globeimposter | 37ff5b1492fe4e1083bdc87df3524d4ac7b5b604e71dfca3730a6527d3bb7d2a

General

Target

e3f6878bcafe2463f6028956f44a6e74.exe
Size

1.2MB
MD5

e3f6878bcafe2463f6028956f44a6e74
SHA1

99373d51d3975bbdea8664cdd8ab48240cfe3e44
SHA256

37ff5b1492fe4e1083bdc87df3524d4ac7b5b604e71dfca3730a6527d3bb7d2a
SHA512

2dca531b8f9dd52d1fa29c910bde579d397bae65355544d9c7eeeb88f533fcc0713fa298fc52a2e44c839a332f38f5a712bf8453bd46b84fd17ed648816431b7

Score

10^/10

globeimposter ransomware

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ��52 71 C4 B4 5D 5B 9E 43 00 A6 3B 20 C7 4D 56 E4 B7 33 9B 87 EA 0D 7E A8 43 45 F3 B8 18 FF 31 BB B8 CC FC A8 F8 CD 9F 2A 9A 6F F1 15 55 87 27 6C D0 EE AD BC B0 05 C0 B2 40 00 58 4E 6A 73 DA 02 B1 3C 53 5D B7 24 BA F3 C9 EF 8C B0 11 3A 3C 84 5F C7 6E A4 B0 48 01 69 18 35 CD A8 44 74 29 65 F8 CA 72 18 6A D5 79 B4 9F 3A C8 3E 16 91 1E 64 45 AB 7C 20 3D E3 97 0B 21 04 4E 31 8A CE A2 25 FB B5 6F 91 AC 72 28 A7 87 EE CF A8 DE C4 2C 6C 34 32 1B A4 0F E5 8E CB B7 FA 5C 77 F0 D8 D7 19 0A 40 EB EB 8B A4 ED C0 F2 81 E9 09 09 F0 A4 72 AE DC BB 09 76 0A 95 EE 20 DB 27 79 F8 D5 AD A0 8A 9F 98 43 7F DF 8D 9B 14 D7 65 E6 98 74 E9 09 13 2E 04 AD AF 1B C5 9E E3 48 9E 23 1C 2E 5E B4 8C 9B 07 12 60 13 71 CA 0C 25 CF 19 E2 0E CD 37 4E 22 12 E3 13 A4 E8 19 D5 E4 A7 D9 67 FE A0 E7

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

mscorsvw.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\MountComplete.tif => C:\Users\Admin\Pictures\MountComplete.tif.xls	mscorsvw.exe
File renamed	C:\Users\Admin\Pictures\UnblockConvert.crw => C:\Users\Admin\Pictures\UnblockConvert.crw.xls	mscorsvw.exe
File renamed	C:\Users\Admin\Pictures\UseRedo.crw => C:\Users\Admin\Pictures\UseRedo.crw.xls	mscorsvw.exe
File renamed	C:\Users\Admin\Pictures\ExportComplete.raw => C:\Users\Admin\Pictures\ExportComplete.raw.xls	mscorsvw.exe

Drops desktop.ini file(s) 27 IoCs

Processes:

mscorsvw.exe

description	ioc	process
File opened for modification	C:\Users\Public\Videos\desktop.ini	mscorsvw.exe
File opened for modification	C:\Program Files\desktop.ini	mscorsvw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	mscorsvw.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Public\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	mscorsvw.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	mscorsvw.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e3f6878bcafe2463f6028956f44a6e74.exe

description pid process target process

PID 912 set thread context of 768 912 e3f6878bcafe2463f6028956f44a6e74.exe mscorsvw.exe

description	pid	process	target process
PID 912 set thread context of 768	912	e3f6878bcafe2463f6028956f44a6e74.exe	mscorsvw.exe

Drops file in Program Files directory 64 IoCs

Processes:

mscorsvw.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60_altform-unplated_contrast-black.png	mscorsvw.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\read-me.txt	mscorsvw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\read-me.txt	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\ui-strings.js	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsLargeTile.scale-200.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\MedTile.scale-100.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_contrast-black.png	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml	mscorsvw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\read-me.txt	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\MedTile.scale-100.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsLargeTile.scale-100.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-64_altform-unplated_contrast-white.png	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-256_altform-unplated_contrast-high.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp3.scale-200.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4583_20x20x32.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_MouseNose.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-white\Icon.targetsize-48.png	mscorsvw.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\read-me.txt	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\it_get.svg	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\pm_16x11.png	mscorsvw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_k_col.hxk	mscorsvw.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\ui-strings.js	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\s_empty_folder_state.svg	mscorsvw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\read-me.txt	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\Office.UI.Xaml.Oart.dll	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6701_48x48x32.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_FR-FR.respack	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\resources.pri	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\illustrations.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	mscorsvw.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libwebvtt_plugin.dll	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\WinStore\Resources\Assets\RT_Icons_Cert_42.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\quickreplysend.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_zh_4.4.0.v20140623020002.jar	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\lt_60x42.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Explosion.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Solve\autosolve_button_up.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\move.scale-140.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2016.511.9510.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sendforcomments_18.svg	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\MedTile.scale-125.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-32.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\SmallLogo.scale-200.png	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sv-se\ui-strings.js	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\ui-strings.js	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-60.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-40_altform-unplated.png	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\10290_20x20x32.png	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ui-strings.js	mscorsvw.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\ui-strings.js	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\Density_Hard.png	mscorsvw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties	mscorsvw.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-si\read-me.txt	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\appuri.model	mscorsvw.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-24.png	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

e3f6878bcafe2463f6028956f44a6e74.exe

pid	process
912	e3f6878bcafe2463f6028956f44a6e74.exe
912	e3f6878bcafe2463f6028956f44a6e74.exe
912	e3f6878bcafe2463f6028956f44a6e74.exe
912	e3f6878bcafe2463f6028956f44a6e74.exe
912	e3f6878bcafe2463f6028956f44a6e74.exe
912	e3f6878bcafe2463f6028956f44a6e74.exe
912	e3f6878bcafe2463f6028956f44a6e74.exe
912	e3f6878bcafe2463f6028956f44a6e74.exe
912	e3f6878bcafe2463f6028956f44a6e74.exe
912	e3f6878bcafe2463f6028956f44a6e74.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

mscorsvw.exe

pid process

768 mscorsvw.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e3f6878bcafe2463f6028956f44a6e74.exe

description pid process

Token: SeDebugPrivilege 912 e3f6878bcafe2463f6028956f44a6e74.exe

pid	process
768	mscorsvw.exe

description	pid	process
Token: SeDebugPrivilege	912	e3f6878bcafe2463f6028956f44a6e74.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

e3f6878bcafe2463f6028956f44a6e74.exe

description	pid	process	target process
PID 912 wrote to memory of 768	912	e3f6878bcafe2463f6028956f44a6e74.exe	mscorsvw.exe
PID 912 wrote to memory of 768	912	e3f6878bcafe2463f6028956f44a6e74.exe	mscorsvw.exe
PID 912 wrote to memory of 768	912	e3f6878bcafe2463f6028956f44a6e74.exe	mscorsvw.exe
PID 912 wrote to memory of 768	912	e3f6878bcafe2463f6028956f44a6e74.exe	mscorsvw.exe
PID 912 wrote to memory of 768	912	e3f6878bcafe2463f6028956f44a6e74.exe	mscorsvw.exe
PID 912 wrote to memory of 768	912	e3f6878bcafe2463f6028956f44a6e74.exe	mscorsvw.exe
PID 912 wrote to memory of 768	912	e3f6878bcafe2463f6028956f44a6e74.exe	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\e3f6878bcafe2463f6028956f44a6e74.exe
"C:\Users\Admin\AppData\Local\Temp\e3f6878bcafe2463f6028956f44a6e74.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
  2⤵
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: RenamesItself
  PID:768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/768-127-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/768-131-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/768-130-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/768-129-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/768-128-0x0000000000409F20-mapping.dmp

Download
memory/912-118-0x0000000002E10000-0x0000000002E13000-memory.dmp

Filesize
12KB

Download
memory/912-124-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/912-125-0x0000000006B20000-0x0000000006B2D000-memory.dmp

Filesize
52KB

Download
memory/912-126-0x0000000006C10000-0x0000000006C2B000-memory.dmp

Filesize
108KB

Download
memory/912-123-0x00000000067D0000-0x000000000694C000-memory.dmp

Filesize
1.5MB

Download
memory/912-122-0x00000000054B0000-0x0000000005552000-memory.dmp

Filesize
648KB

Download
memory/912-115-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/912-117-0x0000000005370000-0x000000000540C000-memory.dmp

Filesize
624KB

Download
memory/912-116-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads