metasploit | a5d024a0be4a491e5004b9c4c1343fc172e210cc1bf78641d512c6fd9ec41f62

General

Target

21d6b63327f1f57348899d5992d43102.exe
Size

124KB
MD5

21d6b63327f1f57348899d5992d43102
SHA1

c1f72ac6dedd7817c094c41df3d9dd505675d93d
SHA256

a5d024a0be4a491e5004b9c4c1343fc172e210cc1bf78641d512c6fd9ec41f62
SHA512

0af75df0a6dfe44b33b03f4dc716c48db3a479f438fe0a9332b82cc832ffdb2d56254b073bfb67feed8c0f5516ede72a93f1de70e62c8ae9e9e9fd09f600d1cf
SSDEEP

1536:IFaM5mTEVEQnqrZM5V3J6fgNWbMb+KR0Nc8QsJq3:iaMqEVEUWZulJGgNAe0Nc8QsC

Score

10^/10

metasploit xmrig backdoor miner pyinstaller trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

86.104.74.31:9981

Extracted

Family

metasploit

Version

windows/reverse_winhttp

C2

https://86.104.74.31:2526/RA16f452MojHbcZsoVVHLwfmf2LL2vv_SyIdICyt06x8VXvrljLTg45B5Cw-8HN4Y6yGrVqLDLgnNYf6PspY3fW_UMqKFdRHaVgq5uFm4HN74-I_qCQMu1aA9HzMzSUh35FOziD5j5xcZnHTbA9p3F83Gh0GW05Phn8V2CUDEsBs7HHQyiXfFHvkQmaThVabGuTM2tXrih9GR_arJptYF_frrhl634

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
\Windows\System32\WindowsUpdate.exe	family_xmrig
\Windows\System32\WindowsUpdate.exe	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

wwnlxd.exewwnlxd.exewwnlxd.exeWindowsUpdate.exePython-deamon.exe

pid process

2960 wwnlxd.exe
2328 wwnlxd.exe
2008 wwnlxd.exe
1152 WindowsUpdate.exe
2620 Python-deamon.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exewwnlxd.exeservices.exe

pid process

2108 cmd.exe
2108 cmd.exe
2328 wwnlxd.exe
476 services.exe
2456

pid	process
2960	wwnlxd.exe
2328	wwnlxd.exe
2008	wwnlxd.exe
1152	WindowsUpdate.exe
2620	Python-deamon.exe

pid	process
2108	cmd.exe
2108	cmd.exe
2328	wwnlxd.exe
476	services.exe
2456

Drops file in System32 directory 11 IoCs

Processes:

services.exeWindowsUpdate.exewwnlxd.exe

description	ioc	process
File created	C:\Windows\System32\WinRing0x64.sys	services.exe
File created	C:\Windows\System32\config.json	services.exe
File created	\??\c:\windows\system32\patch-updated.txt	services.exe
File opened for modification	\??\c:\windows\system32\config.json	WindowsUpdate.exe
File created	\??\c:\windows\system32\Python-deamon.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	wwnlxd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	wwnlxd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	wwnlxd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	wwnlxd.exe
File created	\??\c:\windows\system32\WindowsUpdate.exe	services.exe
File opened for modification	C:\Windows\System32\loger2.log	WindowsUpdate.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Windows\System32\Python-deamon.exe	pyinstaller

Modifies data under HKEY_USERS 42 IoCs

Processes:

wwnlxd.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	wwnlxd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	wwnlxd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	wwnlxd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

21d6b63327f1f57348899d5992d43102.exeservices.exe

pid	process
2360	21d6b63327f1f57348899d5992d43102.exe
2360	21d6b63327f1f57348899d5992d43102.exe
476	services.exe
476	services.exe
476	services.exe
476	services.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

21d6b63327f1f57348899d5992d43102.exeservices.exeWindowsUpdate.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeAuditPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeBackupPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeChangeNotifyPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeCreateGlobalPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeCreatePagefilePrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeCreatePermanentPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: 35	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeCreateTokenPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeDebugPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: 0	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeEnableDelegationPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeImpersonatePrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeIncBasePriorityPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeIncreaseQuotaPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: 33	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeLoadDriverPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeLockMemoryPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeMachineAccountPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeManageVolumePrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeProfSingleProcessPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: 32	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeRemoteShutdownPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeRestorePrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeSecurityPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeShutdownPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeSyncAgentPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeSystemEnvironmentPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeSystemProfilePrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeSystemtimePrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeTakeOwnershipPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeTcbPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: 34	2360	21d6b63327f1f57348899d5992d43102.exe
Token: 31	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeUndockPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: 0	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeDebugPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeDebugPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeDebugPrivilege	2360	21d6b63327f1f57348899d5992d43102.exe
Token: SeDebugPrivilege	476	services.exe
Token: SeDebugPrivilege	476	services.exe
Token: SeDebugPrivilege	476	services.exe
Token: SeDebugPrivilege	476	services.exe
Token: SeLockMemoryPrivilege	1152	WindowsUpdate.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WindowsUpdate.exe

pid process

1152 WindowsUpdate.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

services.exe

pid process

476 services.exe
476 services.exe

pid	process
1152	WindowsUpdate.exe

pid	process
476	services.exe
476	services.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

21d6b63327f1f57348899d5992d43102.execmd.exewwnlxd.exeservices.exe

description	pid	process	target process
PID 2360 wrote to memory of 2108	2360	21d6b63327f1f57348899d5992d43102.exe	cmd.exe
PID 2360 wrote to memory of 2108	2360	21d6b63327f1f57348899d5992d43102.exe	cmd.exe
PID 2360 wrote to memory of 2108	2360	21d6b63327f1f57348899d5992d43102.exe	cmd.exe
PID 2360 wrote to memory of 2108	2360	21d6b63327f1f57348899d5992d43102.exe	cmd.exe
PID 2108 wrote to memory of 2960	2108	cmd.exe	wwnlxd.exe
PID 2108 wrote to memory of 2960	2108	cmd.exe	wwnlxd.exe
PID 2108 wrote to memory of 2960	2108	cmd.exe	wwnlxd.exe
PID 2108 wrote to memory of 2960	2108	cmd.exe	wwnlxd.exe
PID 2328 wrote to memory of 2008	2328	wwnlxd.exe	wwnlxd.exe
PID 2328 wrote to memory of 2008	2328	wwnlxd.exe	wwnlxd.exe
PID 2328 wrote to memory of 2008	2328	wwnlxd.exe	wwnlxd.exe
PID 2328 wrote to memory of 2008	2328	wwnlxd.exe	wwnlxd.exe
PID 2360 wrote to memory of 476	2360	21d6b63327f1f57348899d5992d43102.exe	services.exe
PID 2360 wrote to memory of 476	2360	21d6b63327f1f57348899d5992d43102.exe	services.exe
PID 2360 wrote to memory of 476	2360	21d6b63327f1f57348899d5992d43102.exe	services.exe
PID 2360 wrote to memory of 476	2360	21d6b63327f1f57348899d5992d43102.exe	services.exe
PID 476 wrote to memory of 1152	476	services.exe	WindowsUpdate.exe
PID 476 wrote to memory of 1152	476	services.exe	WindowsUpdate.exe
PID 476 wrote to memory of 1152	476	services.exe	WindowsUpdate.exe
PID 476 wrote to memory of 2620	476	services.exe	Python-deamon.exe
PID 476 wrote to memory of 2620	476	services.exe	Python-deamon.exe
PID 476 wrote to memory of 2620	476	services.exe	Python-deamon.exe
PID 476 wrote to memory of 2620	476	services.exe	Python-deamon.exe

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:476

C:\Windows\system32\cmd.exe
cmd.exe /c echo vmxiio > \\.\pipe\vmxiio
2⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\wwnlxd.exe
"C:\Users\Admin\AppData\Local\Temp\wwnlxd.exe" gUPjE
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328

C:\Users\Admin\AppData\Local\Temp\wwnlxd.exe
C:\Users\Admin\AppData\Local\Temp\wwnlxd.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2008

\??\c:\windows\system32\WindowsUpdate.exe
c:/windows/system32/\WindowsUpdate.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1152

\??\c:\windows\system32\Python-deamon.exe
c:/windows/system32/\Python-deamon.exe
2⤵
- Executes dropped EXE
PID:2620

C:\Users\Admin\AppData\Local\Temp\21d6b63327f1f57348899d5992d43102.exe
"C:\Users\Admin\AppData\Local\Temp\21d6b63327f1f57348899d5992d43102.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\wwnlxd.exe" OSLQGT
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108

C:\Users\Admin\AppData\Local\Temp\wwnlxd.exe
C:\Users\Admin\AppData\Local\Temp\wwnlxd.exe OSLQGT
3⤵
- Executes dropped EXE
PID:2960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Windows\System32\Python-deamon.exe
Filesize
4.9MB

MD5
2213c24bf5f894162377e83435bf6394

SHA1
34d35d4fefa2464c7a7adcf844a2055161283fcb

SHA256
920ddce9db19abbde837de204acf2c28abdc93525d50c74e686f2b64560dc6a2

SHA512
4fbccf72968372841668a4860ac5201138458c98eaf6dd034e435ae0741dba143cc5d5241cf19c1aee18ac425eb25ad3f9dd04452bc302b27f825313785fd554

Download Submit
C:\Windows\Temp\Tar9D4E.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\??\c:\windows\system32\config.json
Filesize
2KB

MD5
97190f32e9ebd6cfc56e63a7b558b4e5

SHA1
9085d5e432921cfee05603fc4cee635860494c78

SHA256
25e696edfadd0de5f13af4d3a7bd85a5cceac365d6d3ba96d1db4cdf3123ed2d

SHA512
d521d2efe74278b74bf04ef397ca33ed32afbd4b0d61442cfd4d57b4f940981472634eba8c32dffc996dbc79d47c2ab48ae53d0fca0f786cc2bd1329a5566617

Download Submit
\Users\Admin\AppData\Local\Temp\wwnlxd.exe
Filesize
10KB

MD5
6408a2892687c18e193adcff15a81c55

SHA1
0d29714733aaca5b9f017d3610a7ae3b812f2343

SHA256
c27704ba4e0ea1299f4dc41b0a01c8879fe7f5eece0d21473baa897af1f7d733

SHA512
317b49f96e92cb3f68b511c98c831cda5adea51fdf258055aaa92249c21795a7af225adf5b0ece950550c679dad318b54228cdd28673ebfca37b66ad90fe39f8

Download Submit
\Windows\System32\WindowsUpdate.exe
Filesize
5.4MB

MD5
1ce931c7db9f11fe942e34857e16100e

SHA1
18aa4aa3d4f4653ca3c8fb706b004f911a5dd9de

SHA256
7fac868eff64e2fae4e1d2cc9ef2d30b6e865e91f48782d5400f7f1376aeb543

SHA512
44d99eb110efd3e636a8c74015277f13b24306e41965a67a1b970e7a07cb63343a7e6d1dc48308a6a115330e568ea5c7e50e2ec8897e639de2d322278fa67a9e

Download Submit
memory/476-321-0x0000000002060000-0x0000000002260000-memory.dmp

Filesize
2.0MB

Download
memory/476-288-0x0000000002060000-0x0000000002260000-memory.dmp

Filesize
2.0MB

Download
memory/476-282-0x0000000002060000-0x0000000002260000-memory.dmp

Filesize
2.0MB

Download
memory/476-183-0x0000000002060000-0x0000000002260000-memory.dmp

Filesize
2.0MB

Download
memory/476-169-0x0000000002060000-0x0000000002260000-memory.dmp

Filesize
2.0MB

Download
memory/476-133-0x0000000000CB0000-0x0000000000CE2000-memory.dmp

Filesize
200KB

Download
memory/2008-76-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2008-126-0x00000000038C0000-0x0000000003CC0000-memory.dmp

Filesize
4.0MB

Download
memory/2360-41-0x0000000000350000-0x0000000000381000-memory.dmp

Filesize
196KB

Download
memory/2360-119-0x0000000002160000-0x0000000002260000-memory.dmp

Filesize
1024KB

Download
memory/2360-40-0x0000000002160000-0x0000000002260000-memory.dmp

Filesize
1024KB

Download
memory/2360-120-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2360-36-0x00000000002E0000-0x0000000000305000-memory.dmp

Filesize
148KB

Download
memory/2360-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2360-61-0x0000000000350000-0x0000000000381000-memory.dmp

Filesize
196KB

Download
memory/2360-20-0x0000000000350000-0x0000000000381000-memory.dmp

Filesize
196KB

Download
memory/2360-121-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2360-104-0x0000000002160000-0x0000000002260000-memory.dmp

Filesize
1024KB

Download
memory/2360-66-0x0000000000350000-0x0000000000381000-memory.dmp

Filesize
196KB

Download
memory/2360-19-0x0000000002160000-0x0000000002260000-memory.dmp

Filesize
1024KB

Download
memory/2360-14-0x0000000000420000-0x0000000000483000-memory.dmp

Filesize
396KB

Download
memory/2360-7-0x0000000000350000-0x0000000000381000-memory.dmp

Filesize
196KB

Download
memory/2360-6-0x0000000000350000-0x0000000000381000-memory.dmp

Filesize
196KB

Download
memory/2360-5-0x00000000002B0000-0x00000000002DC000-memory.dmp

Filesize
176KB

Download
memory/2360-2-0x0000000000350000-0x0000000000381000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads