8a128f5122d32a4d6780644a13d3ac81cd85895ca025c5fb6e8bb12e94aa5f94

General

Target

8a128f5122d32a4d6780644a13d3ac81cd85895ca025c5fb6e8bb12e94aa5f94.exe
Size

703KB
MD5

521bd488a5de44d84e9d145d3eb8a238
SHA1

a9086094ba2eaa8dc6ff046788ccd441136ad692
SHA256

8a128f5122d32a4d6780644a13d3ac81cd85895ca025c5fb6e8bb12e94aa5f94
SHA512

e34ca05dca5745ba7e38f7414ce5c14407e31e28a3653408be5a9db411f4a1ae1c9f6e637d5147198e32c997bcd38698ac50f7397fa0696db039dce0a458f45b
SSDEEP

12288:Eq24RXH8L52vF+k9/WUqWb+6GqOwGhPcb/ruGe/2DUrkVH1:WmX8L5xk9+f6GqpGRcPuGQmPVH

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-wgyhzxi.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://w7yue5dc5amppggs.onion.cab or http://w7yue5dc5amppggs.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://w7yue5dc5amppggs.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. 32P43MD-AZYCTGL-ZWCLAUW-NOOPIC4-FDKK7LQ-PVNG65K-KNKWHUR-56UJHCT OGYQWIU-PIZXDBT-JWDXHBU-L2ZOEED-GVMHZ2I-Y3ARTYI-7I5RFWU-NXT3FP5 FSLXWHF-HW6FQM3-YLHMYXE-SSAVUK4-UIQG2BQ-6TDRBG6-74HXTDJ-TRIWECP Follow the instructions on the server.

URLs

http://w7yue5dc5amppggs.onion.cab

http://w7yue5dc5amppggs.tor2web.org

http://w7yue5dc5amppggs.onion/

Extracted

Path

C:\Users\Admin\Documents\Decrypt-All-Files-wgyhzxi.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://w7yue5dc5amppggs.onion.cab or http://w7yue5dc5amppggs.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://w7yue5dc5amppggs.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. 32P43MD-AZYCTGL-ZWCLAUW-NOOPIC4-FDKK7LQ-PVNG65K-KNKWHUR-56UJHCT OGYQWIU-PIZXDBT-JWDXHBU-L2ZOEED-GVMHZ2I-Y3ARTYI-7I5RFWU-NXT3FP5 FSLXWHF-HW6FQM3-YLHMYXE-SSAVUK4-UIQGBTQ-YCDRBG6-74HXTDJ-TRIGQWE Follow the instructions on the server.

URLs

http://w7yue5dc5amppggs.onion.cab

http://w7yue5dc5amppggs.tor2web.org

http://w7yue5dc5amppggs.onion/

Extracted

Path

C:\ProgramData\zlwdkgg.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://w7yue5dc5amppggs.onion.cab or http://w7yue5dc5amppggs.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://w7yue5dc5amppggs.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://w7yue5dc5amppggs.onion.cab

http://w7yue5dc5amppggs.tor2web.org

http://w7yue5dc5amppggs.onion

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

pdfisga.exepdfisga.exe

pid process

668 pdfisga.exe
1372 pdfisga.exe

pid	process
668	pdfisga.exe
1372	pdfisga.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\DebugSelect.RAW.wgyhzxi	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\UseStop.RAW.wgyhzxi	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ExitSync.CRW.wgyhzxi	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

pdfisga.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation pdfisga.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	pdfisga.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 1 IoCs

Processes:

pdfisga.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	pdfisga.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\Decrypt-All-Files-wgyhzxi.bmp"	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-wgyhzxi.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-wgyhzxi.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

788 vssadmin.exe

pid	process
788	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

pdfisga.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	pdfisga.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	pdfisga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	pdfisga.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00640061006500300037006100650034002d0032006100330034002d0031003100650064002d0038003600630036002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

8a128f5122d32a4d6780644a13d3ac81cd85895ca025c5fb6e8bb12e94aa5f94.exepdfisga.exe

pid	process
1672	8a128f5122d32a4d6780644a13d3ac81cd85895ca025c5fb6e8bb12e94aa5f94.exe
668	pdfisga.exe
668	pdfisga.exe
668	pdfisga.exe
668	pdfisga.exe
668	pdfisga.exe
668	pdfisga.exe
668	pdfisga.exe
668	pdfisga.exe
668	pdfisga.exe
668	pdfisga.exe
668	pdfisga.exe
668	pdfisga.exe
668	pdfisga.exe
668	pdfisga.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

pdfisga.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	668	pdfisga.exe
Token: SeDebugPrivilege	668	pdfisga.exe
Token: SeShutdownPrivilege	1236	Explorer.EXE
Token: SeShutdownPrivilege	1236	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

pdfisga.exe

pid process

1372 pdfisga.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pdfisga.exe

pid process

1372 pdfisga.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pdfisga.exe

pid process

1372 pdfisga.exe
1372 pdfisga.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE

pid	process
1372	pdfisga.exe

pid	process
1372	pdfisga.exe

pid	process
1372	pdfisga.exe
1372	pdfisga.exe

pid	process
1236	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

taskeng.exepdfisga.exesvchost.exe

description	pid	process	target process
PID 1552 wrote to memory of 668	1552	taskeng.exe	pdfisga.exe
PID 1552 wrote to memory of 668	1552	taskeng.exe	pdfisga.exe
PID 1552 wrote to memory of 668	1552	taskeng.exe	pdfisga.exe
PID 1552 wrote to memory of 668	1552	taskeng.exe	pdfisga.exe
PID 668 wrote to memory of 592	668	pdfisga.exe	svchost.exe
PID 592 wrote to memory of 1480	592	svchost.exe	DllHost.exe
PID 592 wrote to memory of 1480	592	svchost.exe	DllHost.exe
PID 592 wrote to memory of 1480	592	svchost.exe	DllHost.exe
PID 668 wrote to memory of 1236	668	pdfisga.exe	Explorer.EXE
PID 668 wrote to memory of 788	668	pdfisga.exe	vssadmin.exe
PID 668 wrote to memory of 788	668	pdfisga.exe	vssadmin.exe
PID 668 wrote to memory of 788	668	pdfisga.exe	vssadmin.exe
PID 668 wrote to memory of 788	668	pdfisga.exe	vssadmin.exe
PID 668 wrote to memory of 1372	668	pdfisga.exe	pdfisga.exe
PID 668 wrote to memory of 1372	668	pdfisga.exe	pdfisga.exe
PID 668 wrote to memory of 1372	668	pdfisga.exe	pdfisga.exe
PID 668 wrote to memory of 1372	668	pdfisga.exe	pdfisga.exe
PID 592 wrote to memory of 316	592	svchost.exe	DllHost.exe
PID 592 wrote to memory of 316	592	svchost.exe	DllHost.exe
PID 592 wrote to memory of 316	592	svchost.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1236
- C:\Users\Admin\AppData\Local\Temp\8a128f5122d32a4d6780644a13d3ac81cd85895ca025c5fb6e8bb12e94aa5f94.exe
  "C:\Users\Admin\AppData\Local\Temp\8a128f5122d32a4d6780644a13d3ac81cd85895ca025c5fb6e8bb12e94aa5f94.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:592
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:1480
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:316

C:\Windows\system32\taskeng.exe
taskeng.exe {7EBEF831-08CC-4147-937E-576D2D133512} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
  C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows all
    3⤵
    - Interacts with shadow copies
    PID:788
- - C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
    "C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\xptppml

Filesize
654B

MD5
e4dfaea5ea0c1068119004bececaa2e7

SHA1
82738cc2981d54962702ea7151f76461c387da88

SHA256
e53cb064a10fb96fbc1159814c327f9df5d5dae18403a26ab9be3ce1b2567550

SHA512
3dae15727bd348c8b7e3623d62d89c146358391d8146ba84993c5902c8182b9290cf1f8282f42574b99a091368c236b637ebb2387d0613bed4cb84cc34c17daf

Download Submit
C:\ProgramData\Adobe\xptppml

Filesize
654B

MD5
2e673818ab4cb6d81984fe92a7ebb8c2

SHA1
9018c639191f7df44f1de6fa4201d3a8ae1eb078

SHA256
0e4d8e41854653e1699d6f3f62cc96d2d03584145fe10719480111be1211dcca

SHA512
c526ce83ef147f4c2d1bf68479823c87d5de8aabf9d8724c3f4d103e26e2b163d88ff6ae14a9d19ab8721d110f95b16ef2ade99480ad547fd5027e96607d2978

Download Submit
C:\ProgramData\Adobe\xptppml

Filesize
654B

MD5
0d0a2da120da98a0a18d48de5567ac07

SHA1
eb4cb38ebb8bdac2586d8cc1af1a9bc4431cae5a

SHA256
a79c6ad5c3529e7b2046d830fc2d9f31833d968671a1f700afa47e563dc69244

SHA512
30de57ae539649f382312e37b00539e575ef9cf1917874a8d94783b27bdb45600bef30d678c4c10c272fc2c7a0b9317a506b4b6e69c2ddd4bc27cc177934da7d

Download Submit
C:\ProgramData\Adobe\xptppml

Filesize
654B

MD5
50ab83c8a40baa42f9536a195f9f2536

SHA1
4a057c79dc0b3408dce58b72f657beb4b787eb5f

SHA256
5a400c692ef5f2fff929f0d68512f9b69b5ed7383a473067016d3456ccedffa1

SHA512
bd6c88638875b87998d7abe2b8e0080a4e9c11afaabe1359525df0281fc5d2c967c26e5fe81b4b5bf84b902259e6ce70e868924ab109f4992cbade65beb62990

Download Submit
C:\ProgramData\zlwdkgg.html

Filesize
63KB

MD5
a6d80a6b16ab7bba47122015fe1df4bc

SHA1
0b85276e376b18ea05699fc9f18d9cd6c7e04529

SHA256
39fb5fe5ac0a61a1997a25a5e0daf2043859ad929054455c2860291cf4138a61

SHA512
1856b348792e3dfc680201f3a95e5bffc7a2452ae929bdc8d36e328fa7975c4b14b3d4502487d25aa615cc582eb01752b3c35b3a42171a39891ecfa3f8a888a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
703KB

MD5
521bd488a5de44d84e9d145d3eb8a238

SHA1
a9086094ba2eaa8dc6ff046788ccd441136ad692

SHA256
8a128f5122d32a4d6780644a13d3ac81cd85895ca025c5fb6e8bb12e94aa5f94

SHA512
e34ca05dca5745ba7e38f7414ce5c14407e31e28a3653408be5a9db411f4a1ae1c9f6e637d5147198e32c997bcd38698ac50f7397fa0696db039dce0a458f45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
703KB

MD5
521bd488a5de44d84e9d145d3eb8a238

SHA1
a9086094ba2eaa8dc6ff046788ccd441136ad692

SHA256
8a128f5122d32a4d6780644a13d3ac81cd85895ca025c5fb6e8bb12e94aa5f94

SHA512
e34ca05dca5745ba7e38f7414ce5c14407e31e28a3653408be5a9db411f4a1ae1c9f6e637d5147198e32c997bcd38698ac50f7397fa0696db039dce0a458f45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
703KB

MD5
521bd488a5de44d84e9d145d3eb8a238

SHA1
a9086094ba2eaa8dc6ff046788ccd441136ad692

SHA256
8a128f5122d32a4d6780644a13d3ac81cd85895ca025c5fb6e8bb12e94aa5f94

SHA512
e34ca05dca5745ba7e38f7414ce5c14407e31e28a3653408be5a9db411f4a1ae1c9f6e637d5147198e32c997bcd38698ac50f7397fa0696db039dce0a458f45b

Download Submit
memory/316-88-0x0000000000000000-mapping.dmp

Download
memory/592-69-0x00000000005B0000-0x0000000000624000-memory.dmp

Filesize
464KB

Download
memory/592-73-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

Filesize
8KB

Download
memory/592-67-0x00000000005B0000-0x0000000000624000-memory.dmp

Filesize
464KB

Download
memory/668-66-0x0000000000C80000-0x0000000000EC0000-memory.dmp

Filesize
2.2MB

Download
memory/668-60-0x0000000000000000-mapping.dmp

Download
memory/788-79-0x0000000000000000-mapping.dmp

Download
memory/1372-86-0x0000000001FD0000-0x0000000002210000-memory.dmp

Filesize
2.2MB

Download
memory/1372-80-0x0000000000000000-mapping.dmp

Download
memory/1480-72-0x0000000000000000-mapping.dmp

Download
memory/1672-57-0x0000000001E50000-0x000000000205F000-memory.dmp

Filesize
2.1MB

Download
memory/1672-56-0x0000000000401000-0x00000000004A4000-memory.dmp

Filesize
652KB

Download
memory/1672-58-0x0000000002060000-0x00000000022A0000-memory.dmp

Filesize
2.2MB

Download
memory/1672-55-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1672-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads