xmrig | 313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297

Analysis

max time kernel
150s
max time network
137s
platform
windows10_x64
resource
win10v20210410
submitted
13-05-2021 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe
Size

477KB
MD5

0ffd87a198719090f53bf74fedc89844
SHA1

670ded197734c25593e69da9f6a9dba7a986bf93
SHA256

313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297
SHA512

d6136d807424dea537cb6f26f32c91cf67c83a964e5b3e7215d5c0930a562e08d44f63b0c81df7b3291a5281fade69a472f73da4ed497ee8f99cbfc3d3ccd93c

Score

10^/10

xmrig macro miner persistence xlm

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 3 IoCs

Processes:

findshta.exeDismhone.exe~204F.tmp

pid process

2500 findshta.exe
2700 Dismhone.exe
2728 ~204F.tmp

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\~207E.tmp.ppt	office_xlm_macros

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\certsmon = "C:\\Users\\Admin\\AppData\\Roaming\\cttuutou\\findshta.exe"	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe

Drops file in System32 directory 1 IoCs

Processes:

313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe

description ioc process

File created C:\Windows\SysWOW64\Dismhone.exe 313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\Dismhone.exe	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Modifies registry class 1 IoCs

Processes:

313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

2616 POWERPNT.EXE

pid	process
2616	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

findshta.exeExplorer.EXEDismhone.exe

pid	process
2500	findshta.exe
2500	findshta.exe
1700	Explorer.EXE
1700	Explorer.EXE
2700	Dismhone.exe
2700	Dismhone.exe
1700	Explorer.EXE
1700	Explorer.EXE
2700	Dismhone.exe
2700	Dismhone.exe
1700	Explorer.EXE
1700	Explorer.EXE
2700	Dismhone.exe
2700	Dismhone.exe
1700	Explorer.EXE
1700	Explorer.EXE
2700	Dismhone.exe
2700	Dismhone.exe
1700	Explorer.EXE
1700	Explorer.EXE
2700	Dismhone.exe
2700	Dismhone.exe
1700	Explorer.EXE
1700	Explorer.EXE
2700	Dismhone.exe
2700	Dismhone.exe
2700	Dismhone.exe
2700	Dismhone.exe
1700	Explorer.EXE
1700	Explorer.EXE
2700	Dismhone.exe
2700	Dismhone.exe
1700	Explorer.EXE
1700	Explorer.EXE
2700	Dismhone.exe
2700	Dismhone.exe
1700	Explorer.EXE
1700	Explorer.EXE
2700	Dismhone.exe
2700	Dismhone.exe
1700	Explorer.EXE
1700	Explorer.EXE
2700	Dismhone.exe
2700	Dismhone.exe
1700	Explorer.EXE
1700	Explorer.EXE
2700	Dismhone.exe
2700	Dismhone.exe
1700	Explorer.EXE
1700	Explorer.EXE
2700	Dismhone.exe
2700	Dismhone.exe
1700	Explorer.EXE
1700	Explorer.EXE
2700	Dismhone.exe
2700	Dismhone.exe
1700	Explorer.EXE
1700	Explorer.EXE
2700	Dismhone.exe
2700	Dismhone.exe
1700	Explorer.EXE
1700	Explorer.EXE
2700	Dismhone.exe
2700	Dismhone.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1700 Explorer.EXE

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

Explorer.EXE

description	pid	process
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE
Token: SeShutdownPrivilege	1700	Explorer.EXE
Token: SeCreatePagefilePrivilege	1700	Explorer.EXE

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

Explorer.EXE

pid	process
1700	Explorer.EXE
1700	Explorer.EXE
1700	Explorer.EXE
1700	Explorer.EXE
1700	Explorer.EXE
1700	Explorer.EXE
1700	Explorer.EXE
1700	Explorer.EXE
1700	Explorer.EXE
1700	Explorer.EXE
1700	Explorer.EXE
1700	Explorer.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

POWERPNT.EXE

pid process

2616 POWERPNT.EXE
2616 POWERPNT.EXE
2616 POWERPNT.EXE
2616 POWERPNT.EXE

pid	process
2616	POWERPNT.EXE
2616	POWERPNT.EXE
2616	POWERPNT.EXE
2616	POWERPNT.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exefindshta.exe~204F.tmp

description	pid	process	target process
PID 2232 wrote to memory of 2500	2232	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe	findshta.exe
PID 2232 wrote to memory of 2500	2232	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe	findshta.exe
PID 2232 wrote to memory of 2500	2232	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe	findshta.exe
PID 2500 wrote to memory of 2728	2500	findshta.exe	~204F.tmp
PID 2500 wrote to memory of 2728	2500	findshta.exe	~204F.tmp
PID 2728 wrote to memory of 1700	2728	~204F.tmp	Explorer.EXE
PID 2232 wrote to memory of 2616	2232	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe	POWERPNT.EXE
PID 2232 wrote to memory of 2616	2232	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe	POWERPNT.EXE
PID 2232 wrote to memory of 2616	2232	313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe	POWERPNT.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1700

C:\Users\Admin\AppData\Local\Temp\313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe
"C:\Users\Admin\AppData\Local\Temp\313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297.exe"
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Roaming\cttuutou\findshta.exe
"C:\Users\Admin\AppData\Roaming\cttuutou\findshta.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2500

C:\Users\Admin\AppData\Local\Temp\~204F.tmp
"C:\Users\Admin\AppData\Local\Temp\~204F.tmp"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\~207E.tmp.ppt" /ou ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2616

C:\Windows\SysWOW64\Dismhone.exe
C:\Windows\SysWOW64\Dismhone.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2700

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~204F.tmp
MD5
aafb6998cac344968e28d1da537ccc53

SHA1
036a237a8b1dd7d806cb5835ad04a9eeb59511ba

SHA256
4faf561633698164c95850bb4c29cef23d59b08ead1f04e1a6ec16a4d2a624ed

SHA512
00266bf8252a2f389ce525ee1ab6cf928652ffb691a481803f29091a15b829a38825b3de657d459f39e71fd130d95ab36fd5ffed1372d750e41bbc2b9292c916

Download Submit
C:\Users\Admin\AppData\Local\Temp\~204F.tmp
MD5
aafb6998cac344968e28d1da537ccc53

SHA1
036a237a8b1dd7d806cb5835ad04a9eeb59511ba

SHA256
4faf561633698164c95850bb4c29cef23d59b08ead1f04e1a6ec16a4d2a624ed

SHA512
00266bf8252a2f389ce525ee1ab6cf928652ffb691a481803f29091a15b829a38825b3de657d459f39e71fd130d95ab36fd5ffed1372d750e41bbc2b9292c916

Download Submit
C:\Users\Admin\AppData\Local\Temp\~207E.tmp.ppt
MD5
a9ae55d32795c21226c818127d60d670

SHA1
2b5c685ba112069216ab62a0e8c049f535612403

SHA256
efdcbf149da28a90bf23517fd48df67c23c72db10e350adeda950a380cf17524

SHA512
1855bd90aa39218502c04a8bc0537590cf51f0fd8f56cc6607cbd43c26d125cb853e95f40d88f207655b7902cad341b120cf1a50bc8777d11b91a2da31fbb887

Download Submit
C:\Users\Admin\AppData\Roaming\cttuutou\findshta.exe
MD5
fb90a260b845c41b10eb2cd3924fa7fa

SHA1
e25c29e943165410c079697885c7aa6e1d0e1591

SHA256
7daf00af99e0b685f3df294dbc262c22fc032d1a3383a345502d66e684f2bcc3

SHA512
7bd570aaf35da4ff925cd03aaec35e9ea78ce1961aaaa5b2300697350ee0b914632258d0925dd1667952688a2f318d82ce2109aa467b4b5275ece6bd17d2f44b

Download Submit
C:\Users\Admin\AppData\Roaming\cttuutou\findshta.exe
MD5
fb90a260b845c41b10eb2cd3924fa7fa

SHA1
e25c29e943165410c079697885c7aa6e1d0e1591

SHA256
7daf00af99e0b685f3df294dbc262c22fc032d1a3383a345502d66e684f2bcc3

SHA512
7bd570aaf35da4ff925cd03aaec35e9ea78ce1961aaaa5b2300697350ee0b914632258d0925dd1667952688a2f318d82ce2109aa467b4b5275ece6bd17d2f44b

Download Submit
C:\Windows\SysWOW64\Dismhone.exe
MD5
0ffd87a198719090f53bf74fedc89844

SHA1
670ded197734c25593e69da9f6a9dba7a986bf93

SHA256
313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297

SHA512
d6136d807424dea537cb6f26f32c91cf67c83a964e5b3e7215d5c0930a562e08d44f63b0c81df7b3291a5281fade69a472f73da4ed497ee8f99cbfc3d3ccd93c

Download Submit
C:\Windows\SysWOW64\Dismhone.exe
MD5
0ffd87a198719090f53bf74fedc89844

SHA1
670ded197734c25593e69da9f6a9dba7a986bf93

SHA256
313a2beb0a7cc0c1d763339ea4a58705deacb0f222b8113dbfa8aa0cfd1c5297

SHA512
d6136d807424dea537cb6f26f32c91cf67c83a964e5b3e7215d5c0930a562e08d44f63b0c81df7b3291a5281fade69a472f73da4ed497ee8f99cbfc3d3ccd93c

Download Submit
memory/1700-226-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-234-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/1700-250-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-251-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-249-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-126-0x0000000001010000-0x0000000001053000-memory.dmp

Filesize
268KB

Download
memory/1700-215-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-243-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-244-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-247-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-248-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/1700-245-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-246-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-242-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/1700-235-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-195-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-196-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-197-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-198-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-199-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-194-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-193-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/1700-200-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

Filesize
64KB

Download
memory/1700-202-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-201-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-204-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-205-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-206-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-207-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

Filesize
64KB

Download
memory/1700-203-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-209-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-208-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-211-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-210-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-213-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-214-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-216-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-239-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-232-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/1700-218-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-219-0x0000000000F20000-0x0000000000F30000-memory.dmp

Filesize
64KB

Download
memory/1700-220-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-217-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-222-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-221-0x0000000000F20000-0x0000000000F30000-memory.dmp

Filesize
64KB

Download
memory/1700-223-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-224-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-225-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-227-0x0000000000F20000-0x0000000000F30000-memory.dmp

Filesize
64KB

Download
memory/1700-231-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-230-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-229-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-228-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-238-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-212-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/1700-233-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-236-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-237-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/1700-240-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/1700-241-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/2232-114-0x00000000008F0000-0x0000000000A3A000-memory.dmp

Filesize
1.3MB

Download
memory/2500-124-0x0000000000C00000-0x0000000000D4A000-memory.dmp

Filesize
1.3MB

Download
memory/2500-115-0x0000000000000000-mapping.dmp

Download
memory/2616-130-0x00007FFF77040000-0x00007FFF77050000-memory.dmp

Filesize
64KB

Download
memory/2616-135-0x0000021CE4140000-0x0000021CE522E000-memory.dmp

Filesize
16.9MB

Download
memory/2616-136-0x00007FFF90A20000-0x00007FFF92915000-memory.dmp

Filesize
31.0MB

Download
memory/2616-131-0x00007FFF98A00000-0x00007FFF9A5DD000-memory.dmp

Filesize
27.9MB

Download
memory/2616-132-0x00007FFF77040000-0x00007FFF77050000-memory.dmp

Filesize
64KB

Download
memory/2616-129-0x00007FFF77040000-0x00007FFF77050000-memory.dmp

Filesize
64KB

Download
memory/2616-128-0x00007FFF77040000-0x00007FFF77050000-memory.dmp

Filesize
64KB

Download
memory/2616-127-0x00007FFF77040000-0x00007FFF77050000-memory.dmp

Filesize
64KB

Download
memory/2616-123-0x0000000000000000-mapping.dmp

Download
memory/2700-125-0x0000000000A80000-0x0000000000BCA000-memory.dmp

Filesize
1.3MB

Download
memory/2728-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads