f240c82422f372d743f07ece7ef785c9198709445ed2ac3734d9d8b996ca9d47

Analysis

max time kernel
103s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 14:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f240c82422f372d743f07ece7ef785c9198709445ed2ac3734d9d8b996ca9d47N.exe
Size

3.6MB
MD5

2b14529c5b131e6c3c481ea9dab2b770
SHA1

e0171f802883de1ab81507e67d6d5fafeb304857
SHA256

f240c82422f372d743f07ece7ef785c9198709445ed2ac3734d9d8b996ca9d47
SHA512

60971ae003e88e29fa8bdff62a5e8f165ec108c3a60382cc46495b1002c7930eed253d684d58d5872fb023fccf12719ae0b8f44d313b077cddec540a36d5e2d1
SSDEEP

98304:DzTBOuIGRtM7jKjqjt5xjNUoox21aXLYj:HTgtGRw1RhUooE1GY

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	AUSzBbM3G0JY6OK.exe

Executes dropped EXE 3 IoCs

pid	Process
4236	AUSzBbM3G0JY6OK.exe
3588	CTS.exe
392	vs_setup_bootstrapper.exe

Loads dropped DLL 19 IoCs

pid	Process
392	vs_setup_bootstrapper.exe
392	vs_setup_bootstrapper.exe
392	vs_setup_bootstrapper.exe
392	vs_setup_bootstrapper.exe
392	vs_setup_bootstrapper.exe
392	vs_setup_bootstrapper.exe
392	vs_setup_bootstrapper.exe
392	vs_setup_bootstrapper.exe
392	vs_setup_bootstrapper.exe
392	vs_setup_bootstrapper.exe
392	vs_setup_bootstrapper.exe
392	vs_setup_bootstrapper.exe
392	vs_setup_bootstrapper.exe
392	vs_setup_bootstrapper.exe
392	vs_setup_bootstrapper.exe
392	vs_setup_bootstrapper.exe
392	vs_setup_bootstrapper.exe
392	vs_setup_bootstrapper.exe
392	vs_setup_bootstrapper.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	f240c82422f372d743f07ece7ef785c9198709445ed2ac3734d9d8b996ca9d47N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	f240c82422f372d743f07ece7ef785c9198709445ed2ac3734d9d8b996ca9d47N.exe
File created	C:\Windows\CTS.exe	CTS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CTS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AUSzBbM3G0JY6OK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vs_setup_bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getmac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	vs_setup_bootstrapper.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	vs_setup_bootstrapper.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	vs_setup_bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f240c82422f372d743f07ece7ef785c9198709445ed2ac3734d9d8b996ca9d47N.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vs_setup_bootstrapper.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vs_setup_bootstrapper.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vs_setup_bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vs_setup_bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	vs_setup_bootstrapper.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4508	f240c82422f372d743f07ece7ef785c9198709445ed2ac3734d9d8b996ca9d47N.exe
Token: SeDebugPrivilege	3588	CTS.exe
Token: SeDebugPrivilege	392	vs_setup_bootstrapper.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 4236	4508	f240c82422f372d743f07ece7ef785c9198709445ed2ac3734d9d8b996ca9d47N.exe	82
PID 4508 wrote to memory of 4236	4508	f240c82422f372d743f07ece7ef785c9198709445ed2ac3734d9d8b996ca9d47N.exe	82
PID 4508 wrote to memory of 4236	4508	f240c82422f372d743f07ece7ef785c9198709445ed2ac3734d9d8b996ca9d47N.exe	82
PID 4508 wrote to memory of 3588	4508	f240c82422f372d743f07ece7ef785c9198709445ed2ac3734d9d8b996ca9d47N.exe	83
PID 4508 wrote to memory of 3588	4508	f240c82422f372d743f07ece7ef785c9198709445ed2ac3734d9d8b996ca9d47N.exe	83
PID 4508 wrote to memory of 3588	4508	f240c82422f372d743f07ece7ef785c9198709445ed2ac3734d9d8b996ca9d47N.exe	83
PID 4236 wrote to memory of 392	4236	AUSzBbM3G0JY6OK.exe	84
PID 4236 wrote to memory of 392	4236	AUSzBbM3G0JY6OK.exe	84
PID 4236 wrote to memory of 392	4236	AUSzBbM3G0JY6OK.exe	84
PID 392 wrote to memory of 3708	392	vs_setup_bootstrapper.exe	85
PID 392 wrote to memory of 3708	392	vs_setup_bootstrapper.exe	85
PID 392 wrote to memory of 3708	392	vs_setup_bootstrapper.exe	85

C:\Users\Admin\AppData\Local\Temp\f240c82422f372d743f07ece7ef785c9198709445ed2ac3734d9d8b996ca9d47N.exe
"C:\Users\Admin\AppData\Local\Temp\f240c82422f372d743f07ece7ef785c9198709445ed2ac3734d9d8b996ca9d47N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Users\Admin\AppData\Local\Temp\AUSzBbM3G0JY6OK.exe
  C:\Users\Admin\AppData\Local\Temp\AUSzBbM3G0JY6OK.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Users\Admin\AppData\Local\Temp\c2e19bf3b77f5fd971486c\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\c2e19bf3b77f5fd971486c\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\AUSzBbM3G0JY6OK.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\SysWOW64\getmac.exe
      "getmac"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3708
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
394KB

MD5
96527f8abc9df77eb20b1e76e5b37d7b

SHA1
933590b1af05abb1de071b412a4c4b3273e5b2eb

SHA256
82725f0c688a5cb1e100949d32aada1d80c5a08960cf1f624e0a060b09fb41fe

SHA512
a1c3230b48dad3e5b1010b02b7cb17726d7027948ad16f95bf8636c687a6b971b373512f5d9e6a988614017f1067a9e16e368bd3df5bed26f23960c8bbbc45f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUSzBbM3G0JY6OK.exe

Filesize
3.5MB

MD5
f32908d4944949b7c026a0421ce04879

SHA1
54f01696973eb9cc63c5a0a08812c188dd5150df

SHA256
2cd59d39d80de8823851ede07d0ddba1f283b0fae86060441f748b11e6e31f4f

SHA512
8d2ad3ea536a84320da3cbe874aca227329069624f2606767adc335ded18fd6f0646d74d7169179bebb1fce7bc4687f2164a0f23dd50d251a392bf4eea7d36c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2e19bf3b77f5fd971486c\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll

Filesize
18KB

MD5
7ef638cbd3200605fc15e7be7ea9fcb5

SHA1
534f6176f10bc79b2655e535b7ac6a4df9f67855

SHA256
467df0856c41d9b37e6c55ae1b82edcca60f4c7847f93b7f24ca6543b675ad8a

SHA512
c145576d119e2053c0cbffb910f63003d42c2af320ba410f6e81da9e40cc337000d8ad733778873bd2700e366f5672c311d69b4b2391564fe19fa6e48c1cb373

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2e19bf3b77f5fd971486c\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll

Filesize
113KB

MD5
ed2315668a0dda422f463d27c8110838

SHA1
ce17813ccc0cd968d9fb3d01e7b7ffbf3b05cebe

SHA256
0ce6da02115192a688359299b1a47ce9e6b2a8adf3dfcd92a2467b55d5f3c0aa

SHA512
e9a47c030fa20a8d36f0c47293e547de0e7d978813ebde64f181d76d8606cf629846075ecb5e3a0b9d262a6fba7aeb0caa8fe3006c018de3c2c2ecdbf31c1eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2e19bf3b77f5fd971486c\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll

Filesize
44KB

MD5
2338953ae2ab47de1703f27e872e84ba

SHA1
2765b2f2cd04a0e1df7556da551ce9d763bc5c4d

SHA256
bfc4890087c01f629fa09e744e5a861f9f68b504100cbcf805855fa5906d61c7

SHA512
417ce0ef8344409ebd05b8c52b58a3960489fe810b95af31e72430690ffb8258042a73e205fc27396731113ad84302ff898821b4f2db2b9d4fa2b2293ccca872

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2e19bf3b77f5fd971486c\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll

Filesize
401KB

MD5
d4fa5e438ff243a1da462726fb4ea164

SHA1
7effd06f4eaa0a5d701ea4162dce55cbfeb4c0cd

SHA256
fa9d5c116363ccc82f92767bbb36d154f8903b861a9de65a01fd7824a566b4b0

SHA512
8dbfc97abb5eb4363a1c896a4d276630a502354ed144e60dfb0ffbc1245486003d8af49443fd4baa70541114b50764467caed709cc416f60eaf33fd0f6fcee7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2e19bf3b77f5fd971486c\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll

Filesize
133KB

MD5
a6076a6e981bc6c29f270d3919e722e8

SHA1
739c1b7fe6ade740cd87aeb84a4ac10720b14a2a

SHA256
460bed22e1f7148209901da0eb97fd8d83fef8f1404e3fb82219c90ae2876710

SHA512
064f5a4756b3a0b8f8017e892ab85e0340d9f60fd1c03f2250cc24bdb0d650edaae873c8dcf543af31e027ac5eaa1bfeda99099286de71332eced742c78d6720

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2e19bf3b77f5fd971486c\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll

Filesize
1.2MB

MD5
fc32f39277ebbe48d976c9970cdab5dd

SHA1
2d2e6eafd0d16ec8f577293f4903f2ae3453752f

SHA256
7dd27a5ca48c16725e3a3ec9b18b1e198390e4c5f62af9a5c2489b27e3f871f8

SHA512
30f99c799d2f88fc5cd66593435f851410e9cbafb10ad435c57a85a7eb86a4cf7179937b2da2597dab77da3b04d9770331ea776053d02af08ad4f6c7abbc45ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2e19bf3b77f5fd971486c\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll

Filesize
919KB

MD5
015ef51b3e50cc182b323524e5296172

SHA1
f5e8cb54340c3f6f0c4876348193afd04bb10323

SHA256
289200599446f28664d3a44774ec076061fab75fa7307637284bf50231d25c0b

SHA512
8c69cbaee9e9d4c526fd5f5db5a1d5030821f1ce79e7a4698bb2ef9617e81832528130a485c09bfd24b63202e5c91ba03accdbe53f0be9a3bcb11e16b12097e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2e19bf3b77f5fd971486c\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll

Filesize
41KB

MD5
c510b1756eac53c62ba8c7279609357f

SHA1
953ee732da8c49d2ef97711f5b7220d5e2cea8d6

SHA256
188f3af3e336a5bf1dc82007fa4b96522b3ed946326a65b93dbeb0e24356f642

SHA512
61ebf783d156733cbcf654a73bb73a67e63bc544376154b86f8c418a9ffaced9dfb7a0eea1b36d2622f7990539b078064cabe5d26976124a18e6aba580be2b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2e19bf3b77f5fd971486c\vs_bootstrapper_d15\Newtonsoft.Json.dll

Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2e19bf3b77f5fd971486c\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll

Filesize
16KB

MD5
9a341540899dcc5630886f2d921be78f

SHA1
bab44612721c3dc91ac3d9dfca7c961a3a511508

SHA256
3cadcb6b8a7335141c7c357a1d77af1ff49b59b872df494f5025580191d1c0d5

SHA512
066984c83de975df03eee1c2b5150c6b9b2e852d9caf90cfd956e9f0f7bd5a956b96ea961b26f7cd14c089bc8a27f868b225167020c5eb6318f66e58113efa37

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2e19bf3b77f5fd971486c\vs_bootstrapper_d15\detection.json

Filesize
8KB

MD5
782f4beae90d11351db508f38271eb26

SHA1
f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c

SHA256
c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9

SHA512
0a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2e19bf3b77f5fd971486c\vs_bootstrapper_d15\vs_setup_bootstrapper.config

Filesize
618B

MD5
0e4ebc00f6099b2e065d9015fb53977d

SHA1
7542e6ecbd4fe9c018f1875126f72159a14369d8

SHA256
2f2975da8453485ddf84221e1e3d6823dcba996a4ce44cd6391cf4d2dd18e828

SHA512
2937e89aad01ca30f9aff99f84c33083c7a32ce8534e98a0c5acd8ab3edfeb23d2f6d9d99902ea34857c187ec093f18e833a192f71d29d18a7e378ecf351923e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2e19bf3b77f5fd971486c\vs_bootstrapper_d15\vs_setup_bootstrapper.exe

Filesize
398KB

MD5
d6baac92ade6ade86ac8b33179c13db8

SHA1
c2dfc428a02ffc2c3cc293423d38037ea75cfade

SHA256
eafadec2a23db1e659ecec552971b847eaa78b5e665db8984e456e159715ec10

SHA512
7577167f2954402ffa642e1705acacc49e577268c102f00685cf5968c669d16e2925db39650882054b6e812433c98c916f737f7bacdb94ce8c37277a7585ec45

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2e19bf3b77f5fd971486c\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config

Filesize
2KB

MD5
010d94408fd5432563d51e416ba346b3

SHA1
0041f1989b67b666ec0f0581f9e6ce0e94b55c55

SHA256
0472025ac139903fead459c4c173364f128f68f015d0299fb0ddd835f7437d5d

SHA512
d3252d2f2e07ca2e29c26894400690a0698a8cfcaefc3dd7f7c5020193725e331833fe997b8889807900e08d5c9b09ce69e803d64452b297385713f0e3a325f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2e19bf3b77f5fd971486c\vs_bootstrapper_d15\vs_setup_bootstrapper.json

Filesize
163B

MD5
ecd028adc95c8ae1a92db26c5fdedb09

SHA1
a0b505a8ba954147e33542de25fdbd54ef3c5304

SHA256
94cdbb8cd5b9fd5e44858efe36e25994c56848fa0e77920c08253f3e3063a2e3

SHA512
0df8ace311c4bb75e4e036857828a57a1f76d075fe2056ef44fd9f3d865ab7dbc686c01274627b418a530ba0e761673d29c3f0ee3432887df7465ecfd167b7f6

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
66df4ffab62e674af2e75b163563fc0b

SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e

SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Download Submit
memory/392-160-0x0000000004F90000-0x0000000004F98000-memory.dmp

Filesize
32KB

Download
memory/392-148-0x0000000004BD0000-0x0000000004D12000-memory.dmp

Filesize
1.3MB

Download
memory/392-177-0x0000000005510000-0x0000000005518000-memory.dmp

Filesize
32KB

Download
memory/392-173-0x0000000005120000-0x000000000512E000-memory.dmp

Filesize
56KB

Download
memory/392-169-0x00000000055B0000-0x0000000005660000-memory.dmp

Filesize
704KB

Download
memory/392-189-0x0000000005A90000-0x0000000005AB2000-memory.dmp

Filesize
136KB

Download
memory/392-165-0x0000000073670000-0x0000000073E20000-memory.dmp

Filesize
7.7MB

Download
memory/392-156-0x0000000005130000-0x000000000521A000-memory.dmp

Filesize
936KB

Download
memory/392-164-0x0000000005040000-0x0000000005066000-memory.dmp

Filesize
152KB

Download
memory/392-152-0x0000000004FD0000-0x0000000005038000-memory.dmp

Filesize
416KB

Download
memory/392-144-0x0000000000110000-0x0000000000176000-memory.dmp

Filesize
408KB

Download
memory/392-181-0x00000000058A0000-0x00000000058AE000-memory.dmp

Filesize
56KB

Download
memory/392-190-0x0000000005AC0000-0x0000000005E14000-memory.dmp

Filesize
3.3MB

Download
memory/392-191-0x00000000064C0000-0x0000000006526000-memory.dmp

Filesize
408KB

Download
memory/392-192-0x0000000006770000-0x000000000682A000-memory.dmp

Filesize
744KB

Download
memory/392-142-0x000000007367E000-0x000000007367F000-memory.dmp

Filesize
4KB

Download
memory/392-194-0x0000000006D50000-0x0000000006DE2000-memory.dmp

Filesize
584KB

Download
memory/392-195-0x00000000073A0000-0x0000000007944000-memory.dmp

Filesize
5.6MB

Download
memory/392-196-0x00000000071F0000-0x00000000071F8000-memory.dmp

Filesize
32KB

Download
memory/392-199-0x0000000007350000-0x0000000007358000-memory.dmp

Filesize
32KB

Download
memory/392-201-0x0000000009FF0000-0x0000000009FFE000-memory.dmp

Filesize
56KB

Download
memory/392-200-0x000000000A740000-0x000000000A778000-memory.dmp

Filesize
224KB

Download
memory/392-207-0x000000007367E000-0x000000007367F000-memory.dmp

Filesize
4KB

Download
memory/392-208-0x0000000073670000-0x0000000073E20000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads