xloader | edf47643570963890ad63265b1884882a471f000ce9d4a681dd5cdfb8efdc53b

General

Target

purchase order RYP-210720.xlsx
Size

1.4MB
MD5

4ddcef3dc2b64260444ea0d7eab89ff6
SHA1

0c8b18807dc813333c7f3ed420044a5b52798060
SHA256

edf47643570963890ad63265b1884882a471f000ce9d4a681dd5cdfb8efdc53b
SHA512

d809a8c7be2c0f718df8121f57f51adeb3de4ff5e764c1470efeb85882098ba93510ea9c041ca45c826de3c9411346caad0e6773d381c28e6ce6b6d9819bbbea

Score

10^/10

xloader ecuu loader persistence rat suricata

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ecuu

C2

http://www.polaritelibrairie.com/ecuu/

Decoy

buoy8boats.com

tomrings.com

o-distribs.com

majesticgroupinc.com

tehridam.com

yzwjtoys.com

castro-online.run

aquarius-twins.com

jamesrrossfineart.com

pavarasupatthonkol.com

rivermarketdentistry.com

gyiblrjd.icu

redcountrypodcast.com

youngbrotherspharmacyga.com

betsysobiech.com

neocleanpro.com

ingpatrimoine.com

mustangsallytransportation.com

jsvfcxzn.com

krsfpjuoekcd.info

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2344-84-0x0000000000000000-mapping.dmp	xloader
behavioral1/memory/2344-86-0x0000000010430000-0x0000000010459000-memory.dmp	xloader
behavioral1/memory/2416-95-0x00000000000D0000-0x00000000000F9000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

5 1588 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1096 vbc.exe
1548 vbc.exe
Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

1588 EQNEDT32.EXE
1588 EQNEDT32.EXE
1588 EQNEDT32.EXE
1588 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
5	1588	EQNEDT32.EXE

pid	process
1096	vbc.exe
1548	vbc.exe

pid	process
1588	EQNEDT32.EXE
1588	EQNEDT32.EXE
1588	EQNEDT32.EXE
1588	EQNEDT32.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zbgpobu = "C:\\Users\\Public\\Libraries\\ubopgbZ.url"	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

logagent.execmstp.exe

description	pid	process	target process
PID 2344 set thread context of 1272	2344	logagent.exe	Explorer.EXE
PID 2344 set thread context of 1272	2344	logagent.exe	Explorer.EXE
PID 2416 set thread context of 1272	2416	cmstp.exe	Explorer.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1588 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1588	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1844 EXCEL.EXE

pid	process
1844	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

logagent.execmstp.exe

pid	process
2344	logagent.exe
2344	logagent.exe
2344	logagent.exe
2416	cmstp.exe
2416	cmstp.exe
2416	cmstp.exe
2416	cmstp.exe
2416	cmstp.exe
2416	cmstp.exe
2416	cmstp.exe
2416	cmstp.exe
2416	cmstp.exe
2416	cmstp.exe
2416	cmstp.exe
2416	cmstp.exe
2416	cmstp.exe
2416	cmstp.exe
2416	cmstp.exe
2416	cmstp.exe
2416	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

logagent.execmstp.exe

pid process

2344 logagent.exe
2344 logagent.exe
2344 logagent.exe
2344 logagent.exe
2416 cmstp.exe
2416 cmstp.exe

pid	process
1272	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

logagent.exeExplorer.EXEcmstp.exe

description	pid	process
Token: SeDebugPrivilege	2344	logagent.exe
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeDebugPrivilege	2416	cmstp.exe
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE
1272 Explorer.EXE
1272 Explorer.EXE
1272 Explorer.EXE
1272 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE
1272 Explorer.EXE
1272 Explorer.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1844 EXCEL.EXE
1844 EXCEL.EXE
1844 EXCEL.EXE
1844 EXCEL.EXE
1844 EXCEL.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE

pid	process
1844	EXCEL.EXE
1844	EXCEL.EXE
1844	EXCEL.EXE
1844	EXCEL.EXE
1844	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EQNEDT32.EXEvbc.exe

description	pid	process	target process
PID 1588 wrote to memory of 1096	1588	EQNEDT32.EXE	vbc.exe
PID 1588 wrote to memory of 1096	1588	EQNEDT32.EXE	vbc.exe
PID 1588 wrote to memory of 1096	1588	EQNEDT32.EXE	vbc.exe
PID 1588 wrote to memory of 1096	1588	EQNEDT32.EXE	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe
PID 1096 wrote to memory of 1548	1096	vbc.exe	vbc.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1272

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\purchase order RYP-210720.xlsx"
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\logagent.exe"
3⤵
PID:2456

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Public\vbc.exe
C:\Users\Public\vbc.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1548

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
aca08c69a22e6f4f07cb44a74e7b9dac

SHA1
4bc60c4b13744c992e0a52e295bafc031791ae70

SHA256
8a4f2595fd06f95e90671af95430b5473d27a50097eaf3d2719de076748e1d85

SHA512
bf00facdba3c7de28034a6506cecc9509dc59957127c6a82ca3f13e8f4a9ecc4546802bf43d6267c4a88f2e8f01554d5fc3182db89beeb13a2bcb93376a5165e

Download Submit
C:\Users\Public\vbc.exe
MD5
aca08c69a22e6f4f07cb44a74e7b9dac

SHA1
4bc60c4b13744c992e0a52e295bafc031791ae70

SHA256
8a4f2595fd06f95e90671af95430b5473d27a50097eaf3d2719de076748e1d85

SHA512
bf00facdba3c7de28034a6506cecc9509dc59957127c6a82ca3f13e8f4a9ecc4546802bf43d6267c4a88f2e8f01554d5fc3182db89beeb13a2bcb93376a5165e

Download Submit
C:\Users\Public\vbc.exe
MD5
aca08c69a22e6f4f07cb44a74e7b9dac

SHA1
4bc60c4b13744c992e0a52e295bafc031791ae70

SHA256
8a4f2595fd06f95e90671af95430b5473d27a50097eaf3d2719de076748e1d85

SHA512
bf00facdba3c7de28034a6506cecc9509dc59957127c6a82ca3f13e8f4a9ecc4546802bf43d6267c4a88f2e8f01554d5fc3182db89beeb13a2bcb93376a5165e

Download Submit
\Users\Public\vbc.exe
MD5
aca08c69a22e6f4f07cb44a74e7b9dac

SHA1
4bc60c4b13744c992e0a52e295bafc031791ae70

SHA256
8a4f2595fd06f95e90671af95430b5473d27a50097eaf3d2719de076748e1d85

SHA512
bf00facdba3c7de28034a6506cecc9509dc59957127c6a82ca3f13e8f4a9ecc4546802bf43d6267c4a88f2e8f01554d5fc3182db89beeb13a2bcb93376a5165e

Download Submit
\Users\Public\vbc.exe
MD5
aca08c69a22e6f4f07cb44a74e7b9dac

SHA1
4bc60c4b13744c992e0a52e295bafc031791ae70

SHA256
8a4f2595fd06f95e90671af95430b5473d27a50097eaf3d2719de076748e1d85

SHA512
bf00facdba3c7de28034a6506cecc9509dc59957127c6a82ca3f13e8f4a9ecc4546802bf43d6267c4a88f2e8f01554d5fc3182db89beeb13a2bcb93376a5165e

Download Submit
\Users\Public\vbc.exe
MD5
aca08c69a22e6f4f07cb44a74e7b9dac

SHA1
4bc60c4b13744c992e0a52e295bafc031791ae70

SHA256
8a4f2595fd06f95e90671af95430b5473d27a50097eaf3d2719de076748e1d85

SHA512
bf00facdba3c7de28034a6506cecc9509dc59957127c6a82ca3f13e8f4a9ecc4546802bf43d6267c4a88f2e8f01554d5fc3182db89beeb13a2bcb93376a5165e

Download Submit
\Users\Public\vbc.exe
MD5
aca08c69a22e6f4f07cb44a74e7b9dac

SHA1
4bc60c4b13744c992e0a52e295bafc031791ae70

SHA256
8a4f2595fd06f95e90671af95430b5473d27a50097eaf3d2719de076748e1d85

SHA512
bf00facdba3c7de28034a6506cecc9509dc59957127c6a82ca3f13e8f4a9ecc4546802bf43d6267c4a88f2e8f01554d5fc3182db89beeb13a2bcb93376a5165e

Download Submit
memory/1096-68-0x0000000000000000-mapping.dmp

Download
memory/1096-70-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1096-75-0x0000000010410000-0x000000001042B000-memory.dmp

Filesize
108KB

Download
memory/1272-89-0x0000000006B50000-0x0000000006CC3000-memory.dmp

Filesize
1.4MB

Download
memory/1272-102-0x000007FE81A10000-0x000007FE81A1A000-memory.dmp

Filesize
40KB

Download
memory/1272-101-0x000007FEF5970000-0x000007FEF5AB3000-memory.dmp

Filesize
1.3MB

Download
memory/1272-99-0x0000000004AE0000-0x0000000004C59000-memory.dmp

Filesize
1.5MB

Download
memory/1272-91-0x0000000007410000-0x00000000075A5000-memory.dmp

Filesize
1.6MB

Download
memory/1548-73-0x0000000000000000-mapping.dmp

Download
memory/1548-78-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1548-79-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1588-63-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1844-81-0x00000000061B3000-0x00000000061B5000-memory.dmp

Filesize
8KB

Download
memory/1844-60-0x000000002FE61000-0x000000002FE64000-memory.dmp

Filesize
12KB

Download
memory/1844-61-0x00000000714E1000-0x00000000714E3000-memory.dmp

Filesize
8KB

Download
memory/1844-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1844-100-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1844-80-0x00000000061B0000-0x00000000061B3000-memory.dmp

Filesize
12KB

Download
memory/1844-82-0x00000000061B5000-0x00000000061B7000-memory.dmp

Filesize
8KB

Download
memory/1844-83-0x00000000061B5000-0x00000000061B7000-memory.dmp

Filesize
8KB

Download
memory/2344-90-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2344-88-0x0000000000110000-0x0000000000120000-memory.dmp

Filesize
64KB

Download
memory/2344-87-0x00000000022D0000-0x00000000025D3000-memory.dmp

Filesize
3.0MB

Download
memory/2344-86-0x0000000010430000-0x0000000010459000-memory.dmp

Filesize
164KB

Download
memory/2344-85-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2344-84-0x0000000000000000-mapping.dmp

Download
memory/2416-92-0x0000000000000000-mapping.dmp

Download
memory/2416-94-0x00000000002F0000-0x0000000000308000-memory.dmp

Filesize
96KB

Download
memory/2416-95-0x00000000000D0000-0x00000000000F9000-memory.dmp

Filesize
164KB

Download
memory/2416-97-0x0000000001FE0000-0x00000000022E3000-memory.dmp

Filesize
3.0MB

Download
memory/2416-98-0x00000000004E0000-0x000000000056F000-memory.dmp

Filesize
572KB

Download
memory/2456-96-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads