2fe22a02db9c66b37f65986c477720d5e33e6cf67feaf3aaec1311

Download Submit
memory/364-62-0x0000000002090000-0x0000000002110000-memory.dmp

Filesize
512KB

Download
memory/364-64-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/364-73-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/364-65-0x0000000002090000-0x0000000002110000-memory.dmp

Filesize
512KB

Download
memory/364-61-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1084-328-0x0000000001EB6000-0x0000000001F1D000-memory.dmp

Filesize
412KB

Download
memory/1084-332-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1100-85-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1100-74-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1100-75-0x0000000001FC0000-0x0000000002040000-memory.dmp

Filesize
512KB

Download
memory/1100-76-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1100-77-0x0000000001FC0000-0x0000000002040000-memory.dmp

Filesize
512KB

Download
memory/1160-179-0x0000000001F06000-0x0000000001F6D000-memory.dmp

Filesize
412KB

Download
memory/1160-177-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1212-360-0x0000000002030000-0x00000000020B0000-memory.dmp

Filesize
512KB

Download
memory/1212-400-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1212-359-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1212-406-0x0000000002036000-0x000000000209D000-memory.dmp

Filesize
412KB

Download
memory/1500-459-0x00000000006A0000-0x0000000000720000-memory.dmp

Filesize
512KB

Download
memory/1560-282-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1560-227-0x0000000001F90000-0x0000000002010000-memory.dmp

Filesize
512KB

Download
memory/1768-97-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1768-86-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1768-89-0x0000000002000000-0x0000000002080000-memory.dmp

Filesize
512KB

Download
memory/1768-88-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1768-87-0x0000000002000000-0x0000000002080000-memory.dmp

Filesize
512KB

Download
memory/1816-159-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/1816-156-0x0000000001F36000-0x0000000001F9D000-memory.dmp

Filesize
412KB

Download
memory/2140-129-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2140-138-0x0000000001FD6000-0x000000000203D000-memory.dmp

Filesize
412KB

Download
memory/2196-230-0x0000000000536000-0x000000000059D000-memory.dmp

Filesize
412KB

Download
memory/2196-226-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2364-100-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2364-101-0x0000000001F10000-0x0000000001F90000-memory.dmp

Filesize
512KB

Download
memory/2364-98-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2364-110-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2364-99-0x0000000001F10000-0x0000000001F90000-memory.dmp

Filesize
512KB

Download
memory/2560-342-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2560-349-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2560-337-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2560-339-0x0000000000540000-0x00000000005C0000-memory.dmp

Filesize
512KB

Download
memory/2652-49-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2652-41-0x0000000001E90000-0x0000000001F10000-memory.dmp

Filesize
512KB

Download
memory/2652-31-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2652-40-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2652-38-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2652-35-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2652-33-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2784-22-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2784-25-0x0000000001EA0000-0x0000000001F20000-memory.dmp

Filesize
512KB

Download
memory/2784-21-0x0000000001EA0000-0x0000000001F20000-memory.dmp

Filesize
512KB

Download
memory/2784-20-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2784-39-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2784-19-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/2784-23-0x000000001AE50000-0x000000001AEAE000-memory.dmp

Filesize
376KB

Download
memory/2888-50-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-51-0x0000000002000000-0x0000000002080000-memory.dmp

Filesize
512KB

Download
memory/2888-63-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-53-0x0000000002000000-0x0000000002080000-memory.dmp

Filesize
512KB

Download
memory/2888-52-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-300-0x0000000001FF6000-0x000000000205D000-memory.dmp

Filesize
412KB

Download
memory/2940-302-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-348-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/3004-347-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-361-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-351-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/3004-350-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-127-0x000007FEEDC90000-0x000007FEEED3B000-memory.dmp

Filesize
16.7MB

Download
memory/3048-109-0x000000013F900000-0x000000013F9F8000-memory.dmp

Filesize
992KB

Download
memory/3048-115-0x000007FEFB080000-0x000007FEFB097000-memory.dmp

Filesize
92KB

Download
memory/3048-113-0x000007FEFB380000-0x000007FEFB398000-memory.dmp

Filesize
96KB

Download
memory/3048-112-0x000007FEF6230000-0x000007FEF64E4000-memory.dmp

Filesize
2.7MB

Download
memory/3048-130-0x000007FEF6BB0000-0x000007FEF6BEF000-memory.dmp

Filesize
252KB

Download
memory/3048-121-0x000007FEF7740000-0x000007FEF7751000-memory.dmp

Filesize
68KB

Download
memory/3048-117-0x000007FEF7780000-0x000007FEF7791000-memory.dmp

Filesize
68KB

Download
memory/3048-125-0x000007FEF6BF0000-0x000007FEF6C01000-memory.dmp

Filesize
68KB

Download
memory/3048-123-0x000007FEF6C10000-0x000007FEF6C2D000-memory.dmp

Filesize
116KB

Download
memory/3048-111-0x000007FEFB330000-0x000007FEFB364000-memory.dmp

Filesize
208KB

Download
memory/3048-131-0x000007FEF2630000-0x000007FEF2651000-memory.dmp

Filesize
132KB

Download
memory/3048-119-0x000007FEF7760000-0x000007FEF7777000-memory.dmp

Filesize
92KB

Download
memory/3048-132-0x000007FEF2610000-0x000007FEF2628000-memory.dmp

Filesize
96KB

Download
memory/3048-133-0x000007FEF25F0000-0x000007FEF2601000-memory.dmp

Filesize
68KB

Download
memory/3048-128-0x000007FEF2660000-0x000007FEF2860000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads