4c7a879639151a8b87a1476f65f88a959b9afbaebd179665f0da955e447b534d

General

Target

_$.exe
Size

50KB
MD5

7c93a02c3a90f915530df1acaa07fec9
SHA1

1353fc85e84a431d43e519c8eef3d789b2a84be5
SHA256

db5964ee570a1cbcbd1a0c7c8a7e4aadb44f64c27061ab25fde24a7f21d73f45
SHA512

e8fa76667098d6d9caf3348dfd784ad68e14f44879d0a25a087486599478debc7f337669e16b444e3e056368faf7036ff39a2c60beb408af4bca2d4d151608f2

Score

10^/10

ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note

🔒 ALL YOUR DATA TURNED TO USELESS BINARY CODE 🔒 Your computer is infected with a virus. Send an email parazite@tutanota.com , specify in the subject your unique identifier B7TTYMZA and you will definitly be helped to recover. NOTE: You can send 2 files as proof that we can return all your data. If the provided email doesn't work, please contact us at alcmalcolm@cock.li Algorithms used are AES and RSA. IMPORTANT: 1. The infection was due to vulnerabilities in your software. 2. If you want to make sure that it is impossible to recover files using third-party software, do this not on all files, otherwise you may lose all data. 3. Only communication through our email can guarantee file recover for you. We are not responsible for the actions of third parties who promise to help you - most often they are scammers. 4. Please, do not try to rename encrypted files. 5. Our goal is to return your data, but if you don't contact us, we will not succeed.

Emails

parazite@tutanota.com

alcmalcolm@cock.li

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

0wkomrak.exeTaskHost.exe

pid process

1616 0wkomrak.exe
1948 TaskHost.exe
Loads dropped DLL 1 IoCs

Processes:

0wkomrak.exe

pid process

1616 0wkomrak.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1616	0wkomrak.exe
1948	TaskHost.exe

pid	process
1616	0wkomrak.exe

Drops file in System32 directory 3 IoCs

Processes:

TaskHost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\license.rtf.arazite	TaskHost.exe
File opened for modification	C:\Windows\SysWOW64\license.rtf	TaskHost.exe
File created	C:\Windows\SysWOW64\locationnotificationsview.xml	TaskHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Drops file in Program Files directory 64 IoCs

Processes:

TaskHost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png.arazite	TaskHost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	TaskHost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImagesMask.bmp	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\SynchronizationEula.rtf	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Austin.xml.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.Xml.xml.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html.arazite	TaskHost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp	TaskHost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\TexturedBlue.css	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen.css.arazite	TaskHost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml.arazite	TaskHost.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\flyout.html	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Country.css	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp.arazite	TaskHost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24Images.jpg	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImagesMask.bmp	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImage.jpg	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html.arazite	TaskHost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml	TaskHost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImagesMask.bmp	TaskHost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml	TaskHost.exe
File opened for modification	C:\Program Files\Java\jre7\Welcome.html	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImages.jpg.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Text.zip.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis.css	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GreenTea.css.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml	TaskHost.exe

Drops file in Windows directory 64 IoCs

Processes:

TaskHost.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlState.sql	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\security.aspx	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\createPermission.aspx	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1036\LocalizedData.xml	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\DefaultWsdlHelpGenerator.aspx.arazite	TaskHost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\SubsetList\Client.xml	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceProviderLogic.sql.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreLogic.sql.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1046\LocalizedData.xml	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallSqlState.sql.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\NetFx45_IIS_schema_update.xml.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallSqlStateTemplate.sql.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1042\LocalizedData.xml.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\DefaultWsdlHelpGenerator.aspx	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Security.aspx.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\security0.aspx.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\security0.aspx	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\ManageProviders.aspx.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\DebugAndTrace.aspx.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SplashScreen.bmp.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1055\eula.rtf.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallPersonalization.sql	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersonalization.sql	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\EditAppSetting.aspx	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1038\LocalizedData.xml	TaskHost.exe
File created	C:\Windows\Fonts\fms_metadata.xml	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallWebEventSqlProvider.sql	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1033\eula.rtf.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1043\LocalizedData.xml.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1049\LocalizedData.xml.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallMembership.sql	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersonalization.sql	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\2070\LocalizedData.xml.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreSchemaUpgrade.sql	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\2070\LocalizedData.xml	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallMembership.sql.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\DropSqlWorkflowInstanceStoreLogic.sql.arazite	TaskHost.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\UninstallCommon.sql	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1030\LocalizedData.xml	TaskHost.exe
File created	C:\Windows\Web\Wallpaper\Windows\img0.jpg	TaskHost.exe
File created	C:\Windows\info.hta	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallSqlStateTemplate.sql	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallMembership.sql.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\UninstallSqlState.sql.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\security.aspx.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\default.aspx.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\security_watermark.jpg.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1029\LocalizedData.xml.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlState.sql	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg	TaskHost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RedistList\FrameworkList.xml	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreSchema.sql	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminStyles.css.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallRoles.sql	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceProviderSchema.sql	TaskHost.exe
File created	C:\Windows\servicing\Sessions\30846299_4142642496.back.xml	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallWebEventSqlProvider.sql.arazite	TaskHost.exe

Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

1444 vssadmin.exe
940 vssadmin.exe
660 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1108 taskkill.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

0wkomrak.exe

pid process

1616 0wkomrak.exe

pid	process
1444	vssadmin.exe
940	vssadmin.exe
660	vssadmin.exe

pid	process
1108	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1616	0wkomrak.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

_$.exe

pid	process
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe
1724	_$.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

_$.exetaskkill.exe0wkomrak.exeTaskHost.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1724	_$.exe
Token: SeDebugPrivilege	1108	taskkill.exe
Token: SeDebugPrivilege	1616	0wkomrak.exe
Token: SeDebugPrivilege	1948	TaskHost.exe
Token: 33	1948	TaskHost.exe
Token: SeIncBasePriorityPrivilege	1948	TaskHost.exe
Token: SeIncreaseQuotaPrivilege	1332	WMIC.exe
Token: SeSecurityPrivilege	1332	WMIC.exe
Token: SeTakeOwnershipPrivilege	1332	WMIC.exe
Token: SeLoadDriverPrivilege	1332	WMIC.exe
Token: SeSystemProfilePrivilege	1332	WMIC.exe
Token: SeSystemtimePrivilege	1332	WMIC.exe
Token: SeProfSingleProcessPrivilege	1332	WMIC.exe
Token: SeIncBasePriorityPrivilege	1332	WMIC.exe
Token: SeCreatePagefilePrivilege	1332	WMIC.exe
Token: SeBackupPrivilege	1332	WMIC.exe
Token: SeRestorePrivilege	1332	WMIC.exe
Token: SeShutdownPrivilege	1332	WMIC.exe
Token: SeDebugPrivilege	1332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1332	WMIC.exe
Token: SeRemoteShutdownPrivilege	1332	WMIC.exe
Token: SeUndockPrivilege	1332	WMIC.exe
Token: SeManageVolumePrivilege	1332	WMIC.exe
Token: 33	1332	WMIC.exe
Token: 34	1332	WMIC.exe
Token: 35	1332	WMIC.exe
Token: SeBackupPrivilege	1228	vssvc.exe
Token: SeRestorePrivilege	1228	vssvc.exe
Token: SeAuditPrivilege	1228	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1332	WMIC.exe
Token: SeSecurityPrivilege	1332	WMIC.exe
Token: SeTakeOwnershipPrivilege	1332	WMIC.exe
Token: SeLoadDriverPrivilege	1332	WMIC.exe
Token: SeSystemProfilePrivilege	1332	WMIC.exe
Token: SeSystemtimePrivilege	1332	WMIC.exe
Token: SeProfSingleProcessPrivilege	1332	WMIC.exe
Token: SeIncBasePriorityPrivilege	1332	WMIC.exe
Token: SeCreatePagefilePrivilege	1332	WMIC.exe
Token: SeBackupPrivilege	1332	WMIC.exe
Token: SeRestorePrivilege	1332	WMIC.exe
Token: SeShutdownPrivilege	1332	WMIC.exe
Token: SeDebugPrivilege	1332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1332	WMIC.exe
Token: SeRemoteShutdownPrivilege	1332	WMIC.exe
Token: SeUndockPrivilege	1332	WMIC.exe
Token: SeManageVolumePrivilege	1332	WMIC.exe
Token: 33	1332	WMIC.exe
Token: 34	1332	WMIC.exe
Token: 35	1332	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1108	WMIC.exe
Token: SeSecurityPrivilege	1108	WMIC.exe
Token: SeTakeOwnershipPrivilege	1108	WMIC.exe
Token: SeLoadDriverPrivilege	1108	WMIC.exe
Token: SeSystemProfilePrivilege	1108	WMIC.exe
Token: SeSystemtimePrivilege	1108	WMIC.exe
Token: SeProfSingleProcessPrivilege	1108	WMIC.exe
Token: SeIncBasePriorityPrivilege	1108	WMIC.exe
Token: SeCreatePagefilePrivilege	1108	WMIC.exe
Token: SeBackupPrivilege	1108	WMIC.exe
Token: SeRestorePrivilege	1108	WMIC.exe
Token: SeShutdownPrivilege	1108	WMIC.exe
Token: SeDebugPrivilege	1108	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1108	WMIC.exe
Token: SeRemoteShutdownPrivilege	1108	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

_$.exe

pid process

1724 _$.exe
1724 _$.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

_$.execmd.exe0wkomrak.execmd.exeTaskHost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1724 wrote to memory of 1900	1724	_$.exe	cmstp.exe
PID 1724 wrote to memory of 1900	1724	_$.exe	cmstp.exe
PID 1724 wrote to memory of 1900	1724	_$.exe	cmstp.exe
PID 1832 wrote to memory of 1616	1832	cmd.exe	0wkomrak.exe
PID 1832 wrote to memory of 1616	1832	cmd.exe	0wkomrak.exe
PID 1832 wrote to memory of 1616	1832	cmd.exe	0wkomrak.exe
PID 1832 wrote to memory of 1616	1832	cmd.exe	0wkomrak.exe
PID 1616 wrote to memory of 1948	1616	0wkomrak.exe	TaskHost.exe
PID 1616 wrote to memory of 1948	1616	0wkomrak.exe	TaskHost.exe
PID 1616 wrote to memory of 1948	1616	0wkomrak.exe	TaskHost.exe
PID 1616 wrote to memory of 1948	1616	0wkomrak.exe	TaskHost.exe
PID 1616 wrote to memory of 1624	1616	0wkomrak.exe	cmd.exe
PID 1616 wrote to memory of 1624	1616	0wkomrak.exe	cmd.exe
PID 1616 wrote to memory of 1624	1616	0wkomrak.exe	cmd.exe
PID 1616 wrote to memory of 1624	1616	0wkomrak.exe	cmd.exe
PID 1624 wrote to memory of 1444	1624	cmd.exe	choice.exe
PID 1624 wrote to memory of 1444	1624	cmd.exe	choice.exe
PID 1624 wrote to memory of 1444	1624	cmd.exe	choice.exe
PID 1624 wrote to memory of 1444	1624	cmd.exe	choice.exe
PID 1948 wrote to memory of 2012	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 2012	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 2012	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 2012	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1916	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1916	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1916	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1916	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1616	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1616	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1616	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1616	1948	TaskHost.exe	cmd.exe
PID 1916 wrote to memory of 1332	1916	cmd.exe	WMIC.exe
PID 1916 wrote to memory of 1332	1916	cmd.exe	WMIC.exe
PID 1916 wrote to memory of 1332	1916	cmd.exe	WMIC.exe
PID 1916 wrote to memory of 1332	1916	cmd.exe	WMIC.exe
PID 2012 wrote to memory of 1444	2012	cmd.exe	vssadmin.exe
PID 2012 wrote to memory of 1444	2012	cmd.exe	vssadmin.exe
PID 2012 wrote to memory of 1444	2012	cmd.exe	vssadmin.exe
PID 2012 wrote to memory of 1444	2012	cmd.exe	vssadmin.exe
PID 1948 wrote to memory of 1888	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1888	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1888	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1888	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1320	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1320	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1320	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1320	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1484	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1484	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1484	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1484	1948	TaskHost.exe	cmd.exe
PID 1888 wrote to memory of 940	1888	cmd.exe	vssadmin.exe
PID 1888 wrote to memory of 940	1888	cmd.exe	vssadmin.exe
PID 1888 wrote to memory of 940	1888	cmd.exe	vssadmin.exe
PID 1888 wrote to memory of 940	1888	cmd.exe	vssadmin.exe
PID 1320 wrote to memory of 1108	1320	cmd.exe	WMIC.exe
PID 1320 wrote to memory of 1108	1320	cmd.exe	WMIC.exe
PID 1320 wrote to memory of 1108	1320	cmd.exe	WMIC.exe
PID 1320 wrote to memory of 1108	1320	cmd.exe	WMIC.exe
PID 1948 wrote to memory of 880	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 880	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 880	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 880	1948	TaskHost.exe	cmd.exe
PID 1948 wrote to memory of 1440	1948	TaskHost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\_$.exe
"C:\Users\Admin\AppData\Local\Temp\_$.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724

\??\c:\windows\system32\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\bbyhmk3v.inf
2⤵
PID:1900

C:\Windows\system32\cmd.exe
cmd /c start C:\Windows\temp\0wkomrak.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\temp\0wkomrak.exe
C:\Windows\temp\0wkomrak.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Roaming\TaskHost.exe
"C:\Users\Admin\AppData\Roaming\TaskHost.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:1444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
4⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
4⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
4⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
4⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
4⤵
PID:880

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
4⤵
PID:1440

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
4⤵
PID:1920

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
4⤵
- Modifies Internet Explorer settings
PID:1892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Roaming\TaskHost.exe"
4⤵
PID:1064

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 1
5⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Windows\temp\0wkomrak.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 1
4⤵
PID:1444

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1228

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\TaskHost.exe
MD5
a6073d31eb10aaee44fea4aa90627629

SHA1
4d3711bb9e4162a4651fd53ce3ac25a555ef3a7d

SHA256
ae4140e284b0c132c88415bb6ceb195c220668d1c6ad64f72313ffffed8cd0a0

SHA512
081d4ad5bdaeaec02ce4d6ab5cad704580b3401ec42eb6b23b31d1f1ffa443e2e2d2970506b8f5b020dcc33bc1b2b5d2ef9ce63d641eb963521f4a0318e65663

Download Submit
C:\Users\Admin\AppData\Roaming\TaskHost.exe
MD5
a6073d31eb10aaee44fea4aa90627629

SHA1
4d3711bb9e4162a4651fd53ce3ac25a555ef3a7d

SHA256
ae4140e284b0c132c88415bb6ceb195c220668d1c6ad64f72313ffffed8cd0a0

SHA512
081d4ad5bdaeaec02ce4d6ab5cad704580b3401ec42eb6b23b31d1f1ffa443e2e2d2970506b8f5b020dcc33bc1b2b5d2ef9ce63d641eb963521f4a0318e65663

Download Submit
C:\Users\Admin\Desktop\info.hta
MD5
35cbcf33bf56364628ffb0344e81fc00

SHA1
1491300d8dabcf13c45891fc87428ae9bb0df166

SHA256
9814206bbd33890cb228f526da938dd03cbcf018c7c4ad665e6dd85e21bc3e4d

SHA512
016385ae00114d39d6ff6f990b8cf33e8fe091cff012ccf673d54f57bdfe5714c7ee443559294846b79c1f746b4834949e7497f25bb85ed4e565b0667d12ad99

Download Submit
C:\Windows\Temp\0wkomrak.exe
MD5
91ebd9edc1322c6200bef620dea7dde6

SHA1
adb5d32b4d03db0f39d2fb5be5769393099cc1fc

SHA256
6a2151f059327c592dec77ee158596f4bbb64ded544a3e3be77f2765d02f6597

SHA512
d26dae8a8fa0fa244d024192baeb768bd3668a089e236f77f97530b240cea1ddfe51d7a1f53c9ca6593e74db4fc07cddd4c130c29f24d7c0c1e3c6d9d75a30fd

Download Submit
C:\Windows\temp\0wkomrak.exe
MD5
91ebd9edc1322c6200bef620dea7dde6

SHA1
adb5d32b4d03db0f39d2fb5be5769393099cc1fc

SHA256
6a2151f059327c592dec77ee158596f4bbb64ded544a3e3be77f2765d02f6597

SHA512
d26dae8a8fa0fa244d024192baeb768bd3668a089e236f77f97530b240cea1ddfe51d7a1f53c9ca6593e74db4fc07cddd4c130c29f24d7c0c1e3c6d9d75a30fd

Download Submit
C:\Windows\temp\bbyhmk3v.inf
MD5
186de1fc4f5b0c58fd8b25f0730339d1

SHA1
8fa2559eaa827130790e3d5811861772ae42e43a

SHA256
7609536365498816c0d6dfa37976ca86ef4298f21cf08b8cfbb088dad1f34207

SHA512
89479e93fe762705707d2f2ba2440d815aeb8cbac472b4d93c296884d47815ae6c118db526c2f3ca68e493aec5980df475464ae3ececb89e0fa1c75444fcf1c3

Download Submit
\Users\Admin\AppData\Roaming\TaskHost.exe
MD5
a6073d31eb10aaee44fea4aa90627629

SHA1
4d3711bb9e4162a4651fd53ce3ac25a555ef3a7d

SHA256
ae4140e284b0c132c88415bb6ceb195c220668d1c6ad64f72313ffffed8cd0a0

SHA512
081d4ad5bdaeaec02ce4d6ab5cad704580b3401ec42eb6b23b31d1f1ffa443e2e2d2970506b8f5b020dcc33bc1b2b5d2ef9ce63d641eb963521f4a0318e65663

Download Submit
memory/660-59-0x0000000000000000-mapping.dmp

Download
memory/880-56-0x0000000000000000-mapping.dmp

Download
memory/884-63-0x0000000000000000-mapping.dmp

Download
memory/940-54-0x0000000000000000-mapping.dmp

Download
memory/1064-62-0x0000000000000000-mapping.dmp

Download
memory/1108-55-0x0000000000000000-mapping.dmp

Download
memory/1172-60-0x0000000000000000-mapping.dmp

Download
memory/1320-52-0x0000000000000000-mapping.dmp

Download
memory/1332-49-0x0000000000000000-mapping.dmp

Download
memory/1440-57-0x0000000000000000-mapping.dmp

Download
memory/1444-50-0x0000000000000000-mapping.dmp

Download
memory/1444-44-0x0000000000000000-mapping.dmp

Download
memory/1484-53-0x0000000000000000-mapping.dmp

Download
memory/1616-32-0x0000000074D20000-0x000000007540E000-memory.dmp

Filesize
6.9MB

Download
memory/1616-33-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/1616-35-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/1616-29-0x0000000000000000-mapping.dmp

Download
memory/1616-48-0x0000000000000000-mapping.dmp

Download
memory/1624-43-0x0000000000000000-mapping.dmp

Download
memory/1724-22-0x000000001AD8C000-0x000000001AD8D000-memory.dmp

Filesize
4KB

Download
memory/1724-19-0x000000001AD88000-0x000000001AD89000-memory.dmp

Filesize
4KB

Download
memory/1724-3-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/1724-16-0x000000001AD85000-0x000000001AD86000-memory.dmp

Filesize
4KB

Download
memory/1724-11-0x000000001AD8B000-0x000000001AD8C000-memory.dmp

Filesize
4KB

Download
memory/1724-14-0x000000001AD66000-0x000000001AD85000-memory.dmp

Filesize
124KB

Download
memory/1724-31-0x000000001AD8D000-0x000000001AD8E000-memory.dmp

Filesize
4KB

Download
memory/1724-10-0x000000001AD60000-0x000000001AD62000-memory.dmp

Filesize
8KB

Download
memory/1724-17-0x000000001AD86000-0x000000001AD87000-memory.dmp

Filesize
4KB

Download
memory/1724-2-0x000007FEF6350000-0x000007FEF6D3C000-memory.dmp

Filesize
9.9MB

Download
memory/1724-21-0x000000001AD8A000-0x000000001AD8B000-memory.dmp

Filesize
4KB

Download
memory/1724-18-0x000000001AD87000-0x000000001AD88000-memory.dmp

Filesize
4KB

Download
memory/1724-20-0x000000001AD89000-0x000000001AD8A000-memory.dmp

Filesize
4KB

Download
memory/1888-51-0x0000000000000000-mapping.dmp

Download
memory/1892-61-0x0000000000000000-mapping.dmp

Download
memory/1900-7-0x000007FEFC601000-0x000007FEFC603000-memory.dmp

Filesize
8KB

Download
memory/1900-5-0x0000000000000000-mapping.dmp

Download
memory/1916-47-0x0000000000000000-mapping.dmp

Download
memory/1920-58-0x0000000000000000-mapping.dmp

Download
memory/1948-41-0x00000000013A0000-0x00000000013A1000-memory.dmp

Filesize
4KB

Download
memory/1948-37-0x0000000000000000-mapping.dmp

Download
memory/1948-45-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/1948-40-0x0000000074D20000-0x000000007540E000-memory.dmp

Filesize
6.9MB

Download
memory/1960-65-0x000007FEF5DF0000-0x000007FEF606A000-memory.dmp

Filesize
2.5MB

Download
memory/2012-46-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads