xmrig | 932f71143cd50338a8557d6e34058d4758ffaaeda8183a9811d296ae75ee8b58

General

Target

build.exe
Size

5.1MB
MD5

d2683333c33c9c8e7a0f0d81b65b3bc0
SHA1

2ea3f0156f0a47dd6801cc0e576bb4cd88932ef9
SHA256

932f71143cd50338a8557d6e34058d4758ffaaeda8183a9811d296ae75ee8b58
SHA512

41ae89fcefa854eda56211d51ae86435406262520bb5e66d4e61e3838b215bc28f464beb705bd104bb18c0bcb0f033ea0603de12741d87aaae0951a302045602
SSDEEP

98304:HNZOsiju24uvwISssMuIUbmFecKEKPssyWiNT4uChIhZ5:Ksiju24LNrIQmMTqyGd

Score

10^/10

xmrig evasion execution miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1260-32-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1260-35-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1260-36-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1260-34-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1260-33-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1260-30-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1260-29-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1260-38-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1260-37-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2532 powershell.exe
2340 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 2 IoCs

Processes:

lhhsgwktkatl.exe

pid process

484
1768 lhhsgwktkatl.exe
Loads dropped DLL 1 IoCs

Processes:

pid process

484

pid	process
2532	powershell.exe
2340	powershell.exe

pid	process
484
1768	lhhsgwktkatl.exe

pid	process
484

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1260-25-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1260-24-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1260-28-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1260-32-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1260-35-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1260-36-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1260-34-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1260-33-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1260-30-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1260-29-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1260-27-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1260-26-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1260-38-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1260-37-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 pastebin.com
5 pastebin.com

flow	ioc
4	pastebin.com
5	pastebin.com

Drops file in System32 directory 4 IoCs

Processes:

powershell.exebuild.exepowershell.exelhhsgwktkatl.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	build.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	lhhsgwktkatl.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

lhhsgwktkatl.exe

description	pid	process	target process
PID 1768 set thread context of 1324	1768	lhhsgwktkatl.exe	conhost.exe
PID 1768 set thread context of 1260	1768	lhhsgwktkatl.exe	conhost.exe

Drops file in Windows directory 2 IoCs

Processes:

wusa.exewusa.exe

description ioc process

File created C:\Windows\wusa.lock wusa.exe
File created C:\Windows\wusa.lock wusa.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2576 sc.exe
2364 sc.exe
2180 sc.exe
2400 sc.exe

description	ioc	process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

pid	process
2576	sc.exe
2364	sc.exe
2180	sc.exe
2400	sc.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

powershell.execonhost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00f39e7f82adda01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	conhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exebuild.exepowershell.exelhhsgwktkatl.exepowershell.execonhost.exetaskmgr.exe

pid	process
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2924	build.exe
2436	taskmgr.exe
2532	powershell.exe
2924	build.exe
2924	build.exe
2924	build.exe
2924	build.exe
2924	build.exe
2924	build.exe
2924	build.exe
2924	build.exe
2924	build.exe
1768	lhhsgwktkatl.exe
2340	powershell.exe
1768	lhhsgwktkatl.exe
1768	lhhsgwktkatl.exe
1768	lhhsgwktkatl.exe
1768	lhhsgwktkatl.exe
1768	lhhsgwktkatl.exe
1768	lhhsgwktkatl.exe
1768	lhhsgwktkatl.exe
2436	taskmgr.exe
2436	taskmgr.exe
1260	conhost.exe
1260	conhost.exe
2436	taskmgr.exe
1260	conhost.exe
2436	taskmgr.exe
1260	conhost.exe
2436	taskmgr.exe
1260	conhost.exe
2436	taskmgr.exe
1260	conhost.exe
2436	taskmgr.exe
1260	conhost.exe
2436	taskmgr.exe
1260	conhost.exe
2436	taskmgr.exe
1260	conhost.exe
2436	taskmgr.exe
1260	conhost.exe
2436	taskmgr.exe
1260	conhost.exe
2436	taskmgr.exe
1260	conhost.exe
2436	taskmgr.exe
1260	conhost.exe
1260	conhost.exe
1260	conhost.exe
1260	conhost.exe
1260	conhost.exe
1980	taskmgr.exe
1980	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid process

2436 taskmgr.exe
1980 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

taskmgr.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execonhost.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	2436	taskmgr.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeShutdownPrivilege	2228	powercfg.exe
Token: SeShutdownPrivilege	2656	powercfg.exe
Token: SeShutdownPrivilege	2796	powercfg.exe
Token: SeShutdownPrivilege	2660	powercfg.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeShutdownPrivilege	2700	powercfg.exe
Token: SeShutdownPrivilege	2452	powercfg.exe
Token: SeShutdownPrivilege	2244	powercfg.exe
Token: SeShutdownPrivilege	2716	powercfg.exe
Token: SeLockMemoryPrivilege	1260	conhost.exe
Token: SeDebugPrivilege	1980	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
2436	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe
1980	taskmgr.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cmd.exelhhsgwktkatl.execmd.exe

description	pid	process	target process
PID 2160 wrote to memory of 2356	2160	cmd.exe	wusa.exe
PID 2160 wrote to memory of 2356	2160	cmd.exe	wusa.exe
PID 2160 wrote to memory of 2356	2160	cmd.exe	wusa.exe
PID 1768 wrote to memory of 1324	1768	lhhsgwktkatl.exe	conhost.exe
PID 1768 wrote to memory of 1324	1768	lhhsgwktkatl.exe	conhost.exe
PID 1768 wrote to memory of 1324	1768	lhhsgwktkatl.exe	conhost.exe
PID 1768 wrote to memory of 1324	1768	lhhsgwktkatl.exe	conhost.exe
PID 1768 wrote to memory of 1324	1768	lhhsgwktkatl.exe	conhost.exe
PID 1768 wrote to memory of 1324	1768	lhhsgwktkatl.exe	conhost.exe
PID 1768 wrote to memory of 1324	1768	lhhsgwktkatl.exe	conhost.exe
PID 1768 wrote to memory of 1324	1768	lhhsgwktkatl.exe	conhost.exe
PID 1768 wrote to memory of 1324	1768	lhhsgwktkatl.exe	conhost.exe
PID 2612 wrote to memory of 1968	2612	cmd.exe	wusa.exe
PID 2612 wrote to memory of 1968	2612	cmd.exe	wusa.exe
PID 2612 wrote to memory of 1968	2612	cmd.exe	wusa.exe
PID 1768 wrote to memory of 1260	1768	lhhsgwktkatl.exe	conhost.exe
PID 1768 wrote to memory of 1260	1768	lhhsgwktkatl.exe	conhost.exe
PID 1768 wrote to memory of 1260	1768	lhhsgwktkatl.exe	conhost.exe
PID 1768 wrote to memory of 1260	1768	lhhsgwktkatl.exe	conhost.exe
PID 1768 wrote to memory of 1260	1768	lhhsgwktkatl.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Drops file in Windows directory
PID:2356

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "QHRAJGDI"
2⤵
- Launches sc.exe
PID:2576

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
2⤵
- Launches sc.exe
PID:2364

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
2⤵
- Launches sc.exe
PID:2400

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "QHRAJGDI"
2⤵
- Launches sc.exe
PID:2180

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2436

C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Drops file in Windows directory
PID:1968

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:1324

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
Filesize
5.1MB

MD5
d2683333c33c9c8e7a0f0d81b65b3bc0

SHA1
2ea3f0156f0a47dd6801cc0e576bb4cd88932ef9

SHA256
932f71143cd50338a8557d6e34058d4758ffaaeda8183a9811d296ae75ee8b58

SHA512
41ae89fcefa854eda56211d51ae86435406262520bb5e66d4e61e3838b215bc28f464beb705bd104bb18c0bcb0f033ea0603de12741d87aaae0951a302045602

Download Submit
memory/1260-33-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1260-32-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1260-28-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1260-24-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1260-37-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1260-38-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1260-26-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1260-27-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1260-29-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1260-31-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/1260-30-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1260-34-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1260-36-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1260-25-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1260-35-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1324-19-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1324-18-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1324-16-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1324-15-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1324-17-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1324-22-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1980-40-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2340-14-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/2340-13-0x0000000019EE0000-0x000000001A1C2000-memory.dmp

Filesize
2.9MB

Download
memory/2436-0-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2436-1-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2436-39-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2532-7-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2532-6-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/2532-8-0x0000000002030000-0x0000000002038000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads