blackcat | 20982ebcf2153ed7d8fa4cdce4266415527d54bd648f54ba839fe0687abff551

Resubmissions

22-05-2024 12:23

240522-pkt5rsah6s 10

22-05-2024 12:21

240522-pjp5esae34 10

05-05-2024 12:31

240505-pqcsnsdc87 10

Analysis

max time kernel
90s
max time network
90s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
05-05-2024 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb.exe
Size

2.9MB
MD5

817f4bf0b4d0fc327fdfc21efacddaee
SHA1

8917af3878fa49fe4ec930230b881ff0ae8d19c9
SHA256

f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb
SHA512

b0f8c0f3e18765606db9c29199b617f5a757c5b12cdddeac1e91deaadef790b1134eb3c009b0eab36096391d93c8fa6abcb983426bc506ae79a63cadb7ea954b
SSDEEP

49152:rAnCsMZjVpVbl4D5GzNMFsl4UROAUc1y32ZxJFi4NE/RgaJ2w1M:rAnCs8pVblGyNM+l4UxUc1BhFyvww1M

Score

10^/10

blackcat ransomware

Malware Config

Extracted

Family

blackcat

Attributes

enable_network_discovery
true
enable_self_propagation
true
enable_set_wallpaper
true
extension
7954i9r
note_file_name
RECOVER-${EXTENSION}-FILES.txt
note_full_text
>> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion/336eb50d-ebf8-436b-937d-ec075de46e7f/419ef3f950d9f346cf86db56db453539dcd51567ea871728e78dbc9918c7efeb >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://sty5r4hhb5oihbq2mwevrofdiqbgesi66rvxr5sr573xgvtuvr4cs5yd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Signatures

BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
ransomware blackcat

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "3746270565"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31104799"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 5 IoCs

pid	Process
4452	WINWORD.EXE
4452	WINWORD.EXE
2352	WINWORD.EXE
2352	WINWORD.EXE
1868	POWERPNT.EXE

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
4452	WINWORD.EXE
4452	WINWORD.EXE
4452	WINWORD.EXE
4452	WINWORD.EXE
4452	WINWORD.EXE
4452	WINWORD.EXE
4452	WINWORD.EXE
2352	WINWORD.EXE
2352	WINWORD.EXE
2352	WINWORD.EXE
2352	WINWORD.EXE
2352	WINWORD.EXE
2352	WINWORD.EXE
2352	WINWORD.EXE
1868	POWERPNT.EXE
1868	POWERPNT.EXE
1868	POWERPNT.EXE
1868	POWERPNT.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb.exe
"C:\Users\Admin\AppData\Local\Temp\f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb.exe"
1⤵
PID:2692

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
PID:2272

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ConnectStop.odt"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4452

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Files.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2996

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4204

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Documents\TestMerge.pptx" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1868

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\UseRedo.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
194b2e74fd68bfa6883686f07a40c20b

SHA1
bc019093c96cdfae93aa7e5af351e6adcf8efdf1

SHA256
20b954d5ab1732e793d2c0a2f4e99e1504845d67b2d77d414cc426def424c3c1

SHA512
c2e297494f393c342ea628979ff408c8969fbea6b8781b991ca12ce6a1ecd41f0ab2ddb0c66a602b1fe7e71533167340d90ab544997fa4f7a4921e7180869627

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
06b2b85220b13ce6529b78b6467556b7

SHA1
ab62f2f3578f92f5d2d3eb0302198ed0c95d69b3

SHA256
ac335bccbbf02940ff5f0bdc860ea8c6fdf343eeab79960d7dde9afcd5c24e23

SHA512
de45392e7993e174373512013ce8a26aa127da9c251383d71980417fff3a01913204c8d02eed55fd658432238b59126f6df2f29eff93ebc90eabed8767ff248e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
502B

MD5
faa5320066dd03a401fb6bb3ea94c70e

SHA1
a8e6ba9ab6d70c5e82f5db1761d2dab6799e7585

SHA256
a77eb10bbad7ef5fb935aa0675e0c3c0af6e38d670ddea8f086931c4a3d01669

SHA512
2a0a7219bed9172fdd494436e9b5e0034c233bb2c83f83cdb4022a49f4afa079185f3398a7b65778fec3087cfe118531c8ffa55f10d6306a842f953ddede47b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4B8E0785-E17E-4847-89EB-67BAE943E185

Filesize
160KB

MD5
890aa6fc644f9a6b55e1951547395276

SHA1
6e3a4c528fa4fb260dd99ca9b29736a459494f89

SHA256
d924ef5cdcd2cd1c007c5928dabe59c5466c2783cd117502bbf9701e46d72453

SHA512
638861f04eb9fef83b92a77ff920638b7dfb30f3a1aae7b2d95153b4c2e2aad351cf5241fa0e6ae601e64b483c2d42b9251da0a408b32b5083ea6abae7c87fc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
b00f3f56c104c94e03cd2ad8452c14e7

SHA1
51b78e45015e0d9d62fbdf31b75a22535a107204

SHA256
ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50

SHA512
93e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
201B

MD5
35375f95b1430c8b11ebeb931fba0dda

SHA1
5122d139ac357db969c191b941bd479ceb9dc59f

SHA256
fd5691afe44306226fa973037fe144c3214867067cf88cb2285394888d959d5b

SHA512
b9043a4d4470ac90f83244a81fad5de8944b83ba1e8ab6bbc7d29fb216c2ded74bf1c7b1ca8c84535b989075660e83f676e273a1b524f9e5dd8e04fee412cc6b

Download Submit
memory/1868-107-0x00007FFAAB920000-0x00007FFAAB930000-memory.dmp

Filesize
64KB

Download
memory/1868-104-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/1868-103-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/1868-102-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/1868-101-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/1868-105-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/1868-106-0x00007FFAAB920000-0x00007FFAAB930000-memory.dmp

Filesize
64KB

Download
memory/1868-119-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/1868-120-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/1868-122-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/1868-121-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/2352-97-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/2352-99-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/2352-100-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/2352-98-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/2352-52-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/2352-54-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/2352-53-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/2352-55-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/2352-56-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/2692-0-0x0000000000400000-0x00000000006F3000-memory.dmp

Filesize
2.9MB

Download
memory/4452-18-0x00007FFAAB920000-0x00007FFAAB930000-memory.dmp

Filesize
64KB

Download
memory/4452-48-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/4452-10-0x00007FFAEE040000-0x00007FFAEE249000-memory.dmp

Filesize
2.0MB

Download
memory/4452-11-0x00007FFAEE040000-0x00007FFAEE249000-memory.dmp

Filesize
2.0MB

Download
memory/4452-12-0x00007FFAEE040000-0x00007FFAEE249000-memory.dmp

Filesize
2.0MB

Download
memory/4452-13-0x00007FFAEE040000-0x00007FFAEE249000-memory.dmp

Filesize
2.0MB

Download
memory/4452-14-0x00007FFAEE040000-0x00007FFAEE249000-memory.dmp

Filesize
2.0MB

Download
memory/4452-50-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/4452-17-0x00007FFAEE040000-0x00007FFAEE249000-memory.dmp

Filesize
2.0MB

Download
memory/4452-47-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/4452-51-0x00007FFAEE040000-0x00007FFAEE249000-memory.dmp

Filesize
2.0MB

Download
memory/4452-19-0x00007FFAAB920000-0x00007FFAAB930000-memory.dmp

Filesize
64KB

Download
memory/4452-49-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/4452-15-0x00007FFAEE040000-0x00007FFAEE249000-memory.dmp

Filesize
2.0MB

Download
memory/4452-16-0x00007FFAEE040000-0x00007FFAEE249000-memory.dmp

Filesize
2.0MB

Download
memory/4452-8-0x00007FFAEE040000-0x00007FFAEE249000-memory.dmp

Filesize
2.0MB

Download
memory/4452-9-0x00007FFAEE040000-0x00007FFAEE249000-memory.dmp

Filesize
2.0MB

Download
memory/4452-7-0x00007FFAEE040000-0x00007FFAEE249000-memory.dmp

Filesize
2.0MB

Download
memory/4452-6-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/4452-5-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/4452-4-0x00007FFAEE0E3000-0x00007FFAEE0E4000-memory.dmp

Filesize
4KB

Download
memory/4452-2-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/4452-3-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download
memory/4452-1-0x00007FFAAE0D0000-0x00007FFAAE0E0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads