pandastealer | b13330d8e458c80c87cc8420ee96d9b1bc0e62db607c569fbe5ef7f1abd9bc31

General

Target

767db863164ec054813a61fc1c469b60_JaffaCakes118.exe
Size

25.9MB
MD5

767db863164ec054813a61fc1c469b60
SHA1

cf1f5541ea6fcd245d725b89e4e2309b895ab4f7
SHA256

b13330d8e458c80c87cc8420ee96d9b1bc0e62db607c569fbe5ef7f1abd9bc31
SHA512

c723996862f4368555af5cd3435ffc7207e9b7f945369ff543b1de5e527a26bed0cd18389ca64bb95085426b9d7f7d2753b8995de2bcfd02b882ac3f4a4f16ed
SSDEEP

786432:zfzDs7aZXBWhs6cets5XOjehnRLy3f3xfDcgH:zffYavetwmehntyJff

Score

10^/10

pandastealer shurk credential_access discovery infostealer stealer vmprotect

Malware Config

Signatures

Panda Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2684-87-0x0000000000400000-0x000000000047F000-memory.dmp	family_pandastealer
behavioral1/memory/2684-86-0x0000000000400000-0x000000000047F000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2684-87-0x0000000000400000-0x000000000047F000-memory.dmp	shurk_stealer
behavioral1/memory/2684-86-0x0000000000400000-0x000000000047F000-memory.dmp	shurk_stealer

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Executes dropped EXE 5 IoCs

Processes:

start.exeChanger.exeallSkinsData.exeInventoryChangerLoader.exe

pid process

2528 start.exe
2208 Changer.exe
2848 allSkinsData.exe
1532 InventoryChangerLoader.exe
1272

pid	process
2528	start.exe
2208	Changer.exe
2848	allSkinsData.exe
1532	InventoryChangerLoader.exe
1272

Loads dropped DLL 9 IoCs

Processes:

767db863164ec054813a61fc1c469b60_JaffaCakes118.exeChanger.exe

pid	process
1908	767db863164ec054813a61fc1c469b60_JaffaCakes118.exe
1908	767db863164ec054813a61fc1c469b60_JaffaCakes118.exe
1908	767db863164ec054813a61fc1c469b60_JaffaCakes118.exe
1908	767db863164ec054813a61fc1c469b60_JaffaCakes118.exe
2208	Changer.exe
2208	Changer.exe
2208	Changer.exe
2208	Changer.exe
2208	Changer.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\ProgramData\InventoryChangerLoader.exe	vmprotect
behavioral1/memory/1532-50-0x00000000009C0000-0x000000000260A000-memory.dmp	vmprotect

Suspicious use of SetThreadContext 1 IoCs

Processes:

allSkinsData.exe

description pid process target process

PID 2848 set thread context of 2684 2848 allSkinsData.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2848 set thread context of 2684	2848	allSkinsData.exe	AddInProcess32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

allSkinsData.exeAddInProcess32.exe767db863164ec054813a61fc1c469b60_JaffaCakes118.exestart.exeChanger.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	allSkinsData.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	767db863164ec054813a61fc1c469b60_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Changer.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

InventoryChangerLoader.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	InventoryChangerLoader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	InventoryChangerLoader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	InventoryChangerLoader.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

Changer.exe

pid process

2208 Changer.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AddInProcess32.exe

pid process

2684 AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

InventoryChangerLoader.exeallSkinsData.exe

description pid process

Token: SeDebugPrivilege 1532 InventoryChangerLoader.exe
Token: SeDebugPrivilege 2848 allSkinsData.exe

pid	process
2208	Changer.exe

pid	process
2684	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	1532	InventoryChangerLoader.exe
Token: SeDebugPrivilege	2848	allSkinsData.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

767db863164ec054813a61fc1c469b60_JaffaCakes118.exestart.execmd.exeChanger.exeallSkinsData.exe

description	pid	process	target process
PID 1908 wrote to memory of 2528	1908	767db863164ec054813a61fc1c469b60_JaffaCakes118.exe	start.exe
PID 1908 wrote to memory of 2528	1908	767db863164ec054813a61fc1c469b60_JaffaCakes118.exe	start.exe
PID 1908 wrote to memory of 2528	1908	767db863164ec054813a61fc1c469b60_JaffaCakes118.exe	start.exe
PID 1908 wrote to memory of 2528	1908	767db863164ec054813a61fc1c469b60_JaffaCakes118.exe	start.exe
PID 2528 wrote to memory of 2676	2528	start.exe	cmd.exe
PID 2528 wrote to memory of 2676	2528	start.exe	cmd.exe
PID 2528 wrote to memory of 2676	2528	start.exe	cmd.exe
PID 2528 wrote to memory of 2676	2528	start.exe	cmd.exe
PID 2676 wrote to memory of 2208	2676	cmd.exe	Changer.exe
PID 2676 wrote to memory of 2208	2676	cmd.exe	Changer.exe
PID 2676 wrote to memory of 2208	2676	cmd.exe	Changer.exe
PID 2676 wrote to memory of 2208	2676	cmd.exe	Changer.exe
PID 2208 wrote to memory of 2848	2208	Changer.exe	allSkinsData.exe
PID 2208 wrote to memory of 2848	2208	Changer.exe	allSkinsData.exe
PID 2208 wrote to memory of 2848	2208	Changer.exe	allSkinsData.exe
PID 2208 wrote to memory of 2848	2208	Changer.exe	allSkinsData.exe
PID 2208 wrote to memory of 1532	2208	Changer.exe	InventoryChangerLoader.exe
PID 2208 wrote to memory of 1532	2208	Changer.exe	InventoryChangerLoader.exe
PID 2208 wrote to memory of 1532	2208	Changer.exe	InventoryChangerLoader.exe
PID 2208 wrote to memory of 1532	2208	Changer.exe	InventoryChangerLoader.exe
PID 2848 wrote to memory of 2684	2848	allSkinsData.exe	AddInProcess32.exe
PID 2848 wrote to memory of 2684	2848	allSkinsData.exe	AddInProcess32.exe
PID 2848 wrote to memory of 2684	2848	allSkinsData.exe	AddInProcess32.exe
PID 2848 wrote to memory of 2684	2848	allSkinsData.exe	AddInProcess32.exe
PID 2848 wrote to memory of 2684	2848	allSkinsData.exe	AddInProcess32.exe
PID 2848 wrote to memory of 2684	2848	allSkinsData.exe	AddInProcess32.exe
PID 2848 wrote to memory of 2684	2848	allSkinsData.exe	AddInProcess32.exe
PID 2848 wrote to memory of 2684	2848	allSkinsData.exe	AddInProcess32.exe
PID 2848 wrote to memory of 2684	2848	allSkinsData.exe	AddInProcess32.exe
PID 2848 wrote to memory of 2684	2848	allSkinsData.exe	AddInProcess32.exe
PID 2848 wrote to memory of 2684	2848	allSkinsData.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\767db863164ec054813a61fc1c469b60_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\767db863164ec054813a61fc1c469b60_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908

C:\ProgramData\start.exe
"C:\ProgramData\start.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F4CA.tmp\F4CB.tmp\F4CC.bat C:\ProgramData\start.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\ProgramData\Changer.exe
Changer.exe -pskxLL0100xKKsjXJ19289 -dc:/ProgramData
4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2208

C:\ProgramData\allSkinsData.exe
"C:\ProgramData\allSkinsData.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2684

C:\ProgramData\InventoryChangerLoader.exe
"C:\ProgramData\InventoryChangerLoader.exe"
5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Changer.exe
Filesize
25.6MB

MD5
432498138f372d6f58fb1ce3838eaab9

SHA1
74e5cd939cf140d9ed37ee901d68b2a51e49aa33

SHA256
47d02c42b8460c5c7031a32add3cb69ac6950f8f8f613e93a2e956721f42bdd7

SHA512
98fbcf36196d41289579aa6383593d85080bfd2e3095c75dcd645aa59a911e3a6ac3f638fa9e0b5649b2d16ed9db29e0f2c3bf9c640838792e63c4ffb14372a0

Download Submit
C:\ProgramData\InventoryChangerLoader.exe
Filesize
14.2MB

MD5
3dd6cc2610355bbd373e371bf73a00e8

SHA1
2fbaaa9fbbcffe14ce59ff76d3dc362bfb8b3acf

SHA256
0b1673433abfcb1257ff9db3c6f4d84cd3637ba9351fdabd889209798da2b228

SHA512
eb44ac42d55fddfc1a93f82c8cbf577c7fdef65b2938e0cbcf58630c92cb7b073916906d096970a3a3271a0fcf20fd32c3c9c10788f12820d79a2d28abeafba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab19BA.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4CA.tmp\F4CB.tmp\F4CC.bat
Filesize
74B

MD5
ad1338af912f600aacea8967b518c5cf

SHA1
e1a44e009c1f925bce69d423949d1e27670b21f2

SHA256
3407436e93523047a207cc6ae8d4eb17cc578b7687e41601b0347e7e42d3ba26

SHA512
68147c07bef9aa52bd88375e96cb07984f851cfd31a08e85eb6fa818bc10a6d38c392b4afe02ec25317f5d2d54873ded12dff6a6faf0a24b769db736e3190875

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1A0B.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\ProgramData\allSkinsData.exe
Filesize
1.4MB

MD5
9e964d0100dde88172f64ecef8e49299

SHA1
e65910e0c60e1c728f59a2004ba2f0d44eb56da9

SHA256
22fc083a0dc3b0b7f2275a8097e3a7c60fa6ebdd00ad80a90dcfc03f90e50644

SHA512
63c56cdec6bfe0f02bc495cf4636cbb5524affc0af7f3b7802cd90aa59d8eba57eaeb55c6fe0f312e4d61d069c9f3ff0207dca14a60f71dad0f6874464868b49

Download Submit
\ProgramData\start.exe
Filesize
88KB

MD5
9590a44fb19cef257378efe5697e8b0b

SHA1
7c6bec1a118adcb4fc2dad41512b94b2577a5a48

SHA256
1270bb6be5ccb0754ac42b7362e93de56e10cae6e6ddaa60a77faf63696c5853

SHA512
421f80702314165eb1e68dc0698533b9f6b91bdaa2ea8488f6812e84731599d4cb8b80469c962681ea58d20dd46ef34e7efbb1f7badfb0bd3e68cd876d3c2247

Download Submit
memory/1532-58-0x0000000002720000-0x000000000275A000-memory.dmp

Filesize
232KB

Download
memory/1532-56-0x0000000000880000-0x000000000088A000-memory.dmp

Filesize
40KB

Download
memory/1532-52-0x000000001EB50000-0x000000001F23E000-memory.dmp

Filesize
6.9MB

Download
memory/1532-54-0x0000000000990000-0x00000000009BE000-memory.dmp

Filesize
184KB

Download
memory/1532-53-0x0000000004060000-0x00000000040B0000-memory.dmp

Filesize
320KB

Download
memory/1532-55-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/1532-57-0x0000000000880000-0x000000000088A000-memory.dmp

Filesize
40KB

Download
memory/1532-51-0x000000001E460000-0x000000001EB4A000-memory.dmp

Filesize
6.9MB

Download
memory/1532-50-0x00000000009C0000-0x000000000260A000-memory.dmp

Filesize
28.3MB

Download
memory/1532-59-0x000000001DE70000-0x000000001DF20000-memory.dmp

Filesize
704KB

Download
memory/1532-132-0x0000000000880000-0x000000000088A000-memory.dmp

Filesize
40KB

Download
memory/2684-87-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2684-86-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2848-48-0x0000000000AE0000-0x0000000000C54000-memory.dmp

Filesize
1.5MB

Download
memory/2848-49-0x00000000005B0000-0x00000000005CE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads