b5dd6e8288017f4988f8b8d5738546b9ef90837b47be912c86bfa66d65d65dbd

General

Target

b5dd6e8288017f4988f8b8d5738546b9ef90837b47be912c86bfa66d65d65dbd.exe
Size

691KB
MD5

2b62cdb6bcec4bff47eff437e4fc46d3
SHA1

c69586cd9813701974a65a9025383c56a0b5f306
SHA256

b5dd6e8288017f4988f8b8d5738546b9ef90837b47be912c86bfa66d65d65dbd
SHA512

902e67858db24b95ed0f0a4457348b246d49350cd9416bc71b8b256f71791fe4491293b4853028cb7a6f09a80333835919277ab9b40e393cff84526156262dbd
SSDEEP

12288:+ti86TibqhI6FhRJmYFrM9MizFXQ1jUWVH65adhEyHvNuGkvdMIEq3QusHP:+0PTCmI62YFrMpXCjUWVAdyHVuGkvdMr

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-dxphzxi.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://w7yue5dc5amppggs.onion.cab or http://w7yue5dc5amppggs.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://w7yue5dc5amppggs.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. YXYHTLX-7LVLFIF-CWNO32D-OKU7RWW-XWZKJBH-ZVCMPCW-JN6SOPQ-CHUP2YP VPSBQHA-7Z5S322-KGUUIWV-CU56673-E7M3O23-AYOULMB-UK2XEVC-X5JXONS TIGJGQD-IJFO3ON-7KUXQK7-C6LSH52-7H4N5U5-ZM7PUXZ-67MDT6Z-BNNYV63 Follow the instructions on the server.

URLs

http://w7yue5dc5amppggs.onion.cab

http://w7yue5dc5amppggs.tor2web.org

http://w7yue5dc5amppggs.onion/

Extracted

Path

C:\Users\Admin\Documents\Decrypt-All-Files-dxphzxi.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://w7yue5dc5amppggs.onion.cab or http://w7yue5dc5amppggs.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://w7yue5dc5amppggs.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. YXYHTLX-7LVLFIF-CWNO32D-OKU7RWW-XWZKJBH-ZVCMPCW-JN6SOPQ-CHUP2YP VPSBQHA-7Z5S322-KGUUIWV-CU56673-E7M3O23-AYOULMB-UK2XEVC-X5JXONS TIGJGQD-IJFO3ON-7KUXQK7-C6LSH52-7H4N4H5-R57PUXZ-67MDT6Z-BNNYATB Follow the instructions on the server.

URLs

http://w7yue5dc5amppggs.onion.cab

http://w7yue5dc5amppggs.tor2web.org

http://w7yue5dc5amppggs.onion/

Extracted

Path

C:\ProgramData\zlwdkgg.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://w7yue5dc5amppggs.onion.cab or http://w7yue5dc5amppggs.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://w7yue5dc5amppggs.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://w7yue5dc5amppggs.onion.cab

http://w7yue5dc5amppggs.tor2web.org

http://w7yue5dc5amppggs.onion

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

pdfisga.exepdfisga.exe

pid process

276 pdfisga.exe
1644 pdfisga.exe

pid	process
276	pdfisga.exe
1644	pdfisga.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ConvertFromRepair.RAW.dxphzxi	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\PingRestore.CRW.dxphzxi	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\SendMove.RAW.dxphzxi	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

pdfisga.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation pdfisga.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	pdfisga.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 1 IoCs

Processes:

pdfisga.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	pdfisga.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\Decrypt-All-Files-dxphzxi.bmp"	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-dxphzxi.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-dxphzxi.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2020 vssadmin.exe

pid	process
2020	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

pdfisga.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	pdfisga.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	pdfisga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	pdfisga.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00640061006500300037006100650034002d0032006100330034002d0031003100650064002d0038003600630036002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

b5dd6e8288017f4988f8b8d5738546b9ef90837b47be912c86bfa66d65d65dbd.exepdfisga.exe

pid	process
1204	b5dd6e8288017f4988f8b8d5738546b9ef90837b47be912c86bfa66d65d65dbd.exe
276	pdfisga.exe
276	pdfisga.exe
276	pdfisga.exe
276	pdfisga.exe
276	pdfisga.exe
276	pdfisga.exe
276	pdfisga.exe
276	pdfisga.exe
276	pdfisga.exe
276	pdfisga.exe
276	pdfisga.exe
276	pdfisga.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

pdfisga.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	276	pdfisga.exe
Token: SeDebugPrivilege	276	pdfisga.exe
Token: SeShutdownPrivilege	1288	Explorer.EXE
Token: SeShutdownPrivilege	1288	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

pdfisga.exe

pid process

1644 pdfisga.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pdfisga.exe

pid process

1644 pdfisga.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pdfisga.exe

pid process

1644 pdfisga.exe
1644 pdfisga.exe

pid	process
1644	pdfisga.exe

pid	process
1644	pdfisga.exe

pid	process
1644	pdfisga.exe
1644	pdfisga.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

taskeng.exepdfisga.exesvchost.exe

description	pid	process	target process
PID 1036 wrote to memory of 276	1036	taskeng.exe	pdfisga.exe
PID 1036 wrote to memory of 276	1036	taskeng.exe	pdfisga.exe
PID 1036 wrote to memory of 276	1036	taskeng.exe	pdfisga.exe
PID 1036 wrote to memory of 276	1036	taskeng.exe	pdfisga.exe
PID 276 wrote to memory of 600	276	pdfisga.exe	svchost.exe
PID 600 wrote to memory of 1376	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 1376	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 1376	600	svchost.exe	DllHost.exe
PID 276 wrote to memory of 1288	276	pdfisga.exe	Explorer.EXE
PID 276 wrote to memory of 2020	276	pdfisga.exe	vssadmin.exe
PID 276 wrote to memory of 2020	276	pdfisga.exe	vssadmin.exe
PID 276 wrote to memory of 2020	276	pdfisga.exe	vssadmin.exe
PID 276 wrote to memory of 2020	276	pdfisga.exe	vssadmin.exe
PID 276 wrote to memory of 1644	276	pdfisga.exe	pdfisga.exe
PID 276 wrote to memory of 1644	276	pdfisga.exe	pdfisga.exe
PID 276 wrote to memory of 1644	276	pdfisga.exe	pdfisga.exe
PID 276 wrote to memory of 1644	276	pdfisga.exe	pdfisga.exe
PID 600 wrote to memory of 1852	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 1852	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 1852	600	svchost.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:1288
- C:\Users\Admin\AppData\Local\Temp\b5dd6e8288017f4988f8b8d5738546b9ef90837b47be912c86bfa66d65d65dbd.exe
  "C:\Users\Admin\AppData\Local\Temp\b5dd6e8288017f4988f8b8d5738546b9ef90837b47be912c86bfa66d65d65dbd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:600
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:1376
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:1852

C:\Windows\system32\taskeng.exe
taskeng.exe {9B542B09-DC55-4B33-90E2-F1FDE73DAABD} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
  C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:276
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows all
    3⤵
    - Interacts with shadow copies
    PID:2020
- - C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
    "C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Help\xptppml

Filesize
654B

MD5
e897e9d37dca9003c211398bb87b7a91

SHA1
3720cdc11046d53235af5bcab68c984c143cf772

SHA256
3c0ca1ae263414bb5459d8685eafca9f0c937826b72a9a2ff7e77a000726da17

SHA512
b6e19af88421558582a5da6a711716234d3b115ea05a45c4d1ee894207dcd22caf382146905b8fcef79f7eb6abe492cd12179651f6fffd34a279493bf6d55421

Download Submit
C:\ProgramData\Microsoft Help\xptppml

Filesize
654B

MD5
999b88e7e9a5088f5c0c742d7c547eca

SHA1
dfbc74cbdb700b937729be013390c3f8cca99c38

SHA256
c0aa6123e09846afde9f1c859ce68ac395c099d0f35ed39bcbaaa197dd5120ac

SHA512
b9d61ab6588dff4a26cb86ba0726855588bf8699eab8ed1fe26e9748fc8ec2b885cce1d7bd9a6ec9380845f0f71fa50f06888ddb74513a77332d6bb712bfc01d

Download Submit
C:\ProgramData\Microsoft Help\xptppml

Filesize
654B

MD5
1c9a8cc8316e363df548e060c4c6a9f9

SHA1
8aebb5edc2a8647445ef997d5ba280511c7f09f7

SHA256
6b4c6e920838d6fe0b7a7cadfa6a7c162ad1b69d01cb7c87c51d466d3a5b16e5

SHA512
bc62d215338afd325986017043da89f31b28ae7de6fef0b3d5848fa5423325c2d6db124b688ffbe083af896f3f65c5e72561ba4df125d9c052abd6474e26bc6b

Download Submit
C:\ProgramData\Microsoft Help\xptppml

Filesize
654B

MD5
1c9a8cc8316e363df548e060c4c6a9f9

SHA1
8aebb5edc2a8647445ef997d5ba280511c7f09f7

SHA256
6b4c6e920838d6fe0b7a7cadfa6a7c162ad1b69d01cb7c87c51d466d3a5b16e5

SHA512
bc62d215338afd325986017043da89f31b28ae7de6fef0b3d5848fa5423325c2d6db124b688ffbe083af896f3f65c5e72561ba4df125d9c052abd6474e26bc6b

Download Submit
C:\ProgramData\zlwdkgg.html

Filesize
63KB

MD5
f822550e9af790f1c3170e2d4aa99e3e

SHA1
ac99a4ae1d37a263ca32be6e220d3ff58ca2ed1b

SHA256
b0d5501da5c8a683104f46c1302e13f68b8a7a4c4d1dfa55d74e4ef2dae33e52

SHA512
77ed4f798d1be1b249f4237f904896a3d8c605f0d647981f832da4c113342025fbf0af5fb7089f7e72bd04de9a894e2979f3238a521d76bb1a6ee5b3efb9bb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
691KB

MD5
2b62cdb6bcec4bff47eff437e4fc46d3

SHA1
c69586cd9813701974a65a9025383c56a0b5f306

SHA256
b5dd6e8288017f4988f8b8d5738546b9ef90837b47be912c86bfa66d65d65dbd

SHA512
902e67858db24b95ed0f0a4457348b246d49350cd9416bc71b8b256f71791fe4491293b4853028cb7a6f09a80333835919277ab9b40e393cff84526156262dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
691KB

MD5
2b62cdb6bcec4bff47eff437e4fc46d3

SHA1
c69586cd9813701974a65a9025383c56a0b5f306

SHA256
b5dd6e8288017f4988f8b8d5738546b9ef90837b47be912c86bfa66d65d65dbd

SHA512
902e67858db24b95ed0f0a4457348b246d49350cd9416bc71b8b256f71791fe4491293b4853028cb7a6f09a80333835919277ab9b40e393cff84526156262dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
691KB

MD5
2b62cdb6bcec4bff47eff437e4fc46d3

SHA1
c69586cd9813701974a65a9025383c56a0b5f306

SHA256
b5dd6e8288017f4988f8b8d5738546b9ef90837b47be912c86bfa66d65d65dbd

SHA512
902e67858db24b95ed0f0a4457348b246d49350cd9416bc71b8b256f71791fe4491293b4853028cb7a6f09a80333835919277ab9b40e393cff84526156262dbd

Download Submit
memory/276-60-0x0000000000000000-mapping.dmp

Download
memory/276-66-0x0000000001070000-0x000000000129D000-memory.dmp

Filesize
2.2MB

Download
memory/600-67-0x00000000000E0000-0x000000000014D000-memory.dmp

Filesize
436KB

Download
memory/600-73-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/600-69-0x00000000000E0000-0x000000000014D000-memory.dmp

Filesize
436KB

Download
memory/1204-54-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1204-58-0x00000000021C0000-0x00000000023ED000-memory.dmp

Filesize
2.2MB

Download
memory/1204-57-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1204-56-0x0000000001FC0000-0x00000000021BC000-memory.dmp

Filesize
2.0MB

Download
memory/1204-55-0x0000000000401000-0x00000000004A2000-memory.dmp

Filesize
644KB

Download
memory/1376-72-0x0000000000000000-mapping.dmp

Download
memory/1644-80-0x0000000000000000-mapping.dmp

Download
memory/1644-86-0x0000000002380000-0x00000000025AD000-memory.dmp

Filesize
2.2MB

Download
memory/1852-88-0x0000000000000000-mapping.dmp

Download
memory/2020-79-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads