pony | a153fd22bd65af6bba8e32115945a02306e0c0d878bfba25915c5f4bc385583f

Reason

Machine shutdown

General

Target

047f37facd431e3010b629abd50f7883_JaffaCakes118.exe
Size

2.2MB
MD5

047f37facd431e3010b629abd50f7883
SHA1

0ed04a75a2dd155b4013aa1100f526d74cf15708
SHA256

a153fd22bd65af6bba8e32115945a02306e0c0d878bfba25915c5f4bc385583f
SHA512

cbc533282b9021023cc52101fa25df49f96017f9aa692a843b02c198421bcfc47281459e1c8c3a533b883935d7b389995d5a9a19ee668510b6953758e7ba7a28
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZm:0UzeyQMS4DqodCnoe+iitjWwwC

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

047f37facd431e3010b629abd50f7883_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\047f37facd431e3010b629abd50f7883_JaffaCakes118.exe	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\047f37facd431e3010b629abd50f7883_JaffaCakes118.exe	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe

Executes dropped EXE 19 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
4840	explorer.exe
3644	explorer.exe
1376	spoolsv.exe
4616	spoolsv.exe
3156	spoolsv.exe
960	spoolsv.exe
4840	spoolsv.exe
440	spoolsv.exe
2100	spoolsv.exe
3812	spoolsv.exe
2204	spoolsv.exe
3724	spoolsv.exe
4140	spoolsv.exe
3908	spoolsv.exe
1624	spoolsv.exe
2652	spoolsv.exe
1660	spoolsv.exe
3104	spoolsv.exe
5100	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

047f37facd431e3010b629abd50f7883_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 4624 set thread context of 2224	4624	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe
PID 4840 set thread context of 3644	4840	explorer.exe	explorer.exe

Drops file in Windows directory 21 IoCs

Processes:

spoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe047f37facd431e3010b629abd50f7883_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe047f37facd431e3010b629abd50f7883_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

047f37facd431e3010b629abd50f7883_JaffaCakes118.exeexplorer.exe

pid	process
2224	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe
2224	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

047f37facd431e3010b629abd50f7883_JaffaCakes118.exeexplorer.exe

pid	process
2224	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe
2224	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe
3644	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

047f37facd431e3010b629abd50f7883_JaffaCakes118.exe047f37facd431e3010b629abd50f7883_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 4624 wrote to memory of 5048	4624	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe	splwow64.exe
PID 4624 wrote to memory of 5048	4624	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe	splwow64.exe
PID 4624 wrote to memory of 2224	4624	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe
PID 4624 wrote to memory of 2224	4624	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe
PID 4624 wrote to memory of 2224	4624	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe
PID 4624 wrote to memory of 2224	4624	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe
PID 4624 wrote to memory of 2224	4624	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe
PID 2224 wrote to memory of 4840	2224	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe	explorer.exe
PID 2224 wrote to memory of 4840	2224	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe	explorer.exe
PID 2224 wrote to memory of 4840	2224	047f37facd431e3010b629abd50f7883_JaffaCakes118.exe	explorer.exe
PID 4840 wrote to memory of 3644	4840	explorer.exe	explorer.exe
PID 4840 wrote to memory of 3644	4840	explorer.exe	explorer.exe
PID 4840 wrote to memory of 3644	4840	explorer.exe	explorer.exe
PID 4840 wrote to memory of 3644	4840	explorer.exe	explorer.exe
PID 4840 wrote to memory of 3644	4840	explorer.exe	explorer.exe
PID 3644 wrote to memory of 1376	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 1376	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 1376	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 4616	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 4616	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 4616	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 3156	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 3156	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 3156	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 960	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 960	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 960	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 4840	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 4840	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 4840	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 440	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 440	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 440	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 2100	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 2100	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 2100	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 3812	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 3812	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 3812	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 2204	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 2204	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 2204	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 3724	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 3724	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 3724	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 4140	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 4140	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 4140	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 3908	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 3908	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 3908	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 1624	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 1624	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 1624	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 2652	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 2652	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 2652	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 1660	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 1660	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 1660	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 3104	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 3104	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 3104	3644	explorer.exe	spoolsv.exe
PID 3644 wrote to memory of 5100	3644	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\047f37facd431e3010b629abd50f7883_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\047f37facd431e3010b629abd50f7883_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\047f37facd431e3010b629abd50f7883_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\047f37facd431e3010b629abd50f7883_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4840

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:5100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1192

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe
Filesize
2.2MB

MD5
c95df27badca693f1c61aa8074d16b5b

SHA1
1bb013d2d6c85cf59dc4b0bce99e8fd78d4e7075

SHA256
055ccd36fecb08c8c56e9b977e7c4b21779f2b80444c8c94fd653cd4ed014a8f

SHA512
6910484773786ff2a7fe5d38b160479a2e41ed27f5c84a145a4e8c2ffd1c0684b1cd43958fa9d3215326b9fcc4570d3ca1407e2005f7c21800100d50784edce0

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
2.2MB

MD5
8d475f4da95e5d43924d89fb8d1c6c95

SHA1
2966fc835e63c9e8e5dc4a38d231751355d980ac

SHA256
ddea36d71faffe9cd38825cea64b84c5ba55bb48b06a5cb1c2c8e5fcd90ebabd

SHA512
c75fb0c1bd630474ae3ad0330a9007ea316ccd1045467031b50d07eff25351e2ce97b02a4f30475234f94ee1ae813f164d640470190b160b4bf3fe1a5f501eff

Download Submit
memory/960-966-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1376-798-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2224-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-63-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/3156-965-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3644-797-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3644-76-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4616-964-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4624-23-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4624-28-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4624-21-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4624-0-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4840-77-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4840-71-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads