blustealer | 3322b19106784923e2ddca902b4dbcb5b45724df974cccfd943c435b778c1cc0

Analysis

max time kernel
156s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2022 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG50063065.pif.exe
Size

1.2MB
MD5

b1ebf9a17fd043323203f7b7ce7b5723
SHA1

6b8111febaa3376fa44e6ed415dc947884e57b34
SHA256

3322b19106784923e2ddca902b4dbcb5b45724df974cccfd943c435b778c1cc0
SHA512

f1151a2888b0841d981f9a540a4863ccc54de24039a9bcdfc439986722a57e020f8d0b559d713d5ab3e836ed8a93651d83dc8fe7f1420e497444f490e36bc30a
SSDEEP

24576:HmeNfdhdkhFXFQRUDcgvhdaMPe858oN357XOf3z3woEY:HPfKHFQCDZnag58ohxXo3zw

Score

10^/10

blustealer netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

augtolife.serveftp.com:500

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
sep
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

NetWire RAT payload 9 IoCs

rat

resource	yara_rule
behavioral2/memory/3700-137-0x0000000000400000-0x00000000004E7000-memory.dmp	netwire
behavioral2/memory/3700-140-0x0000000000400000-0x00000000004E7000-memory.dmp	netwire
behavioral2/memory/3700-143-0x0000000000400000-0x00000000004E7000-memory.dmp	netwire
behavioral2/files/0x000a000000022e2f-146.dat	netwire
behavioral2/files/0x000a000000022e2f-147.dat	netwire
behavioral2/files/0x0006000000022e53-152.dat	netwire
behavioral2/files/0x0006000000022e53-153.dat	netwire
behavioral2/files/0x0008000000022e4a-179.dat	netwire
behavioral2/files/0x0008000000022e4a-180.dat	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 7 IoCs

pid	Process
4696	FB_9AF8.tmp.exe
3808	FB_BEAD.tmp.exe
2580	Host.exe
320	docuone.exe
2740	docuone.exe
4284	FB_86DA.tmp.exe
4088	FB_960D.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	FB_9AF8.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ˆ¥Ï³§çïË)«>–š = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 424 set thread context of 3700	424	IMG50063065.pif.exe	81
PID 320 set thread context of 1724	320	docuone.exe	110
PID 2740 set thread context of 2256	2740	docuone.exe	120

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3972	schtasks.exe
4068	schtasks.exe
1988	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	424	IMG50063065.pif.exe
Token: SeDebugPrivilege	320	docuone.exe
Token: SeDebugPrivilege	2740	docuone.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3808	FB_BEAD.tmp.exe
4088	FB_960D.tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 424 wrote to memory of 3700	424	IMG50063065.pif.exe	81
PID 424 wrote to memory of 3700	424	IMG50063065.pif.exe	81
PID 424 wrote to memory of 3700	424	IMG50063065.pif.exe	81
PID 424 wrote to memory of 3700	424	IMG50063065.pif.exe	81
PID 424 wrote to memory of 3700	424	IMG50063065.pif.exe	81
PID 424 wrote to memory of 3700	424	IMG50063065.pif.exe	81
PID 424 wrote to memory of 3700	424	IMG50063065.pif.exe	81
PID 424 wrote to memory of 3700	424	IMG50063065.pif.exe	81
PID 424 wrote to memory of 3700	424	IMG50063065.pif.exe	81
PID 424 wrote to memory of 3428	424	IMG50063065.pif.exe	82
PID 424 wrote to memory of 3428	424	IMG50063065.pif.exe	82
PID 424 wrote to memory of 3428	424	IMG50063065.pif.exe	82
PID 424 wrote to memory of 3680	424	IMG50063065.pif.exe	83
PID 424 wrote to memory of 3680	424	IMG50063065.pif.exe	83
PID 424 wrote to memory of 3680	424	IMG50063065.pif.exe	83
PID 424 wrote to memory of 1432	424	IMG50063065.pif.exe	85
PID 424 wrote to memory of 1432	424	IMG50063065.pif.exe	85
PID 424 wrote to memory of 1432	424	IMG50063065.pif.exe	85
PID 3680 wrote to memory of 1988	3680	cmd.exe	88
PID 3680 wrote to memory of 1988	3680	cmd.exe	88
PID 3680 wrote to memory of 1988	3680	cmd.exe	88
PID 3700 wrote to memory of 4696	3700	vbc.exe	89
PID 3700 wrote to memory of 4696	3700	vbc.exe	89
PID 3700 wrote to memory of 4696	3700	vbc.exe	89
PID 3700 wrote to memory of 3808	3700	vbc.exe	90
PID 3700 wrote to memory of 3808	3700	vbc.exe	90
PID 3700 wrote to memory of 3808	3700	vbc.exe	90
PID 4696 wrote to memory of 2580	4696	FB_9AF8.tmp.exe	91
PID 4696 wrote to memory of 2580	4696	FB_9AF8.tmp.exe	91
PID 4696 wrote to memory of 2580	4696	FB_9AF8.tmp.exe	91
PID 320 wrote to memory of 1724	320	docuone.exe	110
PID 320 wrote to memory of 1724	320	docuone.exe	110
PID 320 wrote to memory of 1724	320	docuone.exe	110
PID 320 wrote to memory of 1724	320	docuone.exe	110
PID 320 wrote to memory of 1724	320	docuone.exe	110
PID 320 wrote to memory of 1724	320	docuone.exe	110
PID 320 wrote to memory of 1724	320	docuone.exe	110
PID 320 wrote to memory of 1724	320	docuone.exe	110
PID 320 wrote to memory of 1724	320	docuone.exe	110
PID 320 wrote to memory of 1392	320	docuone.exe	111
PID 320 wrote to memory of 1392	320	docuone.exe	111
PID 320 wrote to memory of 1392	320	docuone.exe	111
PID 320 wrote to memory of 4652	320	docuone.exe	113
PID 320 wrote to memory of 4652	320	docuone.exe	113
PID 320 wrote to memory of 4652	320	docuone.exe	113
PID 320 wrote to memory of 2776	320	docuone.exe	114
PID 320 wrote to memory of 2776	320	docuone.exe	114
PID 320 wrote to memory of 2776	320	docuone.exe	114
PID 4652 wrote to memory of 3972	4652	cmd.exe	117
PID 4652 wrote to memory of 3972	4652	cmd.exe	117
PID 4652 wrote to memory of 3972	4652	cmd.exe	117
PID 2740 wrote to memory of 2256	2740	docuone.exe	120
PID 2740 wrote to memory of 2256	2740	docuone.exe	120
PID 2740 wrote to memory of 2256	2740	docuone.exe	120
PID 2740 wrote to memory of 2256	2740	docuone.exe	120
PID 2740 wrote to memory of 2256	2740	docuone.exe	120
PID 2740 wrote to memory of 2256	2740	docuone.exe	120
PID 2740 wrote to memory of 2256	2740	docuone.exe	120
PID 2740 wrote to memory of 2256	2740	docuone.exe	120
PID 2740 wrote to memory of 2256	2740	docuone.exe	120
PID 2740 wrote to memory of 3332	2740	docuone.exe	121
PID 2740 wrote to memory of 3332	2740	docuone.exe	121
PID 2740 wrote to memory of 3332	2740	docuone.exe	121
PID 2740 wrote to memory of 988	2740	docuone.exe	122

C:\Users\Admin\AppData\Local\Temp\IMG50063065.pif.exe
"C:\Users\Admin\AppData\Local\Temp\IMG50063065.pif.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Users\Admin\AppData\Local\Temp\FB_9AF8.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\FB_9AF8.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2580
- - C:\Users\Admin\AppData\Local\Temp\FB_BEAD.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\FB_BEAD.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3808
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\docuone"
  2⤵
  PID:3428
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\docuone\docuone.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\docuone\docuone.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\IMG50063065.pif.exe" "C:\Users\Admin\AppData\Roaming\docuone\docuone.exe"
  2⤵
  PID:1432

C:\Users\Admin\AppData\Roaming\docuone\docuone.exe
C:\Users\Admin\AppData\Roaming\docuone\docuone.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1724
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\docuone"
  2⤵
  PID:1392
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\docuone\docuone.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\docuone\docuone.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:3972
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\docuone\docuone.exe" "C:\Users\Admin\AppData\Roaming\docuone\docuone.exe"
  2⤵
  PID:2776

C:\Users\Admin\AppData\Roaming\docuone\docuone.exe
C:\Users\Admin\AppData\Roaming\docuone\docuone.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\FB_86DA.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\FB_86DA.tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:4284
- - C:\Users\Admin\AppData\Local\Temp\FB_960D.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\FB_960D.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4088
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\docuone"
  2⤵
  PID:3332
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\docuone\docuone.exe'" /f
  2⤵
  PID:988
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\docuone\docuone.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4068
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\docuone\docuone.exe" "C:\Users\Admin\AppData\Roaming\docuone\docuone.exe"
  2⤵
  PID:2448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\docuone.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_86DA.tmp.exe

Filesize
273KB

MD5
425a1e0963fb8ee810a30a3f879274ba

SHA1
01b5a89e274e6b0f9f85d3816ead5923029290dc

SHA256
3b66ca07eff688da68408f4068e013aeb5ae1e274a823fa31f3459280ba32ac3

SHA512
f81c9b24946cd6c312344cac11752144545a64a37af221335b6dbc0d0cb71768905cccefee63287cddffd319f8c8d3cc4a38dca6f2557f0d1d2ad316ba6d081d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_86DA.tmp.exe

Filesize
273KB

MD5
425a1e0963fb8ee810a30a3f879274ba

SHA1
01b5a89e274e6b0f9f85d3816ead5923029290dc

SHA256
3b66ca07eff688da68408f4068e013aeb5ae1e274a823fa31f3459280ba32ac3

SHA512
f81c9b24946cd6c312344cac11752144545a64a37af221335b6dbc0d0cb71768905cccefee63287cddffd319f8c8d3cc4a38dca6f2557f0d1d2ad316ba6d081d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_960D.tmp.exe

Filesize
632KB

MD5
43fad29e3e0cdba820580d0910c3cfdc

SHA1
939cdf1bb52f4e49192f9959bf539c644796b097

SHA256
edf7d6b1c9104b00cb08e9c1948d80de71bc275094b4deb08e472d67a1887d2e

SHA512
2d6246a4d2129136df7fe6e93dfc988c2de2abf27d368790271a8903e1638f74005e0b64a37a858b92ea9d64f74741801651cd42761ad89dddae578d19cd0c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_960D.tmp.exe

Filesize
632KB

MD5
43fad29e3e0cdba820580d0910c3cfdc

SHA1
939cdf1bb52f4e49192f9959bf539c644796b097

SHA256
edf7d6b1c9104b00cb08e9c1948d80de71bc275094b4deb08e472d67a1887d2e

SHA512
2d6246a4d2129136df7fe6e93dfc988c2de2abf27d368790271a8903e1638f74005e0b64a37a858b92ea9d64f74741801651cd42761ad89dddae578d19cd0c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_9AF8.tmp.exe

Filesize
273KB

MD5
425a1e0963fb8ee810a30a3f879274ba

SHA1
01b5a89e274e6b0f9f85d3816ead5923029290dc

SHA256
3b66ca07eff688da68408f4068e013aeb5ae1e274a823fa31f3459280ba32ac3

SHA512
f81c9b24946cd6c312344cac11752144545a64a37af221335b6dbc0d0cb71768905cccefee63287cddffd319f8c8d3cc4a38dca6f2557f0d1d2ad316ba6d081d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_9AF8.tmp.exe

Filesize
273KB

MD5
425a1e0963fb8ee810a30a3f879274ba

SHA1
01b5a89e274e6b0f9f85d3816ead5923029290dc

SHA256
3b66ca07eff688da68408f4068e013aeb5ae1e274a823fa31f3459280ba32ac3

SHA512
f81c9b24946cd6c312344cac11752144545a64a37af221335b6dbc0d0cb71768905cccefee63287cddffd319f8c8d3cc4a38dca6f2557f0d1d2ad316ba6d081d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_BEAD.tmp.exe

Filesize
632KB

MD5
43fad29e3e0cdba820580d0910c3cfdc

SHA1
939cdf1bb52f4e49192f9959bf539c644796b097

SHA256
edf7d6b1c9104b00cb08e9c1948d80de71bc275094b4deb08e472d67a1887d2e

SHA512
2d6246a4d2129136df7fe6e93dfc988c2de2abf27d368790271a8903e1638f74005e0b64a37a858b92ea9d64f74741801651cd42761ad89dddae578d19cd0c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_BEAD.tmp.exe

Filesize
632KB

MD5
43fad29e3e0cdba820580d0910c3cfdc

SHA1
939cdf1bb52f4e49192f9959bf539c644796b097

SHA256
edf7d6b1c9104b00cb08e9c1948d80de71bc275094b4deb08e472d67a1887d2e

SHA512
2d6246a4d2129136df7fe6e93dfc988c2de2abf27d368790271a8903e1638f74005e0b64a37a858b92ea9d64f74741801651cd42761ad89dddae578d19cd0c8e

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
273KB

MD5
425a1e0963fb8ee810a30a3f879274ba

SHA1
01b5a89e274e6b0f9f85d3816ead5923029290dc

SHA256
3b66ca07eff688da68408f4068e013aeb5ae1e274a823fa31f3459280ba32ac3

SHA512
f81c9b24946cd6c312344cac11752144545a64a37af221335b6dbc0d0cb71768905cccefee63287cddffd319f8c8d3cc4a38dca6f2557f0d1d2ad316ba6d081d

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
273KB

MD5
425a1e0963fb8ee810a30a3f879274ba

SHA1
01b5a89e274e6b0f9f85d3816ead5923029290dc

SHA256
3b66ca07eff688da68408f4068e013aeb5ae1e274a823fa31f3459280ba32ac3

SHA512
f81c9b24946cd6c312344cac11752144545a64a37af221335b6dbc0d0cb71768905cccefee63287cddffd319f8c8d3cc4a38dca6f2557f0d1d2ad316ba6d081d

Download Submit
C:\Users\Admin\AppData\Roaming\docuone\docuone.exe

Filesize
1.2MB

MD5
b1ebf9a17fd043323203f7b7ce7b5723

SHA1
6b8111febaa3376fa44e6ed415dc947884e57b34

SHA256
3322b19106784923e2ddca902b4dbcb5b45724df974cccfd943c435b778c1cc0

SHA512
f1151a2888b0841d981f9a540a4863ccc54de24039a9bcdfc439986722a57e020f8d0b559d713d5ab3e836ed8a93651d83dc8fe7f1420e497444f490e36bc30a

Download Submit
C:\Users\Admin\AppData\Roaming\docuone\docuone.exe

Filesize
1.2MB

MD5
b1ebf9a17fd043323203f7b7ce7b5723

SHA1
6b8111febaa3376fa44e6ed415dc947884e57b34

SHA256
3322b19106784923e2ddca902b4dbcb5b45724df974cccfd943c435b778c1cc0

SHA512
f1151a2888b0841d981f9a540a4863ccc54de24039a9bcdfc439986722a57e020f8d0b559d713d5ab3e836ed8a93651d83dc8fe7f1420e497444f490e36bc30a

Download Submit
C:\Users\Admin\AppData\Roaming\docuone\docuone.exe

Filesize
1.2MB

MD5
b1ebf9a17fd043323203f7b7ce7b5723

SHA1
6b8111febaa3376fa44e6ed415dc947884e57b34

SHA256
3322b19106784923e2ddca902b4dbcb5b45724df974cccfd943c435b778c1cc0

SHA512
f1151a2888b0841d981f9a540a4863ccc54de24039a9bcdfc439986722a57e020f8d0b559d713d5ab3e836ed8a93651d83dc8fe7f1420e497444f490e36bc30a

Download Submit
memory/320-158-0x0000000000900000-0x0000000000A3C000-memory.dmp

Filesize
1.2MB

Download
memory/424-135-0x0000000000320000-0x000000000045C000-memory.dmp

Filesize
1.2MB

Download
memory/3700-140-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3700-143-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3700-137-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads