atomsilo | d9f7bb98ad01c4775ec71ec66f5546de131735e6dba8122474cc6eb62320e47b

General

Target

ATOMSILO_2.exe
Size

328KB
MD5

04a8307259478245cbae49940b6d655a
SHA1

0f5259812be378bbd764cef94697019075990b4d
SHA256

d9f7bb98ad01c4775ec71ec66f5546de131735e6dba8122474cc6eb62320e47b
SHA512

a2277ba16e1749ea7528f38640b2e2ca6d3aeb3c86df0bc417df37416fa6bc9be3bc84889e73793f8cda965676c2b0976bab140be2246dce7ab4ea6451d2e0f3

Score

10^/10

atomsilo ransomware

Malware Config

Extracted

Path

C:\Users\Public\ATOMSILO-README.hta

Family

atomsilo

Ransom Note

Atom Slio Instructions WARNING! YOUR FILES ARE ENCRYPTED AND LEAKED! We are AtomSilo.Sorry to inform you that your files has been obtained and encrypted by us. But don’t worry, your files are safe, provided that you are willing to pay the ransom. Any forced shutdown or attempts to restore your files with the thrid-party software will be damage your files permanently! The only way to decrypt your files safely is to buy the special decryption software from us. The price of decryption software is 1000000 dollars . If you pay within 48 hours, you only need to pay 500000 dollars . No price reduction is accepted. We only accept Bitcoin payment,you can buy it from bitpay,coinbase,binance or others. You have five days to decide whether to pay or not. After a week, we will no longer provide decryption tools and publish your files Time starts at 0:00 on September 11 Survival time： You can contact us with the following email: Email:[email protected] If this email can't be contacted, you can find the latest email address on the following website: http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion If you don’t know how to open this dark web site, please follow the steps below to installation and use TorBrowser: run your Internet browser enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER wait for the site loading on the site you will be offered to download TorBrowser; download and run it, follow the installation instructions, wait until the installation is completed run TorBrowser connect with the button "Connect" (if you use the English version) a normal Internet browser window will be opened after the initialization type or copy the address in this browser address bar and press ENTER the site should be loaded; if for some reason the site is not loading wait for a moment and try again. If you have any problems during installation or use of TorBrowser, please, visit https://www.youtube.com and type request in the search bar "Install TorBrowser Windows" and you will find a lot of training videos about TorBrowser installation and use. Additional information: You will find the instructions ("README-FILE-#COMPUTER#-#TIME#.hta") for restoring your files in any folder with your encrypted files. The instructions "README-FILE-#COMPUTER#-#TIME#.hta" in the folders with your encrypted files are not viruses! The instructions "README-FILE-#COMPUTER#-#TIME#.hta" will help you to decrypt your files. Remember! The worst situation already happened and now the future of your files depends on your determination and speed of your actions.

Emails

Email:[email protected]

URLs

http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion

Signatures

AtomSilo
Ransomware family first seen in September 2021.
ransomware atomsilo

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

ATOMSILO_2.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RevokeTest.crw => \??\c:\Users\Admin\Pictures\RevokeTest.crw.ATOMSILO	ATOMSILO_2.exe
File renamed	C:\Users\Admin\Pictures\SyncBlock.tif => \??\c:\Users\Admin\Pictures\SyncBlock.tif.ATOMSILO	ATOMSILO_2.exe
File renamed	C:\Users\Admin\Pictures\MergeSplit.tif => \??\c:\Users\Admin\Pictures\MergeSplit.tif.ATOMSILO	ATOMSILO_2.exe
File renamed	C:\Users\Admin\Pictures\ReceiveRename.raw => \??\c:\Users\Admin\Pictures\ReceiveRename.raw.ATOMSILO	ATOMSILO_2.exe

Drops startup file 1 IoCs

Processes:

ATOMSILO_2.exe

description ioc process

File created \??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\README-FILE-GFBFPSXA-1633373518.hta ATOMSILO_2.exe

description	ioc	process
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\README-FILE-GFBFPSXA-1633373518.hta	ATOMSILO_2.exe

Drops file in Program Files directory 64 IoCs

Processes:

ATOMSILO_2.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\wordEtw.man	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-200_contrast-black.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-36_altform-unplated.png	ATOMSILO_2.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\README-FILE-GFBFPSXA-1633373518.hta	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-white_scale-125.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\lr_16x11.png	ATOMSILO_2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\README-FILE-GFBFPSXA-1633373518.hta	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\tzmappings	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Java\jre1.8.0_66\lib\ext\jfxrt.jar	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\MainPageState2\see_all_bp_920.jpg	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\UpsellContentDialogHeader.jpg	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_altform-unplated_contrast-black.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\uk-ua\ui-strings.js	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\mx_60x42.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\MedTile.scale-100.png	ATOMSILO_2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\README-FILE-GFBFPSXA-1633373518.hta	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\rsod\osmux.x-none.msi.16.x-none.tree.dat	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Resources\TopicPage\core.js	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OneConnectAppList.targetsize-36.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\rsod\osmmui.msi.16.en-us.tree.dat	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\bg5.jpg	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\bg6_thumb.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\jp_60x42.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\ui-strings.js	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\VideoLAN\VLC\lua\meta\art\02_frenchtv.luac	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Solitaire25.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_Welcome.mp4	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\LockScreenBadgeLogo.scale-200.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ui-strings.js	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerLargeTile.contrast-white_scale-125.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\AppxManifest.xml	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\generic.Messaging.config	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8201_48x48x32.png	ATOMSILO_2.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\README-FILE-GFBFPSXA-1633373518.hta	ATOMSILO_2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-tw\README-FILE-GFBFPSXA-1633373518.hta	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookMedTile.scale-400.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ma_60x42.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256.png	ATOMSILO_2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-sl\README-FILE-GFBFPSXA-1633373518.hta	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\nl_get.svg	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotContain.snippets.ps1xml	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-explorer_ja.jar	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\MedTile.scale-125.png	ATOMSILO_2.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\README-FILE-GFBFPSXA-1633373518.hta	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_CatEye.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Microsoft.Xbox.SmartGlass.Controls\BridgedWebBrowser.xaml	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\ui-strings.js	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner-3x.png	ATOMSILO_2.exe
File created	\??\c:\Program Files\README-FILE-GFBFPSXA-1633373518.hta	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms	ATOMSILO_2.exe
File created	\??\c:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c\SkypeApp\Assets\README-FILE-GFBFPSXA-1633373518.hta	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Awards\Assets\Awards_cup.png	ATOMSILO_2.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP	ATOMSILO_2.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3176 PING.EXE

pid	process
3176	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

ATOMSILO_2.execmd.exe

description	pid	process	target process
PID 900 wrote to memory of 3980	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 3980	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 584	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 584	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 2856	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 2856	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 2868	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 2868	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 336	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 336	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 4040	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 4040	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 856	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 856	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 3888	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 3888	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 2416	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 2416	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 4024	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 4024	900	ATOMSILO_2.exe	mshta.exe
PID 900 wrote to memory of 636	900	ATOMSILO_2.exe	cmd.exe
PID 900 wrote to memory of 636	900	ATOMSILO_2.exe	cmd.exe
PID 636 wrote to memory of 3176	636	cmd.exe	PING.EXE
PID 636 wrote to memory of 3176	636	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\ATOMSILO_2.exe
"C:\Users\Admin\AppData\Local\Temp\ATOMSILO_2.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  PID:3980
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  PID:2856
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  PID:584
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  PID:2868
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  PID:336
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  PID:4040
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  PID:856
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  PID:3888
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  PID:2416
- C:\Windows\SYSTEM32\mshta.exe
  mshta "C:\Users\Public\ATOMSILO-README.hta"
  2⤵
  PID:4024
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c ping 127.0.0.1 -n 6 && del "C:\Users\Admin\AppData\Local\Temp\ATOMSILO_2.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 6
    3⤵
    - Runs ping.exe
    PID:3176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\ATOMSILO-README.hta

MD5
491ea317fb6c8b6480e466c7f9609882

SHA1
174a6b3a5746f0e9c4147c84f9f4886a81c00596

SHA256
62895cbddaa94033f325b454d177aa0d1db3c0e33d6042fcf26bde1f7886f4f6

SHA512
6a7146b513e3872d273f2fcc3114c6f1951b1fd0472735614ad1e77b5fdbebebb89d5127f1db9c5cdbb7340092f33a11bd8a1d67fe31ce22c835194667cfe4f1

Download Submit
memory/336-118-0x0000000000000000-mapping.dmp

Download
memory/584-115-0x0000000000000000-mapping.dmp

Download
memory/636-124-0x0000000000000000-mapping.dmp

Download
memory/856-120-0x0000000000000000-mapping.dmp

Download
memory/2416-122-0x0000000000000000-mapping.dmp

Download
memory/2856-116-0x0000000000000000-mapping.dmp

Download
memory/2868-117-0x0000000000000000-mapping.dmp

Download
memory/3176-136-0x0000000000000000-mapping.dmp

Download
memory/3888-121-0x0000000000000000-mapping.dmp

Download
memory/3980-114-0x0000000000000000-mapping.dmp

Download
memory/4024-123-0x0000000000000000-mapping.dmp

Download
memory/4040-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads