xworm | 55edcf08f8521a9cddde8570baaac0ab8ef6e640e96c834db0e5c12f5b9c68fe

Analysis

max time kernel
36s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3eedde12ec9a2f363c13d643bd2acdf.exe
Size

48KB
MD5

f3eedde12ec9a2f363c13d643bd2acdf
SHA1

2d53fef1c7b2036d4c25097fe1d3d5276cff9cb8
SHA256

63c8a594926959e99dbcaac2e4bdf923691373d432500ddc0572996bfb8e399e
SHA512

0f6f4ed01f591edb4565fd31169aebb3be2d2dec246459411c52db0c9c7168da4404d4657312c879980b524da6047d9a87b8a49bae5836bf40e9ebeb6f166a53
SSDEEP

768:p4Q66hONMScH5lT67gmvCrPz3uRr+Ubpi6yCAHBQSE+ZO+h+ArZ6T:pXOWpzPz3WrhbpryCAhQx+ZO+do

Score

10^/10

xworm persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

request-busy.gl.at.ply.gg:6728

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral30/memory/6020-1-0x0000000000F80000-0x0000000000F92000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	f3eedde12ec9a2f363c13d643bd2acdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	vpuqoz.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f3eedde12ec9a2f363c13d643bd2acdf.lnk	f3eedde12ec9a2f363c13d643bd2acdf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f3eedde12ec9a2f363c13d643bd2acdf.lnk	f3eedde12ec9a2f363c13d643bd2acdf.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
2480	vpuqoz.exe

Modifies system executable filetype association 2 TTPs 34 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command	reg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f3eedde12ec9a2f363c13d643bd2acdf = "C:\\Users\\Admin\\AppData\\Roaming\\f3eedde12ec9a2f363c13d643bd2acdf.exe"	f3eedde12ec9a2f363c13d643bd2acdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\Programmable	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0219-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\DeviceUpdateCenter	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Extensions\ContractId\Windows.File\PackageId\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F6342F2-D848-42E3-8995-C10A9EF9A3BA}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{305900A9-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0083-ABCDEFFEDCBC}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\cplfile\shell\cplopen\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B923FDE1-F08C-11D3-91B0-00105A0A19FD}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Extensions\ContractId\Windows.Protocol\PackageId\MicrosoftWindows.Client.CBS_120.2212.3920.0_x64__cw5n1h2txyewy\ActivatableClassId\InputApp.AppX654gddqdhxd9smyt91r9s0dr975jqnh9.mca\Custom	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C03D4-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\7-Zip.tar\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\AppXpwc46qrmp0f8q5ysxk6ngj8d32yk22kz\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0139-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0239-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0327-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0319-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.wab	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings\CurVer	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\vlc.exe\shell\Open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71985F4B-1CA1-11D3-9CC8-00C04F7971E0}\Instance\Microsoft ATSC Network Provider	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E4C18D40-1CD5-101C-B325-00AA001F3168}\VersionIndependentProgID	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\ActivatableClassId	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0002088B-0000-0000-C000-000000000046}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\mspaint.exe\SupportedTypes	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0206-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Extensions\ContractId\Windows.Launch\PackageId\c5e2524a-ea46-4f67-841f-6a9465d9d515_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\opennewwindow	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0136-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0306-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0139-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0207-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E9729012-8271-4e1f-BC56-CF85F914915A}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6F6E6E26-F123-437D-8CED-DC1D2BC0C3A9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{941105E9-760A-49EC-995F-7668CB60216C}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0E13A85-238A-4800-8315-D947C960A843}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0293-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\fonfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51A21C32-DD1F-4D3C-85F1-6F8A6172CA82}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.acrobatsecuritysettings\OpenWithList\AcroRd32.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CID\3f55c848-83c8-4649-9928-10a9f8aa72f8\CustomProperties	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8BD21D30-EC42-11CE-9E0D-00AA006002F3}\Control	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4A8539E-015A-4F13-AE49-E78C1D9DA236}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\OpenWithList\notepad.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020833-0000-0000-C000-000000000046}\MiscStatus	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0202-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Chart.8\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934E2-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0185-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0042-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0178-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5d69e663-e64e-5d4b-b50f-f6f34bdd9015}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\AppX3p914qnpgw4hwj856jw2y286v7d4qnzh\Shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0123-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00000035-0000-0010-8000-00AA006D2EA4}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000208E1-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000209E1-0000-0000-C000-000000000046}	reg.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	6020	f3eedde12ec9a2f363c13d643bd2acdf.exe
Token: 33	3348	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3348	AUDIODG.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 6020 wrote to memory of 2480	6020	f3eedde12ec9a2f363c13d643bd2acdf.exe	100
PID 6020 wrote to memory of 2480	6020	f3eedde12ec9a2f363c13d643bd2acdf.exe	100
PID 2480 wrote to memory of 6056	2480	vpuqoz.exe	102
PID 2480 wrote to memory of 6056	2480	vpuqoz.exe	102
PID 6056 wrote to memory of 2176	6056	cmd.exe	104
PID 6056 wrote to memory of 2176	6056	cmd.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f3eedde12ec9a2f363c13d643bd2acdf.exe
"C:\Users\Admin\AppData\Local\Temp\f3eedde12ec9a2f363c13d643bd2acdf.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6020
- C:\Users\Admin\AppData\Local\Temp\vpuqoz.exe
  "C:\Users\Admin\AppData\Local\Temp\vpuqoz.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k reg delete HKCR /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6056
  - - C:\Windows\system32\reg.exe
      reg delete HKCR /f
      4⤵
      Modifies system executable filetype association
      Modifies registry class
      PID:2176

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x3c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vpuqoz.exe

Filesize
11KB

MD5
866805b3414d1f1ad797c8ef51e63860

SHA1
7196fd0df3f92d9c3677927b9973db196b12f1e6

SHA256
e65a3ff4d43861f1096c7963b848d10c831c0990f0f75b76ae9a575179776355

SHA512
bcb38dbe1a3d8f3b0812b3ca244608f0ae96fd38489639efd4d7c7dfa2cfcce1fbf9820b35abc9cb90ce31b8c5b032a6cc6099dde6b44a0bc2f47d4e9cbae575

Download Submit
memory/2480-23-0x0000000000B50000-0x0000000000B5A000-memory.dmp

Filesize
40KB

Download
memory/2480-27-0x00007FFB2BE70000-0x00007FFB2C931000-memory.dmp

Filesize
10.8MB

Download
memory/2480-28-0x00007FFB2BE70000-0x00007FFB2C931000-memory.dmp

Filesize
10.8MB

Download
memory/2480-29-0x00007FFB2BE70000-0x00007FFB2C931000-memory.dmp

Filesize
10.8MB

Download
memory/6020-1-0x0000000000F80000-0x0000000000F92000-memory.dmp

Filesize
72KB

Download
memory/6020-0-0x00007FFB2BE73000-0x00007FFB2BE75000-memory.dmp

Filesize
8KB

Download
memory/6020-8-0x00007FFB2BE70000-0x00007FFB2C931000-memory.dmp

Filesize
10.8MB

Download
memory/6020-9-0x00007FFB2BE73000-0x00007FFB2BE75000-memory.dmp

Filesize
8KB

Download
memory/6020-10-0x00007FFB2BE70000-0x00007FFB2C931000-memory.dmp

Filesize
10.8MB

Download
memory/6020-11-0x0000000003240000-0x000000000324A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads