10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80

General

Target

10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
Size

1.0MB
MD5

5b65b00894b6bdf79de272360d268604
SHA1

ba437d3e5f376f1d655632a52bf1e05af8a7e7a9
SHA256

10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80
SHA512

4ff69fd3473ffc39e938009e1983de50c90a55996a51fc4d3dae09767dd0fd3bec87aced33dd71b7b0d32314161ceb15899e4fb68264928a0d9a717b6a330d12
SSDEEP

24576:xVm0yFkkRztCxlvTJe9XJaCubcnoxtjZZHh65:rmvFvRav1eVdeQ8FZN6

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-gkwiicl.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://onja764ig6vah2jo.onion.cab or http://onja764ig6vah2jo.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://onja764ig6vah2jo.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. TQVVR6P-NZX36AZ-OROIQOA-INTZUS7-L5GAGW3-7XVG54R-XZHVRX2-EEMF6QI OQKAJBE-ALZKGMI-WRGO2X2-W4P3JOB-YXSMWTV-ZG2UUNR-MYSJOPS-ZTSXAXM NDBLWCY-RGGOBTN-ZSXQE3C-3EIDEZB-UMOWU43-H2YC4F4-RM3F42T-SRYJGOD Follow the instructions on the server.

URLs

http://onja764ig6vah2jo.onion.cab

http://onja764ig6vah2jo.tor2web.org

http://onja764ig6vah2jo.onion/

Extracted

Path

C:\Users\Admin\Documents\Decrypt-All-Files-gkwiicl.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://onja764ig6vah2jo.onion.cab or http://onja764ig6vah2jo.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://onja764ig6vah2jo.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. TQVVR6P-NZX36AZ-OROIQOA-INTZUS7-L5GAGW3-7XVG54R-XZHVRX2-EEMF6QI OQKAJBE-ALZKGMI-WRGO2X2-W4P3JOB-YXSMWTV-ZG2UUNR-MYSJOPS-ZTSXAXM NDBLWCY-RGGOBTN-ZSXQE3C-3EIDEZB-UMOWEO3-LKYC4F4-RM3F42T-SRYJ5HY Follow the instructions on the server.

URLs

http://onja764ig6vah2jo.onion.cab

http://onja764ig6vah2jo.tor2web.org

http://onja764ig6vah2jo.onion/

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

gejzibk.exegejzibk.exe

pid process

1228 gejzibk.exe
1180 gejzibk.exe

pid	process
1228	gejzibk.exe
1180	gejzibk.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\SaveConvertFrom.CRW.gkwiicl	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ConnectPublish.RAW.gkwiicl	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\SelectStart.RAW.gkwiicl	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\AssertSelect.CRW.gkwiicl	svchost.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\Decrypt-All-Files-gkwiicl.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exegejzibk.exe

description	pid	process	target process
PID 1160 set thread context of 1712	1160	10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe	10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
PID 1228 set thread context of 1180	1228	gejzibk.exe	gejzibk.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-gkwiicl.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-gkwiicl.bmp	svchost.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1692 vssadmin.exe

pid	process
1692	vssadmin.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6abee744-1a82-11ed-8290-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6abee744-1a82-11ed-8290-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6abee744-1a82-11ed-8290-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00360061006200650065003700340034002d0031006100380032002d0031003100650064002d0038003200390030002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exegejzibk.exe

pid	process
1712	10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe
1180	gejzibk.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

gejzibk.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 1180 gejzibk.exe
Token: SeDebugPrivilege 1180 gejzibk.exe
Token: SeShutdownPrivilege 1276 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1180	gejzibk.exe
Token: SeDebugPrivilege	1180	gejzibk.exe
Token: SeShutdownPrivilege	1276	Explorer.EXE

pid	process
1276	Explorer.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exetaskeng.exegejzibk.exegejzibk.exesvchost.exe

description	pid	process	target process
PID 1160 wrote to memory of 1712	1160	10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe	10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
PID 1160 wrote to memory of 1712	1160	10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe	10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
PID 1160 wrote to memory of 1712	1160	10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe	10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
PID 1160 wrote to memory of 1712	1160	10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe	10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
PID 1160 wrote to memory of 1712	1160	10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe	10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
PID 1160 wrote to memory of 1712	1160	10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe	10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
PID 1160 wrote to memory of 1712	1160	10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe	10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
PID 1160 wrote to memory of 1712	1160	10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe	10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
PID 1376 wrote to memory of 1228	1376	taskeng.exe	gejzibk.exe
PID 1376 wrote to memory of 1228	1376	taskeng.exe	gejzibk.exe
PID 1376 wrote to memory of 1228	1376	taskeng.exe	gejzibk.exe
PID 1376 wrote to memory of 1228	1376	taskeng.exe	gejzibk.exe
PID 1228 wrote to memory of 1180	1228	gejzibk.exe	gejzibk.exe
PID 1228 wrote to memory of 1180	1228	gejzibk.exe	gejzibk.exe
PID 1228 wrote to memory of 1180	1228	gejzibk.exe	gejzibk.exe
PID 1228 wrote to memory of 1180	1228	gejzibk.exe	gejzibk.exe
PID 1228 wrote to memory of 1180	1228	gejzibk.exe	gejzibk.exe
PID 1228 wrote to memory of 1180	1228	gejzibk.exe	gejzibk.exe
PID 1228 wrote to memory of 1180	1228	gejzibk.exe	gejzibk.exe
PID 1228 wrote to memory of 1180	1228	gejzibk.exe	gejzibk.exe
PID 1180 wrote to memory of 600	1180	gejzibk.exe	svchost.exe
PID 600 wrote to memory of 1676	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 1676	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 1676	600	svchost.exe	DllHost.exe
PID 1180 wrote to memory of 1276	1180	gejzibk.exe	Explorer.EXE
PID 1180 wrote to memory of 1692	1180	gejzibk.exe	vssadmin.exe
PID 1180 wrote to memory of 1692	1180	gejzibk.exe	vssadmin.exe
PID 1180 wrote to memory of 1692	1180	gejzibk.exe	vssadmin.exe
PID 1180 wrote to memory of 1692	1180	gejzibk.exe	vssadmin.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1276

C:\Users\Admin\AppData\Local\Temp\10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
"C:\Users\Admin\AppData\Local\Temp\10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
"C:\Users\Admin\AppData\Local\Temp\10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:1676

C:\Windows\system32\taskeng.exe
taskeng.exe {0CE8622C-D822-410F-BB36-402E1B1E2335} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
4⤵
- Interacts with shadow copies
PID:1692

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\qrsyusl
Filesize
654B

MD5
6effb15e094018eb4b4984db188a7d69

SHA1
7f2c06eab9d73a18bf1b31cc712b495807132785

SHA256
35d178b93af779c4bfb46efb56351ae68301d504b9cd329b05aa51abb18351fd

SHA512
b0ba3ae97015584011667b4ed1a12d07bc2fc8fe751ceb06ee4ed318dfaf8a7e69810e8e23b462c6ed11927f9e499f7857c623d05344fdcf8a171c79302192db

Download Submit
C:\ProgramData\Package Cache\qrsyusl
Filesize
654B

MD5
6effb15e094018eb4b4984db188a7d69

SHA1
7f2c06eab9d73a18bf1b31cc712b495807132785

SHA256
35d178b93af779c4bfb46efb56351ae68301d504b9cd329b05aa51abb18351fd

SHA512
b0ba3ae97015584011667b4ed1a12d07bc2fc8fe751ceb06ee4ed318dfaf8a7e69810e8e23b462c6ed11927f9e499f7857c623d05344fdcf8a171c79302192db

Download Submit
C:\ProgramData\Package Cache\qrsyusl
Filesize
654B

MD5
39977b8f27f221085f57bc009441db79

SHA1
ef4ae8ff5eb263136276de8c3b764152292d6022

SHA256
53a4091b59d016770b910410107121d33ec4149a6b9b8cbc7cdb5ae5f7baf508

SHA512
489a825abf246b5c7b43fddce181cba8058fdba21919fe4136140ed23017f8eb03d526ef5cef35b15864b4912806593ef2b3bdb2682234deba6c1710dc9f817c

Download Submit
C:\ProgramData\Package Cache\qrsyusl
Filesize
654B

MD5
e239cc20de2df399aafe6f8d0073b92e

SHA1
9166382661172740371095b979154a497e4c5188

SHA256
e158809900877ea058b0e6cb44678ebebced0bc2ca6c6a65e75500052e9f1a74

SHA512
3eb80bd068471ec32b4c7d2fe7a1715f9d079ed37bce095e2cfda65e9edf4788f4fb1874260bcae5e3cf8ff435faf2f7cc91d5d02548f4384480a36fb2debe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
Filesize
1.0MB

MD5
5b65b00894b6bdf79de272360d268604

SHA1
ba437d3e5f376f1d655632a52bf1e05af8a7e7a9

SHA256
10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80

SHA512
4ff69fd3473ffc39e938009e1983de50c90a55996a51fc4d3dae09767dd0fd3bec87aced33dd71b7b0d32314161ceb15899e4fb68264928a0d9a717b6a330d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
Filesize
1.0MB

MD5
5b65b00894b6bdf79de272360d268604

SHA1
ba437d3e5f376f1d655632a52bf1e05af8a7e7a9

SHA256
10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80

SHA512
4ff69fd3473ffc39e938009e1983de50c90a55996a51fc4d3dae09767dd0fd3bec87aced33dd71b7b0d32314161ceb15899e4fb68264928a0d9a717b6a330d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
Filesize
1.0MB

MD5
5b65b00894b6bdf79de272360d268604

SHA1
ba437d3e5f376f1d655632a52bf1e05af8a7e7a9

SHA256
10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80

SHA512
4ff69fd3473ffc39e938009e1983de50c90a55996a51fc4d3dae09767dd0fd3bec87aced33dd71b7b0d32314161ceb15899e4fb68264928a0d9a717b6a330d12

Download Submit
memory/600-82-0x0000000000600000-0x0000000000674000-memory.dmp

Filesize
464KB

Download
memory/600-88-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

Filesize
8KB

Download
memory/600-84-0x0000000000600000-0x0000000000674000-memory.dmp

Filesize
464KB

Download
memory/1160-55-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/1160-63-0x0000000074780000-0x0000000074D2B000-memory.dmp

Filesize
5.7MB

Download
memory/1160-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1180-74-0x00000000013EC07E-mapping.dmp

Download
memory/1180-81-0x0000000000BA0000-0x0000000000DE0000-memory.dmp

Filesize
2.2MB

Download
memory/1228-67-0x0000000000000000-mapping.dmp

Download
memory/1228-70-0x0000000074670000-0x0000000074C1B000-memory.dmp

Filesize
5.7MB

Download
memory/1228-76-0x0000000074670000-0x0000000074C1B000-memory.dmp

Filesize
5.7MB

Download
memory/1676-87-0x0000000000000000-mapping.dmp

Download
memory/1692-94-0x0000000000000000-mapping.dmp

Download
memory/1712-61-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1712-57-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1712-59-0x000000000124C07E-mapping.dmp

Download
memory/1712-60-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1712-56-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1712-62-0x0000000000610000-0x000000000081F000-memory.dmp

Filesize
2.1MB

Download
memory/1712-65-0x0000000000820000-0x0000000000A60000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads