xworm | a98d837ed01480f717df0d2f47021b757b8093469134f321cbd1e1a4c6fb8f5c

General

Target

Krampus V1.0.5.exe
Size

7.4MB
MD5

6cfc075819c99a2c6515729392b9ba02
SHA1

c6224ff71c43b6ae461d9ad870da5002a4e8bd5e
SHA256

a98d837ed01480f717df0d2f47021b757b8093469134f321cbd1e1a4c6fb8f5c
SHA512

7ee09e6c429f010a2e74170dcc0bc7c984fb436cbdf8eedba5c48eb8b82f68338aad9e5293b93438b191afd0d22277db0befb2f0c9d8392365bebeea209b53b6
SSDEEP

98304:NSc0SbSMt+dnz8JjHWxJHRLIHzcrmpliRYOeTjcIJ1IlhlWu8hK87N7Ceg6H08Bi:gMt+dnIdHWxdKHoYOeXRihlWu8YgoP/

Score

10^/10

xworm persistence rat trojan upx

Malware Config

Extracted

Family

xworm

C2

yet-musicians.gl.at.ply.gg:27619

Attributes

Install_directory
%Userprofile%
install_file
discord.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Windows\System32\test.exe	family_xworm
behavioral1/memory/2032-94-0x0000000001090000-0x00000000010B8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

Processes:

test.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk	test.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk	test.exe

Executes dropped EXE 4 IoCs

Processes:

Built.exeBuilt.exetest.exe

pid process

2864 Built.exe
1520 Built.exe
2032 test.exe
1176
Loads dropped DLL 3 IoCs

Processes:

Krampus V1.0.5.exeBuilt.exe

pid process

2492 Krampus V1.0.5.exe
1520 Built.exe
1176

pid	process
2864	Built.exe
1520	Built.exe
2032	test.exe
1176

pid	process
2492	Krampus V1.0.5.exe
1520	Built.exe
1176

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI28642\python311.dll	upx
behavioral1/memory/1520-77-0x000007FEEE2F0000-0x000007FEEE8E0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Krampus V1.0.5.exetest.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\System32\\test.exe"	Krampus V1.0.5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\discord.exe"	test.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\System32\\test.bat"	Krampus V1.0.5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Built = "C:\\Windows\\System32\\Built.exe"	Krampus V1.0.5.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Drops file in System32 directory 6 IoCs

Processes:

Krampus V1.0.5.exe

description	ioc	process
File created	C:\Windows\System32\test.exe	Krampus V1.0.5.exe
File opened for modification	C:\Windows\System32\test.exe	Krampus V1.0.5.exe
File created	C:\Windows\System32\test.bat	Krampus V1.0.5.exe
File opened for modification	C:\Windows\System32\test.bat	Krampus V1.0.5.exe
File created	C:\Windows\System32\Built.exe	Krampus V1.0.5.exe
File opened for modification	C:\Windows\System32\Built.exe	Krampus V1.0.5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1260 schtasks.exe
1992 schtasks.exe
2724 schtasks.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1940 NOTEPAD.EXE

pid	process
1260	schtasks.exe
1992	schtasks.exe
2724	schtasks.exe

pid	process
1940	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetest.exe

pid	process
2632	powershell.exe
2424	powershell.exe
1460	powershell.exe
2220	powershell.exe
2916	powershell.exe
3000	powershell.exe
3032	powershell.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe
2032	test.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

Krampus V1.0.5.exepowershell.exepowershell.exepowershell.exetest.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2492	Krampus V1.0.5.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	2032	test.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2032	test.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

test.exe

pid process

2032 test.exe

pid	process
2032	test.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

Krampus V1.0.5.exeBuilt.exetest.exe

description	pid	process	target process
PID 2492 wrote to memory of 2632	2492	Krampus V1.0.5.exe	powershell.exe
PID 2492 wrote to memory of 2632	2492	Krampus V1.0.5.exe	powershell.exe
PID 2492 wrote to memory of 2632	2492	Krampus V1.0.5.exe	powershell.exe
PID 2492 wrote to memory of 2408	2492	Krampus V1.0.5.exe	cmd.exe
PID 2492 wrote to memory of 2408	2492	Krampus V1.0.5.exe	cmd.exe
PID 2492 wrote to memory of 2408	2492	Krampus V1.0.5.exe	cmd.exe
PID 2492 wrote to memory of 2424	2492	Krampus V1.0.5.exe	powershell.exe
PID 2492 wrote to memory of 2424	2492	Krampus V1.0.5.exe	powershell.exe
PID 2492 wrote to memory of 2424	2492	Krampus V1.0.5.exe	powershell.exe
PID 2492 wrote to memory of 2724	2492	Krampus V1.0.5.exe	schtasks.exe
PID 2492 wrote to memory of 2724	2492	Krampus V1.0.5.exe	schtasks.exe
PID 2492 wrote to memory of 2724	2492	Krampus V1.0.5.exe	schtasks.exe
PID 2492 wrote to memory of 2864	2492	Krampus V1.0.5.exe	Built.exe
PID 2492 wrote to memory of 2864	2492	Krampus V1.0.5.exe	Built.exe
PID 2492 wrote to memory of 2864	2492	Krampus V1.0.5.exe	Built.exe
PID 2492 wrote to memory of 1460	2492	Krampus V1.0.5.exe	powershell.exe
PID 2492 wrote to memory of 1460	2492	Krampus V1.0.5.exe	powershell.exe
PID 2492 wrote to memory of 1460	2492	Krampus V1.0.5.exe	powershell.exe
PID 2864 wrote to memory of 1520	2864	Built.exe	Built.exe
PID 2864 wrote to memory of 1520	2864	Built.exe	Built.exe
PID 2864 wrote to memory of 1520	2864	Built.exe	Built.exe
PID 2492 wrote to memory of 1260	2492	Krampus V1.0.5.exe	schtasks.exe
PID 2492 wrote to memory of 1260	2492	Krampus V1.0.5.exe	schtasks.exe
PID 2492 wrote to memory of 1260	2492	Krampus V1.0.5.exe	schtasks.exe
PID 2492 wrote to memory of 2032	2492	Krampus V1.0.5.exe	test.exe
PID 2492 wrote to memory of 2032	2492	Krampus V1.0.5.exe	test.exe
PID 2492 wrote to memory of 2032	2492	Krampus V1.0.5.exe	test.exe
PID 2032 wrote to memory of 2220	2032	test.exe	powershell.exe
PID 2032 wrote to memory of 2220	2032	test.exe	powershell.exe
PID 2032 wrote to memory of 2220	2032	test.exe	powershell.exe
PID 2032 wrote to memory of 2916	2032	test.exe	powershell.exe
PID 2032 wrote to memory of 2916	2032	test.exe	powershell.exe
PID 2032 wrote to memory of 2916	2032	test.exe	powershell.exe
PID 2032 wrote to memory of 3000	2032	test.exe	powershell.exe
PID 2032 wrote to memory of 3000	2032	test.exe	powershell.exe
PID 2032 wrote to memory of 3000	2032	test.exe	powershell.exe
PID 2032 wrote to memory of 3032	2032	test.exe	powershell.exe
PID 2032 wrote to memory of 3032	2032	test.exe	powershell.exe
PID 2032 wrote to memory of 3032	2032	test.exe	powershell.exe
PID 2032 wrote to memory of 1992	2032	test.exe	schtasks.exe
PID 2032 wrote to memory of 1992	2032	test.exe	schtasks.exe
PID 2032 wrote to memory of 1992	2032	test.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Krampus V1.0.5.exe
"C:\Users\Admin\AppData\Local\Temp\Krampus V1.0.5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\test.bat'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\cmd.exe
cmd /c ""C:\Windows\System32\test.bat" "
2⤵
PID:2408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Built.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Built" /SC ONLOGON /TR "C:\Windows\System32\Built.exe" /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:2724

C:\Windows\System32\Built.exe
"C:\Windows\System32\Built.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\System32\Built.exe
"C:\Windows\System32\Built.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\test.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "test" /SC ONLOGON /TR "C:\Windows\System32\test.exe" /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:1260

C:\Windows\System32\test.exe
"C:\Windows\System32\test.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\test.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'test.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\discord.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord" /tr "C:\Users\Admin\discord.exe"
3⤵
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ggs.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI28642\python311.dll
Filesize
1.6MB

MD5
b167b98fc5c89d65cb1fa8df31c5de13

SHA1
3a6597007f572ea09ed233d813462e80e14c5444

SHA256
28eda3ba32f5247c1a7bd2777ead982c24175765c4e2c1c28a0ef708079f2c76

SHA512
40a1f5cd2af7e7c28d4c8e327310ea1982478a9f6d300950c7372634df0d9ad840f3c64fe35cc01db4c798bd153b210c0a8472ae0898bebf8cf9c25dd3638de8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
06e91f927591cd7a282bdbac8b7e0df0

SHA1
d7c818508895bfaf7f9a43374beb7f321490faf7

SHA256
36e4e98cc33ba6e1644a9b9e9a90032e33ef2fe1b29b3b37fbcc6b07f499024c

SHA512
202f5e4c35c30c0583abf59762396f51b8a3cb0a1fe13ccc5ad2ad32002585dfbcc7a793871ed28756b26c1a193df4767d40197aa7bf6fe45888d6535b31be99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9ea8d5818ee1374c1f9a75d914055b00

SHA1
7729ddb5aa9a886f3b059d187dcc597dc1d236c2

SHA256
93c933199ec20a0bb73081fd38e94d5197d9fbf06e98bd67fd16ccc4180fe576

SHA512
d6160ab51862fc298958ca887f639841fa6074c3ea61a6ca9af3a5a614875c5b4ae9c9e0bd0c98374874b5e857eb729959239cfd33a965897c2c399633c3fa8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MFMQWI1SZ04VBL67NDC5.temp
Filesize
7KB

MD5
2c0d46959bf5e4086deff4a14cf8d083

SHA1
4cb0f8ec196dec5e08710af33af4373fd0f3785e

SHA256
21293a7c6f82e57782dbc9d5e3366b9e919eef2c99581c4180439b5a18dfe9b2

SHA512
c3632495d22b8e609b1aeabfb6575ac9a71cd69855d1e69768b8187956dae616541520f590cdeedeba9d2731e5ed585bc4bf5de7b9e04f29d0577cc99ba2587d

Download Submit
C:\Windows\System32\test.bat
Filesize
435B

MD5
40f36b839af3aad8887e3cfe758efab8

SHA1
2d60ce25bf47ce4c4969cd73bd204491a3e2d18e

SHA256
c9650c17cca714b78e175479a9d9bcf2b6d01629d00418fc2f2b9167563ecb1d

SHA512
13ee91dde3b5c6920fc94df15e1d37f66f009a3b5d770fc747d7000a8c4d5091dddaf642b3f1edf01e3ac7f63b652576525401a801c6e4f7621860070f667f8c

Download Submit
C:\Windows\System32\test.exe
Filesize
140KB

MD5
b2a4fa40f85cc8b5c66ff6bb6cc7b7ef

SHA1
57477ff6b2c5b45442a771e621db0688b15c72cf

SHA256
b8517dfc87a24a2364ec2f742af3d2c88ad216b0cd2acba632284fd10ce5bcdd

SHA512
323b2f2a03bcbc1788eb97af0f5d8824fb5c4caff7c5d5c1f00ee367965d4fe3fc62816a558ca5cb15baf2d6dba3200c72f757455488e7927e28ebe93e136a0e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\System32\Built.exe
Filesize
7.4MB

MD5
7e312ac869e50b5847ff56eab59567d2

SHA1
3bcefc87de994260931ac94760e6b478696048be

SHA256
5a77b59bd2f5486fbb176fe7c7e8cc478419247c142e5ea7db8d14966bccb5af

SHA512
fb9a3658a636644d2df12c2ca1d6f399c84e571491a0dab888d798e5b9ccfb648e077cb90dfbffd5ad24f85441fafc1bb887b160263a2d53577c5db1adf892ee

Download Submit
memory/1460-82-0x0000000001EE0000-0x0000000001F60000-memory.dmp

Filesize
512KB

Download
memory/1460-79-0x000007FEED950000-0x000007FEEE2ED000-memory.dmp

Filesize
9.6MB

Download
memory/1460-78-0x0000000001EE0000-0x0000000001F60000-memory.dmp

Filesize
512KB

Download
memory/1460-80-0x0000000001EE0000-0x0000000001F60000-memory.dmp

Filesize
512KB

Download
memory/1460-83-0x000007FEED950000-0x000007FEEE2ED000-memory.dmp

Filesize
9.6MB

Download
memory/1460-84-0x0000000001EE0000-0x0000000001F60000-memory.dmp

Filesize
512KB

Download
memory/1460-85-0x000007FEED950000-0x000007FEEE2ED000-memory.dmp

Filesize
9.6MB

Download
memory/1520-77-0x000007FEEE2F0000-0x000007FEEE8E0000-memory.dmp

Filesize
5.9MB

Download
memory/1940-187-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2032-92-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

Filesize
9.9MB

Download
memory/2032-94-0x0000000001090000-0x00000000010B8000-memory.dmp

Filesize
160KB

Download
memory/2032-119-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

Filesize
9.9MB

Download
memory/2032-177-0x000000001AE60000-0x000000001AEE0000-memory.dmp

Filesize
512KB

Download
memory/2032-95-0x000000001AE60000-0x000000001AEE0000-memory.dmp

Filesize
512KB

Download
memory/2220-106-0x000007FEEE7D0000-0x000007FEEF16D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-108-0x000007FEEE7D0000-0x000007FEEF16D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-107-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/2220-104-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/2220-103-0x000007FEEE7D0000-0x000007FEEF16D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-105-0x0000000002D10000-0x0000000002D90000-memory.dmp

Filesize
512KB

Download
memory/2424-34-0x0000000002BB0000-0x0000000002BB8000-memory.dmp

Filesize
32KB

Download
memory/2424-32-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2424-38-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/2424-39-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2424-37-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/2424-36-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/2424-33-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/2424-35-0x000007FEED5A0000-0x000007FEEDF3D000-memory.dmp

Filesize
9.6MB

Download
memory/2424-31-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2492-93-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-1-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-2-0x000000001C1C0000-0x000000001C240000-memory.dmp

Filesize
512KB

Download
memory/2492-81-0x000007FEF5360000-0x000007FEF5D4C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-0-0x0000000000330000-0x0000000000A96000-memory.dmp

Filesize
7.4MB

Download
memory/2632-12-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2632-13-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2632-11-0x000007FEEDF40000-0x000007FEEE8DD000-memory.dmp

Filesize
9.6MB

Download
memory/2632-8-0x000007FEEDF40000-0x000007FEEE8DD000-memory.dmp

Filesize
9.6MB

Download
memory/2632-10-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2632-9-0x0000000002BB0000-0x0000000002BB8000-memory.dmp

Filesize
32KB

Download
memory/2632-14-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2632-15-0x000007FEEDF40000-0x000007FEEE8DD000-memory.dmp

Filesize
9.6MB

Download
memory/2632-7-0x000000001B410000-0x000000001B6F2000-memory.dmp

Filesize
2.9MB

Download
memory/2916-114-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2916-116-0x000007FEED0C0000-0x000007FEEDA5D000-memory.dmp

Filesize
9.6MB

Download
memory/2916-118-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2916-120-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2916-121-0x000007FEED0C0000-0x000007FEEDA5D000-memory.dmp

Filesize
9.6MB

Download
memory/2916-115-0x000007FEED0C0000-0x000007FEEDA5D000-memory.dmp

Filesize
9.6MB

Download
memory/2916-117-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/3000-132-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/3000-130-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/3000-129-0x000007FEEE7D0000-0x000007FEEF16D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-131-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/3000-133-0x000007FEEE7D0000-0x000007FEEF16D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-127-0x000007FEEE7D0000-0x000007FEEF16D000-memory.dmp

Filesize
9.6MB

Download
memory/3000-128-0x0000000002CA0000-0x0000000002D20000-memory.dmp

Filesize
512KB

Download
memory/3032-139-0x000007FEED0C0000-0x000007FEEDA5D000-memory.dmp

Filesize
9.6MB

Download
memory/3032-140-0x0000000001E80000-0x0000000001F00000-memory.dmp

Filesize
512KB

Download
memory/3032-142-0x0000000001E80000-0x0000000001F00000-memory.dmp

Filesize
512KB

Download
memory/3032-141-0x000007FEED0C0000-0x000007FEEDA5D000-memory.dmp

Filesize
9.6MB

Download
memory/3032-143-0x0000000001E80000-0x0000000001F00000-memory.dmp

Filesize
512KB

Download
memory/3032-144-0x000007FEED0C0000-0x000007FEEDA5D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads