xworm | fd96a23ae800a272e8bdf46dba1c8a3ac285cf1c7f6c6f5ae4b473a00e3cf43d

Analysis

max time kernel
59s
max time network
71s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 20:50

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

2025-01-17-13-06-51.exe
Size

83KB
MD5

45b9c22e416482de6446d6422f37fd17
SHA1

7db3bdee144cb804d73ecb8fcafa4748024f67a2
SHA256

fd96a23ae800a272e8bdf46dba1c8a3ac285cf1c7f6c6f5ae4b473a00e3cf43d
SHA512

731ea90275dbc39ac0ad9c16afa9b61488d5a6ff5a1fbe5af7800a7a38b54b4623c26857b4caec2a5c15c4afee788bc98215ce22ce9764c44e8d90b698e5ae03
SSDEEP

1536:uaPkD+QdQoTFuUer5QhORVx/KzNHUSWUiuCLWm2XiZs8hfNG7xEa1af:uQ89lfo/eJWWCLWm1fNkGakf

Score

10^/10

xworm bootkit defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

trip-thesaurus.gl.at.ply.gg:16715

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023c9f-4.dat	family_xworm
behavioral1/memory/2544-12-0x0000000000140000-0x000000000015A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
760	powershell.exe
4492	powershell.exe
1936	powershell.exe
1772	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	zjzavm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	zjzavm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	2025-01-17-13-06-51.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	2025-01-17-13-06-51.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	2025-01-17-13-06-51.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	2025-01-17-13-06-51.exe

Executes dropped EXE 8 IoCs

pid	Process
2544	2025-01-17-13-06-51.exe
4152	zjzavm.exe
2984	zjzavm.exe
4248	zjzavm.exe
2608	zjzavm.exe
1044	zjzavm.exe
4500	zjzavm.exe
2988	zjzavm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthSystray"	2025-01-17-13-06-51.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	zjzavm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-17-13-06-51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zjzavm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zjzavm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2268	powershell.exe
2268	powershell.exe
1772	powershell.exe
1772	powershell.exe
760	powershell.exe
760	powershell.exe
4492	powershell.exe
4492	powershell.exe
1936	powershell.exe
1936	powershell.exe
2544	2025-01-17-13-06-51.exe
2984	zjzavm.exe
2984	zjzavm.exe
2984	zjzavm.exe
2984	zjzavm.exe
2608	zjzavm.exe
2608	zjzavm.exe
4248	zjzavm.exe
4248	zjzavm.exe
2608	zjzavm.exe
2608	zjzavm.exe
2984	zjzavm.exe
2984	zjzavm.exe
4248	zjzavm.exe
4248	zjzavm.exe
2608	zjzavm.exe
2608	zjzavm.exe
4500	zjzavm.exe
4500	zjzavm.exe
4248	zjzavm.exe
4248	zjzavm.exe
1044	zjzavm.exe
1044	zjzavm.exe
1044	zjzavm.exe
4248	zjzavm.exe
1044	zjzavm.exe
4248	zjzavm.exe
2984	zjzavm.exe
2984	zjzavm.exe
2984	zjzavm.exe
2984	zjzavm.exe
1044	zjzavm.exe
4248	zjzavm.exe
4248	zjzavm.exe
1044	zjzavm.exe
4500	zjzavm.exe
4500	zjzavm.exe
2608	zjzavm.exe
2608	zjzavm.exe
2984	zjzavm.exe
4248	zjzavm.exe
2984	zjzavm.exe
4248	zjzavm.exe
1044	zjzavm.exe
4500	zjzavm.exe
4500	zjzavm.exe
1044	zjzavm.exe
2608	zjzavm.exe
1044	zjzavm.exe
2608	zjzavm.exe
1044	zjzavm.exe
4248	zjzavm.exe
4500	zjzavm.exe
4500	zjzavm.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	2025-01-17-13-06-51.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2544	2025-01-17-13-06-51.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
2544	2025-01-17-13-06-51.exe
2988	zjzavm.exe
4248	zjzavm.exe
4500	zjzavm.exe
2984	zjzavm.exe
1044	zjzavm.exe
2984	zjzavm.exe
4248	zjzavm.exe
4500	zjzavm.exe
1044	zjzavm.exe
2984	zjzavm.exe
4248	zjzavm.exe
4500	zjzavm.exe
1044	zjzavm.exe
2984	zjzavm.exe
4248	zjzavm.exe
4500	zjzavm.exe
1044	zjzavm.exe
4248	zjzavm.exe
2984	zjzavm.exe
4500	zjzavm.exe
1044	zjzavm.exe
2984	zjzavm.exe
4248	zjzavm.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 2268	832	2025-01-17-13-06-51.exe	83
PID 832 wrote to memory of 2268	832	2025-01-17-13-06-51.exe	83
PID 832 wrote to memory of 2268	832	2025-01-17-13-06-51.exe	83
PID 832 wrote to memory of 2544	832	2025-01-17-13-06-51.exe	85
PID 832 wrote to memory of 2544	832	2025-01-17-13-06-51.exe	85
PID 2544 wrote to memory of 1772	2544	2025-01-17-13-06-51.exe	87
PID 2544 wrote to memory of 1772	2544	2025-01-17-13-06-51.exe	87
PID 2544 wrote to memory of 760	2544	2025-01-17-13-06-51.exe	89
PID 2544 wrote to memory of 760	2544	2025-01-17-13-06-51.exe	89
PID 2544 wrote to memory of 4492	2544	2025-01-17-13-06-51.exe	91
PID 2544 wrote to memory of 4492	2544	2025-01-17-13-06-51.exe	91
PID 2544 wrote to memory of 1936	2544	2025-01-17-13-06-51.exe	93
PID 2544 wrote to memory of 1936	2544	2025-01-17-13-06-51.exe	93
PID 2544 wrote to memory of 4152	2544	2025-01-17-13-06-51.exe	110
PID 2544 wrote to memory of 4152	2544	2025-01-17-13-06-51.exe	110
PID 2544 wrote to memory of 4152	2544	2025-01-17-13-06-51.exe	110
PID 4152 wrote to memory of 2984	4152	zjzavm.exe	111
PID 4152 wrote to memory of 2984	4152	zjzavm.exe	111
PID 4152 wrote to memory of 2984	4152	zjzavm.exe	111
PID 4152 wrote to memory of 4248	4152	zjzavm.exe	112
PID 4152 wrote to memory of 4248	4152	zjzavm.exe	112
PID 4152 wrote to memory of 4248	4152	zjzavm.exe	112
PID 4152 wrote to memory of 2608	4152	zjzavm.exe	113
PID 4152 wrote to memory of 2608	4152	zjzavm.exe	113
PID 4152 wrote to memory of 2608	4152	zjzavm.exe	113
PID 4152 wrote to memory of 1044	4152	zjzavm.exe	114
PID 4152 wrote to memory of 1044	4152	zjzavm.exe	114
PID 4152 wrote to memory of 1044	4152	zjzavm.exe	114
PID 4152 wrote to memory of 4500	4152	zjzavm.exe	115
PID 4152 wrote to memory of 4500	4152	zjzavm.exe	115
PID 4152 wrote to memory of 4500	4152	zjzavm.exe	115
PID 4152 wrote to memory of 2988	4152	zjzavm.exe	116
PID 4152 wrote to memory of 2988	4152	zjzavm.exe	116
PID 4152 wrote to memory of 2988	4152	zjzavm.exe	116
PID 2988 wrote to memory of 4012	2988	zjzavm.exe	119
PID 2988 wrote to memory of 4012	2988	zjzavm.exe	119
PID 2988 wrote to memory of 4012	2988	zjzavm.exe	119

C:\Users\Admin\AppData\Local\Temp\2025-01-17-13-06-51.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-17-13-06-51.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAdABpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AdQB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAagBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAYQB5ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Users\Admin\AppData\Roaming\2025-01-17-13-06-51.exe
  "C:\Users\Admin\AppData\Roaming\2025-01-17-13-06-51.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\2025-01-17-13-06-51.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2025-01-17-13-06-51.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecurityHealthSystray'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- - C:\Users\Admin\AppData\Local\Temp\zjzavm.exe
    "C:\Users\Admin\AppData\Local\Temp\zjzavm.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4152
  - - C:\Users\Admin\AppData\Local\Temp\zjzavm.exe
      "C:\Users\Admin\AppData\Local\Temp\zjzavm.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\zjzavm.exe
      "C:\Users\Admin\AppData\Local\Temp\zjzavm.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4248
  - - C:\Users\Admin\AppData\Local\Temp\zjzavm.exe
      "C:\Users\Admin\AppData\Local\Temp\zjzavm.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\zjzavm.exe
      "C:\Users\Admin\AppData\Local\Temp\zjzavm.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\zjzavm.exe
      "C:\Users\Admin\AppData\Local\Temp\zjzavm.exe" /watchdog
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4500
  - - C:\Users\Admin\AppData\Local\Temp\zjzavm.exe
      "C:\Users\Admin\AppData\Local\Temp\zjzavm.exe" /main
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\SysWOW64\notepad.exe
        
        "C:\Windows\System32\notepad.exe" \note.txt
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tnreihvl.nhl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zjzavm.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Roaming\2025-01-17-13-06-51.exe

Filesize
77KB

MD5
e2b82b4f39f2527e850756664e5462a1

SHA1
8de7c878e724e1667cc90f3fad7b109f5ed65927

SHA256
e41f276291b01717c78ffe3d6a288bf95b42da33445c0c8490e0b546fe380935

SHA512
5cb25a33e937febb5f8255e2a80eaa1fccc4b5f6442e831d47839ba896727b85e139af5195c46957187b422c7f010f2349320ef977d4598f4b26f8ca2d573a82

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1772-59-0x0000028DF7580000-0x0000028DF75A2000-memory.dmp

Filesize
136KB

Download
memory/2268-49-0x0000000007F70000-0x00000000085EA000-memory.dmp

Filesize
6.5MB

Download
memory/2268-53-0x0000000007BC0000-0x0000000007C56000-memory.dmp

Filesize
600KB

Download
memory/2268-20-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/2268-30-0x0000000005FF0000-0x0000000006344000-memory.dmp

Filesize
3.3MB

Download
memory/2268-31-0x0000000006600000-0x000000000661E000-memory.dmp

Filesize
120KB

Download
memory/2268-32-0x0000000006640000-0x000000000668C000-memory.dmp

Filesize
304KB

Download
memory/2268-45-0x00000000077D0000-0x00000000077EE000-memory.dmp

Filesize
120KB

Download
memory/2268-35-0x0000000070270000-0x00000000702BC000-memory.dmp

Filesize
304KB

Download
memory/2268-34-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/2268-33-0x0000000006BE0000-0x0000000006C12000-memory.dmp

Filesize
200KB

Download
memory/2268-46-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/2268-47-0x0000000007800000-0x00000000078A3000-memory.dmp

Filesize
652KB

Download
memory/2268-48-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/2268-18-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/2268-50-0x0000000007930000-0x000000000794A000-memory.dmp

Filesize
104KB

Download
memory/2268-51-0x00000000079A0000-0x00000000079AA000-memory.dmp

Filesize
40KB

Download
memory/2268-13-0x000000007445E000-0x000000007445F000-memory.dmp

Filesize
4KB

Download
memory/2268-19-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/2268-54-0x0000000007B30000-0x0000000007B41000-memory.dmp

Filesize
68KB

Download
memory/2268-55-0x0000000007B70000-0x0000000007B7E000-memory.dmp

Filesize
56KB

Download
memory/2268-56-0x0000000007B80000-0x0000000007B94000-memory.dmp

Filesize
80KB

Download
memory/2268-57-0x0000000007C60000-0x0000000007C7A000-memory.dmp

Filesize
104KB

Download
memory/2268-58-0x0000000007BB0000-0x0000000007BB8000-memory.dmp

Filesize
32KB

Download
memory/2268-17-0x0000000005650000-0x0000000005672000-memory.dmp

Filesize
136KB

Download
memory/2268-71-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/2268-16-0x00000000057D0000-0x0000000005DF8000-memory.dmp

Filesize
6.2MB

Download
memory/2268-15-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/2268-14-0x0000000005050000-0x0000000005086000-memory.dmp

Filesize
216KB

Download
memory/2544-103-0x00007FFE71FB3000-0x00007FFE71FB5000-memory.dmp

Filesize
8KB

Download
memory/2544-52-0x000000001AF60000-0x000000001AF70000-memory.dmp

Filesize
64KB

Download
memory/2544-113-0x000000001AF60000-0x000000001AF70000-memory.dmp

Filesize
64KB

Download
memory/2544-114-0x000000001AF50000-0x000000001AF5C000-memory.dmp

Filesize
48KB

Download
memory/2544-12-0x0000000000140000-0x000000000015A000-memory.dmp

Filesize
104KB

Download
memory/2544-11-0x00007FFE71FB3000-0x00007FFE71FB5000-memory.dmp

Filesize
8KB

Download
memory/2544-131-0x000000001BD30000-0x000000001BD3C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads