danabot | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc

General

Target

284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Size

1.0MB
MD5

ba55442cdf361e070f7ca8a07046cd38
SHA1

e61d143672c9bad99472aa885003a20574eddf32
SHA256

284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc
SHA512

a6e1669bf9a159d3d36aa24e7210854667c144f0f34c7d38fb6c2848d1687964c7d48d7760f99898eb4eb8d8eebf1be595890e80273c7d4326069c2a9d13feff

Score

10^/10

danabot 3829762824 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

C2

100.0.0.0:5148

58.50.42.34:13886

26.18.10.2:5662

60.52.44.36:14400

Attributes

embedded_hash
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
type
loader

Extracted

Family

danabot

Botnet

3829762824

C2

0.0.233.180:63873

0.0.0.235:0

115.139.85.12:17803

51.201.138.10:3141

Attributes

embedded_hash
s�t�e�m�.�I�d�e�n�t�i�t�y�M�o�d�
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

8 1548 rundll32.exe
9 1548 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
8	1548	rundll32.exe
9	1548	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

Processes:

284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe

description	pid	process	target process
PID 1388 set thread context of 1592	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2852	1388	WerFault.exe	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
4756	1388	WerFault.exe	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
4812	1388	WerFault.exe	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
4588	1388	WerFault.exe	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe

Checks processor information in registry 2 TTPs 45 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe

Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1592 rundll32.exe
1592 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 1592 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

1592 rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	rundll32.exe

pid	process
1592	rundll32.exe
1592	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1592	rundll32.exe

pid	process
1592	rundll32.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe

description	pid	process	target process
PID 1388 wrote to memory of 1548	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1548	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1548	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1548	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1548	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1548	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1548	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1548	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1548	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1548	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1548	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1548	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1548	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1548	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1548	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1548	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1548	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1548	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1548	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1592	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1592	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1592	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe
PID 1388 wrote to memory of 1592	1388	284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe	rundll32.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
"C:\Users\Admin\AppData\Local\Temp\284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe"
1⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 620
2⤵
- Program crash
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 872
2⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 936
2⤵
- Program crash
PID:4812

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- outlook_office_path
- outlook_win_path
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 1016
2⤵
- Program crash
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1388 -ip 1388
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1388 -ip 1388
1⤵
PID:100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1388 -ip 1388
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1388 -ip 1388
1⤵
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ouuorspuqqpf.tmp
Filesize
3.1MB

MD5
89704d53dd9ad75a12c7e8c75f98c78e

SHA1
4515d539f7813726592c940386c5553185ea18b0

SHA256
9a9aced19fc12d0d7542d37f4429196318d1a85c7843b6f6704c3a318f80319b

SHA512
7a1a446e21dbcaf73371e234721dcdf21e485744d1814d74702de14a9c758b874a2cb166a20230df2604271bf3121b00498df7d85641c02dd81bc14335b3b75e

Download Submit
memory/1388-142-0x0000000003B90000-0x0000000003CD0000-memory.dmp

Filesize
1.2MB

Download
memory/1388-133-0x0000000000400000-0x0000000000725000-memory.dmp

Filesize
3.1MB

Download
memory/1388-143-0x0000000003B90000-0x0000000003CD0000-memory.dmp

Filesize
1.2MB

Download
memory/1388-145-0x0000000003B90000-0x0000000003CD0000-memory.dmp

Filesize
1.2MB

Download
memory/1388-144-0x0000000003B90000-0x0000000003CD0000-memory.dmp

Filesize
1.2MB

Download
memory/1388-136-0x0000000000400000-0x0000000000725000-memory.dmp

Filesize
3.1MB

Download
memory/1388-130-0x0000000002471000-0x0000000002553000-memory.dmp

Filesize
904KB

Download
memory/1388-138-0x0000000003130000-0x0000000003B8A000-memory.dmp

Filesize
10.4MB

Download
memory/1388-139-0x0000000003130000-0x0000000003B8A000-memory.dmp

Filesize
10.4MB

Download
memory/1388-140-0x0000000003130000-0x0000000003B8A000-memory.dmp

Filesize
10.4MB

Download
memory/1388-141-0x0000000003B90000-0x0000000003CD0000-memory.dmp

Filesize
1.2MB

Download
memory/1388-131-0x0000000002840000-0x0000000002A70000-memory.dmp

Filesize
2.2MB

Download
memory/1388-156-0x0000000003130000-0x0000000003B8A000-memory.dmp

Filesize
10.4MB

Download
memory/1388-132-0x0000000000400000-0x0000000000725000-memory.dmp

Filesize
3.1MB

Download
memory/1388-134-0x0000000000400000-0x0000000000725000-memory.dmp

Filesize
3.1MB

Download
memory/1388-146-0x0000000003B90000-0x0000000003CD0000-memory.dmp

Filesize
1.2MB

Download
memory/1388-147-0x0000000003B90000-0x0000000003CD0000-memory.dmp

Filesize
1.2MB

Download
memory/1388-148-0x0000000003B90000-0x0000000003CD0000-memory.dmp

Filesize
1.2MB

Download
memory/1548-135-0x0000000000000000-mapping.dmp

Download
memory/1592-149-0x0000000000000000-mapping.dmp

Download
memory/1592-150-0x00000000029F0000-0x000000000344A000-memory.dmp

Filesize
10.4MB

Download
memory/1592-151-0x0000000000770000-0x00000000008B0000-memory.dmp

Filesize
1.2MB

Download
memory/1592-152-0x0000000000770000-0x00000000008B0000-memory.dmp

Filesize
1.2MB

Download
memory/1592-153-0x0000000000AA0000-0x00000000013DB000-memory.dmp

Filesize
9.2MB

Download
memory/1592-154-0x00000000029F0000-0x000000000344A000-memory.dmp

Filesize
10.4MB

Download
memory/1592-155-0x00000000029F0000-0x000000000344A000-memory.dmp

Filesize
10.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads