xworm | a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

Analysis

max time kernel
1138s
max time network
1140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 11:21

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sv.exe
Size

63KB
MD5

c095a62b525e62244cad230e696028cf
SHA1

67232c186d3efe248b540f1f2fe3382770b5074a
SHA256

a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512

5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP

1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

amount-acceptance.gl.at.ply.gg:7420

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

Signatures

Detect Xworm Payload 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3024-1-0x0000000000050000-0x0000000000066000-memory.dmp	family_xworm
C:\ProgramData\svhost.exe	family_xworm
behavioral1/memory/1320-41-0x0000000001110000-0x0000000001126000-memory.dmp	family_xworm
behavioral1/memory/3000-45-0x0000000000080000-0x0000000000096000-memory.dmp	family_xworm
behavioral1/memory/2136-47-0x0000000000960000-0x0000000000976000-memory.dmp	family_xworm
behavioral1/memory/1360-49-0x0000000000250000-0x0000000000266000-memory.dmp	family_xworm
behavioral1/memory/708-51-0x0000000000810000-0x0000000000826000-memory.dmp	family_xworm
behavioral1/memory/888-53-0x0000000000A70000-0x0000000000A86000-memory.dmp	family_xworm
behavioral1/memory/2536-55-0x0000000000C00000-0x0000000000C16000-memory.dmp	family_xworm
behavioral1/memory/1152-57-0x0000000001090000-0x00000000010A6000-memory.dmp	family_xworm
behavioral1/memory/2576-59-0x0000000001250000-0x0000000001266000-memory.dmp	family_xworm
behavioral1/memory/2120-65-0x0000000000150000-0x0000000000166000-memory.dmp	family_xworm
behavioral1/memory/2724-79-0x0000000000BE0000-0x0000000000BF6000-memory.dmp	family_xworm
behavioral1/memory/2056-560-0x0000000000E30000-0x0000000000E46000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2656 powershell.exe
2600 powershell.exe
2672 powershell.exe
2900 powershell.exe

pid	process
2656	powershell.exe
2600	powershell.exe
2672	powershell.exe
2900	powershell.exe

Drops startup file 2 IoCs

Processes:

sv.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe

Executes dropped EXE 22 IoCs

Processes:

efajyv.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exeuibhcz.exesqu49BD.tmp.exesvhost.exesvhost.exesvhost.exesvhost.exe

pid	process
900	efajyv.exe
1320	svhost.exe
2060	svhost.exe
3000	svhost.exe
2136	svhost.exe
1360	svhost.exe
708	svhost.exe
888	svhost.exe
2536	svhost.exe
1152	svhost.exe
2576	svhost.exe
2492	svhost.exe
1612	svhost.exe
2888	svhost.exe
2324	svhost.exe
2120	svhost.exe
1404	uibhcz.exe
2860	squ49BD.tmp.exe
2724	svhost.exe
2056	svhost.exe
2544	svhost.exe
1556	svhost.exe

Loads dropped DLL 1 IoCs

Processes:

uibhcz.exe

pid process

1404 uibhcz.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

sv.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" sv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1404	uibhcz.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	sv.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef27ba738dcd74fa14fc9b9e302527300000000020000000000106600000001000020000000915a3446e80e76f5e490d3223801023d7aafb905bd9f023f354add2431046214000000000e80000000020000200000003be7ffa01deb3d7e28ac70166c65cd527eb729f6135fc47afed569e27c35820c20000000a443109e1865adba80bf08f9049548b84d1fb65832613bdb831bd1cf1ec3b3f240000000af2c347aab82627131ed423f31c921d159c493b3098603821142c6fb68a7679410e6910a3fb551a7519196420986d1ea7e27406cc365bb83e26a75b31229ca24	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{72ED9CF1-379E-11EF-917A-EA263619F6CB} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2049f647abcbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425995782"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef27ba738dcd74fa14fc9b9e302527300000000020000000000106600000001000020000000782b6aa56840556b63960d0f1bfaf33c1b2ddae77a5b9b21c202325f6c35bd2d000000000e80000000020000200000008f6efa71972a2be9c7ba677a0f994a52a2ebaa5737ae295f2eb9aad9fba49c26900000007c6a0c6317e961dec39b77260658355748ce55ed975651698fdb788765f7b832fc2f3b186f97d59f4842fee6090ee2e3f2ce44e0cd2e434d6e0570595a78b705574330f94441fd8538c2ea1e6215bc1caada16540ae632947a68ff30d89be57f9a21f708988bb3a36bfd30ba7421c2fb3230aac9197ef35045eb4c1048a6eb27e3f09cb1e6d88c98d93e7e50252fbf5f400000001dd29ff80cf836a5e90ed46af7837d648ddbcfc4d4c4a75d17a08ffb1b51b699f68893d9f4b83703cd666ed05a6806652ee998d83ecb4966f6a6385b8a910e39	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1196 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2900 powershell.exe
2656 powershell.exe
2600 powershell.exe
2672 powershell.exe

pid	process
1196	schtasks.exe

pid	process
2900	powershell.exe
2656	powershell.exe
2600	powershell.exe
2672	powershell.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

sv.exepowershell.exepowershell.exepowershell.exepowershell.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	3024	sv.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	3024	sv.exe
Token: SeDebugPrivilege	1320	svhost.exe
Token: SeDebugPrivilege	2060	svhost.exe
Token: SeDebugPrivilege	3000	svhost.exe
Token: SeDebugPrivilege	2136	svhost.exe
Token: SeDebugPrivilege	1360	svhost.exe
Token: SeDebugPrivilege	708	svhost.exe
Token: SeDebugPrivilege	888	svhost.exe
Token: SeDebugPrivilege	2536	svhost.exe
Token: SeDebugPrivilege	1152	svhost.exe
Token: SeDebugPrivilege	2576	svhost.exe
Token: SeDebugPrivilege	2492	svhost.exe
Token: SeDebugPrivilege	1612	svhost.exe
Token: SeDebugPrivilege	2888	svhost.exe
Token: SeDebugPrivilege	2324	svhost.exe
Token: SeDebugPrivilege	2120	svhost.exe
Token: SeDebugPrivilege	2724	svhost.exe
Token: SeDebugPrivilege	2056	svhost.exe
Token: SeDebugPrivilege	2544	svhost.exe
Token: SeDebugPrivilege	1556	svhost.exe
Token: SeShutdownPrivilege	2360	shutdown.exe
Token: SeRemoteShutdownPrivilege	2360	shutdown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1092 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1092 iexplore.exe
1092 iexplore.exe
1816 IEXPLORE.EXE
1816 IEXPLORE.EXE
1816 IEXPLORE.EXE
1816 IEXPLORE.EXE

pid	process
1092	iexplore.exe

pid	process
1092	iexplore.exe
1092	iexplore.exe
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sv.exetaskeng.exe

description	pid	process	target process
PID 3024 wrote to memory of 2900	3024	sv.exe	powershell.exe
PID 3024 wrote to memory of 2900	3024	sv.exe	powershell.exe
PID 3024 wrote to memory of 2900	3024	sv.exe	powershell.exe
PID 3024 wrote to memory of 2656	3024	sv.exe	powershell.exe
PID 3024 wrote to memory of 2656	3024	sv.exe	powershell.exe
PID 3024 wrote to memory of 2656	3024	sv.exe	powershell.exe
PID 3024 wrote to memory of 2600	3024	sv.exe	powershell.exe
PID 3024 wrote to memory of 2600	3024	sv.exe	powershell.exe
PID 3024 wrote to memory of 2600	3024	sv.exe	powershell.exe
PID 3024 wrote to memory of 2672	3024	sv.exe	powershell.exe
PID 3024 wrote to memory of 2672	3024	sv.exe	powershell.exe
PID 3024 wrote to memory of 2672	3024	sv.exe	powershell.exe
PID 3024 wrote to memory of 1196	3024	sv.exe	schtasks.exe
PID 3024 wrote to memory of 1196	3024	sv.exe	schtasks.exe
PID 3024 wrote to memory of 1196	3024	sv.exe	schtasks.exe
PID 636 wrote to memory of 1320	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 1320	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 1320	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2060	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2060	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2060	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 3000	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 3000	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 3000	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2136	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2136	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2136	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 1360	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 1360	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 1360	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 708	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 708	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 708	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 888	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 888	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 888	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2536	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2536	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2536	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 1152	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 1152	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 1152	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2576	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2576	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2576	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2492	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2492	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2492	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 1612	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 1612	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 1612	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2888	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2888	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2888	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2324	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2324	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2324	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2120	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2120	636	taskeng.exe	svhost.exe
PID 636 wrote to memory of 2120	636	taskeng.exe	svhost.exe
PID 3024 wrote to memory of 1404	3024	sv.exe	uibhcz.exe
PID 3024 wrote to memory of 1404	3024	sv.exe	uibhcz.exe
PID 3024 wrote to memory of 1404	3024	sv.exe	uibhcz.exe
PID 3024 wrote to memory of 1404	3024	sv.exe	uibhcz.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sv.exe
"C:\Users\Admin\AppData\Local\Temp\sv.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Users\Admin\AppData\Local\Temp\efajyv.exe
"C:\Users\Admin\AppData\Local\Temp\efajyv.exe"
2⤵
- Executes dropped EXE
PID:900

C:\Users\Admin\AppData\Local\Temp\uibhcz.exe
"C:\Users\Admin\AppData\Local\Temp\uibhcz.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1404

C:\Users\Admin\AppData\Local\Temp\squ49BD.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\squ49BD.tmp.exe" --setup "C:\Users\Admin\AppData\Local\Temp\squ49BE.tmp.nupkg"
3⤵
- Executes dropped EXE
PID:2860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\yafern.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1092

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1092 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1816

C:\Windows\system32\shutdown.exe
shutdown.exe /f /s /t 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\system32\taskeng.exe
taskeng.exe {EBF47C38-B22D-4C69-8FFB-38F1E411243F} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1592

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svhost.exe
Filesize
63KB

MD5
c095a62b525e62244cad230e696028cf

SHA1
67232c186d3efe248b540f1f2fe3382770b5074a

SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
d518fe1a6db2fcd192a628aefdf57538

SHA1
a767a6d8ba6c2a404ba3c634f5345ca41a058293

SHA256
e263913149ebdb9df9a622779fd2f24e923acc9b39e03cd06d20b8ed2890397d

SHA512
881ea9a249707ed34e90a5a948775521dc227644be764ba9dc2c603bb4aae0dfef767c5cd29e26c82531811a689e631f62b27d8f342992075fa6e2f4693fbc20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
dd2cafc0746b14bd37e738e5fbb39f9e

SHA1
7bfc0d926123164f072a23f3c84a67ed0fc04978

SHA256
65614352a0b829ec15b05017774add4aaa22a9c3e71bc65e80a4488ec9a028cf

SHA512
5e36e01cf247610df7a821ba7dc666392d12e64ccda294fe5d76cbec276a573e8ba4697ca037488498bfdd235ba2fb9510179d3a43fd6a7314c7227c44079f86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
93b95c54a7cb186d58ab72af37fcc619

SHA1
4450ce848e16bfba5d49cbb5b17c504f6661416b

SHA256
839c9da6291fa8317a354568717afcef3e274c2c0efc8cc61636bc080a2c2977

SHA512
9b4a34c2fccfa0bd6f737edfd0500683db6dbb475b962740c096b6bca47ab770314b0004b919ec2359aaa685cecd4e136b2acbbd9958c129e2aaafd22266cfd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
c11ebd608c2e3006ff7da16833876036

SHA1
9fd2180d705f958695159705e40c99fa051da89b

SHA256
4593c2381d6eef42159ee448937f07057c97574e2f4b55b14dd8fa92e4aecc67

SHA512
7cc0f110c7fc66c13f6516a2051e9bc6409f51732d4f8348680241c314238605e896a58ddf777f3cbcf82661e5071341c53539863132fd32c1980a829d833872

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
c0905bd3965557debabbd506053b8896

SHA1
185504942afaa9a78c9ec5e7824e1f827a0905cb

SHA256
8bf6a897f02624b8728f54800f6b8f778c7cc8a7c89adce119177c80a486aecd

SHA512
001a89a95ebf75d7a322efe74d2d73465f53f0da3cff20c3e0bbe3cf1e96b065b3d48555486901f2c6ece37919f12b02acc4f4cd78cdb09c03b85eccc242aec5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
869ec45b40b4a5bc1ad32af2218b9f8a

SHA1
1df541c27aab9d32ec9301c8a1202680d60f950d

SHA256
1f18107bedcb40b90404e51409c7b9ae27adc7db3c21ee444445728189b54c58

SHA512
c0602a3b01b1809eb8119636d1d8973c3d2d596f00a1a5e39e74a8a12fdd8663c5d9d31db6e6d5016bdddae1e91ac487ac4acdb3c15edede68fb7bb22e688d29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
ee1ce41b7c70a043d9209a9287ff55c4

SHA1
c435fea7088cba4a7ff01f5a53619885ef00b101

SHA256
d30d32c80ac87be6df8a2e552ec906397b8a9d69f5bf7405aa1399bedda3a18e

SHA512
5087c705a4144315921ff983ba37bae1f5e5fcb13d44fe22578b06f6b35e36d9e58c01ffd7285e4d9588cd43e7164e5380180e88df0570a392fcf24fd5758188

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
112b9ded3f6274633f69480f8218dea7

SHA1
0058e3e0af78376589d1b3156c6e18a9f25e7560

SHA256
9a4626edb36fceee54046e57c46f3379e87d68dc3130d8a059e1e19b23294b4f

SHA512
0b84ba02c6295373bfce0bb67085774438e75a250898fdbbe5340049fc1ce60ef37ad1d753e8be093a80fdcd7362a9d2a502c5a862f45379dab7ee0d31b3e31f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
e435ba57cadbc3ad3b6a928bf32dc256

SHA1
c3ef822d6a4234db170bbd002afe52d2d51dc3ff

SHA256
42ee68cffa1894056588444d4740300bd9ea0f453ffc306ceb71c5c7d188d838

SHA512
458637c54f3487f9d8acea97157e8428945906dda611e7cc0067815bad26aa6fc98e08ece7ff4806ff53b02e0dffd35d25eba70a8e7b948c5342518ecf051a41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
8b97ba823c14b595b204db6c72c02d17

SHA1
0d577408096d6441c998422b04ec2cd2f6735ae6

SHA256
5abfb09b1e8aaaa93faeb78214542f93c70ebb12d8b2f2322c967ead8ac282db

SHA512
c679594656396b272e635d4204d745e01073b9d0385e9cfd9ba7dca0786fc6dd582fad790dfda2ee5d6da1d10b09f29d0ee911922425437b3168711965cac9c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
f091570b4182e5ad40a25957d50ad083

SHA1
c228de159fc57cfa77f58926b5cd9d523fbdabcb

SHA256
6bbf9d8b8a459a3b16047874ebd7916bdec2300f2048f1779fe607196acd5bae

SHA512
50f07433c2df98bd5cb72ca41597b83b21a83e9e9e6ae19f64d9d6ed838772eb89b8aa927e9479336b0935705dd2efd33847dac14011568d76a914983116c266

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
72c77ce004a9338ffae0afc888c7a771

SHA1
1c56a26ebfe2a6b3726147ea1e2e7d4af4e31c91

SHA256
36fdb391f8e9bb571ff1513e4a7c372ae23c236629cf07d9c79b78782bdb6eea

SHA512
8e3ef1751ce19f397c6a5b158ca25df7018bea817c2beb0278f86267869c728442c4544800d0ba9320c55af1f26ca6a0ceb6b6ad62b2a5dcabb93efb286af73f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
4d95cb810fb7d85a674803134a858aff

SHA1
2c37806be17b344c1aabd550e2c4b265efca5e10

SHA256
d9ced044acb3e3e010632fcdeae9b31c7b33523f8df21624c1f7aca909f66600

SHA512
75dd2084aa4d0e10aba5ced1ea76c131227dd1ee841f1463159e3a69f1c8252e5d8eea669a3798dd64537281a2ed05e2b43a5ec56e8c97bfebac5d5fb665cf3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
e1bb7ff763fb1cf52e52832b026f5dde

SHA1
75aefe89d0f240cb814b066bbde8a977a29fd54a

SHA256
6baa3ecde78bc24496d48de23682eb617ab2295d58f575c899bae5d4487ff801

SHA512
80808c208f7f6ee451940f0915ef9c7fb9ed436bfe10fc976541d8f69ae4949555d2fe2dfcf28f174895a2f928aa436ce6e4f53e8e8b438f16e53fc1ccf58103

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
55a2cb04a8794cd4c7c0e4d51dd8dc31

SHA1
54a9639dff4fdc23be3f2712cf058c2c9deddeb4

SHA256
3135e59307bb28da0562f50b1a08a8135216c2db2b0232c9614c58ba8070a898

SHA512
f43f36053eede8cc3f83005195006bc723550503911c7ec40f58f3518033a0e405b6c5214014e398d31dec7f8eb42654616488fa0982e3f92a5cc97e1b67e78b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
ee32635dbc53ded6110c63367a7d4f2a

SHA1
cc00f863206d79477b5991befdcc50d97e0eaf0e

SHA256
b53f5534574e7ee31344510d60b4b57e2f1ab0aa541d71008bcaa047ff4212e1

SHA512
c2aeb72070fa28a8eba56a738a733b20499f7eb17ae69a8f49433db3458626bf80e651284614bd1bc8ac80ed5e5ad8367f2beb5fed9710e568cd86619dd53fe0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
7e56a84e1eab3f9a400a398b8f588e87

SHA1
3bc945c935454fe6971e25174b68dd9ae2620ef6

SHA256
4a89fade98b10703ba27557c11ff47a7f24bd4e9ecd6c177f7b15e2a171bd5fb

SHA512
e56ddeb8422b9b64de8c928d851d1e668f47a410265531b3ca146b2d24528307ec2fb49cdaa3b29819a48c29d849443ec1e0cd0636d0c9487c0cad5b82c2a43e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
f57d250dfca3423270a1754ebec50260

SHA1
ed24b994542f9f213a5c7e9e1f675d9d77803ca7

SHA256
0486fe5b11ff25af96e64140c2cad226885232ea8ec88ce982d75b0b88075530

SHA512
abdc5f6ccd25786e8a612a8766dd5686b41b6f1eb77b3907ca1acc2279515ee5401d12ca3895b5bc8faffb29c9df7bf69508de34b45736d017aa8a9157a0c92e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
c7069d42bc2ee70cce1768dedae66175

SHA1
f7fa7c36ab2f1d093a3c1347815fa5b02f10601c

SHA256
c4a9983ee954ac242fcf77259fb59a8f0ee4b565cc52199f6cf39100a1b474b4

SHA512
eb6a5f361c49058cd3946cc12ecc72471c58d29176b30e42d6358b8c93cee637cc5cdf468d582ae7fb4ec8d12216bae9f83c103620b2d9ffa543d877713d5776

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4963.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4A73.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\efajyv.exe
Filesize
8.0MB

MD5
780d9df36221ccd24716da39ee3e2708

SHA1
3a2e4f8bc401856f1870e9fd3a3977044db68729

SHA256
f765d1d4012f47223a47c5992da55066e81d76b0714eb347ca6a54c55f4e374c

SHA512
36b1df97a9b0a3ae9cae704f722537c877c6b8a091c513be66bd16645cdf9ab424912e6dac3ddfbbf9419a9d0acc17113dec88418b8134e641a87028e8e4d6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yafern.html
Filesize
25.6MB

MD5
93ff3422fefbc1976fdc11c4fe15169b

SHA1
e6be4b9a96a28a7d32cad1ceda04c8edeb4f5a9a

SHA256
cd3dea6e79c0f9dda0f16a608ff04dc41dde17b3b6f3ce42d9018be839f058da

SHA512
8cdaee06dad6babd133853d59d511957e4ba056c5cf24200db1996d05be2d53d4711649316ea352912da5fb5c6f0080a77a7d645d14af6448a4b1e1c33343589

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
3b2552a2f9989dfc9e945cbfb6039389

SHA1
6545cd3ce391aa511ff64eddcf7fa413352250f8

SHA256
9849eaee6ca35464b3fcf3dc9af8ad4dcf07b789232bbe7bf55f12410fb8721e

SHA512
44ef0cba7864002551981b42092b1040c7db26376e4726d672db6f51970d02704269847c259b43e997fa022824f48c3b2d22ec6c755e3ba50b33f108ea3450b3

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\squ49BD.tmp.exe
Filesize
12.1MB

MD5
19f260fd99cee82277338002e98b8729

SHA1
a2b688cde0c316fa40534aac2c34d53ea73de84b

SHA256
68376cde6708b39994c9d5d2d28097d4d6fb79f867f68298751ea3d3d854832d

SHA512
74d6e423e22f1f706fe72d0beab24eb4d0b87996746c0886234a572a6688c78919a2cc613594ee159723e06e9eaff3d0c78361542e7fa3acb7e4611f6c237c52

Download Submit
memory/708-51-0x0000000000810000-0x0000000000826000-memory.dmp

Filesize
88KB

Download
memory/888-53-0x0000000000A70000-0x0000000000A86000-memory.dmp

Filesize
88KB

Download
memory/1152-57-0x0000000001090000-0x00000000010A6000-memory.dmp

Filesize
88KB

Download
memory/1320-41-0x0000000001110000-0x0000000001126000-memory.dmp

Filesize
88KB

Download
memory/1360-49-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/2056-560-0x0000000000E30000-0x0000000000E46000-memory.dmp

Filesize
88KB

Download
memory/2120-65-0x0000000000150000-0x0000000000166000-memory.dmp

Filesize
88KB

Download
memory/2136-47-0x0000000000960000-0x0000000000976000-memory.dmp

Filesize
88KB

Download
memory/2536-55-0x0000000000C00000-0x0000000000C16000-memory.dmp

Filesize
88KB

Download
memory/2576-59-0x0000000001250000-0x0000000001266000-memory.dmp

Filesize
88KB

Download
memory/2656-15-0x0000000002730000-0x0000000002738000-memory.dmp

Filesize
32KB

Download
memory/2656-14-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2724-79-0x0000000000BE0000-0x0000000000BF6000-memory.dmp

Filesize
88KB

Download
memory/2900-7-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2900-8-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2900-6-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/3000-45-0x0000000000080000-0x0000000000096000-memory.dmp

Filesize
88KB

Download
memory/3024-31-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/3024-32-0x000007FEF5543000-0x000007FEF5544000-memory.dmp

Filesize
4KB

Download
memory/3024-33-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/3024-0-0x000007FEF5543000-0x000007FEF5544000-memory.dmp

Filesize
4KB

Download
memory/3024-81-0x0000000001EF0000-0x0000000001F00000-memory.dmp

Filesize
64KB

Download
memory/3024-1-0x0000000000050000-0x0000000000066000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads