5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b

General

Target

HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe
Size

216KB
MD5

d06622833d3ee1c907d90bccec01ec74
SHA1

dcdc748bb8a8cb4d16c2d88e40fbd634b2396d42
SHA256

5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b
SHA512

119822dcc655cf9a9bd708992811cdb46d216ca5e77fb1f461290e37545cb348ea0ccd232ee1fb1c42d4ad91ec16aa93bbdf75829807c61934d97a8f84feb735
SSDEEP

3072:o7DtWs7prq6+ouCpk2mpcWJ0r+QNTBf8JMzmmsoltIrRuw+mqv9j1MWLQKq7:o7Jpldk1cWQRNTB0izmDAtS

Score

10^/10

discovery evasion exploit persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Ransom Note

Ooops! All your important files are encrypted! All you important files are encrypted with AES 256 algoritm. No one can help you to restore files without our special decryptor. All repair tools are useless. If you want to restore some your files for free write to email and attach 2-3 encrypted files (non-archived and your files should not contain valuable information like databases, backups, large excel sheets etc.) You have to pay $300 in bitcoin to decrypt other files. As soon as we get bitcoins you'll get all your decrypted data back. P.S. Remember we are not scammers Contact: 1.Download tor browser (https://www.torproject.org/) 2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/) 3.Write e-mail to us (CobraLocker@mail2tor.com) That's all Good luck and have fun

Emails

CobraLocker@mail2tor.com

URLs

http://mail2tor2zyjdctd.onion/

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs
persistence

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

BabaYaga.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" BabaYaga.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"	BabaYaga.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

BabaYaga.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	BabaYaga.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

BabaYaga.exesomething.exe

pid process

1900 BabaYaga.exe
1060 something.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

BabaYaga.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ExitRestore.png => C:\Users\Admin\Pictures\ExitRestore.png.enc	BabaYaga.exe
File renamed	C:\Users\Admin\Pictures\InitializeMount.crw => C:\Users\Admin\Pictures\InitializeMount.crw.enc	BabaYaga.exe
File renamed	C:\Users\Admin\Pictures\InvokeGrant.raw => C:\Users\Admin\Pictures\InvokeGrant.raw.enc	BabaYaga.exe

Possible privilege escalation attempt 10 IoCs

exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid	process
240	takeown.exe
1552	icacls.exe
1612	takeown.exe
1924	icacls.exe
2008	takeown.exe
1556	takeown.exe
1464	icacls.exe
1696	takeown.exe
1684	icacls.exe
1748	icacls.exe

Loads dropped DLL 2 IoCs

Processes:

HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe

pid	process
1768	HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe
1768	HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe

Modifies file permissions 1 TTPs 10 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exe

pid	process
1464	icacls.exe
1696	takeown.exe
240	takeown.exe
1748	icacls.exe
1552	icacls.exe
1612	takeown.exe
1556	takeown.exe
2008	takeown.exe
1924	icacls.exe
1684	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

692 taskkill.exe

pid	process
692	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

BabaYaga.exe

pid	process
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe
1900	BabaYaga.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

takeown.exetaskkill.exetakeown.exetakeown.exetakeown.exetakeown.exeBabaYaga.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1556	takeown.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeTakeOwnershipPrivilege	1696	takeown.exe
Token: SeTakeOwnershipPrivilege	240	takeown.exe
Token: SeTakeOwnershipPrivilege	2008	takeown.exe
Token: SeTakeOwnershipPrivilege	1612	takeown.exe
Token: SeDebugPrivilege	1900	BabaYaga.exe
Token: SeDebugPrivilege	1900	BabaYaga.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exesomething.execmd.exe

description	pid	process	target process
PID 1768 wrote to memory of 1900	1768	HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe	BabaYaga.exe
PID 1768 wrote to memory of 1900	1768	HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe	BabaYaga.exe
PID 1768 wrote to memory of 1900	1768	HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe	BabaYaga.exe
PID 1768 wrote to memory of 1900	1768	HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe	BabaYaga.exe
PID 1768 wrote to memory of 1060	1768	HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe	something.exe
PID 1768 wrote to memory of 1060	1768	HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe	something.exe
PID 1768 wrote to memory of 1060	1768	HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe	something.exe
PID 1768 wrote to memory of 1060	1768	HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe	something.exe
PID 1060 wrote to memory of 1584	1060	something.exe	cmd.exe
PID 1060 wrote to memory of 1584	1060	something.exe	cmd.exe
PID 1060 wrote to memory of 1584	1060	something.exe	cmd.exe
PID 1060 wrote to memory of 1584	1060	something.exe	cmd.exe
PID 1768 wrote to memory of 692	1768	HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe	taskkill.exe
PID 1768 wrote to memory of 692	1768	HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe	taskkill.exe
PID 1768 wrote to memory of 692	1768	HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe	taskkill.exe
PID 1768 wrote to memory of 692	1768	HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe	taskkill.exe
PID 1584 wrote to memory of 1556	1584	cmd.exe	takeown.exe
PID 1584 wrote to memory of 1556	1584	cmd.exe	takeown.exe
PID 1584 wrote to memory of 1556	1584	cmd.exe	takeown.exe
PID 1584 wrote to memory of 1464	1584	cmd.exe	icacls.exe
PID 1584 wrote to memory of 1464	1584	cmd.exe	icacls.exe
PID 1584 wrote to memory of 1464	1584	cmd.exe	icacls.exe
PID 1584 wrote to memory of 1696	1584	cmd.exe	takeown.exe
PID 1584 wrote to memory of 1696	1584	cmd.exe	takeown.exe
PID 1584 wrote to memory of 1696	1584	cmd.exe	takeown.exe
PID 1584 wrote to memory of 1684	1584	cmd.exe	icacls.exe
PID 1584 wrote to memory of 1684	1584	cmd.exe	icacls.exe
PID 1584 wrote to memory of 1684	1584	cmd.exe	icacls.exe
PID 1584 wrote to memory of 240	1584	cmd.exe	takeown.exe
PID 1584 wrote to memory of 240	1584	cmd.exe	takeown.exe
PID 1584 wrote to memory of 240	1584	cmd.exe	takeown.exe
PID 1584 wrote to memory of 1748	1584	cmd.exe	icacls.exe
PID 1584 wrote to memory of 1748	1584	cmd.exe	icacls.exe
PID 1584 wrote to memory of 1748	1584	cmd.exe	icacls.exe
PID 1584 wrote to memory of 1944	1584	cmd.exe	attrib.exe
PID 1584 wrote to memory of 1944	1584	cmd.exe	attrib.exe
PID 1584 wrote to memory of 1944	1584	cmd.exe	attrib.exe
PID 1584 wrote to memory of 2008	1584	cmd.exe	takeown.exe
PID 1584 wrote to memory of 2008	1584	cmd.exe	takeown.exe
PID 1584 wrote to memory of 2008	1584	cmd.exe	takeown.exe
PID 1584 wrote to memory of 1552	1584	cmd.exe	icacls.exe
PID 1584 wrote to memory of 1552	1584	cmd.exe	icacls.exe
PID 1584 wrote to memory of 1552	1584	cmd.exe	icacls.exe
PID 1584 wrote to memory of 596	1584	cmd.exe	attrib.exe
PID 1584 wrote to memory of 596	1584	cmd.exe	attrib.exe
PID 1584 wrote to memory of 596	1584	cmd.exe	attrib.exe
PID 1584 wrote to memory of 1612	1584	cmd.exe	takeown.exe
PID 1584 wrote to memory of 1612	1584	cmd.exe	takeown.exe
PID 1584 wrote to memory of 1612	1584	cmd.exe	takeown.exe
PID 1584 wrote to memory of 1924	1584	cmd.exe	icacls.exe
PID 1584 wrote to memory of 1924	1584	cmd.exe	icacls.exe
PID 1584 wrote to memory of 1924	1584	cmd.exe	icacls.exe
PID 1584 wrote to memory of 1188	1584	cmd.exe	attrib.exe
PID 1584 wrote to memory of 1188	1584	cmd.exe	attrib.exe
PID 1584 wrote to memory of 1188	1584	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

1944 attrib.exe
596 attrib.exe
1188 attrib.exe

pid	process
1944	attrib.exe
596	attrib.exe
1188	attrib.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Diztakun.gen-5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\BabaYaga.exe
"C:\Users\Admin\AppData\Local\Temp\BabaYaga.exe"
2⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Users\Admin\AppData\Local\Temp\something.exe
"C:\Users\Admin\AppData\Local\Temp\something.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FBDD.tmp\FBDE.tmp\FBDF.bat C:\Users\Admin\AppData\Local\Temp\something.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\winlogon.exe
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\winlogon.exe /grant Admin:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1464

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\system32\logonui.exe
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\icacls.exe
icacls C:\Windows\system32\logonui.exe /grant Admin:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1684

C:\Windows\system32\takeown.exe
takeown /f C:\autoexec.bat
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:240

C:\Windows\system32\icacls.exe
icacls C:\autoexec.bat /grant Admin:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1748

C:\Windows\system32\attrib.exe
attrib -r -s -h c:\autoexec.bat
4⤵
- Views/modifies file attributes
PID:1944

C:\Windows\system32\takeown.exe
takeown /f C:\boot.ini
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\system32\icacls.exe
icacls C:\boot.ini /grant Admin:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1552

C:\Windows\system32\attrib.exe
attrib -r -s -h c:\boot.ini
4⤵
- Views/modifies file attributes
PID:596

C:\Windows\system32\takeown.exe
takeown /f C:\bootmgr
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\icacls.exe
icacls C:\bootmgr /grant Admin:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1924

C:\Windows\system32\attrib.exe
attrib -r -s -h C:\bootmgr
4⤵
- Views/modifies file attributes
PID:1188

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im BY.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:692

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

File Permissions Modification

1

T1222

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BabaYaga.exe
Filesize
20KB

MD5
255157e43ec2bb21d5b8ec800f5d34ce

SHA1
9735fc4659abe4f99547002fd7cce8559bc77038

SHA256
bed19c8647924a665df723bc139f962f244254eca50e24091af084b03e929df6

SHA512
a6a334b9d1e4f377e270447bec279a279ce8e3f57a0884ef07fb2eed2e4482a1ab324f03e6e9720dde3a17a3e361d84ace5360ecb7a00b0aab7d6a87858b1caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\BabaYaga.exe
Filesize
20KB

MD5
255157e43ec2bb21d5b8ec800f5d34ce

SHA1
9735fc4659abe4f99547002fd7cce8559bc77038

SHA256
bed19c8647924a665df723bc139f962f244254eca50e24091af084b03e929df6

SHA512
a6a334b9d1e4f377e270447bec279a279ce8e3f57a0884ef07fb2eed2e4482a1ab324f03e6e9720dde3a17a3e361d84ace5360ecb7a00b0aab7d6a87858b1caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBDD.tmp\FBDE.tmp\FBDF.bat
Filesize
649B

MD5
b1bf5bb9015986c23172c3d40177be16

SHA1
b2a21cfddc9b18348e526f218ebae123487a6019

SHA256
708c66bf6eed316604169730be6d5fa514cf439bc84ea3851dded4547fa871d2

SHA512
1c81bf9c0c178ba7067990dd0b23fa8125a1c7b055778c38c6a3f60bfbc5cabfea2efc01b8ef5939d7b1c89387939adbeecb7ce5711be367c44f792d9633d2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\something.exe
Filesize
87KB

MD5
b96f6781a1637637f0f25803545dae7b

SHA1
29cc78d4d641b6ad69b36e4e873e63f46010b21f

SHA256
e2477685e5831120f9b424f99bbeee79f700d1cd3ccae025ea46172fc1433dae

SHA512
0035761d673c8bcdc8eb7956115d177ad484a31d27e76b2fc1a41d8d8fea27124e9981e64ff1b6f254c8ddbace5ab95c091a8705bb3794f66aee6679bd912e56

Download Submit
\Users\Admin\AppData\Local\Temp\BabaYaga.exe
Filesize
20KB

MD5
255157e43ec2bb21d5b8ec800f5d34ce

SHA1
9735fc4659abe4f99547002fd7cce8559bc77038

SHA256
bed19c8647924a665df723bc139f962f244254eca50e24091af084b03e929df6

SHA512
a6a334b9d1e4f377e270447bec279a279ce8e3f57a0884ef07fb2eed2e4482a1ab324f03e6e9720dde3a17a3e361d84ace5360ecb7a00b0aab7d6a87858b1caa

Download Submit
\Users\Admin\AppData\Local\Temp\something.exe
Filesize
87KB

MD5
b96f6781a1637637f0f25803545dae7b

SHA1
29cc78d4d641b6ad69b36e4e873e63f46010b21f

SHA256
e2477685e5831120f9b424f99bbeee79f700d1cd3ccae025ea46172fc1433dae

SHA512
0035761d673c8bcdc8eb7956115d177ad484a31d27e76b2fc1a41d8d8fea27124e9981e64ff1b6f254c8ddbace5ab95c091a8705bb3794f66aee6679bd912e56

Download Submit
memory/240-72-0x0000000000000000-mapping.dmp

Download
memory/596-77-0x0000000000000000-mapping.dmp

Download
memory/692-65-0x0000000000000000-mapping.dmp

Download
memory/1060-61-0x0000000000000000-mapping.dmp

Download
memory/1188-81-0x0000000000000000-mapping.dmp

Download
memory/1464-69-0x0000000000000000-mapping.dmp

Download
memory/1552-76-0x0000000000000000-mapping.dmp

Download
memory/1556-68-0x0000000000000000-mapping.dmp

Download
memory/1584-64-0x0000000000000000-mapping.dmp

Download
memory/1612-78-0x0000000000000000-mapping.dmp

Download
memory/1684-71-0x0000000000000000-mapping.dmp

Download
memory/1696-70-0x0000000000000000-mapping.dmp

Download
memory/1748-73-0x0000000000000000-mapping.dmp

Download
memory/1768-54-0x0000000000C30000-0x0000000000C6C000-memory.dmp

Filesize
240KB

Download
memory/1768-55-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/1900-79-0x000007FEFC591000-0x000007FEFC593000-memory.dmp

Filesize
8KB

Download
memory/1900-57-0x0000000000000000-mapping.dmp

Download
memory/1900-66-0x0000000000910000-0x000000000091A000-memory.dmp

Filesize
40KB

Download
memory/1900-82-0x000000001B426000-0x000000001B445000-memory.dmp

Filesize
124KB

Download
memory/1900-83-0x000000001B426000-0x000000001B445000-memory.dmp

Filesize
124KB

Download
memory/1924-80-0x0000000000000000-mapping.dmp

Download
memory/1944-74-0x0000000000000000-mapping.dmp

Download
memory/2008-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads