90413227e6a42728248b5adf7c8930491a3ef2c7ec3b21d93f5da52a8f126f6d

Reason

Remote task has failed: Machine shutdown

General

Target

repack by xatab.exe
Size

222KB
MD5

e2aaff3cf5f2b9fee6061eddf55620b9
SHA1

f780afcca44c836dc48619dece8374882521bbb1
SHA256

90413227e6a42728248b5adf7c8930491a3ef2c7ec3b21d93f5da52a8f126f6d
SHA512

8827152335018563b4091ed5aebac7d26ff0eae478a848eb8659c9fe9a4ffcd9599457587b3b4310253d85571fe385d3ac4499366e621326092be1b178039834

Score

10^/10

bootkit persistence ransomware upx

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\HOW TO DECRYPT FILES.txt

Ransom Note

The harddisks of your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key To purchase your key and restore your data, please follow these three easy steps: 1.Create btc wallet and send 350 $ to Happy walentine day nohing personal Please make my life easier write in the them of transaction your email adress

Signatures

Executes dropped EXE 4 IoCs

Processes:

DECRYPTOR V0.2D.EXEMISHA.EXEUPDATE.EXEUPDATE12.EXE

pid process

1880 DECRYPTOR V0.2D.EXE
2056 MISHA.EXE
2356 UPDATE.EXE
2664 UPDATE12.EXE

pid	process
1880	DECRYPTOR V0.2D.EXE
2056	MISHA.EXE
2356	UPDATE.EXE
2664	UPDATE12.EXE

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE	upx
C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

UPDATE.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	UPDATE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\q3j7M8QHiu41t8O.exe"	UPDATE.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MISHA.EXE

description ioc process

File opened for modification \??\PhysicalDrive0 MISHA.EXE

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MISHA.EXE

Drops file in Program Files directory 64 IoCs

Processes:

UPDATE.EXE

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	UPDATE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\HOW TO DECRYPT FILES.txt	UPDATE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\HOW TO DECRYPT FILES.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	UPDATE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\HOW TO DECRYPT FILES.txt	UPDATE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\HOW TO DECRYPT FILES.txt	UPDATE.EXE
File created	C:\Program Files\7-Zip\Lang\HOW TO DECRYPT FILES.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	UPDATE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\HOW TO DECRYPT FILES.txt	UPDATE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\HOW TO DECRYPT FILES.txt	UPDATE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\HOW TO DECRYPT FILES.txt	UPDATE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\HOW TO DECRYPT FILES.txt	UPDATE.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-correct.avi	UPDATE.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-delete.avi	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	UPDATE.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\FlickAnimation.avi	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	UPDATE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ink\HOW TO DECRYPT FILES.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	UPDATE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\HOW TO DECRYPT FILES.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	UPDATE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\HOW TO DECRYPT FILES.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	UPDATE.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-split.avi	UPDATE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\HOW TO DECRYPT FILES.txt	UPDATE.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\delete.avi	UPDATE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\HOW TO DECRYPT FILES.txt	UPDATE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\HOW TO DECRYPT FILES.txt	UPDATE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\HOW TO DECRYPT FILES.txt	UPDATE.EXE
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\correct.avi	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\History.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	UPDATE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\HOW TO DECRYPT FILES.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	UPDATE.EXE
File opened for modification	C:\Program Files\7-Zip\readme.txt	UPDATE.EXE
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\HOW TO DECRYPT FILES.txt	UPDATE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4048 2664 WerFault.exe UPDATE12.EXE

pid	pid_target	process	target process
4048	2664	WerFault.exe	UPDATE12.EXE

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Modifies registry class 10 IoCs

Processes:

UPDATE.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\q3j7M8QHiu41t8O.exe"	UPDATE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	UPDATE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\q3j7M8QHiu41t8O.exe,0"	UPDATE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\shell\open\command	UPDATE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\DefaultIcon	UPDATE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\shell	UPDATE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\shell\open	UPDATE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "KCXHETCINNVXNCV"	UPDATE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV	UPDATE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\KCXHETCINNVXNCV\ = "CRYPTED!"	UPDATE.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

shutdown.exeshutdown.exe

description	pid	process
Token: SeShutdownPrivilege	2496	shutdown.exe
Token: SeRemoteShutdownPrivilege	2496	shutdown.exe
Token: SeShutdownPrivilege	2644	shutdown.exe
Token: SeRemoteShutdownPrivilege	2644	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

220 LogonUI.exe

pid	process
220	LogonUI.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

repack by xatab.exeMISHA.EXE

description	pid	process	target process
PID 3424 wrote to memory of 1880	3424	repack by xatab.exe	DECRYPTOR V0.2D.EXE
PID 3424 wrote to memory of 1880	3424	repack by xatab.exe	DECRYPTOR V0.2D.EXE
PID 3424 wrote to memory of 1880	3424	repack by xatab.exe	DECRYPTOR V0.2D.EXE
PID 3424 wrote to memory of 2056	3424	repack by xatab.exe	MISHA.EXE
PID 3424 wrote to memory of 2056	3424	repack by xatab.exe	MISHA.EXE
PID 3424 wrote to memory of 2056	3424	repack by xatab.exe	MISHA.EXE
PID 3424 wrote to memory of 2356	3424	repack by xatab.exe	UPDATE.EXE
PID 3424 wrote to memory of 2356	3424	repack by xatab.exe	UPDATE.EXE
PID 3424 wrote to memory of 2356	3424	repack by xatab.exe	UPDATE.EXE
PID 2056 wrote to memory of 2496	2056	MISHA.EXE	shutdown.exe
PID 2056 wrote to memory of 2496	2056	MISHA.EXE	shutdown.exe
PID 2056 wrote to memory of 2496	2056	MISHA.EXE	shutdown.exe
PID 2056 wrote to memory of 2644	2056	MISHA.EXE	shutdown.exe
PID 2056 wrote to memory of 2644	2056	MISHA.EXE	shutdown.exe
PID 2056 wrote to memory of 2644	2056	MISHA.EXE	shutdown.exe
PID 3424 wrote to memory of 2664	3424	repack by xatab.exe	UPDATE12.EXE
PID 3424 wrote to memory of 2664	3424	repack by xatab.exe	UPDATE12.EXE

C:\Users\Admin\AppData\Local\Temp\repack by xatab.exe
"C:\Users\Admin\AppData\Local\Temp\repack by xatab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3424

C:\Users\Admin\AppData\Local\Temp\DECRYPTOR V0.2D.EXE
"C:\Users\Admin\AppData\Local\Temp\DECRYPTOR V0.2D.EXE"
2⤵
- Executes dropped EXE
PID:1880

C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE
"C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
PID:2356

C:\Users\Admin\AppData\Local\Temp\UPDATE12.EXE
"C:\Users\Admin\AppData\Local\Temp\UPDATE12.EXE"
2⤵
- Executes dropped EXE
PID:2664

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2664 -s 700
3⤵
- Program crash
PID:4048

C:\Users\Admin\AppData\Local\Temp\MISHA.EXE
"C:\Users\Admin\AppData\Local\Temp\MISHA.EXE"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\shutdown.exe
shutdown.exe -r -f -t 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\SysWOW64\shutdown.exe
C:\Windows\System32\shutdown.exe -r -f -t 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ac8855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:220

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DECRYPTOR V0.2D.EXE
MD5
921c02dd77c3725fa59905cae1d62ef4

SHA1
209e0fe763362b71399c079a441459bde0e8ba74

SHA256
8e0f3044d45b6ba6a1eab878f9197670bc7b2d93b61ef7830f97b5bb918c8c12

SHA512
c207cd799f4244d4d550e2df5a4625cdaf0e230cbf43e36a5f02e7ab786ede53d9069e4d615f144b84c3c79b955194ad64015b3f3adf235a0278de4664dd60d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DECRYPTOR V0.2D.EXE
MD5
921c02dd77c3725fa59905cae1d62ef4

SHA1
209e0fe763362b71399c079a441459bde0e8ba74

SHA256
8e0f3044d45b6ba6a1eab878f9197670bc7b2d93b61ef7830f97b5bb918c8c12

SHA512
c207cd799f4244d4d550e2df5a4625cdaf0e230cbf43e36a5f02e7ab786ede53d9069e4d615f144b84c3c79b955194ad64015b3f3adf235a0278de4664dd60d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MISHA.EXE
MD5
3702ab9f6561e836d97e1bc28f68543e

SHA1
5ebdcfb324eb0cca288c63e8f8d8b0fa3c92cbe8

SHA256
58019901083bce520e1e454ecc82e46f4de32dc721b546ab1e418328ef93f860

SHA512
d1bcc7649941b913000dd6d88d76d0eee6883fb81774c46c06e1043e9da026864cd3cb6c7b6aeda8079e264a95afab1c6732b1e8aba4f589379803c0a071562f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MISHA.EXE
MD5
3702ab9f6561e836d97e1bc28f68543e

SHA1
5ebdcfb324eb0cca288c63e8f8d8b0fa3c92cbe8

SHA256
58019901083bce520e1e454ecc82e46f4de32dc721b546ab1e418328ef93f860

SHA512
d1bcc7649941b913000dd6d88d76d0eee6883fb81774c46c06e1043e9da026864cd3cb6c7b6aeda8079e264a95afab1c6732b1e8aba4f589379803c0a071562f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE
MD5
e4bb04fe99f81331aa57a5c17b4c9111

SHA1
989f8c30ceade5cc839100e673f0818c2070a107

SHA256
c70ed86ee62c96b7e5e78874810bc3050a2ecb6cda159bb556f830da720bd835

SHA512
2beea8f344f0cae1e2f6eb8b3420a3764db9c9361d86673a9a10971b1dfc9dafd616b8b26f79d27d3cbd7351d274c67b29ba114300f6cc78fa0a92afb1baec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPDATE.EXE
MD5
e4bb04fe99f81331aa57a5c17b4c9111

SHA1
989f8c30ceade5cc839100e673f0818c2070a107

SHA256
c70ed86ee62c96b7e5e78874810bc3050a2ecb6cda159bb556f830da720bd835

SHA512
2beea8f344f0cae1e2f6eb8b3420a3764db9c9361d86673a9a10971b1dfc9dafd616b8b26f79d27d3cbd7351d274c67b29ba114300f6cc78fa0a92afb1baec6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPDATE12.EXE
MD5
5d85c23d3bcbba39ad63b98be64a688f

SHA1
bd7651d157480f122f106ae4991947c5f008d0cf

SHA256
06ed693d7f86ea5b484efb53ef469292a69d682fe0a68b0dd7a69fad6a736ada

SHA512
82ed8436517aa412064ebe426f4125aa485996650f863d88fb8e7cd4c18cc4394441fde4ab9d24606a558d56e07d4c6f185978fe55ca27dfcac6d25c824856a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPDATE12.EXE
MD5
5d85c23d3bcbba39ad63b98be64a688f

SHA1
bd7651d157480f122f106ae4991947c5f008d0cf

SHA256
06ed693d7f86ea5b484efb53ef469292a69d682fe0a68b0dd7a69fad6a736ada

SHA512
82ed8436517aa412064ebe426f4125aa485996650f863d88fb8e7cd4c18cc4394441fde4ab9d24606a558d56e07d4c6f185978fe55ca27dfcac6d25c824856a3

Download Submit
memory/1880-130-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1880-114-0x0000000000000000-mapping.dmp

Download
memory/1880-133-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/1880-132-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/2056-117-0x0000000000000000-mapping.dmp

Download
memory/2356-119-0x0000000000000000-mapping.dmp

Download
memory/2496-121-0x0000000000000000-mapping.dmp

Download
memory/2644-122-0x0000000000000000-mapping.dmp

Download
memory/2664-123-0x0000000000000000-mapping.dmp

Download
memory/2664-128-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads