buran | 54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371

Analysis

max time kernel
110s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
18-12-2020 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

imposter11.exe
Size

446KB
MD5

567204cbb8d1c5908a5316f9dfdcb353
SHA1

cc7eca3c24883a3b563288c08cfab7cc248a0315
SHA256

54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371
SHA512

ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! HOW TO BACK YOUR FILES !!!.TXT

Family

buran

Ransom Note

YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US: China.Helper@aol.com ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER: Your personal ID: 8E5-AA3-C3C Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

taskeng.exetaskeng.exe

pid process

2684 taskeng.exe
504 taskeng.exe

pid	process
2684	taskeng.exe
504	taskeng.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

taskeng.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ConvertFromBlock.tiff	taskeng.exe
File opened for modification	C:\Users\Admin\Pictures\FormatPing.tiff	taskeng.exe
File opened for modification	C:\Users\Admin\Pictures\RedoSwitch.tiff	taskeng.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

imposter11.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	imposter11.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	imposter11.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskeng.exe

description	ioc	process
File opened (read-only)	\??\N:	taskeng.exe
File opened (read-only)	\??\L:	taskeng.exe
File opened (read-only)	\??\H:	taskeng.exe
File opened (read-only)	\??\Y:	taskeng.exe
File opened (read-only)	\??\V:	taskeng.exe
File opened (read-only)	\??\P:	taskeng.exe
File opened (read-only)	\??\A:	taskeng.exe
File opened (read-only)	\??\W:	taskeng.exe
File opened (read-only)	\??\T:	taskeng.exe
File opened (read-only)	\??\G:	taskeng.exe
File opened (read-only)	\??\M:	taskeng.exe
File opened (read-only)	\??\J:	taskeng.exe
File opened (read-only)	\??\I:	taskeng.exe
File opened (read-only)	\??\E:	taskeng.exe
File opened (read-only)	\??\B:	taskeng.exe
File opened (read-only)	\??\U:	taskeng.exe
File opened (read-only)	\??\R:	taskeng.exe
File opened (read-only)	\??\O:	taskeng.exe
File opened (read-only)	\??\Q:	taskeng.exe
File opened (read-only)	\??\K:	taskeng.exe
File opened (read-only)	\??\F:	taskeng.exe
File opened (read-only)	\??\Z:	taskeng.exe
File opened (read-only)	\??\X:	taskeng.exe
File opened (read-only)	\??\S:	taskeng.exe

Drops file in Program Files directory 25683 IoCs

Processes:

taskeng.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\splash.gif.8E5-AA3-C3C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXC	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8196_24x24x32.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteMediumTile.scale-400.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\selector.js	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\!!! HOW TO BACK YOUR FILES !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml	taskeng.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\release.8E5-AA3-C3C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark.png	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.dualsim1.sad.scale-200.png	taskeng.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\!!! HOW TO BACK YOUR FILES !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-64.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-60.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses-hover.svg	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js.8E5-AA3-C3C	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-fr_fr.gif	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_ja_4.4.0.v20140623020002.jar	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms.8E5-AA3-C3C	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8196_20x20x32.png	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ja-jp\!!! HOW TO BACK YOUR FILES !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Info.png	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.8E5-AA3-C3C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sqlpdw.xsl.8E5-AA3-C3C	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\ui-strings.js	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W6.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\skin_beeps.lua	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_contrast-black.png	taskeng.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\!!! HOW TO BACK YOUR FILES !!!.TXT	taskeng.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\!!! HOW TO BACK YOUR FILES !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-20.png	taskeng.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\en-us\!!! HOW TO BACK YOUR FILES !!!.TXT	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\!!! HOW TO BACK YOUR FILES !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg.8E5-AA3-C3C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png.8E5-AA3-C3C	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\WideTile.scale-125.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\dull_tauri.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\va_16x11.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\warning_2x.png.8E5-AA3-C3C	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\ui-strings.js.8E5-AA3-C3C	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ar-ae\!!! HOW TO BACK YOUR FILES !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png.8E5-AA3-C3C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.8E5-AA3-C3C	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\msipc.dll.mui	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\Icon.targetsize-16.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\mask\11c.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\tk_60x42.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-100_contrast-white.png	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\!!! HOW TO BACK YOUR FILES !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\ui-strings.js	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.8E5-AA3-C3C	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\jfluid-server-15.jar	taskeng.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jsse.jar	taskeng.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\THMBNAIL.PNG.8E5-AA3-C3C	taskeng.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\!!! HOW TO BACK YOUR FILES !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\12s.png	taskeng.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\pl_60x42.png	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nb-no\ui-strings.js.8E5-AA3-C3C	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\tr-tr\!!! HOW TO BACK YOUR FILES !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\da_get.svg.8E5-AA3-C3C	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif.8E5-AA3-C3C	taskeng.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\!!! HOW TO BACK YOUR FILES !!!.TXT	taskeng.exe

Drops file in Windows directory 1 IoCs

Processes:

taskeng.exe

description ioc process

File created C:\Windows\!!! HOW TO BACK YOUR FILES !!!.TXT taskeng.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4064 vssadmin.exe
3988 vssadmin.exe

description	ioc	process
File created	C:\Windows\!!! HOW TO BACK YOUR FILES !!!.TXT	taskeng.exe

pid	process
4064	vssadmin.exe
3988	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 89 IoCs

Processes:

WMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3064	WMIC.exe
Token: SeSecurityPrivilege	3064	WMIC.exe
Token: SeTakeOwnershipPrivilege	3064	WMIC.exe
Token: SeLoadDriverPrivilege	3064	WMIC.exe
Token: SeSystemProfilePrivilege	3064	WMIC.exe
Token: SeSystemtimePrivilege	3064	WMIC.exe
Token: SeProfSingleProcessPrivilege	3064	WMIC.exe
Token: SeIncBasePriorityPrivilege	3064	WMIC.exe
Token: SeCreatePagefilePrivilege	3064	WMIC.exe
Token: SeBackupPrivilege	3064	WMIC.exe
Token: SeRestorePrivilege	3064	WMIC.exe
Token: SeShutdownPrivilege	3064	WMIC.exe
Token: SeDebugPrivilege	3064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3064	WMIC.exe
Token: SeRemoteShutdownPrivilege	3064	WMIC.exe
Token: SeUndockPrivilege	3064	WMIC.exe
Token: SeManageVolumePrivilege	3064	WMIC.exe
Token: 33	3064	WMIC.exe
Token: 34	3064	WMIC.exe
Token: 35	3064	WMIC.exe
Token: 36	3064	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2296	WMIC.exe
Token: SeSecurityPrivilege	2296	WMIC.exe
Token: SeTakeOwnershipPrivilege	2296	WMIC.exe
Token: SeLoadDriverPrivilege	2296	WMIC.exe
Token: SeSystemProfilePrivilege	2296	WMIC.exe
Token: SeSystemtimePrivilege	2296	WMIC.exe
Token: SeProfSingleProcessPrivilege	2296	WMIC.exe
Token: SeIncBasePriorityPrivilege	2296	WMIC.exe
Token: SeCreatePagefilePrivilege	2296	WMIC.exe
Token: SeBackupPrivilege	2296	WMIC.exe
Token: SeRestorePrivilege	2296	WMIC.exe
Token: SeShutdownPrivilege	2296	WMIC.exe
Token: SeDebugPrivilege	2296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2296	WMIC.exe
Token: SeRemoteShutdownPrivilege	2296	WMIC.exe
Token: SeUndockPrivilege	2296	WMIC.exe
Token: SeManageVolumePrivilege	2296	WMIC.exe
Token: 33	2296	WMIC.exe
Token: 34	2296	WMIC.exe
Token: 35	2296	WMIC.exe
Token: 36	2296	WMIC.exe
Token: SeBackupPrivilege	2832	vssvc.exe
Token: SeRestorePrivilege	2832	vssvc.exe
Token: SeAuditPrivilege	2832	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3064	WMIC.exe
Token: SeSecurityPrivilege	3064	WMIC.exe
Token: SeTakeOwnershipPrivilege	3064	WMIC.exe
Token: SeLoadDriverPrivilege	3064	WMIC.exe
Token: SeSystemProfilePrivilege	3064	WMIC.exe
Token: SeSystemtimePrivilege	3064	WMIC.exe
Token: SeProfSingleProcessPrivilege	3064	WMIC.exe
Token: SeIncBasePriorityPrivilege	3064	WMIC.exe
Token: SeCreatePagefilePrivilege	3064	WMIC.exe
Token: SeBackupPrivilege	3064	WMIC.exe
Token: SeRestorePrivilege	3064	WMIC.exe
Token: SeShutdownPrivilege	3064	WMIC.exe
Token: SeDebugPrivilege	3064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3064	WMIC.exe
Token: SeRemoteShutdownPrivilege	3064	WMIC.exe
Token: SeUndockPrivilege	3064	WMIC.exe
Token: SeManageVolumePrivilege	3064	WMIC.exe
Token: 33	3064	WMIC.exe
Token: 34	3064	WMIC.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

imposter11.exetaskeng.execmd.execmd.execmd.exe

description	pid	process	target process
PID 64 wrote to memory of 2684	64	imposter11.exe	taskeng.exe
PID 64 wrote to memory of 2684	64	imposter11.exe	taskeng.exe
PID 64 wrote to memory of 2684	64	imposter11.exe	taskeng.exe
PID 2684 wrote to memory of 1380	2684	taskeng.exe	cmd.exe
PID 2684 wrote to memory of 1380	2684	taskeng.exe	cmd.exe
PID 2684 wrote to memory of 1380	2684	taskeng.exe	cmd.exe
PID 2684 wrote to memory of 2968	2684	taskeng.exe	cmd.exe
PID 2684 wrote to memory of 2968	2684	taskeng.exe	cmd.exe
PID 2684 wrote to memory of 2968	2684	taskeng.exe	cmd.exe
PID 2684 wrote to memory of 3808	2684	taskeng.exe	cmd.exe
PID 2684 wrote to memory of 3808	2684	taskeng.exe	cmd.exe
PID 2684 wrote to memory of 3808	2684	taskeng.exe	cmd.exe
PID 2684 wrote to memory of 1504	2684	taskeng.exe	cmd.exe
PID 2684 wrote to memory of 1504	2684	taskeng.exe	cmd.exe
PID 2684 wrote to memory of 1504	2684	taskeng.exe	cmd.exe
PID 2684 wrote to memory of 1080	2684	taskeng.exe	cmd.exe
PID 2684 wrote to memory of 1080	2684	taskeng.exe	cmd.exe
PID 2684 wrote to memory of 1080	2684	taskeng.exe	cmd.exe
PID 2684 wrote to memory of 488	2684	taskeng.exe	cmd.exe
PID 2684 wrote to memory of 488	2684	taskeng.exe	cmd.exe
PID 2684 wrote to memory of 488	2684	taskeng.exe	cmd.exe
PID 2684 wrote to memory of 504	2684	taskeng.exe	taskeng.exe
PID 2684 wrote to memory of 504	2684	taskeng.exe	taskeng.exe
PID 2684 wrote to memory of 504	2684	taskeng.exe	taskeng.exe
PID 1080 wrote to memory of 4064	1080	cmd.exe	vssadmin.exe
PID 1080 wrote to memory of 4064	1080	cmd.exe	vssadmin.exe
PID 1080 wrote to memory of 4064	1080	cmd.exe	vssadmin.exe
PID 1380 wrote to memory of 3064	1380	cmd.exe	WMIC.exe
PID 1380 wrote to memory of 3064	1380	cmd.exe	WMIC.exe
PID 1380 wrote to memory of 3064	1380	cmd.exe	WMIC.exe
PID 488 wrote to memory of 2296	488	cmd.exe	WMIC.exe
PID 488 wrote to memory of 2296	488	cmd.exe	WMIC.exe
PID 488 wrote to memory of 2296	488	cmd.exe	WMIC.exe
PID 488 wrote to memory of 3988	488	cmd.exe	vssadmin.exe
PID 488 wrote to memory of 3988	488	cmd.exe	vssadmin.exe
PID 488 wrote to memory of 3988	488	cmd.exe	vssadmin.exe
PID 2684 wrote to memory of 416	2684	taskeng.exe	notepad.exe
PID 2684 wrote to memory of 416	2684	taskeng.exe	notepad.exe
PID 2684 wrote to memory of 416	2684	taskeng.exe	notepad.exe
PID 2684 wrote to memory of 416	2684	taskeng.exe	notepad.exe
PID 2684 wrote to memory of 416	2684	taskeng.exe	notepad.exe
PID 2684 wrote to memory of 416	2684	taskeng.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\imposter11.exe
"C:\Users\Admin\AppData\Local\Temp\imposter11.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:64

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:3808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:488

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:3988

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
- Drops file in Windows directory
PID:504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:4064

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2832

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
49f30697c634c40272e3aa13c370279f

SHA1
bd543555d20162a2afcfb3a0f85cde37b7faf0db

SHA256
c4b9272708e65c60dcd4d94a9e5f0327590963911bf3c66b27de9666a050cfe3

SHA512
ee541518a003f153492457e3dfae6d0f05ac6d2f93360dc5708ed8f81ba19df612b8ef5a77495c0313e59162220936e41b4687bbf6df62e9c917054925e248bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
567204cbb8d1c5908a5316f9dfdcb353

SHA1
cc7eca3c24883a3b563288c08cfab7cc248a0315

SHA256
54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371

SHA512
ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
567204cbb8d1c5908a5316f9dfdcb353

SHA1
cc7eca3c24883a3b563288c08cfab7cc248a0315

SHA256
54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371

SHA512
ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
567204cbb8d1c5908a5316f9dfdcb353

SHA1
cc7eca3c24883a3b563288c08cfab7cc248a0315

SHA256
54f6ec27eb7526c439d33e7592e4864842fccf950d828fe14ef7c8eb080ee371

SHA512
ec4e2a03a525ae5150449d5403f2fc72b88d1cd977c503f4943b0889b82c543e46c35cd204fe27c5c03d4817bcc9413ec467637a038d2d7cd164d59d2b377f3b

Download Submit
C:\Users\Admin\Desktop\AddPush.jtx.8E5-AA3-C3C
MD5
efb55cc5779d6c74800131d31a3141c4

SHA1
4b4d2e3c8277944cecbcc2e0a859a9bd9cc3855a

SHA256
c15aafb321838647e7289a3897746de8c085095ed0257a29f1022802138dab2d

SHA512
7272dec7188848aadeafbb64ec0fd065818bc89ba7ef52b76d3dcf893dadec3446938110efa1f415de67b1c7ec890b7c7127f4378b44fe5c9f887c2348873ac7

Download Submit
C:\Users\Admin\Desktop\AddRestore.gif.8E5-AA3-C3C
MD5
4574f774ea6aca8c2a9700c3741c3df2

SHA1
0cbff00761fd9d9c164463564ade153af6a6cd22

SHA256
6bfc04cf644724f154f080e15b9a0ec10fce7d370c4b19dc0af869d561ff8dd9

SHA512
e89399d2a609a2f9d2529e5211dc007cdd710c97549dfb8c34c87040c75d057ae72cc1ceee09daa975a10d277fb0d6fb591ac60f903bec59a5b18c8c832c064e

Download Submit
C:\Users\Admin\Desktop\AssertPop.mhtml.8E5-AA3-C3C
MD5
8a2d50434b6872554d7efca9be4f84b4

SHA1
a61868a82b878cf57fb1422eecec5ed65c752f00

SHA256
f7e4bc1c3b29da40b3912ac7db563b54978d32e0517934158e98101bcca98e89

SHA512
e5c237ac70ba0864cea3281c9a3595df80157ad79ac08c19d2d71e81f74b19a6be03f39ca85efa0bbf9ceb3a987f33b77d83ed9a8cb4fe33f4c94ea58b8432ba

Download Submit
C:\Users\Admin\Desktop\BackupStop.search-ms.8E5-AA3-C3C
MD5
545081a939995162163ab7425793766b

SHA1
6b1b0e1f2c05fa4ef2f12f3b441776dd36fc4d93

SHA256
d331cb4c2ea838a7fd6558f07ecefc569c48b78dd0480695b62cae4a36f2b790

SHA512
62d9c553643180ff6cf9600eaa2c4e2758918fd67a82663b4f88df115f1c896cece0d2d0cd3165077b033ccc37c97468c007720e8c756d6f1fdcc2e4ceed1649

Download Submit
C:\Users\Admin\Desktop\BlockImport.inf.8E5-AA3-C3C
MD5
18e620f7d74f53fe1b718c565c40b29b

SHA1
1c5d3a92c372ec5dad477ba9bb75b661470cdd4f

SHA256
49ddb0827f4cd53c554cd9a0dc33b303054a983967d11d0abecb5b11c92ea3fc

SHA512
f1dfce095d30f97d0b6fa23aa43fd7898e6aad8fdcc0ac9404c530b12e0c3725edb3c077ac040bf695cac2915986bdb968baad83895cf65bd0dea1f41e085fad

Download Submit
C:\Users\Admin\Desktop\CloseTest.asf.8E5-AA3-C3C
MD5
9aebba647b6fe2ea449f79b6ce07f56e

SHA1
b750496b6607dbccf15f7be2ab3915c95532eb8e

SHA256
0e7427eea52bdd8b88cc6dd1fecf58ee078f4748686b93c0c98d3d9fee26d471

SHA512
b074048932d4133be87a0148c5037980bae5cbb184ff397ce2876fe895bf21c81c49d253546590e04ccf906e25d1420f5ac0cc33de51f3fd5897411f232eeddc

Download Submit
C:\Users\Admin\Desktop\CompressSet.svg.8E5-AA3-C3C
MD5
894eefd0834b2ae0cc22e46448965d39

SHA1
1db36c10d5d843cd04b1e464f32e76d815a863d5

SHA256
ecf07f3c8b1c328a798356b0f3c6010a2153972a1bf92fa82eb39e7271f6934a

SHA512
e30a72120f4b9a3a641b092abdaba8cb6113ca60b7897b20f1af367d44587b82599c8a0c6a1dc68ba6456e6a7c3c9250015d397096e51851638eb8da3d4c1949

Download Submit
C:\Users\Admin\Desktop\ConvertToSkip.xht.8E5-AA3-C3C
MD5
ef20b13f5beb1b6c9591452203494362

SHA1
c734d971e1b6dcb839ed4758dee8c8169e926886

SHA256
a938a7239401b73b9dbccc3b7994ffe9e515fb60b43140baab2a75b846e4eb57

SHA512
d72da5b4383b615a16d6c908a0387cd8aac74fdcc4130604529cd7c8d0e9dea21c60df29e51142a66cf33f873fc7ec44e094ed1c5b5e57e05b024c619000981a

Download Submit
C:\Users\Admin\Desktop\ConvertToUnpublish.ogg.8E5-AA3-C3C
MD5
05d517f2b8e4e0ce0058fd550ba08be9

SHA1
20410b51b473fc999f5f346fac5464d287c97a9b

SHA256
c81d5180ab4bb94e0c274e9817ce61cebd0f22b9862f8d3e249d515116a1578f

SHA512
a89c00ed40f462d20b6d5e951b8d4720108ef16d9c6f9a5bab1eac609edefa8d422b1577546a1cb34f60efe6c3d13f553ee6a44c8b394664a37ca64e70b0b519

Download Submit
C:\Users\Admin\Desktop\DebugUse.midi.8E5-AA3-C3C
MD5
fb6774565737cb629b935ae320f445ea

SHA1
ad1f304cadd2538ccacc2b0f31c857d51d812591

SHA256
5cbe9657b5ab4e155af9d827263ba1d34f23d4e41ef5e7044421c292ad01741d

SHA512
1515897c611b9a7b293455c48bf42a7a93892fe7245c9d06e8aaba4e96d0a999e7c0be4d6f252a41dc49e2cdc718a0d164e11cffdab5514829173f28011286da

Download Submit
C:\Users\Admin\Desktop\ExitGet.mov.8E5-AA3-C3C
MD5
037b8fdc57826fb110ce28d7bf867563

SHA1
70a6c6ee1ffefb9b5bbc2dd16251864dae4086f3

SHA256
43b4e33f97d57e7a9d64e613582f1eb1113ec33019ae2e49ec7ae1561169fe31

SHA512
2421449ed74eaa4ff2e3fcebb7d182d9e7fca3f3c68e4c9333d37eb12343a01339fdb6b9522115e7015aed742389e3017189c1d01f94d3c385e911b4852f292d

Download Submit
C:\Users\Admin\Desktop\ExportStart.m4a.8E5-AA3-C3C
MD5
95d3e6f7ff2d37209bd336b2e09dd12e

SHA1
49096e2b9a0dd0bc07bcda8e9f0f8ab91bcdf72c

SHA256
1dcaddd96507fbbfbf8df23ab08a2d3cf8354c3f769c973901fae65c250f732a

SHA512
869d357a8defc5e41479659ecd48ef462b4f34c9a29d2b2f95eb20e3ec644b61d2ad22b3d6beb891b5180b37d654969b9aa29b6f665ec8585e661249f8325605

Download Submit
C:\Users\Admin\Desktop\GroupCopy.vst.8E5-AA3-C3C
MD5
3a80062b08e475b1735d574ca6d7e362

SHA1
adce9d9f97e0f15af3ea10e746e131ae4a0056b2

SHA256
fd83a9bd58e26a375b73dec3e497457784d8ab80650e16864d226b3136f1d4c3

SHA512
7a8f60f58a9814d7c30b385371a0be3140773c63c2b325c367b005c6e8d2db8e7f1c06c5b0381c5d3ec45c3c0dae3271aabeb73ea4b04367d4281d99fff9928c

Download Submit
C:\Users\Admin\Desktop\InstallConvertFrom.pot.8E5-AA3-C3C
MD5
7bd1a8ca00989bd2bee5ebe1ffc70b0a

SHA1
e975d08b6e60540d3e3778391a7b027162de4533

SHA256
d79ea265d6ab64ada5c161680c12271b1191e53faf770823a20583fa2ef90d47

SHA512
552dcab555e8ec24cbb5897e73ffa69a3a157f5f403338f86237fb229859b6e0230b739e05ede6fdbb7e15aeba12ee50622e0c72549f160155c855dd61902a4a

Download Submit
C:\Users\Admin\Desktop\PopLock.vsd.8E5-AA3-C3C
MD5
1b6b27231b17a5e925bb97d51f8da140

SHA1
433057c0654e57861023bd0ca10b21ec9c11e643

SHA256
7b1d7aad9e1df3b67303292ea01441934dcc38a1313c6c9a984aedb8cae453b9

SHA512
99f48776e3631a3698a03157783a1fd81fa7257726aac2bdee1379e87dabbb07d33d755808fbd0db353cf2ffccae03432a6f9b7179496e926f7ccc384fa88d22

Download Submit
C:\Users\Admin\Desktop\PublishUnpublish.DVR.8E5-AA3-C3C
MD5
44fa2605f323200124665431d497a7d8

SHA1
daa4fb5461aed76360b25f8219410285283f350e

SHA256
24866f32c8f82dfa950d54ac4916cfb95cced204eb4a6353936b20e33737fec2

SHA512
3bcc17ef726522238ab89cc8664091fed5353b30c4e88f198de7f2160243a1bf1d7bca6603d0ba07bf5e243055e156715a1d64b73d933d4322158c6d56a7bf6b

Download Submit
C:\Users\Admin\Desktop\RedoUnblock.xlsb.8E5-AA3-C3C
MD5
cf840f62f9b5b23903eee09926915ac2

SHA1
40961700ac5c81d557a12bb9d846048e69a19ab8

SHA256
e00f124fb0f2a9fcd61cd83769148fab4939db64c1f3ed598ec1a03d80ad540c

SHA512
d9db634f9803d24e27b7057d2db414c7f39a57bf131f761c04448a88b46638383342cfd52f9f0b1b86cdd319c8568f5e6400f2eae5ce64d495c17ef1a93e4dc6

Download Submit
C:\Users\Admin\Desktop\RequestResume.vsdx.8E5-AA3-C3C
MD5
564550e854094e4fb3cfebbefcffdb53

SHA1
9aa1a5bc645242a7f0abf7f0bb6c8f50cf5c94cc

SHA256
7a6192f341e7b2b91b766146d7a957e7b2f5b2a1b27fdc403039d4d7960c026d

SHA512
8f1d6a9170a348426649a76efb68cf51c3da62bc7a0966ac7a5147f029c14dbd8665087e41390273c9495ba3ea6fc761d17760d3dabb2e74f77342c266b4700d

Download Submit
C:\Users\Admin\Desktop\SetPing.xml.8E5-AA3-C3C
MD5
5b8760e47f09dd08b1c834bf6bcd7170

SHA1
79273c06b548d1b1746c6ec1f9af4a72ec87c39c

SHA256
9b6e7ec200d2972c2b732b87a3937ee90dc4622fbf9e559b22d1c012446c8b8a

SHA512
a1ceabe00ba7f4f82ffc0c8b51eef26c1804fadc364d274c13a097f31e52e29c73f0912ae8b737daf7c85cfb3faeefdd72aedf49fcbd78d4c2280f991d1377ad

Download Submit
C:\Users\Admin\Desktop\SkipConvertFrom.avi.8E5-AA3-C3C
MD5
0208cd3e7604e2b93b73b11322c924c4

SHA1
08428636808472b968e679c5c29bc6bf781fef3d

SHA256
d9c1426e659f78911bc23a2f3b3ea66544df431196ebca085b07d5b66c4a66db

SHA512
2770f441b40f9e409d786b524fb5282461bd886455c6817a75c17b765affe20d32006011eb83784bff03015d0f898524e0477c2841f36871f1f87bee34158fc1

Download Submit
C:\Users\Admin\Desktop\StartOut.mpg.8E5-AA3-C3C
MD5
874c7fbc103683de83180e755a47de9a

SHA1
1885de5b9658eb30375a514753520a89fd25784f

SHA256
28842bb8dfc92cff194dd8354caba1c9b8a488f20febc32b9069ab7f3e86b5a6

SHA512
a2426ff6071c493d598f7ac18db2aada2c682bd7ebcb073865510db9ebad8eac44edf7c03c8f772f7b4da5a9620130b8bce46967c761d4364f76c297cf2763b6

Download Submit
C:\Users\Admin\Desktop\SuspendDismount.au3.8E5-AA3-C3C
MD5
5f2a0b00a93523c020d026e3cfe121bd

SHA1
cde6a4370c93bfc8c6031b01bc19d001777cbf07

SHA256
d85cb784c58a099b23ed3fed163f3055a0b1a5ce16ff1815704818eeb2693e64

SHA512
60d67c285cc724732ff4ea6b2f2a04017d1dbd8203a512ca89f37de48dae5851d2894f7110a035dcc939aeb46007401339ad0e2dfe23fd3ab17d50d03c0d0305

Download Submit
C:\Users\Admin\Desktop\SwitchReset.rtf.8E5-AA3-C3C
MD5
a1b02c56ecce36d3e9c1c092148363a8

SHA1
79f8ac6312dab78b50c0db3aa184d9b54f12131e

SHA256
14bd1cbea99749d06e15f5ac4862e501ae49ddb06701e4363ebf6eeceb0fea60

SHA512
fc752f8e9d521d9ea000e042945c14093ca7581e3208140f410929c34298aaad17f7f5676b16da34fd58e217a06020147579da70f49838d9c0d1496d45ad9c4c

Download Submit
C:\Users\Admin\Desktop\SyncMerge.mpe.8E5-AA3-C3C
MD5
c15af10d65c867e5f8cce9f8bb451c56

SHA1
b4d1391ddbd1a5077c3087e230919653cfbca491

SHA256
19dc1791b0aca6b2e03fc0d2fc41a7c09aba51c5ed69781eefc3106716337cd5

SHA512
8b70d1507a213a5f37ca2788492ab367b4bb9fdedca0b2a2c20a87d2e5d71b91d5f0d5ec489f6298275f0108e67e20927fc26eaa80cda91bede90a1640af2e87

Download Submit
C:\Users\Admin\Desktop\UnblockTrace.aif.8E5-AA3-C3C
MD5
3a2283770327bb6e189ba8683bad8df5

SHA1
dc1692c61a8964e24adb9993f52407865c400089

SHA256
d40fa0de0372b8320fce6d8043aba967b78b0471f39746579d53e052752f20ec

SHA512
03949c08e80e4fe797f4568cf4c80048b82c01c2406bae854a5a65ab3181ac7463d387ff51b5e20d62bad8a5acdfb30ff003bd84ee731808cc7c58475c5867bd

Download Submit
C:\Users\Admin\Desktop\UnprotectPublish.ogg.8E5-AA3-C3C
MD5
3b2a5281254178c4f9410ad1e6d8b0b8

SHA1
215199df43fea9e9ffd3b9098b27900a70c7fde4

SHA256
65ed9581b3c4af0f270324f36d4f87cd718460d116e63cbe0893cdaadeb2206e

SHA512
b0bb4767bbe703eff866672ecae9dbc7834cefc61672d87687915551cc5556bfbe8425a9b04d02e1f54996b532d052a6666e1c99bcbadbac344ca047a22ee240

Download Submit
C:\Users\Admin\Desktop\WriteMove.3gp2.8E5-AA3-C3C
MD5
3de33ad558596fab3768204ec9233704

SHA1
066b24bbb50d57eac370ecf0472f21ba28171de7

SHA256
47e2edb2d1d1ac65e665cc6a426d1aae9ccef39e89fa1540d5634199abda5d09

SHA512
63e3fb936099df263ca2378f50e73573712ab44925e8718c3032325f707d63d08ee8072d93655b5a544565d1049b2d8fd5f2ec497e8897477eb1ae1e5cbb45f1

Download Submit
memory/416-46-0x0000000000000000-mapping.dmp

Download
memory/416-45-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/488-10-0x0000000000000000-mapping.dmp

Download
memory/504-11-0x0000000000000000-mapping.dmp

Download
memory/1080-9-0x0000000000000000-mapping.dmp

Download
memory/1380-5-0x0000000000000000-mapping.dmp

Download
memory/1504-8-0x0000000000000000-mapping.dmp

Download
memory/2296-16-0x0000000000000000-mapping.dmp

Download
memory/2684-2-0x0000000000000000-mapping.dmp

Download
memory/2968-6-0x0000000000000000-mapping.dmp

Download
memory/3064-15-0x0000000000000000-mapping.dmp

Download
memory/3808-7-0x0000000000000000-mapping.dmp

Download
memory/3988-17-0x0000000000000000-mapping.dmp

Download
memory/4064-14-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads