phemedrone | 5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8

Reason

Machine shutdown

General

Target

5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8.exe
Size

126KB
MD5

44c6137a640da62e553d4e0c0c92ea85
SHA1

cb0039d1f529c70af31fe580680f0529c20c9a9f
SHA256

5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8
SHA512

adb46b23d889e3b8e5e84567a2bdee447069422743780d8a1f1a788ffe083b2fae143daf9579313280de211189961029313df45baae69d317e4af5722e8327af
SSDEEP

3072:EVsADUYOklG1NOuyUGbDf8OIipwYCBxsq9XLsk:Ey4UqlGtyUG3fDIizCBxb9XL

Score

10^/10

phemedrone xworm credential_access execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

3.0

C2

david-florist.gl.at.ply.gg:34674

Attributes

Install_directory
%Public%
install_file
USB.exe

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot6766891578:AAE47sIyviQ0_skRFQtvxeYcndg1C8RFyo4/sendDocument

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\dwm.exe	family_xworm
behavioral1/memory/2804-10-0x00000000009E0000-0x00000000009F8000-memory.dmp	family_xworm
behavioral1/memory/2968-59-0x0000000001300000-0x0000000001318000-memory.dmp	family_xworm

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1724 powershell.exe
1888 powershell.exe
2592 powershell.exe

pid	process
1724	powershell.exe
1888	powershell.exe
2592	powershell.exe

Drops startup file 2 IoCs

Processes:

dwm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwm.lnk	dwm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwm.lnk	dwm.exe

Executes dropped EXE 4 IoCs

Processes:

dwm.exeSync Center.exeLauncher.exedwm.exe

pid process

2804 dwm.exe
2768 Sync Center.exe
2888 Launcher.exe
2968 dwm.exe
Loads dropped DLL 3 IoCs

Processes:

5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8.exe

pid process

2400 5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8.exe
2772
1200
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

pid	process
2804	dwm.exe
2768	Sync Center.exe
2888	Launcher.exe
2968	dwm.exe

pid	process
2400	5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8.exe
2772
1200

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dwm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "C:\\Users\\Public\\dwm.exe"	dwm.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
4	ip-api.com

Modifies registry class 20 IoCs

Processes:

Launcher.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_Classes\Local Settings	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	Launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	Launcher.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Launcher.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Launcher.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1028 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Sync Center.exepowershell.exepowershell.exepowershell.exe

pid process

2768 Sync Center.exe
2592 powershell.exe
1724 powershell.exe
1888 powershell.exe

pid	process
1028	schtasks.exe

pid	process
2768	Sync Center.exe
2592	powershell.exe
1724	powershell.exe
1888	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8.exedwm.exeSync Center.exepowershell.exepowershell.exepowershell.exedwm.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	2400	5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8.exe
Token: SeDebugPrivilege	2804	dwm.exe
Token: SeDebugPrivilege	2768	Sync Center.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	2804	dwm.exe
Token: SeDebugPrivilege	2968	dwm.exe
Token: SeShutdownPrivilege	2420	shutdown.exe
Token: SeRemoteShutdownPrivilege	2420	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Launcher.exe

pid process

2888 Launcher.exe

pid	process
2888	Launcher.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8.exeSync Center.exedwm.exetaskeng.exe

description	pid	process	target process
PID 2400 wrote to memory of 2804	2400	5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8.exe	dwm.exe
PID 2400 wrote to memory of 2804	2400	5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8.exe	dwm.exe
PID 2400 wrote to memory of 2804	2400	5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8.exe	dwm.exe
PID 2400 wrote to memory of 2768	2400	5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8.exe	Sync Center.exe
PID 2400 wrote to memory of 2768	2400	5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8.exe	Sync Center.exe
PID 2400 wrote to memory of 2768	2400	5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8.exe	Sync Center.exe
PID 2400 wrote to memory of 2888	2400	5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8.exe	Launcher.exe
PID 2400 wrote to memory of 2888	2400	5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8.exe	Launcher.exe
PID 2400 wrote to memory of 2888	2400	5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8.exe	Launcher.exe
PID 2768 wrote to memory of 1956	2768	Sync Center.exe	WerFault.exe
PID 2768 wrote to memory of 1956	2768	Sync Center.exe	WerFault.exe
PID 2768 wrote to memory of 1956	2768	Sync Center.exe	WerFault.exe
PID 2804 wrote to memory of 2592	2804	dwm.exe	powershell.exe
PID 2804 wrote to memory of 2592	2804	dwm.exe	powershell.exe
PID 2804 wrote to memory of 2592	2804	dwm.exe	powershell.exe
PID 2804 wrote to memory of 1724	2804	dwm.exe	powershell.exe
PID 2804 wrote to memory of 1724	2804	dwm.exe	powershell.exe
PID 2804 wrote to memory of 1724	2804	dwm.exe	powershell.exe
PID 2804 wrote to memory of 1888	2804	dwm.exe	powershell.exe
PID 2804 wrote to memory of 1888	2804	dwm.exe	powershell.exe
PID 2804 wrote to memory of 1888	2804	dwm.exe	powershell.exe
PID 2804 wrote to memory of 1028	2804	dwm.exe	schtasks.exe
PID 2804 wrote to memory of 1028	2804	dwm.exe	schtasks.exe
PID 2804 wrote to memory of 1028	2804	dwm.exe	schtasks.exe
PID 964 wrote to memory of 2968	964	taskeng.exe	dwm.exe
PID 964 wrote to memory of 2968	964	taskeng.exe	dwm.exe
PID 964 wrote to memory of 2968	964	taskeng.exe	dwm.exe
PID 2804 wrote to memory of 2420	2804	dwm.exe	shutdown.exe
PID 2804 wrote to memory of 2420	2804	dwm.exe	shutdown.exe
PID 2804 wrote to memory of 2420	2804	dwm.exe	shutdown.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8.exe
"C:\Users\Admin\AppData\Local\Temp\5cd5cb50a9e21ca0a6ed68bb45f7295a97851f8d79108bcfb8311cdc0d420bc8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\AppData\Local\Temp\dwm.exe
"C:\Users\Admin\AppData\Local\Temp\dwm.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dwm.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dwm.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\dwm.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dwm" /tr "C:\Users\Public\dwm.exe"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\shutdown.exe
shutdown.exe /f /s /t 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
"C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2768 -s 512
3⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2888

C:\Windows\system32\taskeng.exe
taskeng.exe {98192544-C381-4E9B-A47B-F6E248E840D4} S-1-5-21-1385883288-3042840365-2734249351-1000:RPXOCQRF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Public\dwm.exe
C:\Users\Public\dwm.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:652

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Launcher.exe

Filesize
22KB

MD5
c5531ab09e7b382061ef6000b4316a8c

SHA1
a97bfb232859f3a68429ca4516ea8ea02cd82285

SHA256
2e6c05ec90e8db1bce430599e91de01408d39e8941ce3fbdf6e8aba97fe67762

SHA512
10ae0a09643d8abddbc1c653ca29926ccd36cd630c85d2fa39274b27480c7ff70f3af43da669203b1ad8e8b89274706086b7057d018cd564ce7bb37237d1d68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe

Filesize
121KB

MD5
7b6c19c2c8fc4ff9cc5b136f22cf490d

SHA1
e557a697a268c54a73aaffd02d25e54c4f601719

SHA256
cf6c9880812d48fe7ba3a1d1a1692a881745a7fb8cf6534f94555dd7dd1c3353

SHA512
afe23d16011e1eb71ce3be9f8796cf0398cc9e01415c93cd4e8403f1ee84f48e23396ab7709b60d5a9e5b3e5daee9e8f90bae99e6a85ece6475fa8bdd82f953b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwm.exe

Filesize
73KB

MD5
47fb642b2c85bee2624d803bd1109dfe

SHA1
452157d77f861436c452ac20a8e48bfb562a7abc

SHA256
adf1dfef469dec04d134cee395017041155bde2d7ad89eb0ecd00a0343839268

SHA512
9b54b72602b27fb1ce22f3bb62dda748251be60f0ae61a7f35d2a39734dd207f8f638d09bc5fa0ba055110c67e058d39ccf927ed359ea1dae992a8c98efc4cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
286ba65ad609122fb91d9e525e9222a4

SHA1
4e46d53c5a167074f0051f167174af6e879fd6a7

SHA256
6a5d21208ce46f42c7c622e97e813f9874b534c7d22c86ee91f68b272b2cc055

SHA512
2975e5a2843a806343ffc8cd1426d18c051fb654a67bc9694f7def58b13db288211f2d35febd351ba7e8e608dc32bf61fa5b0622d3e7f9f3658fd2cebe344264

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1724-36-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1724-37-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2400-2-0x000007FEF6680000-0x000007FEF706C000-memory.dmp

Filesize
9.9MB

Download
memory/2400-0-0x000007FEF6683000-0x000007FEF6684000-memory.dmp

Filesize
4KB

Download
memory/2400-1-0x0000000001310000-0x0000000001336000-memory.dmp

Filesize
152KB

Download
memory/2400-22-0x000007FEF6680000-0x000007FEF706C000-memory.dmp

Filesize
9.9MB

Download
memory/2592-29-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2592-30-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2768-18-0x0000000001240000-0x0000000001264000-memory.dmp

Filesize
144KB

Download
memory/2804-20-0x000007FEF6680000-0x000007FEF706C000-memory.dmp

Filesize
9.9MB

Download
memory/2804-10-0x00000000009E0000-0x00000000009F8000-memory.dmp

Filesize
96KB

Download
memory/2804-44-0x000007FEF6680000-0x000007FEF706C000-memory.dmp

Filesize
9.9MB

Download
memory/2804-54-0x00000000021B0000-0x00000000021BA000-memory.dmp

Filesize
40KB

Download
memory/2804-60-0x000007FEF6680000-0x000007FEF706C000-memory.dmp

Filesize
9.9MB

Download
memory/2888-23-0x0000000004600000-0x0000000004610000-memory.dmp

Filesize
64KB

Download
memory/2968-59-0x0000000001300000-0x0000000001318000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads