neshta | 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea

General

Target

9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
Size

1023KB
MD5

34c80f81e518370f859cc9f2454e6d83
SHA1

dbb94e0f0a99558b8786a2c2ce3322ba281e7f9c
SHA256

9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea
SHA512

6d458b21e8beb210a3a385a56fba3c362e9e74d1005a59a2a735ab593c8a298559b7fc96c32dc6e4659a64c3010c19436af6f499ad5ced84322ecbfa17222a8c

Score

10^/10

neshta xloader rqan loader persistence rat spyware stealer suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

rqan

C2

http://www.cardboutiqueapp.com/rqan/

Decoy

panda.wiki

gailkannamassage.com

ungravitystudio.com

coraggiomusicschool.com

51walkerstreetrippleside.com

infemax.store

mapara-foundation.net

elitespeedwaxs.com

manateeprint.com

thelocksmithtradeshow.com

phoenix-out-of-ashes.com

marionkgregory.store

abasketofwords.com

century21nokta.com

anthonyaarnold.com

forevermyanmar.com

ramashi.com

uniquecarbonbrush.com

packecco.com

appelnacrtl.quest

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4524-120-0x0000000000000000-mapping.dmp	xloader
behavioral1/memory/4524-122-0x0000000072480000-0x00000000724A9000-memory.dmp	xloader
behavioral1/memory/4688-129-0x0000000000900000-0x0000000000929000-memory.dmp	xloader

Executes dropped EXE 1 IoCs

Processes:

9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe

pid process

3804 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3804	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pgkbuilv = "C:\\Users\\Public\\\\vliubkgP.url"	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

logagent.exehelp.exe

description	pid	process	target process
PID 4524 set thread context of 2872	4524	logagent.exe	Explorer.EXE
PID 4688 set thread context of 2872	4688	help.exe	Explorer.EXE

Drops file in Program Files directory 53 IoCs

Processes:

9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe

Drops file in Windows directory 1 IoCs

Processes:

9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe

description ioc process

File opened for modification C:\Windows\svchost.com 9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe

Modifies registry class 1 IoCs

Processes:

9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

logagent.exehelp.exe

pid	process
4524	logagent.exe
4524	logagent.exe
4524	logagent.exe
4524	logagent.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe
4688	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2872 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

logagent.exehelp.exe

pid process

4524 logagent.exe
4524 logagent.exe
4524 logagent.exe
4688 help.exe
4688 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

logagent.exehelp.exe

description pid process

Token: SeDebugPrivilege 4524 logagent.exe
Token: SeDebugPrivilege 4688 help.exe

pid	process
2872	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4524	logagent.exe
Token: SeDebugPrivilege	4688	help.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exeExplorer.EXE

description	pid	process	target process
PID 4384 wrote to memory of 3804	4384	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
PID 4384 wrote to memory of 3804	4384	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
PID 4384 wrote to memory of 3804	4384	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
PID 3804 wrote to memory of 4524	3804	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe	logagent.exe
PID 3804 wrote to memory of 4524	3804	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe	logagent.exe
PID 3804 wrote to memory of 4524	3804	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe	logagent.exe
PID 3804 wrote to memory of 4524	3804	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe	logagent.exe
PID 3804 wrote to memory of 4524	3804	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe	logagent.exe
PID 3804 wrote to memory of 4524	3804	9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe	logagent.exe
PID 2872 wrote to memory of 4688	2872	Explorer.EXE	help.exe
PID 2872 wrote to memory of 4688	2872	Explorer.EXE	help.exe
PID 2872 wrote to memory of 4688	2872	Explorer.EXE	help.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\Admin\AppData\Local\Temp\9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
"C:\Users\Admin\AppData\Local\Temp\9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe"
2⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4384

C:\Users\Admin\AppData\Local\Temp\3582-490\9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
MD5
a928d1866afcb0696d4ac43ceec12128

SHA1
55edbb8f5334194ab0345bd72b9cf58ddb384579

SHA256
1aa28435e63887b1ee372f54ce2e926888d19f5d3d3ab4d35d39da4b5272d721

SHA512
74c394e9dacf213a4ae81f7267c7979aad0e95c60affc50fd51a8c1d7edf8345444a2e8a6e6aaf9fe3d37a47a7e104158b8ae54eaa38aa4f29370d63e743594f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\9f71ef7a27369674f7f5bb4f6203358a6485fcbd0c25f0c80272364716a73dea.exe
MD5
a928d1866afcb0696d4ac43ceec12128

SHA1
55edbb8f5334194ab0345bd72b9cf58ddb384579

SHA256
1aa28435e63887b1ee372f54ce2e926888d19f5d3d3ab4d35d39da4b5272d721

SHA512
74c394e9dacf213a4ae81f7267c7979aad0e95c60affc50fd51a8c1d7edf8345444a2e8a6e6aaf9fe3d37a47a7e104158b8ae54eaa38aa4f29370d63e743594f

Download Submit
memory/2872-132-0x0000000005BC0000-0x0000000005D22000-memory.dmp

Filesize
1.4MB

Download
memory/2872-126-0x0000000005A70000-0x0000000005B73000-memory.dmp

Filesize
1.0MB

Download
memory/3804-115-0x0000000000000000-mapping.dmp

Download
memory/3804-118-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/3804-119-0x00000000025A1000-0x00000000025B5000-memory.dmp

Filesize
80KB

Download
memory/4524-124-0x0000000004EE0000-0x0000000005200000-memory.dmp

Filesize
3.1MB

Download
memory/4524-121-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/4524-122-0x0000000072480000-0x00000000724A9000-memory.dmp

Filesize
164KB

Download
memory/4524-125-0x0000000004CB0000-0x0000000004CC1000-memory.dmp

Filesize
68KB

Download
memory/4524-120-0x0000000000000000-mapping.dmp

Download
memory/4688-127-0x0000000000000000-mapping.dmp

Download
memory/4688-128-0x00000000012E0000-0x00000000012E7000-memory.dmp

Filesize
28KB

Download
memory/4688-129-0x0000000000900000-0x0000000000929000-memory.dmp

Filesize
164KB

Download
memory/4688-130-0x00000000032F0000-0x0000000003610000-memory.dmp

Filesize
3.1MB

Download
memory/4688-131-0x0000000000E30000-0x0000000000EC0000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads