blackmatter | 496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d

General

Target

496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Size

78KB
MD5

cb1e9e0b57107c1f5cd3569bf268de4f
SHA1

53f0be750671f565019890a35d8463eebc6fddc9
SHA256

496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d
SHA512

2620215ca9a7ba3cb412c8fc33f2bd6d89e0e61dd70d6bbe1762ccb820b29d2e5f7fd6be06c27328b0d333c5d12ef239d0101dfea23c6025b06110b7a3ad4cb5

Score

10^/10

blackmatter ransomware

Malware Config

Extracted

Path

C:\y2VGe3tGZ.README.txt

Family

blackmatter

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/Z1DHIS62B9LUNC74 >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/Z1DHIS62B9LUNC74

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter

Modifies extensions of user files 22 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\RevokeResolve.raw.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File renamed	C:\Users\Admin\Pictures\MountClear.raw => C:\Users\Admin\Pictures\MountClear.raw.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File opened for modification	C:\Users\Admin\Pictures\MountClear.raw.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File opened for modification	C:\Users\Admin\Pictures\ExportStep.png.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File renamed	C:\Users\Admin\Pictures\FormatRemove.raw => C:\Users\Admin\Pictures\FormatRemove.raw.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File renamed	C:\Users\Admin\Pictures\OutPublish.crw => C:\Users\Admin\Pictures\OutPublish.crw.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertUnprotect.tif.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File renamed	C:\Users\Admin\Pictures\EnterRestore.tiff => C:\Users\Admin\Pictures\EnterRestore.tiff.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File opened for modification	C:\Users\Admin\Pictures\EnterRestore.tiff	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File opened for modification	C:\Users\Admin\Pictures\EnterRestore.tiff.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File renamed	C:\Users\Admin\Pictures\ExportStep.png => C:\Users\Admin\Pictures\ExportStep.png.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File opened for modification	C:\Users\Admin\Pictures\FormatRemove.raw.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File renamed	C:\Users\Admin\Pictures\RevokeResolve.raw => C:\Users\Admin\Pictures\RevokeResolve.raw.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File opened for modification	C:\Users\Admin\Pictures\SyncSave.crw.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File renamed	C:\Users\Admin\Pictures\ConvertUnprotect.tif => C:\Users\Admin\Pictures\ConvertUnprotect.tif.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File opened for modification	C:\Users\Admin\Pictures\EnableAssert.tiff	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File renamed	C:\Users\Admin\Pictures\WatchCheckpoint.raw => C:\Users\Admin\Pictures\WatchCheckpoint.raw.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File opened for modification	C:\Users\Admin\Pictures\OutPublish.crw.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File renamed	C:\Users\Admin\Pictures\SyncSave.crw => C:\Users\Admin\Pictures\SyncSave.crw.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File opened for modification	C:\Users\Admin\Pictures\WatchCheckpoint.raw.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File renamed	C:\Users\Admin\Pictures\EnableAssert.tiff => C:\Users\Admin\Pictures\EnableAssert.tiff.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
File opened for modification	C:\Users\Admin\Pictures\EnableAssert.tiff.y2VGe3tGZ	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\y2VGe3tGZ.bmp"	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\y2VGe3tGZ.bmp"	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe

pid	process
740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 3 IoCs

evasion

Processes:

496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\WallpaperStyle = "10"	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe

Modifies registry class 20 IoCs

Processes:

splwow64.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_Classes\Local Settings	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	splwow64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	splwow64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	splwow64.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	splwow64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	splwow64.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

900 NOTEPAD.EXE

pid	process
900	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe

pid	process
740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

splwow64.exe

pid process

1756 splwow64.exe

pid	process
1756	splwow64.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exevssvc.exe

description	pid	process
Token: SeBackupPrivilege	740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Token: SeDebugPrivilege	740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Token: 36	740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Token: SeImpersonatePrivilege	740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Token: SeIncBasePriorityPrivilege	740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Token: SeIncreaseQuotaPrivilege	740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Token: 33	740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Token: SeManageVolumePrivilege	740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Token: SeProfSingleProcessPrivilege	740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Token: SeRestorePrivilege	740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Token: SeSecurityPrivilege	740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Token: SeSystemProfilePrivilege	740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Token: SeTakeOwnershipPrivilege	740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Token: SeShutdownPrivilege	740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
Token: SeBackupPrivilege	1148	vssvc.exe
Token: SeRestorePrivilege	1148	vssvc.exe
Token: SeAuditPrivilege	1148	vssvc.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

splwow64.exe

pid process

1756 splwow64.exe
1756 splwow64.exe
1756 splwow64.exe
1756 splwow64.exe
1756 splwow64.exe

pid	process
1756	splwow64.exe
1756	splwow64.exe
1756	splwow64.exe
1756	splwow64.exe
1756	splwow64.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exeNOTEPAD.EXE

description	pid	process	target process
PID 740 wrote to memory of 900	740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe	NOTEPAD.EXE
PID 740 wrote to memory of 900	740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe	NOTEPAD.EXE
PID 740 wrote to memory of 900	740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe	NOTEPAD.EXE
PID 740 wrote to memory of 900	740	496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe	NOTEPAD.EXE
PID 900 wrote to memory of 1756	900	NOTEPAD.EXE	splwow64.exe
PID 900 wrote to memory of 1756	900	NOTEPAD.EXE	splwow64.exe
PID 900 wrote to memory of 1756	900	NOTEPAD.EXE	splwow64.exe
PID 900 wrote to memory of 1756	900	NOTEPAD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe
"C:\Users\Admin\AppData\Local\Temp\496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" /p C:\Users\y2VGe3tGZ.README.txt
2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\PingUndo.xps.y2VGe3tGZ
MD5
8895165fca0114f7e0262741a16d6648

SHA1
2d771961a7da526f89fd6017779ebe356ff244de

SHA256
86fd802002f456bfa1cff344944bd38de372d26f9406c1204a0420aec1b9bf6c

SHA512
a5a38d3ee6bf735cc8bd0b8e35b4f6cb1b3a9f8922107c82511b752211bd3d3d991de240f5cc77cf3995f5ef03f7710d9d1166a4b6ba17c0c06c1e1ba7af0cb1

Download Submit
C:\Users\y2VGe3tGZ.README.txt
MD5
3173c50d2e00032d48353d7edb3f6117

SHA1
7848dc8f46e8bf2daa056c7a9e6f74bf5709ebab

SHA256
f38f654730eceb53bb1e07dc19efad9fced2079aa7053518918e6eb090afffcf

SHA512
036f72851e0ac9f5c8d0d97ba9278476da568a1b31266d808ba9f76870f2c8fb21be5b9d4a304cc798d0c06c10316dc64bbe9e80877a411e14f02e8ce2dd9c9a

Download Submit
memory/740-54-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download
memory/740-56-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/740-55-0x0000000001E15000-0x0000000001E26000-memory.dmp

Filesize
68KB

Download
memory/740-57-0x0000000001E26000-0x0000000001E27000-memory.dmp

Filesize
4KB

Download
memory/1756-61-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp

Filesize
8KB

Download
memory/1756-62-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads