latentbot | 6be45f6054be1bcd7e91aab715f3e4342c3ad988d4f53ebb41cb79caea1da70b

General

Target

bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe
Size

253KB
MD5

bce37dd072dc0eeeba64a67f92e9e7c3
SHA1

a04ad84a2dabb2271c94faced586a90f4a460584
SHA256

6be45f6054be1bcd7e91aab715f3e4342c3ad988d4f53ebb41cb79caea1da70b
SHA512

fcaa1eb9f77a8bf3018454a9d0117c70c58d0f6e332cfb674bafd752a2a823d63081b2a0116c45caeda5bb44ffd3ef1372fd8f23014db6c3f39061ee85c69947
SSDEEP

6144:iz+92mhAMJ/cPl3i+eLbbIv2fbj+ufiTiONUXHH/wlTekOehkQ:iK2mhAMJ/cPlQbF/XfbJX/wl/OvQ

Score

10^/10

latentbot plugx trojan

Malware Config

Extracted

Family

latentbot

C2

jinyuan2012.zapto.org

Signatures

Detects PlugX payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2920-27-0x00000000002A0000-0x00000000002CC000-memory.dmp	family_plugx
behavioral1/memory/2596-46-0x0000000000410000-0x000000000043C000-memory.dmp	family_plugx
behavioral1/memory/2448-51-0x0000000000280000-0x00000000002AC000-memory.dmp	family_plugx
behavioral1/memory/2552-59-0x00000000001B0000-0x00000000001DC000-memory.dmp	family_plugx
behavioral1/memory/2552-75-0x00000000001B0000-0x00000000001DC000-memory.dmp	family_plugx
behavioral1/memory/2552-76-0x00000000001B0000-0x00000000001DC000-memory.dmp	family_plugx
behavioral1/memory/2552-73-0x00000000001B0000-0x00000000001DC000-memory.dmp	family_plugx
behavioral1/memory/2920-74-0x00000000002A0000-0x00000000002CC000-memory.dmp	family_plugx
behavioral1/memory/2552-72-0x00000000001B0000-0x00000000001DC000-memory.dmp	family_plugx
behavioral1/memory/2448-58-0x0000000000280000-0x00000000002AC000-memory.dmp	family_plugx
behavioral1/memory/2552-57-0x00000000001B0000-0x00000000001DC000-memory.dmp	family_plugx
behavioral1/memory/2552-77-0x00000000001B0000-0x00000000001DC000-memory.dmp	family_plugx
behavioral1/memory/2552-81-0x00000000001B0000-0x00000000001DC000-memory.dmp	family_plugx
behavioral1/memory/2596-82-0x0000000000410000-0x000000000043C000-memory.dmp	family_plugx
behavioral1/memory/2552-83-0x00000000001B0000-0x00000000001DC000-memory.dmp	family_plugx
behavioral1/memory/2344-92-0x0000000000280000-0x00000000002AC000-memory.dmp	family_plugx
behavioral1/memory/2344-91-0x0000000000280000-0x00000000002AC000-memory.dmp	family_plugx
behavioral1/memory/2344-89-0x0000000000280000-0x00000000002AC000-memory.dmp	family_plugx
behavioral1/memory/2552-93-0x00000000001B0000-0x00000000001DC000-memory.dmp	family_plugx

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Deletes itself 1 IoCs

Processes:

Nv.exe

pid process

2920 Nv.exe
Executes dropped EXE 3 IoCs

Processes:

Nv.exeNv.exeNv.exe

pid process

2920 Nv.exe
2596 Nv.exe
2448 Nv.exe

Loads dropped DLL 8 IoCs

Processes:

bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exeNv.exeNv.exeNv.exe

pid	process
1868	bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe
1868	bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe
1868	bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe
1868	bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe
1868	bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe
2920	Nv.exe
2596	Nv.exe
2448	Nv.exe

Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 33 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-a5-a2-dd-a4-f4	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-a5-a2-dd-a4-f4\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\ca-a5-a2-dd-a4-f4	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0022000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-a5-a2-dd-a4-f4\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\WpadDecisionTime = f04e92809cc1da01	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\WpadNetworkName = "Network 3"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-a5-a2-dd-a4-f4\WpadDecisionTime = f04e92809cc1da01	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8658B825-23D2-4B4C-9ED0-991047320AEB}\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe

Modifies registry class 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 45003700460037003200420042004200350034004500350045004400310045000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Nv.exesvchost.exemsiexec.exe

pid	process
2920	Nv.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2552	svchost.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2552	svchost.exe
2552	svchost.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2552	svchost.exe
2552	svchost.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2552	svchost.exe
2552	svchost.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2552	svchost.exe
2552	svchost.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2344	msiexec.exe
2552	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exemsiexec.exe

pid process

2552 svchost.exe
2344 msiexec.exe

pid	process
2552	svchost.exe
2344	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

Nv.exeNv.exeNv.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	2920	Nv.exe
Token: SeTcbPrivilege	2920	Nv.exe
Token: SeDebugPrivilege	2596	Nv.exe
Token: SeTcbPrivilege	2596	Nv.exe
Token: SeDebugPrivilege	2448	Nv.exe
Token: SeTcbPrivilege	2448	Nv.exe
Token: SeDebugPrivilege	2552	svchost.exe
Token: SeTcbPrivilege	2552	svchost.exe
Token: SeDebugPrivilege	2344	msiexec.exe
Token: SeTcbPrivilege	2344	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exeNv.exesvchost.exe

description	pid	process	target process
PID 1868 wrote to memory of 2920	1868	bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe	Nv.exe
PID 1868 wrote to memory of 2920	1868	bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe	Nv.exe
PID 1868 wrote to memory of 2920	1868	bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe	Nv.exe
PID 1868 wrote to memory of 2920	1868	bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe	Nv.exe
PID 1868 wrote to memory of 2920	1868	bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe	Nv.exe
PID 1868 wrote to memory of 2920	1868	bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe	Nv.exe
PID 1868 wrote to memory of 2920	1868	bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe	Nv.exe
PID 2448 wrote to memory of 2552	2448	Nv.exe	svchost.exe
PID 2448 wrote to memory of 2552	2448	Nv.exe	svchost.exe
PID 2448 wrote to memory of 2552	2448	Nv.exe	svchost.exe
PID 2448 wrote to memory of 2552	2448	Nv.exe	svchost.exe
PID 2448 wrote to memory of 2552	2448	Nv.exe	svchost.exe
PID 2448 wrote to memory of 2552	2448	Nv.exe	svchost.exe
PID 2448 wrote to memory of 2552	2448	Nv.exe	svchost.exe
PID 2448 wrote to memory of 2552	2448	Nv.exe	svchost.exe
PID 2448 wrote to memory of 2552	2448	Nv.exe	svchost.exe
PID 2552 wrote to memory of 2344	2552	svchost.exe	msiexec.exe
PID 2552 wrote to memory of 2344	2552	svchost.exe	msiexec.exe
PID 2552 wrote to memory of 2344	2552	svchost.exe	msiexec.exe
PID 2552 wrote to memory of 2344	2552	svchost.exe	msiexec.exe
PID 2552 wrote to memory of 2344	2552	svchost.exe	msiexec.exe
PID 2552 wrote to memory of 2344	2552	svchost.exe	msiexec.exe
PID 2552 wrote to memory of 2344	2552	svchost.exe	msiexec.exe
PID 2552 wrote to memory of 2344	2552	svchost.exe	msiexec.exe
PID 2552 wrote to memory of 2344	2552	svchost.exe	msiexec.exe
PID 2552 wrote to memory of 2344	2552	svchost.exe	msiexec.exe
PID 2552 wrote to memory of 2344	2552	svchost.exe	msiexec.exe
PID 2552 wrote to memory of 2344	2552	svchost.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bce37dd072dc0eeeba64a67f92e9e7c3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920

C:\ProgramData\SxS\Nv.exe
"C:\ProgramData\SxS\Nv.exe" 100 2920
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\ProgramData\SxS\Nv.exe
"C:\ProgramData\SxS\Nv.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 2552
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll

Filesize
48KB

MD5
d659d95d46f71f172cd4f2aca9532949

SHA1
13a4a93c5a76ad1ea95cc6e9c7e2282f1981c85d

SHA256
9e4800663e62415d01f844195d8bae0be71a1bd14b9d4103c6dedb9266957837

SHA512
ad423ef32635358f8c47854a95c9e18dde7fe1e31c450aee7fd16f5a4043a8fd135ad5eac7491909acdf5afd6d013f8fd9b1f07809d8ff88458dbad31dddaba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll.URL

Filesize
110KB

MD5
c889dc4f6294e882c8ce08f1f9a0aa12

SHA1
2522d785f2f78d0bb2841723695e1ab55afa1313

SHA256
d6ad656de945a3e4a8179bae85173bcdf986c85d8328d5e788a8a695faf1576b

SHA512
44d16808678fcbd5936e1a22f715865c948026fdf283b121f3ae17e8f40809f4d75e055b84daf60808a5a9f59f585402b4ce73d9dac0d86524baf207226c6662

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

Filesize
46KB

MD5
09b8b54f78a10c435cd319070aa13c28

SHA1
6474d0369f97e72e01e4971128d1062f5c2b3656

SHA256
523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

SHA512
c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

Download Submit
memory/2344-92-0x0000000000280000-0x00000000002AC000-memory.dmp

Filesize
176KB

Download
memory/2344-89-0x0000000000280000-0x00000000002AC000-memory.dmp

Filesize
176KB

Download
memory/2344-91-0x0000000000280000-0x00000000002AC000-memory.dmp

Filesize
176KB

Download
memory/2344-90-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2448-51-0x0000000000280000-0x00000000002AC000-memory.dmp

Filesize
176KB

Download
memory/2448-58-0x0000000000280000-0x00000000002AC000-memory.dmp

Filesize
176KB

Download
memory/2552-59-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/2552-71-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2552-75-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/2552-76-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/2552-73-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/2552-55-0x00000000000A0000-0x00000000000BA000-memory.dmp

Filesize
104KB

Download
memory/2552-72-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/2552-52-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2552-56-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/2552-57-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/2552-77-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/2552-81-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/2552-93-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/2552-83-0x00000000001B0000-0x00000000001DC000-memory.dmp

Filesize
176KB

Download
memory/2596-82-0x0000000000410000-0x000000000043C000-memory.dmp

Filesize
176KB

Download
memory/2596-46-0x0000000000410000-0x000000000043C000-memory.dmp

Filesize
176KB

Download
memory/2920-74-0x00000000002A0000-0x00000000002CC000-memory.dmp

Filesize
176KB

Download
memory/2920-27-0x00000000002A0000-0x00000000002CC000-memory.dmp

Filesize
176KB

Download
memory/2920-25-0x0000000001C60000-0x0000000001D60000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads