purecrypter | a0a8abebf8f15ff4162fb6ead5b86f41e3c271fa9639a184f14112bc8185fd72

General

Target

CRM_chat/CRM_chat_laucnher.exe
Size

677.7MB
MD5

e0e15d15df5f199a4a598179ef38efc4
SHA1

c8f9954db05274eb0efc97a9bc6d062abba4bbbe
SHA256

8a1e48fb5bdf53c3ad86c7c2adaacfce682c6088b00af99558601e7cd1e08766
SHA512

59f03df492b6b93ecf97361e34eeae6f17e25dc3cc348667a72c87e56e65bebb1fbd6a20c7c9fc92e6f30bd73ecae3f5b71c8884837785208d54d8c13600d56b
SSDEEP

1536:Krae78zjORCDGwfdCSog01313Vs5gChkD7OMYVG:CahKyd2n31S5veOK

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Extracted

Family

purecrypter

C2

https://knickglobal.com/wp-admin/images/css/design/fabric/bo/Odcny.dll

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

47 3240 rundll32.exe
48 1332 rundll32.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

setup_ov2.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation setup_ov2.exe
Executes dropped EXE 2 IoCs

Processes:

setup_ov2.exesetup_ov2.exe

pid process

5064 setup_ov2.exe
4876 setup_ov2.exe

flow	pid	process
47	3240	rundll32.exe
48	1332	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	setup_ov2.exe

pid	process
5064	setup_ov2.exe
4876	setup_ov2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CRM_chat_laucnher.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	CRM_chat_laucnher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	CRM_chat_laucnher.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

setup_ov2.exesetup_ov2.exe

description	pid	process	target process
PID 5064 set thread context of 4876	5064	setup_ov2.exe	setup_ov2.exe
PID 4876 set thread context of 1332	4876	setup_ov2.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 47 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesetup_ov2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	setup_ov2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	setup_ov2.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	setup_ov2.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	setup_ov2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	setup_ov2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exerundll32.exe

pid process

4672 powershell.exe
4672 powershell.exe
1808 powershell.exe
1808 powershell.exe
1332 rundll32.exe
1332 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

setup_ov2.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 5064 setup_ov2.exe
Token: SeDebugPrivilege 4672 powershell.exe
Token: SeDebugPrivilege 1808 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

1332 rundll32.exe

pid	process
4672	powershell.exe
4672	powershell.exe
1808	powershell.exe
1808	powershell.exe
1332	rundll32.exe
1332	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	5064	setup_ov2.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe

pid	process
1332	rundll32.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

CRM_chat_laucnher.exesetup_ov2.execmd.exesetup_ov2.exe

description	pid	process	target process
PID 3672 wrote to memory of 5064	3672	CRM_chat_laucnher.exe	setup_ov2.exe
PID 3672 wrote to memory of 5064	3672	CRM_chat_laucnher.exe	setup_ov2.exe
PID 3672 wrote to memory of 5064	3672	CRM_chat_laucnher.exe	setup_ov2.exe
PID 5064 wrote to memory of 4672	5064	setup_ov2.exe	powershell.exe
PID 5064 wrote to memory of 4672	5064	setup_ov2.exe	powershell.exe
PID 5064 wrote to memory of 4672	5064	setup_ov2.exe	powershell.exe
PID 5064 wrote to memory of 3124	5064	setup_ov2.exe	cmd.exe
PID 5064 wrote to memory of 3124	5064	setup_ov2.exe	cmd.exe
PID 5064 wrote to memory of 3124	5064	setup_ov2.exe	cmd.exe
PID 3124 wrote to memory of 1808	3124	cmd.exe	powershell.exe
PID 3124 wrote to memory of 1808	3124	cmd.exe	powershell.exe
PID 3124 wrote to memory of 1808	3124	cmd.exe	powershell.exe
PID 5064 wrote to memory of 4876	5064	setup_ov2.exe	setup_ov2.exe
PID 5064 wrote to memory of 4876	5064	setup_ov2.exe	setup_ov2.exe
PID 5064 wrote to memory of 4876	5064	setup_ov2.exe	setup_ov2.exe
PID 5064 wrote to memory of 4876	5064	setup_ov2.exe	setup_ov2.exe
PID 5064 wrote to memory of 4876	5064	setup_ov2.exe	setup_ov2.exe
PID 5064 wrote to memory of 4876	5064	setup_ov2.exe	setup_ov2.exe
PID 5064 wrote to memory of 4876	5064	setup_ov2.exe	setup_ov2.exe
PID 5064 wrote to memory of 4876	5064	setup_ov2.exe	setup_ov2.exe
PID 5064 wrote to memory of 4876	5064	setup_ov2.exe	setup_ov2.exe
PID 5064 wrote to memory of 4876	5064	setup_ov2.exe	setup_ov2.exe
PID 5064 wrote to memory of 4876	5064	setup_ov2.exe	setup_ov2.exe
PID 5064 wrote to memory of 4876	5064	setup_ov2.exe	setup_ov2.exe
PID 5064 wrote to memory of 4876	5064	setup_ov2.exe	setup_ov2.exe
PID 5064 wrote to memory of 4876	5064	setup_ov2.exe	setup_ov2.exe
PID 4876 wrote to memory of 3240	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 3240	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 3240	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 3240	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 3240	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 3240	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 3240	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 3240	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 3240	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 3240	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 3240	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 3240	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 3240	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 3240	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 3240	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 3240	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 3240	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 3240	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 3240	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 1332	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 1332	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 1332	4876	setup_ov2.exe	rundll32.exe
PID 4876 wrote to memory of 1332	4876	setup_ov2.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\CRM_chat\CRM_chat_laucnher.exe
"C:\Users\Admin\AppData\Local\Temp\CRM_chat\CRM_chat_laucnher.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3672

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
3⤵
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
- Blocklisted process makes network request
PID:3240

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
a8e98e1f71466fcc8c79a7e78870520c

SHA1
c40ee49085b4943cf29d8d38f00fd93b60da2b8a

SHA256
415bdc85421a592df15f1990239a79674a5b9d0ff56fa2ab3924ecdf7ee06a67

SHA512
86810991485502d088505b3248df4986ef1780437e4ba39c63ed0b6b8ffbf9b0632a2481ebea882874efd6e39cf4b9b9a5a04acdcc9b8e58f5340fbfac0be1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
Filesize
362.4MB

MD5
6c14c4def456320e26c2ea5f2886e3a4

SHA1
530f9425a6b3d8e78a035e11efb4be27d2bcacf4

SHA256
8ff1b246e839bb692cb41ae3c09b7048a361eef6ebd6b2316b4d3ea8e3b78afa

SHA512
63ef77b2f31e596916e574ae0c77a0dcc62f09753753e7299f4abc070dc32f7be07115c8da11868f165cb181e8681351524875e049ba5be2a1ab2c68e83ac5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
Filesize
362.4MB

MD5
6c14c4def456320e26c2ea5f2886e3a4

SHA1
530f9425a6b3d8e78a035e11efb4be27d2bcacf4

SHA256
8ff1b246e839bb692cb41ae3c09b7048a361eef6ebd6b2316b4d3ea8e3b78afa

SHA512
63ef77b2f31e596916e574ae0c77a0dcc62f09753753e7299f4abc070dc32f7be07115c8da11868f165cb181e8681351524875e049ba5be2a1ab2c68e83ac5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
Filesize
362.4MB

MD5
6c14c4def456320e26c2ea5f2886e3a4

SHA1
530f9425a6b3d8e78a035e11efb4be27d2bcacf4

SHA256
8ff1b246e839bb692cb41ae3c09b7048a361eef6ebd6b2316b4d3ea8e3b78afa

SHA512
63ef77b2f31e596916e574ae0c77a0dcc62f09753753e7299f4abc070dc32f7be07115c8da11868f165cb181e8681351524875e049ba5be2a1ab2c68e83ac5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tperiuiu.tmp
Filesize
3.5MB

MD5
552c24c5983c8624f49cedd2695b43d7

SHA1
f86503b92829adf9c262172690000f06171ee253

SHA256
30d0e2421c18b22ff2d9128f0607043650a33f3ad7ac8d9a52578b914d4ad1f3

SHA512
986528217392730a66440fbef5a90dad4f2982445b7a2a8f15a8d73cc607633af0ec1b665101d2eddb3764fc9e53e625008d6bf1ec89d7bf54b9aa9de583ec62

Download Submit
memory/1332-184-0x0000000003700000-0x0000000003840000-memory.dmp

Filesize
1.2MB

Download
memory/1332-183-0x0000000000B50000-0x0000000001589000-memory.dmp

Filesize
10.2MB

Download
memory/1332-182-0x0000000002BA0000-0x00000000036F9000-memory.dmp

Filesize
11.3MB

Download
memory/1332-186-0x0000000002BA0000-0x00000000036F9000-memory.dmp

Filesize
11.3MB

Download
memory/1332-181-0x0000000000000000-mapping.dmp

Download
memory/1332-185-0x0000000003700000-0x0000000003840000-memory.dmp

Filesize
1.2MB

Download
memory/1808-167-0x0000000007600000-0x000000000761A000-memory.dmp

Filesize
104KB

Download
memory/1808-146-0x0000000000000000-mapping.dmp

Download
memory/1808-163-0x0000000007660000-0x00000000076F6000-memory.dmp

Filesize
600KB

Download
memory/1808-162-0x0000000007470000-0x000000000747A000-memory.dmp

Filesize
40KB

Download
memory/1808-166-0x0000000005F00000-0x0000000005F0E000-memory.dmp

Filesize
56KB

Download
memory/1808-161-0x0000000006660000-0x000000000667E000-memory.dmp

Filesize
120KB

Download
memory/1808-159-0x0000000070F20000-0x0000000070F6C000-memory.dmp

Filesize
304KB

Download
memory/1808-158-0x0000000006680000-0x00000000066B2000-memory.dmp

Filesize
200KB

Download
memory/1808-168-0x0000000007460000-0x0000000007468000-memory.dmp

Filesize
32KB

Download
memory/3124-145-0x0000000000000000-mapping.dmp

Download
memory/3240-160-0x0000000000000000-mapping.dmp

Download
memory/4672-144-0x0000000006080000-0x000000000609A000-memory.dmp

Filesize
104KB

Download
memory/4672-137-0x0000000000000000-mapping.dmp

Download
memory/4672-138-0x0000000002520000-0x0000000002556000-memory.dmp

Filesize
216KB

Download
memory/4672-139-0x0000000004D50000-0x0000000005378000-memory.dmp

Filesize
6.2MB

Download
memory/4672-140-0x0000000004C70000-0x0000000004CD6000-memory.dmp

Filesize
408KB

Download
memory/4672-141-0x00000000054F0000-0x0000000005556000-memory.dmp

Filesize
408KB

Download
memory/4672-142-0x0000000005B90000-0x0000000005BAE000-memory.dmp

Filesize
120KB

Download
memory/4672-143-0x00000000071F0000-0x000000000786A000-memory.dmp

Filesize
6.5MB

Download
memory/4876-179-0x0000000004210000-0x0000000004350000-memory.dmp

Filesize
1.2MB

Download
memory/4876-175-0x0000000004210000-0x0000000004350000-memory.dmp

Filesize
1.2MB

Download
memory/4876-165-0x000000000068B000-0x0000000000691000-memory.dmp

Filesize
24KB

Download
memory/4876-155-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/4876-149-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/4876-151-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/4876-170-0x00000000033B0000-0x0000000003F09000-memory.dmp

Filesize
11.3MB

Download
memory/4876-171-0x00000000033B0000-0x0000000003F09000-memory.dmp

Filesize
11.3MB

Download
memory/4876-172-0x00000000033B0000-0x0000000003F09000-memory.dmp

Filesize
11.3MB

Download
memory/4876-173-0x0000000004210000-0x0000000004350000-memory.dmp

Filesize
1.2MB

Download
memory/4876-174-0x0000000004210000-0x0000000004350000-memory.dmp

Filesize
1.2MB

Download
memory/4876-164-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/4876-176-0x0000000004210000-0x0000000004350000-memory.dmp

Filesize
1.2MB

Download
memory/4876-177-0x0000000004210000-0x0000000004350000-memory.dmp

Filesize
1.2MB

Download
memory/4876-178-0x0000000004210000-0x0000000004350000-memory.dmp

Filesize
1.2MB

Download
memory/4876-156-0x000000000068B000-0x0000000000691000-memory.dmp

Filesize
24KB

Download
memory/4876-180-0x0000000004210000-0x0000000004350000-memory.dmp

Filesize
1.2MB

Download
memory/4876-148-0x0000000000000000-mapping.dmp

Download
memory/4876-152-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/4876-153-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/5064-132-0x0000000000000000-mapping.dmp

Download
memory/5064-136-0x0000000008140000-0x0000000008162000-memory.dmp

Filesize
136KB

Download
memory/5064-135-0x0000000000E20000-0x0000000000E2C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads