xworm | 2caf7c96d8891b799082f6406657817ec7cffd82e54d5a44d9d4f6b82ff8ea32

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/01/2025, 13:47 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm_V5.6/XWorm V5.6/._cache_Xworm.exe
Size

75KB
MD5

f63d6c11422e7e0ca83981e8dae62f96
SHA1

c9c6088a764b07e7d438ad603a8bfcd9972f2b06
SHA256

7ed1b4c14c9dfc97094ac40c5fb6c1fe109e4bfcbc953f2ba4331686388be531
SHA512

b4dc1037a4fa38482e355aa3f4ac8288aa926dd7c24ee5cd260b5418ebd9ba6a53ef41f3e862eaa71795a2d0b7407fc9d700ec9a224d45f4b7af1e2063f991d9
SSDEEP

1536:GMSF34nJN7Z6/hv0beO3cCv6pDZOQlW3TDsdiv:RLjE/hv0b/DmOQlW3fXv

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

simply-exotic.gl.at.ply.gg:27183

Attributes

Install_directory
%Temp%
install_file
Windows.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/340-1-0x00000000000B0000-0x00000000000CA000-memory.dmp	family_xworm
behavioral1/files/0x000700000001c747-35.dat	family_xworm
behavioral1/memory/1044-37-0x0000000000E80000-0x0000000000E9A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2688	powershell.exe
1280	powershell.exe
1348	powershell.exe
680	powershell.exe
936	powershell.exe
2764	powershell.exe
3044	powershell.exe
2432	powershell.exe

Deletes itself 1 IoCs

pid	Process
2076	cmd.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\User.lnk	._cache_Xworm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\User.lnk	._cache_Xworm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\User.lnk	User
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\User.lnk	User

Executes dropped EXE 1 IoCs

pid	Process
1044	User

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\User = "C:\\Users\\Admin\\AppData\\Local\\Temp\\User"	._cache_Xworm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\User = "C:\\Users\\Admin\\AppData\\Local\\Temp\\User"	User

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
1792	timeout.exe
2460	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
844	schtasks.exe
788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2764	powershell.exe
3044	powershell.exe
2432	powershell.exe
2688	powershell.exe
340	._cache_Xworm.exe
1280	powershell.exe
1348	powershell.exe
680	powershell.exe
936	powershell.exe
1044	User

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	340	._cache_Xworm.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	340	._cache_Xworm.exe
Token: SeDebugPrivilege	1044	User
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	1044	User

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
340	._cache_Xworm.exe
1044	User

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 2764	340	._cache_Xworm.exe	32
PID 340 wrote to memory of 2764	340	._cache_Xworm.exe	32
PID 340 wrote to memory of 2764	340	._cache_Xworm.exe	32
PID 340 wrote to memory of 3044	340	._cache_Xworm.exe	34
PID 340 wrote to memory of 3044	340	._cache_Xworm.exe	34
PID 340 wrote to memory of 3044	340	._cache_Xworm.exe	34
PID 340 wrote to memory of 2432	340	._cache_Xworm.exe	36
PID 340 wrote to memory of 2432	340	._cache_Xworm.exe	36
PID 340 wrote to memory of 2432	340	._cache_Xworm.exe	36
PID 340 wrote to memory of 2688	340	._cache_Xworm.exe	38
PID 340 wrote to memory of 2688	340	._cache_Xworm.exe	38
PID 340 wrote to memory of 2688	340	._cache_Xworm.exe	38
PID 340 wrote to memory of 844	340	._cache_Xworm.exe	40
PID 340 wrote to memory of 844	340	._cache_Xworm.exe	40
PID 340 wrote to memory of 844	340	._cache_Xworm.exe	40
PID 2988 wrote to memory of 1044	2988	taskeng.exe	43
PID 2988 wrote to memory of 1044	2988	taskeng.exe	43
PID 2988 wrote to memory of 1044	2988	taskeng.exe	43
PID 340 wrote to memory of 1768	340	._cache_Xworm.exe	44
PID 340 wrote to memory of 1768	340	._cache_Xworm.exe	44
PID 340 wrote to memory of 1768	340	._cache_Xworm.exe	44
PID 340 wrote to memory of 2076	340	._cache_Xworm.exe	46
PID 340 wrote to memory of 2076	340	._cache_Xworm.exe	46
PID 340 wrote to memory of 2076	340	._cache_Xworm.exe	46
PID 2076 wrote to memory of 1792	2076	cmd.exe	48
PID 2076 wrote to memory of 1792	2076	cmd.exe	48
PID 2076 wrote to memory of 1792	2076	cmd.exe	48
PID 1044 wrote to memory of 1280	1044	User	49
PID 1044 wrote to memory of 1280	1044	User	49
PID 1044 wrote to memory of 1280	1044	User	49
PID 1044 wrote to memory of 1348	1044	User	51
PID 1044 wrote to memory of 1348	1044	User	51
PID 1044 wrote to memory of 1348	1044	User	51
PID 1044 wrote to memory of 680	1044	User	53
PID 1044 wrote to memory of 680	1044	User	53
PID 1044 wrote to memory of 680	1044	User	53
PID 1044 wrote to memory of 936	1044	User	55
PID 1044 wrote to memory of 936	1044	User	55
PID 1044 wrote to memory of 936	1044	User	55
PID 1044 wrote to memory of 788	1044	User	57
PID 1044 wrote to memory of 788	1044	User	57
PID 1044 wrote to memory of 788	1044	User	57
PID 1044 wrote to memory of 2168	1044	User	59
PID 1044 wrote to memory of 2168	1044	User	59
PID 1044 wrote to memory of 2168	1044	User	59
PID 1044 wrote to memory of 2240	1044	User	61
PID 1044 wrote to memory of 2240	1044	User	61
PID 1044 wrote to memory of 2240	1044	User	61
PID 2240 wrote to memory of 2460	2240	cmd.exe	63
PID 2240 wrote to memory of 2460	2240	cmd.exe	63
PID 2240 wrote to memory of 2460	2240	cmd.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XWorm_V5.6\XWorm V5.6\._cache_Xworm.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm_V5.6\XWorm V5.6\._cache_Xworm.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm_V5.6\XWorm V5.6\._cache_Xworm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_Xworm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\User'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'User'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "User" /tr "C:\Users\Admin\AppData\Local\Temp\User"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:844
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "User"
  2⤵
  PID:1768
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2230.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1792

C:\Windows\system32\taskeng.exe
taskeng.exe {563259E1-474B-462A-B337-06FF9327134E} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\User
  C:\Users\Admin\AppData\Local\Temp\User
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\User'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'User'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\User'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'User'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:936
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "User" /tr "C:\Users\Admin\AppData\Local\Temp\User"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:788
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "User"
    3⤵
    PID:2168
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp69CB.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2460

Network

DNS

ip-api.com

User

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/line/?fields=hosting

._cache_Xworm.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 23 Jan 2025 13:47:44 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
DNS

simply-exotic.gl.at.ply.gg

User

Remote address:

8.8.8.8:53

Request

simply-exotic.gl.at.ply.gg

IN A

Response

simply-exotic.gl.at.ply.gg

IN A

147.185.221.25
GET

http://ip-api.com/line/?fields=hosting

User

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 23 Jan 2025 13:48:07 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44

208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

._cache_Xworm.exe

310 B
267 B
5
2

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
147.185.221.25:27183

simply-exotic.gl.at.ply.gg

._cache_Xworm.exe

476 B
191 B
4
4
208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

User

306 B
263 B
5
2

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
147.185.221.25:27183

simply-exotic.gl.at.ply.gg

User

472 B
191 B
4
4

8.8.8.8:53

ip-api.com

dns

User

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

simply-exotic.gl.at.ply.gg

dns

User

72 B
88 B
1
1

DNS Request

simply-exotic.gl.at.ply.gg

DNS Response

147.185.221.25

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\User

Filesize
75KB

MD5
f63d6c11422e7e0ca83981e8dae62f96

SHA1
c9c6088a764b07e7d438ad603a8bfcd9972f2b06

SHA256
7ed1b4c14c9dfc97094ac40c5fb6c1fe109e4bfcbc953f2ba4331686388be531

SHA512
b4dc1037a4fa38482e355aa3f4ac8288aa926dd7c24ee5cd260b5418ebd9ba6a53ef41f3e862eaa71795a2d0b7407fc9d700ec9a224d45f4b7af1e2063f991d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2230.tmp.bat

Filesize
187B

MD5
afcbb5d9be239a7c65f8c725d8bf27ce

SHA1
382b9f10fd94417a3ef4c95edf1e872f07bad4b0

SHA256
d6c618c951c4a69cf09fe7310b8c890348d5f4313d344dcaf4777fdbe313d040

SHA512
ff0fe3a61d1e2453d21ef0a68bfaf28a15be9d670f6a1788dc49f028a8f1e9206cc2f18488b72ec72f7fbe7fe71d00a631be0ea4668af0aec99dbfd9805e8359

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp69CB.tmp.bat

Filesize
152B

MD5
f6504e4dc34849f251a2ce1b85184430

SHA1
2340bf1164b1ca7a911e307872a18ace634c4fe6

SHA256
f1d31caebf61956eff35e21f581603358d7bc1321c731bcbd47f2e9964c797ca

SHA512
749292c90d80ef2f16cba43a05bb2900f6011104613825931c17e9ef4af0867422cb78a5a646c15cd1ace2b58c48b1495de138a6cf3a71a723fe8805ce058215

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
382eafa09d3648d5185342528de323fc

SHA1
74ba59e527f5832dcbc10fae19d6a6bb5a2e63cd

SHA256
fa36f285ed80733447badf233ffbfd1501f03eee8a794ba9b389025b81edd3c8

SHA512
9899e841db2f3e5dd33ba1079fa0c64ed1e4df560d4cf712137f3c064c5690bc379ca119b3d9af5e87ebac8f9fdb5df6c1cd1f1e2926371aed1afd988f66f275

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1a09a99ccb456488ba3e33967281220e

SHA1
c6faa30ebab2056cdf73d0da106e036cf3b5b2ac

SHA256
858dcebc0d935ef33834712d691c8f97f4482b29c3c16ab866469a9a414d2e26

SHA512
b65ed786c4b7a49211d22cd8dd19c66841f104ff6973766aea092c002ad534f982210ba98aed72b60d6757cd78947dcdb896ce909f1e3ca4c6852e4afd3e5a52

Download Submit
memory/340-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/340-48-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/340-2-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/340-28-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/340-33-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/340-1-0x00000000000B0000-0x00000000000CA000-memory.dmp

Filesize
104KB

Download
memory/1044-37-0x0000000000E80000-0x0000000000E9A000-memory.dmp

Filesize
104KB

Download
memory/2764-8-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

Filesize
2.9MB

Download
memory/2764-9-0x0000000002A70000-0x0000000002A78000-memory.dmp

Filesize
32KB

Download
memory/2764-7-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/3044-16-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/3044-15-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.