neshta | d6742c917817f02e01ba40c61606b3707f373bb8d1f525b75b72b1802cd9b290

General

Target

61d62155465f85f8fc4d44a89e7ae831.exe
Size

907KB
MD5

61d62155465f85f8fc4d44a89e7ae831
SHA1

10e1e0c049b58ff662f960a3e5270bfb97c9868b
SHA256

d6742c917817f02e01ba40c61606b3707f373bb8d1f525b75b72b1802cd9b290
SHA512

b77514d0de8c8582a3773fd76b82049bdc8dbba090827531ff1452d6729bc74eeb389f69701bf38b8b45a7fcebec62d12c26d5abab7e0516bb5cf78dc7dbeb24

Score

10^/10

neshta xloader rqan loader persistence rat spyware stealer suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

rqan

C2

http://www.cardboutiqueapp.com/rqan/

Decoy

panda.wiki

gailkannamassage.com

ungravitystudio.com

coraggiomusicschool.com

51walkerstreetrippleside.com

infemax.store

mapara-foundation.net

elitespeedwaxs.com

manateeprint.com

thelocksmithtradeshow.com

phoenix-out-of-ashes.com

marionkgregory.store

abasketofwords.com

century21nokta.com

anthonyaarnold.com

forevermyanmar.com

ramashi.com

uniquecarbonbrush.com

packecco.com

appelnacrtl.quest

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

61d62155465f85f8fc4d44a89e7ae831.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	61d62155465f85f8fc4d44a89e7ae831.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/736-68-0x0000000000000000-mapping.dmp	xloader
behavioral1/memory/736-71-0x0000000072480000-0x00000000724A9000-memory.dmp	xloader
behavioral1/memory/1640-78-0x0000000000080000-0x00000000000A9000-memory.dmp	xloader

Executes dropped EXE 1 IoCs

Processes:

61d62155465f85f8fc4d44a89e7ae831.exe

pid process

1076 61d62155465f85f8fc4d44a89e7ae831.exe
Loads dropped DLL 3 IoCs

Processes:

61d62155465f85f8fc4d44a89e7ae831.exe

pid process

1240 61d62155465f85f8fc4d44a89e7ae831.exe
1240 61d62155465f85f8fc4d44a89e7ae831.exe
1240 61d62155465f85f8fc4d44a89e7ae831.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1076	61d62155465f85f8fc4d44a89e7ae831.exe

pid	process
1240	61d62155465f85f8fc4d44a89e7ae831.exe
1240	61d62155465f85f8fc4d44a89e7ae831.exe
1240	61d62155465f85f8fc4d44a89e7ae831.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

61d62155465f85f8fc4d44a89e7ae831.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ounanmse = "C:\\Users\\Public\\Libraries\\esmnanuO.url"	61d62155465f85f8fc4d44a89e7ae831.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

mobsync.execmd.exe

description	pid	process	target process
PID 736 set thread context of 1268	736	mobsync.exe	Explorer.EXE
PID 1640 set thread context of 1268	1640	cmd.exe	Explorer.EXE

Drops file in Program Files directory 64 IoCs

Processes:

61d62155465f85f8fc4d44a89e7ae831.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	61d62155465f85f8fc4d44a89e7ae831.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	61d62155465f85f8fc4d44a89e7ae831.exe

Drops file in Windows directory 1 IoCs

Processes:

61d62155465f85f8fc4d44a89e7ae831.exe

description ioc process

File opened for modification C:\Windows\svchost.com 61d62155465f85f8fc4d44a89e7ae831.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	61d62155465f85f8fc4d44a89e7ae831.exe

Modifies registry class 1 IoCs

Processes:

61d62155465f85f8fc4d44a89e7ae831.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	61d62155465f85f8fc4d44a89e7ae831.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

mobsync.execmd.exe

pid	process
736	mobsync.exe
736	mobsync.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe
1640	cmd.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

mobsync.execmd.exe

pid process

736 mobsync.exe
736 mobsync.exe
736 mobsync.exe
1640 cmd.exe
1640 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mobsync.execmd.exe

description pid process

Token: SeDebugPrivilege 736 mobsync.exe
Token: SeDebugPrivilege 1640 cmd.exe

description	pid	process
Token: SeDebugPrivilege	736	mobsync.exe
Token: SeDebugPrivilege	1640	cmd.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

61d62155465f85f8fc4d44a89e7ae831.exe61d62155465f85f8fc4d44a89e7ae831.exeExplorer.EXE

description	pid	process	target process
PID 1240 wrote to memory of 1076	1240	61d62155465f85f8fc4d44a89e7ae831.exe	61d62155465f85f8fc4d44a89e7ae831.exe
PID 1240 wrote to memory of 1076	1240	61d62155465f85f8fc4d44a89e7ae831.exe	61d62155465f85f8fc4d44a89e7ae831.exe
PID 1240 wrote to memory of 1076	1240	61d62155465f85f8fc4d44a89e7ae831.exe	61d62155465f85f8fc4d44a89e7ae831.exe
PID 1240 wrote to memory of 1076	1240	61d62155465f85f8fc4d44a89e7ae831.exe	61d62155465f85f8fc4d44a89e7ae831.exe
PID 1076 wrote to memory of 736	1076	61d62155465f85f8fc4d44a89e7ae831.exe	mobsync.exe
PID 1076 wrote to memory of 736	1076	61d62155465f85f8fc4d44a89e7ae831.exe	mobsync.exe
PID 1076 wrote to memory of 736	1076	61d62155465f85f8fc4d44a89e7ae831.exe	mobsync.exe
PID 1076 wrote to memory of 736	1076	61d62155465f85f8fc4d44a89e7ae831.exe	mobsync.exe
PID 1076 wrote to memory of 736	1076	61d62155465f85f8fc4d44a89e7ae831.exe	mobsync.exe
PID 1076 wrote to memory of 736	1076	61d62155465f85f8fc4d44a89e7ae831.exe	mobsync.exe
PID 1076 wrote to memory of 736	1076	61d62155465f85f8fc4d44a89e7ae831.exe	mobsync.exe
PID 1268 wrote to memory of 1640	1268	Explorer.EXE	cmd.exe
PID 1268 wrote to memory of 1640	1268	Explorer.EXE	cmd.exe
PID 1268 wrote to memory of 1640	1268	Explorer.EXE	cmd.exe
PID 1268 wrote to memory of 1640	1268	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\61d62155465f85f8fc4d44a89e7ae831.exe
"C:\Users\Admin\AppData\Local\Temp\61d62155465f85f8fc4d44a89e7ae831.exe"
2⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\3582-490\61d62155465f85f8fc4d44a89e7ae831.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\61d62155465f85f8fc4d44a89e7ae831.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\mobsync.exe
C:\Windows\System32\mobsync.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\61d62155465f85f8fc4d44a89e7ae831.exe
MD5
c5cfef9b7b6b39513f276093d7ef2157

SHA1
9c2d4c4ac1017ac91a5bd956e6864cefcd0f2bec

SHA256
22a943a5c28c80163c59b4a42923050c5af77fe9cc919aee6d1aab569d684dc6

SHA512
4cb21736b9622ae2f6ed96ebb3d0e455253d1a61ebe428c464cd9e60bfb11dbcaf05a96a9c070dc4b012624e1fd2e333d518a704d3e15196938eb3143d556284

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\61d62155465f85f8fc4d44a89e7ae831.exe
MD5
c5cfef9b7b6b39513f276093d7ef2157

SHA1
9c2d4c4ac1017ac91a5bd956e6864cefcd0f2bec

SHA256
22a943a5c28c80163c59b4a42923050c5af77fe9cc919aee6d1aab569d684dc6

SHA512
4cb21736b9622ae2f6ed96ebb3d0e455253d1a61ebe428c464cd9e60bfb11dbcaf05a96a9c070dc4b012624e1fd2e333d518a704d3e15196938eb3143d556284

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\61d62155465f85f8fc4d44a89e7ae831.exe
MD5
c5cfef9b7b6b39513f276093d7ef2157

SHA1
9c2d4c4ac1017ac91a5bd956e6864cefcd0f2bec

SHA256
22a943a5c28c80163c59b4a42923050c5af77fe9cc919aee6d1aab569d684dc6

SHA512
4cb21736b9622ae2f6ed96ebb3d0e455253d1a61ebe428c464cd9e60bfb11dbcaf05a96a9c070dc4b012624e1fd2e333d518a704d3e15196938eb3143d556284

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\61d62155465f85f8fc4d44a89e7ae831.exe
MD5
c5cfef9b7b6b39513f276093d7ef2157

SHA1
9c2d4c4ac1017ac91a5bd956e6864cefcd0f2bec

SHA256
22a943a5c28c80163c59b4a42923050c5af77fe9cc919aee6d1aab569d684dc6

SHA512
4cb21736b9622ae2f6ed96ebb3d0e455253d1a61ebe428c464cd9e60bfb11dbcaf05a96a9c070dc4b012624e1fd2e333d518a704d3e15196938eb3143d556284

Download Submit
memory/736-74-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/736-73-0x0000000001FD0000-0x00000000022D3000-memory.dmp

Filesize
3.0MB

Download
memory/736-71-0x0000000072480000-0x00000000724A9000-memory.dmp

Filesize
164KB

Download
memory/736-70-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/736-66-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/736-65-0x0000000072480000-0x00000000724A9000-memory.dmp

Filesize
164KB

Download
memory/736-68-0x0000000000000000-mapping.dmp

Download
memory/1076-58-0x0000000000000000-mapping.dmp

Download
memory/1076-63-0x0000000000281000-0x0000000000295000-memory.dmp

Filesize
80KB

Download
memory/1076-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1240-55-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1268-75-0x0000000006E30000-0x0000000006F6B000-memory.dmp

Filesize
1.2MB

Download
memory/1268-81-0x00000000067F0000-0x00000000068F7000-memory.dmp

Filesize
1.0MB

Download
memory/1640-76-0x0000000000000000-mapping.dmp

Download
memory/1640-77-0x000000004A6C0000-0x000000004A70C000-memory.dmp

Filesize
304KB

Download
memory/1640-78-0x0000000000080000-0x00000000000A9000-memory.dmp

Filesize
164KB

Download
memory/1640-79-0x00000000020B0000-0x00000000023B3000-memory.dmp

Filesize
3.0MB

Download
memory/1640-80-0x00000000004A0000-0x0000000000530000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads