formbook | 12fa6c4f9dc345eca587fe606caf9a5eccfcdc5456b2617ec17b1b1f1e06d24a

General

Target

Nuevo Pago 15.10.2021.exe
Size

247KB
MD5

b50f2ee58a34c1e367450e1e2bc107bf
SHA1

9a5bc255948f7b16eb3d109808d8d1bafd1f6070
SHA256

12fa6c4f9dc345eca587fe606caf9a5eccfcdc5456b2617ec17b1b1f1e06d24a
SHA512

fc3aed1caf7cdc271bfca44c8a7bcb254c7331f882c2a5903be7e9921ce71563dcfe305ed0f24838707f30909fa5cbb60854a187e46dc308bbb2c206a71148bb

Score

10^/10

formbook xloader u9xn loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u9xn

C2

http://www.crisisinterventionadvocates.com/u9xn/

Decoy

lifeguardingcoursenearme.com

bolsaspapelcdmx.com

parsleypkllqu.xyz

68134.online

shopthatlookboutique.com

canlibahisportal.com

oligopoly.city

srchwithus.online

151motors.com

17yue.info

auntmarysnj.com

hanansalman.com

heyunshangcheng.info

doorslamersplus.com

sfcn-dng.com

highvizpeople.com

seoexpertinbangladesh.com

christinegagnonjewellery.com

artifactorie.biz

mre3.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/524-55-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/524-56-0x000000000041D4F0-mapping.dmp	xloader
behavioral1/memory/524-61-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1176-67-0x0000000000100000-0x0000000000129000-memory.dmp	xloader
behavioral1/memory/1836-79-0x000000000041D4F0-mapping.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ipconfig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\J0HTELEPOVE = "C:\\Program Files (x86)\\Xgbcpjfbp\\vgaohl8x6.exe"	ipconfig.exe

Executes dropped EXE 2 IoCs

Processes:

vgaohl8x6.exevgaohl8x6.exe

pid process

1724 vgaohl8x6.exe
1836 vgaohl8x6.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1304 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

Nuevo Pago 15.10.2021.exevgaohl8x6.exe

pid process

1464 Nuevo Pago 15.10.2021.exe
1724 vgaohl8x6.exe

pid	process
1724	vgaohl8x6.exe
1836	vgaohl8x6.exe

pid	process
1304	cmd.exe

pid	process
1464	Nuevo Pago 15.10.2021.exe
1724	vgaohl8x6.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

Nuevo Pago 15.10.2021.exeNuevo Pago 15.10.2021.exeipconfig.exevgaohl8x6.exe

description	pid	process	target process
PID 1464 set thread context of 524	1464	Nuevo Pago 15.10.2021.exe	Nuevo Pago 15.10.2021.exe
PID 524 set thread context of 1388	524	Nuevo Pago 15.10.2021.exe	Explorer.EXE
PID 524 set thread context of 1388	524	Nuevo Pago 15.10.2021.exe	Explorer.EXE
PID 1176 set thread context of 1388	1176	ipconfig.exe	Explorer.EXE
PID 1724 set thread context of 1836	1724	vgaohl8x6.exe	vgaohl8x6.exe

Drops file in Program Files directory 2 IoCs

Processes:

ipconfig.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe	ipconfig.exe
File created	C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe	nsis_installer_1
C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe	nsis_installer_2
C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe	nsis_installer_1
C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe	nsis_installer_2
C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe	nsis_installer_1
C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe	nsis_installer_2

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1176 ipconfig.exe

pid	process
1176	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

Nuevo Pago 15.10.2021.exeipconfig.exevgaohl8x6.exe

pid	process
524	Nuevo Pago 15.10.2021.exe
524	Nuevo Pago 15.10.2021.exe
524	Nuevo Pago 15.10.2021.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1836	vgaohl8x6.exe
1176	ipconfig.exe
1176	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1388 Explorer.EXE

pid	process
1388	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

Nuevo Pago 15.10.2021.exeipconfig.exe

pid	process
524	Nuevo Pago 15.10.2021.exe
524	Nuevo Pago 15.10.2021.exe
524	Nuevo Pago 15.10.2021.exe
524	Nuevo Pago 15.10.2021.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe
1176	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Nuevo Pago 15.10.2021.exeipconfig.exevgaohl8x6.exe

description	pid	process
Token: SeDebugPrivilege	524	Nuevo Pago 15.10.2021.exe
Token: SeDebugPrivilege	1176	ipconfig.exe
Token: SeDebugPrivilege	1836	vgaohl8x6.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1388 Explorer.EXE
1388 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1388 Explorer.EXE
1388 Explorer.EXE

pid	process
1388	Explorer.EXE
1388	Explorer.EXE

pid	process
1388	Explorer.EXE
1388	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

Nuevo Pago 15.10.2021.exeExplorer.EXEipconfig.exevgaohl8x6.exe

description	pid	process	target process
PID 1464 wrote to memory of 524	1464	Nuevo Pago 15.10.2021.exe	Nuevo Pago 15.10.2021.exe
PID 1464 wrote to memory of 524	1464	Nuevo Pago 15.10.2021.exe	Nuevo Pago 15.10.2021.exe
PID 1464 wrote to memory of 524	1464	Nuevo Pago 15.10.2021.exe	Nuevo Pago 15.10.2021.exe
PID 1464 wrote to memory of 524	1464	Nuevo Pago 15.10.2021.exe	Nuevo Pago 15.10.2021.exe
PID 1464 wrote to memory of 524	1464	Nuevo Pago 15.10.2021.exe	Nuevo Pago 15.10.2021.exe
PID 1464 wrote to memory of 524	1464	Nuevo Pago 15.10.2021.exe	Nuevo Pago 15.10.2021.exe
PID 1464 wrote to memory of 524	1464	Nuevo Pago 15.10.2021.exe	Nuevo Pago 15.10.2021.exe
PID 1388 wrote to memory of 1176	1388	Explorer.EXE	ipconfig.exe
PID 1388 wrote to memory of 1176	1388	Explorer.EXE	ipconfig.exe
PID 1388 wrote to memory of 1176	1388	Explorer.EXE	ipconfig.exe
PID 1388 wrote to memory of 1176	1388	Explorer.EXE	ipconfig.exe
PID 1176 wrote to memory of 1304	1176	ipconfig.exe	cmd.exe
PID 1176 wrote to memory of 1304	1176	ipconfig.exe	cmd.exe
PID 1176 wrote to memory of 1304	1176	ipconfig.exe	cmd.exe
PID 1176 wrote to memory of 1304	1176	ipconfig.exe	cmd.exe
PID 1176 wrote to memory of 868	1176	ipconfig.exe	Firefox.exe
PID 1176 wrote to memory of 868	1176	ipconfig.exe	Firefox.exe
PID 1176 wrote to memory of 868	1176	ipconfig.exe	Firefox.exe
PID 1176 wrote to memory of 868	1176	ipconfig.exe	Firefox.exe
PID 1388 wrote to memory of 1724	1388	Explorer.EXE	vgaohl8x6.exe
PID 1388 wrote to memory of 1724	1388	Explorer.EXE	vgaohl8x6.exe
PID 1388 wrote to memory of 1724	1388	Explorer.EXE	vgaohl8x6.exe
PID 1388 wrote to memory of 1724	1388	Explorer.EXE	vgaohl8x6.exe
PID 1724 wrote to memory of 1836	1724	vgaohl8x6.exe	vgaohl8x6.exe
PID 1724 wrote to memory of 1836	1724	vgaohl8x6.exe	vgaohl8x6.exe
PID 1724 wrote to memory of 1836	1724	vgaohl8x6.exe	vgaohl8x6.exe
PID 1724 wrote to memory of 1836	1724	vgaohl8x6.exe	vgaohl8x6.exe
PID 1724 wrote to memory of 1836	1724	vgaohl8x6.exe	vgaohl8x6.exe
PID 1724 wrote to memory of 1836	1724	vgaohl8x6.exe	vgaohl8x6.exe
PID 1724 wrote to memory of 1836	1724	vgaohl8x6.exe	vgaohl8x6.exe
PID 1176 wrote to memory of 868	1176	ipconfig.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe
"C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe
"C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1280

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:868

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1452

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1248

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:940

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1396

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:584

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:548

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:836

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1400

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1460

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2020

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1260

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1288

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1792

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1544

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1076

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:612

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:984

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1160

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1128

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1816

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1156

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1052

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1324

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1484

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1884

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1284

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1644

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1092

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:632

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:840

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1480

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1532

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe"
3⤵
- Deletes itself
PID:1304

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:868

C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe
"C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1724

C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe
"C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe
MD5
b50f2ee58a34c1e367450e1e2bc107bf

SHA1
9a5bc255948f7b16eb3d109808d8d1bafd1f6070

SHA256
12fa6c4f9dc345eca587fe606caf9a5eccfcdc5456b2617ec17b1b1f1e06d24a

SHA512
fc3aed1caf7cdc271bfca44c8a7bcb254c7331f882c2a5903be7e9921ce71563dcfe305ed0f24838707f30909fa5cbb60854a187e46dc308bbb2c206a71148bb

Download Submit
C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe
MD5
b50f2ee58a34c1e367450e1e2bc107bf

SHA1
9a5bc255948f7b16eb3d109808d8d1bafd1f6070

SHA256
12fa6c4f9dc345eca587fe606caf9a5eccfcdc5456b2617ec17b1b1f1e06d24a

SHA512
fc3aed1caf7cdc271bfca44c8a7bcb254c7331f882c2a5903be7e9921ce71563dcfe305ed0f24838707f30909fa5cbb60854a187e46dc308bbb2c206a71148bb

Download Submit
C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe
MD5
b50f2ee58a34c1e367450e1e2bc107bf

SHA1
9a5bc255948f7b16eb3d109808d8d1bafd1f6070

SHA256
12fa6c4f9dc345eca587fe606caf9a5eccfcdc5456b2617ec17b1b1f1e06d24a

SHA512
fc3aed1caf7cdc271bfca44c8a7bcb254c7331f882c2a5903be7e9921ce71563dcfe305ed0f24838707f30909fa5cbb60854a187e46dc308bbb2c206a71148bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntgda9u5r81z
MD5
c8454c5a4e451f0b25b3ee8d33395505

SHA1
4c7e0cd3fcba769745df36d779b1bc38097fb8c4

SHA256
403c9e6c9e00c83c4564bf71813d564711a72fe4d30ba53ea604a0670ecc8ca8

SHA512
e831414daf7e9def23d66c715b6ae51904879c1e24c08333ccd2da75f7d4ee5e1585430488b38bc519450f07bdd5c72f20fc3803c0c6de6a27ef4408e110bcf1

Download Submit
\Users\Admin\AppData\Local\Temp\nsiC19B.tmp\gibh.dll
MD5
6a6e5ce1da420ef522bed80375260881

SHA1
acc4a1f85c397d6b93ba69f43182cbaf8d9cd768

SHA256
829d331503e630301cb7e037a7e451e5e697db9573ee5ea5e2e2e2e5d195e6b1

SHA512
1f1bdab25301ac57cd5d796557625a6a812900f01c44bf391fa1052f5fecf05b8c8edcb80b44ab1a7e4a74943aa722fc801b28e1212e6858c4d8b7b8d64f7102

Download Submit
\Users\Admin\AppData\Local\Temp\nsuE3DB.tmp\gibh.dll
MD5
6a6e5ce1da420ef522bed80375260881

SHA1
acc4a1f85c397d6b93ba69f43182cbaf8d9cd768

SHA256
829d331503e630301cb7e037a7e451e5e697db9573ee5ea5e2e2e2e5d195e6b1

SHA512
1f1bdab25301ac57cd5d796557625a6a812900f01c44bf391fa1052f5fecf05b8c8edcb80b44ab1a7e4a74943aa722fc801b28e1212e6858c4d8b7b8d64f7102

Download Submit
memory/524-58-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download
memory/524-59-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/524-62-0x0000000000550000-0x0000000000561000-memory.dmp

Filesize
68KB

Download
memory/524-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/524-56-0x000000000041D4F0-mapping.dmp

Download
memory/524-61-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1176-66-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download
memory/1176-69-0x0000000002060000-0x0000000002363000-memory.dmp

Filesize
3.0MB

Download
memory/1176-70-0x00000000009C0000-0x0000000000A50000-memory.dmp

Filesize
576KB

Download
memory/1176-67-0x0000000000100000-0x0000000000129000-memory.dmp

Filesize
164KB

Download
memory/1176-64-0x0000000000000000-mapping.dmp

Download
memory/1304-68-0x0000000000000000-mapping.dmp

Download
memory/1388-71-0x0000000003C50000-0x0000000003CF7000-memory.dmp

Filesize
668KB

Download
memory/1388-60-0x0000000006090000-0x000000000618A000-memory.dmp

Filesize
1000KB

Download
memory/1388-63-0x0000000006B80000-0x0000000006CEE000-memory.dmp

Filesize
1.4MB

Download
memory/1464-53-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1724-72-0x0000000000000000-mapping.dmp

Download
memory/1836-79-0x000000000041D4F0-mapping.dmp

Download
memory/1836-81-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads