4c7a879639151a8b87a1476f65f88a959b9afbaebd179665f0da955e447b534d

General

Target

_$.exe
Size

50KB
MD5

7c93a02c3a90f915530df1acaa07fec9
SHA1

1353fc85e84a431d43e519c8eef3d789b2a84be5
SHA256

db5964ee570a1cbcbd1a0c7c8a7e4aadb44f64c27061ab25fde24a7f21d73f45
SHA512

e8fa76667098d6d9caf3348dfd784ad68e14f44879d0a25a087486599478debc7f337669e16b444e3e056368faf7036ff39a2c60beb408af4bca2d4d151608f2

Score

10^/10

ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note

🔒 ALL YOUR DATA TURNED TO USELESS BINARY CODE 🔒 Your computer is infected with a virus. Send an email parazite@tutanota.com , specify in the subject your unique identifier ESM8IZN6 and you will definitly be helped to recover. NOTE: You can send 2 files as proof that we can return all your data. If the provided email doesn't work, please contact us at alcmalcolm@cock.li Algorithms used are AES and RSA. IMPORTANT: 1. The infection was due to vulnerabilities in your software. 2. If you want to make sure that it is impossible to recover files using third-party software, do this not on all files, otherwise you may lose all data. 3. Only communication through our email can guarantee file recover for you. We are not responsible for the actions of third parties who promise to help you - most often they are scammers. 4. Please, do not try to rename encrypted files. 5. Our goal is to return your data, but if you don't contact us, we will not succeed.

Emails

parazite@tutanota.com

alcmalcolm@cock.li

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

z4calwqf.exeTaskHost.exe

pid process

584 z4calwqf.exe
1324 TaskHost.exe

pid	process
584	z4calwqf.exe
1324	TaskHost.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

TaskHost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SwitchProtect.png.arazite	TaskHost.exe
File renamed	C:\Users\Admin\Pictures\SwitchProtect.png.arazite => C:\Users\Admin\Pictures\SwitchProtect.png.arazite	TaskHost.exe
File renamed	C:\Users\Admin\Pictures\SwitchProtect.png => C:\Users\Admin\Pictures\SwitchProtect.png.arazite	TaskHost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Drops file in System32 directory 1 IoCs

Processes:

TaskHost.exe

description ioc process

File created C:\Windows\SysWOW64\@AudioToastIcon.png TaskHost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\@AudioToastIcon.png	TaskHost.exe

Drops file in Program Files directory 64 IoCs

Processes:

TaskHost.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\vscroll-thumb.png	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\main-selector.css	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\share_icons2x.png	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf	TaskHost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\SmallLogo.png	TaskHost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\SmallLogoCanary.png	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Confirmation2x.png.arazite	TaskHost.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\css\main.css	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_2x.png	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-114x114-precomposed.png.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\main-selector.css.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml	TaskHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png	TaskHost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity@3x.png.arazite	TaskHost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html.arazite	TaskHost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	TaskHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent@3x.png	TaskHost.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2016.511.9510.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\close_x.png.arazite	TaskHost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	TaskHost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\LogoCanary.png	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\file_info2x.png	TaskHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.arazite	TaskHost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_2x.png.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon.png.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast.png	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon.png.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_retina.png.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fill-sign.png.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\illustrations.png.arazite	TaskHost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\inline-error-1x.png	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-options.xml.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\README.html	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\affDescription.txt.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png.arazite	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\main.css.arazite	TaskHost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.png	TaskHost.exe
File created	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	TaskHost.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_field_grabber.png	TaskHost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\nub.png	TaskHost.exe

Drops file in Windows directory 64 IoCs

Processes:

TaskHost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE (x86).lnk	TaskHost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk	TaskHost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\10 - AppsAndFeatures.lnk	TaskHost.exe
File created	C:\Windows\InfusedApps\Applications\Microsoft.MicrosoftOfficeHub_2017.311.255.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	TaskHost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\DebugAndTrace.aspx	TaskHost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\4 - Control Panel.lnk	TaskHost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\08 - PowerAndSleep.lnk	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallSqlStateTemplate.sql.arazite	TaskHost.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	TaskHost.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx	TaskHost.exe
File opened for modification	C:\Windows\Professional.xml.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\security0.aspx.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersistSqlState.sql.arazite	TaskHost.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	TaskHost.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx.arazite	TaskHost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RedistList\FrameworkList.xml	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallSqlStateTemplate.sql.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\findUsers.aspx.arazite	TaskHost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk.arazite	TaskHost.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppxBlockMap.xml	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml.arazite	TaskHost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\04-1 - NetworkStatus.lnk	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallWebEventSqlProvider.sql	TaskHost.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\UninstallMembership.sql	TaskHost.exe
File opened for modification	C:\Windows\Panther\diagerr.xml.arazite	TaskHost.exe
File created	C:\Windows\InfusedApps\Frameworks\Microsoft.VCLibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	TaskHost.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\AppxBlockMap.xml	TaskHost.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	TaskHost.exe
File created	C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\AppxBlockMap.xml	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx.arazite	TaskHost.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml	TaskHost.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	TaskHost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\06 - SystemAbout.lnk.arazite	TaskHost.exe
File created	C:\Windows\InfusedApps\Applications\Microsoft.SkypeApp_11.8.204.0_neutral_~_kzf8qxf38zg5c\AppxBlockMap.xml	TaskHost.exe
File created	C:\Windows\Performance\WinSAT\Clip_1080_5sec_10mbps_h264.mp4	TaskHost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\01 - Command Prompt.lnk	TaskHost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk.arazite	TaskHost.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallPersonalization.sql	TaskHost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk	TaskHost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk	TaskHost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\SmtpSettings.aspx.arazite	TaskHost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE.lnk.arazite	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx	TaskHost.exe
File opened for modification	C:\Windows\Panther\diagwrn.xml	TaskHost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk.arazite	TaskHost.exe
File created	C:\Windows\info.hta	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersistSqlState.sql	TaskHost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\error.aspx.arazite	TaskHost.exe
File created	C:\Windows\InfusedApps\Applications\Microsoft.BingWeather_4.18.56.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	TaskHost.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	TaskHost.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\AppxBlockMap.xml	TaskHost.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\DebugAndTrace.aspx	TaskHost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\manageSingleRole.aspx	TaskHost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\3 - Windows Explorer.lnk	TaskHost.exe

Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

356 vssadmin.exe
2052 vssadmin.exe
976 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4092 taskkill.exe
Modifies registry class 1 IoCs

Processes:

TaskHost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings TaskHost.exe

pid	process
356	vssadmin.exe
2052	vssadmin.exe
976	vssadmin.exe

pid	process
4092	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	TaskHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

_$.exe

pid	process
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe
812	_$.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

_$.exetaskkill.exez4calwqf.exeTaskHost.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	812	_$.exe
Token: SeDebugPrivilege	4092	taskkill.exe
Token: SeDebugPrivilege	584	z4calwqf.exe
Token: SeDebugPrivilege	1324	TaskHost.exe
Token: 33	1324	TaskHost.exe
Token: SeIncBasePriorityPrivilege	1324	TaskHost.exe
Token: SeIncreaseQuotaPrivilege	3820	WMIC.exe
Token: SeSecurityPrivilege	3820	WMIC.exe
Token: SeTakeOwnershipPrivilege	3820	WMIC.exe
Token: SeLoadDriverPrivilege	3820	WMIC.exe
Token: SeSystemProfilePrivilege	3820	WMIC.exe
Token: SeSystemtimePrivilege	3820	WMIC.exe
Token: SeProfSingleProcessPrivilege	3820	WMIC.exe
Token: SeIncBasePriorityPrivilege	3820	WMIC.exe
Token: SeCreatePagefilePrivilege	3820	WMIC.exe
Token: SeBackupPrivilege	3820	WMIC.exe
Token: SeRestorePrivilege	3820	WMIC.exe
Token: SeShutdownPrivilege	3820	WMIC.exe
Token: SeDebugPrivilege	3820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3820	WMIC.exe
Token: SeRemoteShutdownPrivilege	3820	WMIC.exe
Token: SeUndockPrivilege	3820	WMIC.exe
Token: SeManageVolumePrivilege	3820	WMIC.exe
Token: 33	3820	WMIC.exe
Token: 34	3820	WMIC.exe
Token: 35	3820	WMIC.exe
Token: 36	3820	WMIC.exe
Token: SeBackupPrivilege	1008	vssvc.exe
Token: SeRestorePrivilege	1008	vssvc.exe
Token: SeAuditPrivilege	1008	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3820	WMIC.exe
Token: SeSecurityPrivilege	3820	WMIC.exe
Token: SeTakeOwnershipPrivilege	3820	WMIC.exe
Token: SeLoadDriverPrivilege	3820	WMIC.exe
Token: SeSystemProfilePrivilege	3820	WMIC.exe
Token: SeSystemtimePrivilege	3820	WMIC.exe
Token: SeProfSingleProcessPrivilege	3820	WMIC.exe
Token: SeIncBasePriorityPrivilege	3820	WMIC.exe
Token: SeCreatePagefilePrivilege	3820	WMIC.exe
Token: SeBackupPrivilege	3820	WMIC.exe
Token: SeRestorePrivilege	3820	WMIC.exe
Token: SeShutdownPrivilege	3820	WMIC.exe
Token: SeDebugPrivilege	3820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3820	WMIC.exe
Token: SeRemoteShutdownPrivilege	3820	WMIC.exe
Token: SeUndockPrivilege	3820	WMIC.exe
Token: SeManageVolumePrivilege	3820	WMIC.exe
Token: 33	3820	WMIC.exe
Token: 34	3820	WMIC.exe
Token: 35	3820	WMIC.exe
Token: 36	3820	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2572	WMIC.exe
Token: SeSecurityPrivilege	2572	WMIC.exe
Token: SeTakeOwnershipPrivilege	2572	WMIC.exe
Token: SeLoadDriverPrivilege	2572	WMIC.exe
Token: SeSystemProfilePrivilege	2572	WMIC.exe
Token: SeSystemtimePrivilege	2572	WMIC.exe
Token: SeProfSingleProcessPrivilege	2572	WMIC.exe
Token: SeIncBasePriorityPrivilege	2572	WMIC.exe
Token: SeCreatePagefilePrivilege	2572	WMIC.exe
Token: SeBackupPrivilege	2572	WMIC.exe
Token: SeRestorePrivilege	2572	WMIC.exe
Token: SeShutdownPrivilege	2572	WMIC.exe
Token: SeDebugPrivilege	2572	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

_$.exe

pid process

812 _$.exe
812 _$.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

_$.execmd.exez4calwqf.execmd.exeTaskHost.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 812 wrote to memory of 3780	812	_$.exe	cmstp.exe
PID 812 wrote to memory of 3780	812	_$.exe	cmstp.exe
PID 2916 wrote to memory of 584	2916	cmd.exe	z4calwqf.exe
PID 2916 wrote to memory of 584	2916	cmd.exe	z4calwqf.exe
PID 2916 wrote to memory of 584	2916	cmd.exe	z4calwqf.exe
PID 584 wrote to memory of 1324	584	z4calwqf.exe	TaskHost.exe
PID 584 wrote to memory of 1324	584	z4calwqf.exe	TaskHost.exe
PID 584 wrote to memory of 1324	584	z4calwqf.exe	TaskHost.exe
PID 584 wrote to memory of 1376	584	z4calwqf.exe	cmd.exe
PID 584 wrote to memory of 1376	584	z4calwqf.exe	cmd.exe
PID 584 wrote to memory of 1376	584	z4calwqf.exe	cmd.exe
PID 1376 wrote to memory of 3948	1376	cmd.exe	choice.exe
PID 1376 wrote to memory of 3948	1376	cmd.exe	choice.exe
PID 1376 wrote to memory of 3948	1376	cmd.exe	choice.exe
PID 1324 wrote to memory of 3768	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3768	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3768	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 2344	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 2344	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 2344	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3992	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3992	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3992	1324	TaskHost.exe	cmd.exe
PID 3768 wrote to memory of 356	3768	cmd.exe	vssadmin.exe
PID 3768 wrote to memory of 356	3768	cmd.exe	vssadmin.exe
PID 3768 wrote to memory of 356	3768	cmd.exe	vssadmin.exe
PID 2344 wrote to memory of 3820	2344	cmd.exe	WMIC.exe
PID 2344 wrote to memory of 3820	2344	cmd.exe	WMIC.exe
PID 2344 wrote to memory of 3820	2344	cmd.exe	WMIC.exe
PID 1324 wrote to memory of 2336	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 2336	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 2336	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3392	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3392	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3392	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3508	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3508	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3508	1324	TaskHost.exe	cmd.exe
PID 2336 wrote to memory of 2052	2336	cmd.exe	vssadmin.exe
PID 2336 wrote to memory of 2052	2336	cmd.exe	vssadmin.exe
PID 2336 wrote to memory of 2052	2336	cmd.exe	vssadmin.exe
PID 3392 wrote to memory of 2572	3392	cmd.exe	WMIC.exe
PID 3392 wrote to memory of 2572	3392	cmd.exe	WMIC.exe
PID 3392 wrote to memory of 2572	3392	cmd.exe	WMIC.exe
PID 1324 wrote to memory of 3488	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3488	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3488	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3252	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3252	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3252	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3832	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3832	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3832	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 1068	1324	TaskHost.exe	mshta.exe
PID 1324 wrote to memory of 1068	1324	TaskHost.exe	mshta.exe
PID 1324 wrote to memory of 1068	1324	TaskHost.exe	mshta.exe
PID 3252 wrote to memory of 3840	3252	cmd.exe	WMIC.exe
PID 3252 wrote to memory of 3840	3252	cmd.exe	WMIC.exe
PID 3252 wrote to memory of 3840	3252	cmd.exe	WMIC.exe
PID 3488 wrote to memory of 976	3488	cmd.exe	vssadmin.exe
PID 3488 wrote to memory of 976	3488	cmd.exe	vssadmin.exe
PID 3488 wrote to memory of 976	3488	cmd.exe	vssadmin.exe
PID 1324 wrote to memory of 3836	1324	TaskHost.exe	cmd.exe
PID 1324 wrote to memory of 3836	1324	TaskHost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\_$.exe
"C:\Users\Admin\AppData\Local\Temp\_$.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:812

\??\c:\windows\system32\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\30zrxhkv.inf
2⤵
PID:3780

C:\Windows\system32\cmd.exe
cmd /c start C:\Windows\temp\z4calwqf.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\temp\z4calwqf.exe
C:\Windows\temp\z4calwqf.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584

C:\Users\Admin\AppData\Roaming\TaskHost.exe
"C:\Users\Admin\AppData\Roaming\TaskHost.exe"
3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
4⤵
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
4⤵
PID:3992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
4⤵
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
4⤵
PID:3508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
4⤵
PID:3832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
4⤵
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:3840

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
4⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Roaming\TaskHost.exe"
4⤵
PID:3836

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 1
5⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Windows\temp\z4calwqf.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 1
4⤵
PID:3948

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1008

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\TaskHost.exe
MD5
a6073d31eb10aaee44fea4aa90627629

SHA1
4d3711bb9e4162a4651fd53ce3ac25a555ef3a7d

SHA256
ae4140e284b0c132c88415bb6ceb195c220668d1c6ad64f72313ffffed8cd0a0

SHA512
081d4ad5bdaeaec02ce4d6ab5cad704580b3401ec42eb6b23b31d1f1ffa443e2e2d2970506b8f5b020dcc33bc1b2b5d2ef9ce63d641eb963521f4a0318e65663

Download Submit
C:\Users\Admin\AppData\Roaming\TaskHost.exe
MD5
a6073d31eb10aaee44fea4aa90627629

SHA1
4d3711bb9e4162a4651fd53ce3ac25a555ef3a7d

SHA256
ae4140e284b0c132c88415bb6ceb195c220668d1c6ad64f72313ffffed8cd0a0

SHA512
081d4ad5bdaeaec02ce4d6ab5cad704580b3401ec42eb6b23b31d1f1ffa443e2e2d2970506b8f5b020dcc33bc1b2b5d2ef9ce63d641eb963521f4a0318e65663

Download Submit
C:\Users\Admin\Desktop\info.hta
MD5
a0e158a308a89132c4aad305e27f0784

SHA1
cf334bf9d01dcff9412d249b4aafad911fc15028

SHA256
638b0f9ee2dde8f74316b5b5dced64828d056b8944e8cac3a88921576458589d

SHA512
1d959f9ed6b048084134ce615bab3ecb4429c906ecd25dec8c2e50fb26270bceabe79039593179a7e91a0d50bb41fb6ac691fe4ab49a00573a02f9f712e7f775

Download Submit
C:\Windows\Temp\z4calwqf.exe
MD5
91ebd9edc1322c6200bef620dea7dde6

SHA1
adb5d32b4d03db0f39d2fb5be5769393099cc1fc

SHA256
6a2151f059327c592dec77ee158596f4bbb64ded544a3e3be77f2765d02f6597

SHA512
d26dae8a8fa0fa244d024192baeb768bd3668a089e236f77f97530b240cea1ddfe51d7a1f53c9ca6593e74db4fc07cddd4c130c29f24d7c0c1e3c6d9d75a30fd

Download Submit
C:\Windows\temp\30zrxhkv.inf
MD5
c5a5f3714941a6b4f42acb87dc40f6d2

SHA1
7bbce16eee198ad265b76b6ce98a6b3389170d40

SHA256
0ead4918e97fcf67eff46e4e5f599b1f32cbe73f2ba9352c51e56635f358e2b0

SHA512
28e5042ba9418941d7c20e63073957fb7116cee83bb89a4581b62b8f9d3177b406b122f37779ac95bb1c8f5e6e3a1541c3089c10e4bb428fb90658d44a47a738

Download Submit
C:\Windows\temp\z4calwqf.exe
MD5
91ebd9edc1322c6200bef620dea7dde6

SHA1
adb5d32b4d03db0f39d2fb5be5769393099cc1fc

SHA256
6a2151f059327c592dec77ee158596f4bbb64ded544a3e3be77f2765d02f6597

SHA512
d26dae8a8fa0fa244d024192baeb768bd3668a089e236f77f97530b240cea1ddfe51d7a1f53c9ca6593e74db4fc07cddd4c130c29f24d7c0c1e3c6d9d75a30fd

Download Submit
memory/356-40-0x0000000000000000-mapping.dmp

Download
memory/584-19-0x0000000000000000-mapping.dmp

Download
memory/584-23-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/584-22-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/812-17-0x000000001AF34000-0x000000001AF36000-memory.dmp

Filesize
8KB

Download
memory/812-16-0x000000001AF32000-0x000000001AF34000-memory.dmp

Filesize
8KB

Download
memory/812-15-0x000000001AF30000-0x000000001AF32000-memory.dmp

Filesize
8KB

Download
memory/812-2-0x00007FFB852D0000-0x00007FFB85CBC000-memory.dmp

Filesize
9.9MB

Download
memory/812-3-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/976-52-0x0000000000000000-mapping.dmp

Download
memory/1068-50-0x0000000000000000-mapping.dmp

Download
memory/1324-33-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/1324-36-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/1324-29-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/1324-31-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/1324-28-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1324-25-0x0000000000000000-mapping.dmp

Download
memory/1324-35-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/1352-54-0x0000000000000000-mapping.dmp

Download
memory/1376-32-0x0000000000000000-mapping.dmp

Download
memory/2052-45-0x0000000000000000-mapping.dmp

Download
memory/2336-42-0x0000000000000000-mapping.dmp

Download
memory/2344-38-0x0000000000000000-mapping.dmp

Download
memory/2572-46-0x0000000000000000-mapping.dmp

Download
memory/3252-48-0x0000000000000000-mapping.dmp

Download
memory/3392-43-0x0000000000000000-mapping.dmp

Download
memory/3488-47-0x0000000000000000-mapping.dmp

Download
memory/3508-44-0x0000000000000000-mapping.dmp

Download
memory/3768-37-0x0000000000000000-mapping.dmp

Download
memory/3780-9-0x00000217F8610000-0x00000217F8611000-memory.dmp

Filesize
4KB

Download
memory/3780-12-0x00000217F8670000-0x00000217F8671000-memory.dmp

Filesize
4KB

Download
memory/3780-7-0x00000217F8610000-0x00000217F8611000-memory.dmp

Filesize
4KB

Download
memory/3780-5-0x0000000000000000-mapping.dmp

Download
memory/3820-41-0x0000000000000000-mapping.dmp

Download
memory/3832-49-0x0000000000000000-mapping.dmp

Download
memory/3836-53-0x0000000000000000-mapping.dmp

Download
memory/3840-51-0x0000000000000000-mapping.dmp

Download
memory/3948-34-0x0000000000000000-mapping.dmp

Download
memory/3992-39-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads