hellokitty | 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe

General

Target

501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe
Size

157KB
MD5

136bd70f7aa98f52861879d7dca03cf2
SHA1

fadd8d7c13a18c251ded1f645ffea18a37f1c2de
SHA256

501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe
SHA512

919b81c6e062f26fef9f2f02f60af9493795ab1e74be0977210375598d2a17e37add7f7843f94c7cd6c44ba12af777a478c3744692ece2e31864b6aafd37e8df

Score

10^/10

hellokitty ransomware

Malware Config

Extracted

Path

C:\Documents and Settings\read_me_lkd.txt

Ransom Note

Hello dear user. Your files have been encrypted. -- What does it mean?! Content of your files have been modified. Without special key you can't undo that operation. -- How to get special key? If you want to get it, you must pay us some money and we will help you. We will give you special decryption program and instructions. -- Ok, how i can pay you? 1) Download TOR browser, if you don't know how to do it you can google it. 2) Open this website in tor browser: http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/d87c3f9baf85b2e9ab2a824bb78868294e19992e2e26b54f248abfa73c42a7c0 3) Follow instructions in chat.

URLs

http://6x7dp6h3w6q3ugjv4yv5gycj3femb24kysgry5b44hhgfwc5ml5qrdad.onion/d87c3f9baf85b2e9ab2a824bb78868294e19992e2e26b54f248abfa73c42a7c0

Signatures

HelloKitty Ransomware
Ransomware family which has been active since late 2020, and in early 2021 a variant compromised the CDProjektRed game studio.
ransomware hellokitty

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\GetSkip.raw => C:\Users\Admin\Pictures\GetSkip.raw.crypted	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe
File renamed	C:\Users\Admin\Pictures\WatchConvert.tiff => C:\Users\Admin\Pictures\WatchConvert.tiff.crypted	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe
File opened for modification	C:\Users\Admin\Pictures\WatchConvert.tiff	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe
File renamed	C:\Users\Admin\Pictures\BlockRevoke.crw => C:\Users\Admin\Pictures\BlockRevoke.crw.crypted	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe
File renamed	C:\Users\Admin\Pictures\EnableReset.tif => C:\Users\Admin\Pictures\EnableReset.tif.crypted	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe
File renamed	C:\Users\Admin\Pictures\UpdateStart.tif => C:\Users\Admin\Pictures\UpdateStart.tif.crypted	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe
File opened for modification	C:\Users\Admin\Pictures\ApproveExport.tiff	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe
File renamed	C:\Users\Admin\Pictures\BackupClose.crw => C:\Users\Admin\Pictures\BackupClose.crw.crypted	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe
File renamed	C:\Users\Admin\Pictures\ApproveExport.tiff => C:\Users\Admin\Pictures\ApproveExport.tiff.crypted	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 38 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1388	taskkill.exe
680	taskkill.exe
968	taskkill.exe
1640	taskkill.exe
1948	taskkill.exe
1540	taskkill.exe
920	taskkill.exe
340	taskkill.exe
2456	taskkill.exe
1844	taskkill.exe
856	taskkill.exe
1288	taskkill.exe
920	taskkill.exe
964	taskkill.exe
2080	taskkill.exe
900	taskkill.exe
268	taskkill.exe
1216	taskkill.exe
1228	taskkill.exe
1852	taskkill.exe
1128	taskkill.exe
300	taskkill.exe
2372	taskkill.exe
2700	taskkill.exe
3056	taskkill.exe
2280	taskkill.exe
2044	taskkill.exe
2516	taskkill.exe
1664	taskkill.exe
620	taskkill.exe
2108	taskkill.exe
2980	taskkill.exe
2520	taskkill.exe
1616	taskkill.exe
1232	taskkill.exe
1000	taskkill.exe
2056	taskkill.exe
1620	taskkill.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe

pid process

1496 501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe

pid	process
1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	620	taskkill.exe
Token: SeDebugPrivilege	1540	taskkill.exe
Token: SeDebugPrivilege	856	taskkill.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	1232	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	300	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	1128	taskkill.exe
Token: SeDebugPrivilege	920	taskkill.exe
Token: SeDebugPrivilege	680	taskkill.exe
Token: SeDebugPrivilege	268	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	964	taskkill.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	920	taskkill.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	3056	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	1216	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	340	taskkill.exe
Token: SeDebugPrivilege	1852	taskkill.exe
Token: SeDebugPrivilege	2516	taskkill.exe
Token: 33	2740	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2740	AUDIODG.EXE
Token: 33	2740	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2740	AUDIODG.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe

description	pid	process	target process
PID 1496 wrote to memory of 1664	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1664	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1664	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1664	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1540	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1540	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1540	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1540	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 856	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 856	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 856	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 856	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1288	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1288	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1288	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1288	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1388	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1388	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1388	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1388	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 620	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 620	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 620	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 620	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1616	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1616	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1616	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1616	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1640	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1640	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1640	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1640	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 900	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 900	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 900	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 900	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1128	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1128	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1128	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1128	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1232	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1232	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1232	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1232	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 300	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 300	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 300	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 300	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 920	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 920	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 920	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 920	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 680	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 680	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 680	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 680	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1000	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1000	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1000	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1000	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1948	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1948	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1948	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe
PID 1496 wrote to memory of 1948	1496	501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe
"C:\Users\Admin\AppData\Local\Temp\501487b025f25ddf1ca32deb57a2b4db43ccf6635c1edc74b9cff54ce0e5bcfe.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im mysql*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im dsa*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Ntrtscan*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im ds_monitor*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Notifier*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im TmListen*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im iVPAgent*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im CNTAoSMgr*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im IBM*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im bes10*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im black*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im robo*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:300

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im copy*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im store.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im sql*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im vee*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im wrsa*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im wrsa.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im postg*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im sage*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
2⤵
PID:2208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
3⤵
PID:2724

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$ISARS
2⤵
PID:2400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$ISARS
3⤵
PID:2792

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQL$MSFW
2⤵
PID:2444

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
3⤵
PID:2740

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$ISARS
2⤵
PID:2500

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
3⤵
PID:2700

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLAgent$MSFW
2⤵
PID:2612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
3⤵
PID:2748

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLBrowser
2⤵
PID:2644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
3⤵
PID:2964

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop ReportServer$ISARS
2⤵
PID:2756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ReportServer$ISARS
3⤵
PID:2980

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SQLWriter
2⤵
PID:2812

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
3⤵
PID:3000

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop WinDefend
2⤵
PID:2992

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop WinDefend
3⤵
PID:3064

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop mr2kserv
2⤵
PID:3024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mr2kserv
3⤵
PID:2668

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeADTopology
2⤵
PID:3040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeADTopology
3⤵
PID:2704

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeFBA
2⤵
PID:2200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeFBA
3⤵
PID:2580

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeIS
2⤵
PID:2476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeIS
3⤵
PID:2804

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSExchangeSA
2⤵
PID:2772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSExchangeSA
3⤵
PID:2624

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop ShadowProtectSvc
2⤵
PID:2744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ShadowProtectSvc
3⤵
PID:2760

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SPAdminV4
2⤵
PID:2740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPAdminV4
3⤵
PID:2636

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SPTimerV4
2⤵
PID:2488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPTimerV4
3⤵
PID:2456

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SPTraceV4
2⤵
PID:2980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPTraceV4
3⤵
PID:3028

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SPUserCodeV4
2⤵
PID:2968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPUserCodeV4
3⤵
PID:2748

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SPWriterV4
2⤵
PID:3000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPWriterV4
3⤵
PID:2712

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop SPSearch4
2⤵
PID:2836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SPSearch4
3⤵
PID:2520

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop MSSQLServerADHelper100
2⤵
PID:3052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
3⤵
PID:2200

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop IISADMIN
2⤵
PID:3048

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISADMIN
3⤵
PID:2452

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop firebirdguardiandefaultinstance
2⤵
PID:2656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop firebirdguardiandefaultinstance
3⤵
PID:2644

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop ibmiasrw
2⤵
PID:2620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ibmiasrw
3⤵
PID:3060

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QBCFMonitorService
2⤵
PID:2660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService
3⤵
PID:2960

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QBVSS
2⤵
PID:2432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBVSS
3⤵
PID:2072

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QBPOSDBServiceV12
2⤵
PID:2984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBPOSDBServiceV12
3⤵
PID:2480

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "IBM Domino Server(CProgramFilesIBMDominodata)"
2⤵
PID:2796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "IBM Domino Server(CProgramFilesIBMDominodata)"
3⤵
PID:3008

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
2⤵
PID:2284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "IBM Domino Diagnostics(CProgramFilesIBMDomino)"
3⤵
PID:888

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop IISADMIN
2⤵
PID:2240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop IISADMIN
3⤵
PID:3028

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "Simply Accounting Database Connection Manager"
2⤵
PID:1240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Simply Accounting Database Connection Manager"
3⤵
PID:524

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB1
2⤵
PID:1232

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB1
3⤵
PID:3040

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB2
2⤵
PID:1052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB2
3⤵
PID:2104

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB3
2⤵
PID:1376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB3
3⤵
PID:1568

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB4
2⤵
PID:2148

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB4
3⤵
PID:2488

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB5
2⤵
PID:2580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB5
3⤵
PID:2632

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB6
2⤵
PID:2348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB6
3⤵
PID:2812

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB7
2⤵
PID:1384

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB7
3⤵
PID:2768

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB8
2⤵
PID:2988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB8
3⤵
PID:2996

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB9
2⤵
PID:3020

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB9
3⤵
PID:2420

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB10
2⤵
PID:2740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB10
3⤵
PID:2640

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB11
2⤵
PID:2720

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB11
3⤵
PID:2600

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB12
2⤵
PID:2668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB12
3⤵
PID:2976

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB13
2⤵
PID:3044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB13
3⤵
PID:2840

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB14
2⤵
PID:3012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB14
3⤵
PID:2760

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB15
2⤵
PID:2616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB15
3⤵
PID:2092

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB16
2⤵
PID:2724

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB16
3⤵
PID:3008

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB17
2⤵
PID:692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB17
3⤵
PID:524

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB18
2⤵
PID:2604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB18
3⤵
PID:2120

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB19
2⤵
PID:3028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB19
3⤵
PID:2392

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB21
2⤵
PID:2648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB21
3⤵
PID:1800

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB20
2⤵
PID:792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB20
3⤵
PID:2612

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB22
2⤵
PID:1064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB22
3⤵
PID:2900

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB23
2⤵
PID:2356

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB23
3⤵
PID:2824

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB24
2⤵
PID:2360

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB24
3⤵
PID:2708

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop QuickBooksDB25
2⤵
PID:1660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QuickBooksDB25
3⤵
PID:2476

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /PID "3028"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /PID "3028"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /PID "3028"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /PID "2648"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /PID "2648"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /PID "2648"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /PID "1064"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /PID "1064"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /PID "1064"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /PID "2356"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /PID "2356"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /PID "2356"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /PID "2360"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /PID "2360"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /PID "2360"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /PID "1660"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /PID "1660"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /PID "1660"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1583539217-16513257095204628221026706312046926428944338860-821614704-1271230231"
1⤵
PID:888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5790384771827036527-9959659251879660144977178357-277053411-500689929-313144406"
1⤵
PID:3040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "271997247-925682453482793044-21098484651199320203-1949851057-1063587328542557180"
1⤵
PID:2996

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-77-0x0000000000000000-mapping.dmp

Download
memory/300-72-0x0000000000000000-mapping.dmp

Download
memory/620-66-0x0000000000000000-mapping.dmp

Download
memory/680-74-0x0000000000000000-mapping.dmp

Download
memory/856-63-0x0000000000000000-mapping.dmp

Download
memory/900-69-0x0000000000000000-mapping.dmp

Download
memory/920-73-0x0000000000000000-mapping.dmp

Download
memory/964-78-0x0000000000000000-mapping.dmp

Download
memory/1000-75-0x0000000000000000-mapping.dmp

Download
memory/1128-70-0x0000000000000000-mapping.dmp

Download
memory/1232-71-0x0000000000000000-mapping.dmp

Download
memory/1288-64-0x0000000000000000-mapping.dmp

Download
memory/1388-65-0x0000000000000000-mapping.dmp

Download
memory/1496-60-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1540-62-0x0000000000000000-mapping.dmp

Download
memory/1616-67-0x0000000000000000-mapping.dmp

Download
memory/1640-68-0x0000000000000000-mapping.dmp

Download
memory/1664-61-0x0000000000000000-mapping.dmp

Download
memory/1948-76-0x0000000000000000-mapping.dmp

Download
memory/2080-79-0x0000000000000000-mapping.dmp

Download
memory/2108-80-0x0000000000000000-mapping.dmp

Download
memory/2200-101-0x0000000000000000-mapping.dmp

Download
memory/2200-123-0x0000000000000000-mapping.dmp

Download
memory/2208-81-0x0000000000000000-mapping.dmp

Download
memory/2400-82-0x0000000000000000-mapping.dmp

Download
memory/2444-83-0x0000000000000000-mapping.dmp

Download
memory/2456-120-0x0000000000000000-mapping.dmp

Download
memory/2476-102-0x0000000000000000-mapping.dmp

Download
memory/2488-110-0x0000000000000000-mapping.dmp

Download
memory/2500-84-0x0000000000000000-mapping.dmp

Download
memory/2580-106-0x0000000000000000-mapping.dmp

Download
memory/2612-85-0x0000000000000000-mapping.dmp

Download
memory/2624-111-0x0000000000000000-mapping.dmp

Download
memory/2636-112-0x0000000000000000-mapping.dmp

Download
memory/2644-86-0x0000000000000000-mapping.dmp

Download
memory/2656-124-0x0000000000000000-mapping.dmp

Download
memory/2668-103-0x0000000000000000-mapping.dmp

Download
memory/2700-87-0x0000000000000000-mapping.dmp

Download
memory/2704-105-0x0000000000000000-mapping.dmp

Download
memory/2724-88-0x0000000000000000-mapping.dmp

Download
memory/2740-109-0x0000000000000000-mapping.dmp

Download
memory/2740-89-0x0000000000000000-mapping.dmp

Download
memory/2744-108-0x0000000000000000-mapping.dmp

Download
memory/2748-122-0x0000000000000000-mapping.dmp

Download
memory/2748-90-0x0000000000000000-mapping.dmp

Download
memory/2756-91-0x0000000000000000-mapping.dmp

Download
memory/2760-113-0x0000000000000000-mapping.dmp

Download
memory/2772-104-0x0000000000000000-mapping.dmp

Download
memory/2792-92-0x0000000000000000-mapping.dmp

Download
memory/2804-107-0x0000000000000000-mapping.dmp

Download
memory/2812-93-0x0000000000000000-mapping.dmp

Download
memory/2836-117-0x0000000000000000-mapping.dmp

Download
memory/2964-94-0x0000000000000000-mapping.dmp

Download
memory/2968-115-0x0000000000000000-mapping.dmp

Download
memory/2980-95-0x0000000000000000-mapping.dmp

Download
memory/2980-114-0x0000000000000000-mapping.dmp

Download
memory/2992-97-0x0000000000000000-mapping.dmp

Download
memory/3000-96-0x0000000000000000-mapping.dmp

Download
memory/3000-116-0x0000000000000000-mapping.dmp

Download
memory/3024-98-0x0000000000000000-mapping.dmp

Download
memory/3028-121-0x0000000000000000-mapping.dmp

Download
memory/3040-99-0x0000000000000000-mapping.dmp

Download
memory/3048-119-0x0000000000000000-mapping.dmp

Download
memory/3052-118-0x0000000000000000-mapping.dmp

Download
memory/3064-100-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads