formbook | c0fdf37354c28e674255d1a26ed5190c6664639f424d485c5652098f458835c5

General

Target

PI.exe
Size

70KB
MD5

72e88de1efc3b17b6b59a635bad25294
SHA1

929b2471c0186e2e676c44d7687d3ac1f23c555c
SHA256

c0fdf37354c28e674255d1a26ed5190c6664639f424d485c5652098f458835c5
SHA512

95ec26ffa6a1de34aa9dc91ed431bccaa6c238bd316e79696e14e1ec4976f1a1564435f0d33e540cb15a023bc60230f223595c26e081033300c43ddc6edd3480
SSDEEP

1536:i03oxUXqNKAuDUaQl+kzdC9GiZQWSwi/fUpS/fX/MNK:i/QAuis1Jy///f/M0

Score

10^/10

formbook xloader zzun loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

zzun

Decoy

JnNtRHyNupy0GqRzAcasu7hb4rc=

Qv593NGLE7p9UNSaVkPXljAJm2QCNnc=

ePArIFWvjkkMgVEVhw4M4Jk=

26rqUwJ7dD0AiDI=

pBAxMHeK741QFw==

kHD7TPt5846pUMTX

56UnjFjHL1i0j659h3LymRnHpQj+SshC

4vKlKHflPqmWXRbrRwfPtrhb4rc=

6LBd4qButFAi

phMzGll8Ue7Fu+inq5cdnPaSugG3

NKswiQGCvZoG5FgsdHEI

rtTHnuUY8M1qVcXV

SOmECrlAt2oGAA==

L1ep9adutFAi

/UE+/AyvE6uEl28weFI=

IP+xMPQxJR4NE6TK

xvW5GN9/rqA5YUoOVt185Sf7Uw==

fRFNW9DhxL6VF7LA

KFYTfkaY741QFw==

W4JGvMBmt2oGAA==

Extracted

Family

xloader

Version

2.9

Campaign

zzun

Decoy

JnNtRHyNupy0GqRzAcasu7hb4rc=

Qv593NGLE7p9UNSaVkPXljAJm2QCNnc=

ePArIFWvjkkMgVEVhw4M4Jk=

26rqUwJ7dD0AiDI=

pBAxMHeK741QFw==

kHD7TPt5846pUMTX

56UnjFjHL1i0j659h3LymRnHpQj+SshC

4vKlKHflPqmWXRbrRwfPtrhb4rc=

6LBd4qButFAi

phMzGll8Ue7Fu+inq5cdnPaSugG3

NKswiQGCvZoG5FgsdHEI

rtTHnuUY8M1qVcXV

SOmECrlAt2oGAA==

L1ep9adutFAi

/UE+/AyvE6uEl28weFI=

IP+xMPQxJR4NE6TK

xvW5GN9/rqA5YUoOVt185Sf7Uw==

fRFNW9DhxL6VF7LA

KFYTfkaY741QFw==

W4JGvMBmt2oGAA==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4208-146-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/4208-148-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral2/memory/2036-154-0x0000000000F00000-0x0000000000F2C000-memory.dmp	xloader
behavioral2/memory/2036-159-0x0000000000F00000-0x0000000000F2C000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

systray.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	systray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\H8R0TXE8_4 = "C:\\Program Files (x86)\\Fe6qlrh\\vgaevwtv400.exe"	systray.exe

Executes dropped EXE 1 IoCs

Processes:

vgaevwtv400.exe

pid process

2172 vgaevwtv400.exe

pid	process
2172	vgaevwtv400.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vgaevwtv400.exePI.exePI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	vgaevwtv400.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	PI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	PI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PI.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iocoj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ndsosim\\Iocoj.exe\""	PI.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

PI.exePI.exesystray.exe

description	pid	process	target process
PID 1324 set thread context of 4208	1324	PI.exe	PI.exe
PID 4208 set thread context of 2416	4208	PI.exe	Explorer.EXE
PID 2036 set thread context of 2416	2036	systray.exe	Explorer.EXE

Drops file in Program Files directory 4 IoCs

Processes:

Explorer.EXEsystray.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Fe6qlrh\vgaevwtv400.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Fe6qlrh\vgaevwtv400.exe	systray.exe
File opened for modification	C:\Program Files (x86)\Fe6qlrh	Explorer.EXE
File created	C:\Program Files (x86)\Fe6qlrh\vgaevwtv400.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

systray.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	systray.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

powershell.exePI.exePI.exesystray.exepowershell.exe

pid	process
3396	powershell.exe
3396	powershell.exe
1324	PI.exe
1324	PI.exe
4208	PI.exe
4208	PI.exe
4208	PI.exe
4208	PI.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
3628	powershell.exe
3628	powershell.exe
2036	systray.exe
2036	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2416 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

PI.exesystray.exe

pid process

4208 PI.exe
4208 PI.exe
4208 PI.exe
2036 systray.exe
2036 systray.exe
2036 systray.exe
2036 systray.exe

pid	process
2416	Explorer.EXE

pid	process
4208	PI.exe
4208	PI.exe
4208	PI.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe
2036	systray.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

PI.exepowershell.exePI.exesystray.exeExplorer.EXEvgaevwtv400.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1324	PI.exe
Token: SeDebugPrivilege	3396	powershell.exe
Token: SeDebugPrivilege	4208	PI.exe
Token: SeDebugPrivilege	2036	systray.exe
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeShutdownPrivilege	2416	Explorer.EXE
Token: SeCreatePagefilePrivilege	2416	Explorer.EXE
Token: SeDebugPrivilege	2172	vgaevwtv400.exe
Token: SeDebugPrivilege	3628	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

PI.exeExplorer.EXEsystray.exevgaevwtv400.exe

description	pid	process	target process
PID 1324 wrote to memory of 3396	1324	PI.exe	powershell.exe
PID 1324 wrote to memory of 3396	1324	PI.exe	powershell.exe
PID 1324 wrote to memory of 3396	1324	PI.exe	powershell.exe
PID 1324 wrote to memory of 4624	1324	PI.exe	PI.exe
PID 1324 wrote to memory of 4624	1324	PI.exe	PI.exe
PID 1324 wrote to memory of 4624	1324	PI.exe	PI.exe
PID 1324 wrote to memory of 4208	1324	PI.exe	PI.exe
PID 1324 wrote to memory of 4208	1324	PI.exe	PI.exe
PID 1324 wrote to memory of 4208	1324	PI.exe	PI.exe
PID 1324 wrote to memory of 4208	1324	PI.exe	PI.exe
PID 1324 wrote to memory of 4208	1324	PI.exe	PI.exe
PID 1324 wrote to memory of 4208	1324	PI.exe	PI.exe
PID 2416 wrote to memory of 2036	2416	Explorer.EXE	systray.exe
PID 2416 wrote to memory of 2036	2416	Explorer.EXE	systray.exe
PID 2416 wrote to memory of 2036	2416	Explorer.EXE	systray.exe
PID 2036 wrote to memory of 3140	2036	systray.exe	cmd.exe
PID 2036 wrote to memory of 3140	2036	systray.exe	cmd.exe
PID 2036 wrote to memory of 3140	2036	systray.exe	cmd.exe
PID 2036 wrote to memory of 1324	2036	systray.exe	cmd.exe
PID 2036 wrote to memory of 1324	2036	systray.exe	cmd.exe
PID 2036 wrote to memory of 1324	2036	systray.exe	cmd.exe
PID 2036 wrote to memory of 444	2036	systray.exe	cmd.exe
PID 2036 wrote to memory of 444	2036	systray.exe	cmd.exe
PID 2036 wrote to memory of 444	2036	systray.exe	cmd.exe
PID 2036 wrote to memory of 892	2036	systray.exe	Firefox.exe
PID 2036 wrote to memory of 892	2036	systray.exe	Firefox.exe
PID 2036 wrote to memory of 892	2036	systray.exe	Firefox.exe
PID 2416 wrote to memory of 2172	2416	Explorer.EXE	vgaevwtv400.exe
PID 2416 wrote to memory of 2172	2416	Explorer.EXE	vgaevwtv400.exe
PID 2416 wrote to memory of 2172	2416	Explorer.EXE	vgaevwtv400.exe
PID 2172 wrote to memory of 3628	2172	vgaevwtv400.exe	powershell.exe
PID 2172 wrote to memory of 3628	2172	vgaevwtv400.exe	powershell.exe
PID 2172 wrote to memory of 3628	2172	vgaevwtv400.exe	powershell.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Users\Admin\AppData\Local\Temp\PI.exe
C:\Users\Admin\AppData\Local\Temp\PI.exe
3⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\PI.exe
C:\Users\Admin\AppData\Local\Temp\PI.exe
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
3⤵
PID:3140

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:1324

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:444

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:892

C:\Program Files (x86)\Fe6qlrh\vgaevwtv400.exe
"C:\Program Files (x86)\Fe6qlrh\vgaevwtv400.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Fe6qlrh\vgaevwtv400.exe
Filesize
70KB

MD5
72e88de1efc3b17b6b59a635bad25294

SHA1
929b2471c0186e2e676c44d7687d3ac1f23c555c

SHA256
c0fdf37354c28e674255d1a26ed5190c6664639f424d485c5652098f458835c5

SHA512
95ec26ffa6a1de34aa9dc91ed431bccaa6c238bd316e79696e14e1ec4976f1a1564435f0d33e540cb15a023bc60230f223595c26e081033300c43ddc6edd3480

Download Submit
C:\Program Files (x86)\Fe6qlrh\vgaevwtv400.exe
Filesize
70KB

MD5
72e88de1efc3b17b6b59a635bad25294

SHA1
929b2471c0186e2e676c44d7687d3ac1f23c555c

SHA256
c0fdf37354c28e674255d1a26ed5190c6664639f424d485c5652098f458835c5

SHA512
95ec26ffa6a1de34aa9dc91ed431bccaa6c238bd316e79696e14e1ec4976f1a1564435f0d33e540cb15a023bc60230f223595c26e081033300c43ddc6edd3480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
a030b924386a906cce4bc7f41b92ac10

SHA1
64d319e816b289f62ea7877be5f06498360afbd7

SHA256
d07eaace9a8c73b74542dc3e14850ceafd0974725ec5ea4bb89eff3879d78388

SHA512
4063c94ce4edec93999f5c08062424d65d4e0c4d8aa79c86e48d35b0978eb6a8c6979f16914284b99525c19daeaf0d97b25f04485cafec9b32ad96fceedfcffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
memory/444-163-0x0000000000000000-mapping.dmp

Download
memory/1324-142-0x0000000005D20000-0x0000000005DB2000-memory.dmp

Filesize
584KB

Download
memory/1324-132-0x0000000000380000-0x0000000000396000-memory.dmp

Filesize
88KB

Download
memory/1324-143-0x00000000069F0000-0x0000000006F94000-memory.dmp

Filesize
5.6MB

Download
memory/1324-133-0x00000000057C0000-0x00000000057E2000-memory.dmp

Filesize
136KB

Download
memory/1324-161-0x0000000000000000-mapping.dmp

Download
memory/2036-153-0x0000000000530000-0x0000000000536000-memory.dmp

Filesize
24KB

Download
memory/2036-159-0x0000000000F00000-0x0000000000F2C000-memory.dmp

Filesize
176KB

Download
memory/2036-157-0x0000000002C00000-0x0000000002C90000-memory.dmp

Filesize
576KB

Download
memory/2036-155-0x0000000002D70000-0x00000000030BA000-memory.dmp

Filesize
3.3MB

Download
memory/2036-154-0x0000000000F00000-0x0000000000F2C000-memory.dmp

Filesize
176KB

Download
memory/2036-152-0x0000000000000000-mapping.dmp

Download
memory/2172-179-0x0000000000000000-mapping.dmp

Download
memory/2416-172-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2416-178-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2416-151-0x0000000002FE0000-0x00000000030A9000-memory.dmp

Filesize
804KB

Download
memory/2416-177-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2416-176-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2416-158-0x0000000007C00000-0x0000000007D3D000-memory.dmp

Filesize
1.2MB

Download
memory/2416-175-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/2416-160-0x0000000007C00000-0x0000000007D3D000-memory.dmp

Filesize
1.2MB

Download
memory/2416-174-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-173-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2416-171-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2416-170-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/2416-165-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/2416-166-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/2416-167-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2416-168-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2416-169-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/3140-156-0x0000000000000000-mapping.dmp

Download
memory/3396-138-0x00000000059C0000-0x0000000005A26000-memory.dmp

Filesize
408KB

Download
memory/3396-134-0x0000000000000000-mapping.dmp

Download
memory/3396-140-0x0000000007830000-0x0000000007EAA000-memory.dmp

Filesize
6.5MB

Download
memory/3396-135-0x00000000026A0000-0x00000000026D6000-memory.dmp

Filesize
216KB

Download
memory/3396-141-0x0000000006510000-0x000000000652A000-memory.dmp

Filesize
104KB

Download
memory/3396-136-0x0000000005260000-0x0000000005888000-memory.dmp

Filesize
6.2MB

Download
memory/3396-137-0x00000000051C0000-0x0000000005226000-memory.dmp

Filesize
408KB

Download
memory/3396-139-0x0000000005FF0000-0x000000000600E000-memory.dmp

Filesize
120KB

Download
memory/3628-182-0x0000000000000000-mapping.dmp

Download
memory/4208-146-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4208-150-0x0000000000F10000-0x0000000000F21000-memory.dmp

Filesize
68KB

Download
memory/4208-149-0x0000000000F30000-0x000000000127A000-memory.dmp

Filesize
3.3MB

Download
memory/4208-148-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4208-145-0x0000000000000000-mapping.dmp

Download
memory/4624-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads