buran | 576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1

Analysis

max time kernel
4294183s
max time network
125s
platform
windows7_x64
resource
win7-20220223-en
submitted
05-03-2022 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1.exe
Size

214KB
MD5

e609a4e0e0a91ebc8771fcc3f25c0990
SHA1

c552fbec8d6679017b5e9dedd4f03e29cb4c8718
SHA256

576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1
SHA512

0fab0c68eec67ce7e54b28651b0c85f6fd0401888e83e7b2346acc95a802d283185a77790cdb98f3850350a190cfe30b7e9d757fcfb95a8012adc34393eeffda

Score

10^/10

buran persistence ransomware

Malware Config

Extracted

Path

C:\!!! HOW TO BACK YOUR FILES !!!.TXT

Family

buran

Ransom Note

YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US: [email protected] ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER: Your personal ID: 304-A75-56B Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

spoolsv.exespoolsv.exe

pid process

1016 spoolsv.exe
1984 spoolsv.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

spoolsv.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\UnprotectPublish.tiff spoolsv.exe

pid	process
1016	spoolsv.exe
1984	spoolsv.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\UnprotectPublish.tiff	spoolsv.exe

Loads dropped DLL 3 IoCs

Processes:

576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1.exespoolsv.exe

pid	process
824	576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1.exe
824	576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1.exe
1016	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run	576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\spoolsv.exe\" -start"	576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spoolsv.exe

description	ioc	process
File opened (read-only)	\??\E:	spoolsv.exe
File opened (read-only)	\??\B:	spoolsv.exe
File opened (read-only)	\??\X:	spoolsv.exe
File opened (read-only)	\??\Q:	spoolsv.exe
File opened (read-only)	\??\P:	spoolsv.exe
File opened (read-only)	\??\O:	spoolsv.exe
File opened (read-only)	\??\M:	spoolsv.exe
File opened (read-only)	\??\J:	spoolsv.exe
File opened (read-only)	\??\W:	spoolsv.exe
File opened (read-only)	\??\V:	spoolsv.exe
File opened (read-only)	\??\U:	spoolsv.exe
File opened (read-only)	\??\T:	spoolsv.exe
File opened (read-only)	\??\N:	spoolsv.exe
File opened (read-only)	\??\H:	spoolsv.exe
File opened (read-only)	\??\S:	spoolsv.exe
File opened (read-only)	\??\R:	spoolsv.exe
File opened (read-only)	\??\I:	spoolsv.exe
File opened (read-only)	\??\G:	spoolsv.exe
File opened (read-only)	\??\Z:	spoolsv.exe
File opened (read-only)	\??\Y:	spoolsv.exe
File opened (read-only)	\??\L:	spoolsv.exe
File opened (read-only)	\??\K:	spoolsv.exe
File opened (read-only)	\??\F:	spoolsv.exe
File opened (read-only)	\??\A:	spoolsv.exe

Drops file in Program Files directory 64 IoCs

Processes:

spoolsv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR40F.GIF.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Rome	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGHEADING.XML.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198447.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318448.WMF.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00013_.WMF.304-A75-56B	spoolsv.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\!!! HOW TO BACK YOUR FILES !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialMergeLetter.dotx	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0171685.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Earthy.gif	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FORM.JS.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\it-IT\Chess.exe.mui.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101864.BMP	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR51B.GIF.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\TOC98.POC.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152698.WMF.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00234_.WMF	spoolsv.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\!!! HOW TO BACK YOUR FILES !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Foundry.eftx	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148309.JPG.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Clarity.xml	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297551.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR6B.GIF	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo.304-A75-56B	spoolsv.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\!!! HOW TO BACK YOUR FILES !!!.TXT	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Earthy.gif.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+3	spoolsv.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02522_.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\TAB_OFF.GIF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\JSByteCodeWin.bin.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSSKETSM.WMF.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02262_.WMF.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01562U.BMP	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel	spoolsv.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\vlc.mo.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309567.JPG	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01840_.GIF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15276_.GIF.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageSlice.gif	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyclient.jar	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107468.WMF	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGNS.ICO	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107090.WMF.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01565_.WMF.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Amsterdam.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Chuuk.304-A75-56B	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02285_.WMF	spoolsv.exe

Drops file in Windows directory 1 IoCs

Processes:

spoolsv.exe

description ioc process

File created C:\Windows\!!! HOW TO BACK YOUR FILES !!!.TXT spoolsv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

272 2024 WerFault.exe notepad.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1544 vssadmin.exe
1400 vssadmin.exe

description	ioc	process
File created	C:\Windows\!!! HOW TO BACK YOUR FILES !!!.TXT	spoolsv.exe

pid	pid_target	process	target process
272	2024	WerFault.exe	notepad.exe

pid	process
1544	vssadmin.exe
1400	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1272	WMIC.exe
Token: SeSecurityPrivilege	1272	WMIC.exe
Token: SeTakeOwnershipPrivilege	1272	WMIC.exe
Token: SeLoadDriverPrivilege	1272	WMIC.exe
Token: SeSystemProfilePrivilege	1272	WMIC.exe
Token: SeSystemtimePrivilege	1272	WMIC.exe
Token: SeProfSingleProcessPrivilege	1272	WMIC.exe
Token: SeIncBasePriorityPrivilege	1272	WMIC.exe
Token: SeCreatePagefilePrivilege	1272	WMIC.exe
Token: SeBackupPrivilege	1272	WMIC.exe
Token: SeRestorePrivilege	1272	WMIC.exe
Token: SeShutdownPrivilege	1272	WMIC.exe
Token: SeDebugPrivilege	1272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1272	WMIC.exe
Token: SeRemoteShutdownPrivilege	1272	WMIC.exe
Token: SeUndockPrivilege	1272	WMIC.exe
Token: SeManageVolumePrivilege	1272	WMIC.exe
Token: 33	1272	WMIC.exe
Token: 34	1272	WMIC.exe
Token: 35	1272	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1560	WMIC.exe
Token: SeSecurityPrivilege	1560	WMIC.exe
Token: SeTakeOwnershipPrivilege	1560	WMIC.exe
Token: SeLoadDriverPrivilege	1560	WMIC.exe
Token: SeSystemProfilePrivilege	1560	WMIC.exe
Token: SeSystemtimePrivilege	1560	WMIC.exe
Token: SeProfSingleProcessPrivilege	1560	WMIC.exe
Token: SeIncBasePriorityPrivilege	1560	WMIC.exe
Token: SeCreatePagefilePrivilege	1560	WMIC.exe
Token: SeBackupPrivilege	1560	WMIC.exe
Token: SeRestorePrivilege	1560	WMIC.exe
Token: SeShutdownPrivilege	1560	WMIC.exe
Token: SeDebugPrivilege	1560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1560	WMIC.exe
Token: SeRemoteShutdownPrivilege	1560	WMIC.exe
Token: SeUndockPrivilege	1560	WMIC.exe
Token: SeManageVolumePrivilege	1560	WMIC.exe
Token: 33	1560	WMIC.exe
Token: 34	1560	WMIC.exe
Token: 35	1560	WMIC.exe
Token: SeBackupPrivilege	1716	vssvc.exe
Token: SeRestorePrivilege	1716	vssvc.exe
Token: SeAuditPrivilege	1716	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1560	WMIC.exe
Token: SeSecurityPrivilege	1560	WMIC.exe
Token: SeTakeOwnershipPrivilege	1560	WMIC.exe
Token: SeLoadDriverPrivilege	1560	WMIC.exe
Token: SeSystemProfilePrivilege	1560	WMIC.exe
Token: SeSystemtimePrivilege	1560	WMIC.exe
Token: SeProfSingleProcessPrivilege	1560	WMIC.exe
Token: SeIncBasePriorityPrivilege	1560	WMIC.exe
Token: SeCreatePagefilePrivilege	1560	WMIC.exe
Token: SeBackupPrivilege	1560	WMIC.exe
Token: SeRestorePrivilege	1560	WMIC.exe
Token: SeShutdownPrivilege	1560	WMIC.exe
Token: SeDebugPrivilege	1560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1560	WMIC.exe
Token: SeRemoteShutdownPrivilege	1560	WMIC.exe
Token: SeUndockPrivilege	1560	WMIC.exe
Token: SeManageVolumePrivilege	1560	WMIC.exe
Token: 33	1560	WMIC.exe
Token: 34	1560	WMIC.exe
Token: 35	1560	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1272	WMIC.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1.exespoolsv.execmd.execmd.execmd.exenotepad.exe

description	pid	process	target process
PID 824 wrote to memory of 1016	824	576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1.exe	spoolsv.exe
PID 824 wrote to memory of 1016	824	576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1.exe	spoolsv.exe
PID 824 wrote to memory of 1016	824	576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1.exe	spoolsv.exe
PID 824 wrote to memory of 1016	824	576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1.exe	spoolsv.exe
PID 1016 wrote to memory of 784	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 784	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 784	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 784	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 788	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 788	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 788	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 788	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 1592	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 1592	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 1592	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 1592	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 1444	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 1444	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 1444	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 1444	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 1884	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 1884	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 1884	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 1884	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 1212	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 1212	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 1212	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 1212	1016	spoolsv.exe	cmd.exe
PID 1016 wrote to memory of 1984	1016	spoolsv.exe	spoolsv.exe
PID 1016 wrote to memory of 1984	1016	spoolsv.exe	spoolsv.exe
PID 1016 wrote to memory of 1984	1016	spoolsv.exe	spoolsv.exe
PID 1016 wrote to memory of 1984	1016	spoolsv.exe	spoolsv.exe
PID 784 wrote to memory of 1272	784	cmd.exe	WMIC.exe
PID 784 wrote to memory of 1272	784	cmd.exe	WMIC.exe
PID 784 wrote to memory of 1272	784	cmd.exe	WMIC.exe
PID 784 wrote to memory of 1272	784	cmd.exe	WMIC.exe
PID 1212 wrote to memory of 1560	1212	cmd.exe	WMIC.exe
PID 1212 wrote to memory of 1560	1212	cmd.exe	WMIC.exe
PID 1212 wrote to memory of 1560	1212	cmd.exe	WMIC.exe
PID 1212 wrote to memory of 1560	1212	cmd.exe	WMIC.exe
PID 1884 wrote to memory of 1544	1884	cmd.exe	vssadmin.exe
PID 1884 wrote to memory of 1544	1884	cmd.exe	vssadmin.exe
PID 1884 wrote to memory of 1544	1884	cmd.exe	vssadmin.exe
PID 1884 wrote to memory of 1544	1884	cmd.exe	vssadmin.exe
PID 1212 wrote to memory of 1400	1212	cmd.exe	vssadmin.exe
PID 1212 wrote to memory of 1400	1212	cmd.exe	vssadmin.exe
PID 1212 wrote to memory of 1400	1212	cmd.exe	vssadmin.exe
PID 1212 wrote to memory of 1400	1212	cmd.exe	vssadmin.exe
PID 1016 wrote to memory of 2024	1016	spoolsv.exe	notepad.exe
PID 1016 wrote to memory of 2024	1016	spoolsv.exe	notepad.exe
PID 1016 wrote to memory of 2024	1016	spoolsv.exe	notepad.exe
PID 1016 wrote to memory of 2024	1016	spoolsv.exe	notepad.exe
PID 1016 wrote to memory of 2024	1016	spoolsv.exe	notepad.exe
PID 1016 wrote to memory of 2024	1016	spoolsv.exe	notepad.exe
PID 1016 wrote to memory of 2024	1016	spoolsv.exe	notepad.exe
PID 2024 wrote to memory of 272	2024	notepad.exe	WerFault.exe
PID 2024 wrote to memory of 272	2024	notepad.exe	WerFault.exe
PID 2024 wrote to memory of 272	2024	notepad.exe	WerFault.exe
PID 2024 wrote to memory of 272	2024	notepad.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1.exe
"C:\Users\Admin\AppData\Local\Temp\576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:824

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -start
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1400

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe" -agent 0
3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:1444

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 196
4⤵
- Program crash
PID:272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1716

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
49f30697c634c40272e3aa13c370279f

SHA1
bd543555d20162a2afcfb3a0f85cde37b7faf0db

SHA256
c4b9272708e65c60dcd4d94a9e5f0327590963911bf3c66b27de9666a050cfe3

SHA512
ee541518a003f153492457e3dfae6d0f05ac6d2f93360dc5708ed8f81ba19df612b8ef5a77495c0313e59162220936e41b4687bbf6df62e9c917054925e248bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
e609a4e0e0a91ebc8771fcc3f25c0990

SHA1
c552fbec8d6679017b5e9dedd4f03e29cb4c8718

SHA256
576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1

SHA512
0fab0c68eec67ce7e54b28651b0c85f6fd0401888e83e7b2346acc95a802d283185a77790cdb98f3850350a190cfe30b7e9d757fcfb95a8012adc34393eeffda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
e609a4e0e0a91ebc8771fcc3f25c0990

SHA1
c552fbec8d6679017b5e9dedd4f03e29cb4c8718

SHA256
576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1

SHA512
0fab0c68eec67ce7e54b28651b0c85f6fd0401888e83e7b2346acc95a802d283185a77790cdb98f3850350a190cfe30b7e9d757fcfb95a8012adc34393eeffda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
e609a4e0e0a91ebc8771fcc3f25c0990

SHA1
c552fbec8d6679017b5e9dedd4f03e29cb4c8718

SHA256
576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1

SHA512
0fab0c68eec67ce7e54b28651b0c85f6fd0401888e83e7b2346acc95a802d283185a77790cdb98f3850350a190cfe30b7e9d757fcfb95a8012adc34393eeffda

Download Submit
C:\Users\Admin\Desktop\BlockReceive.contact.304-A75-56B
MD5
49492cb185e8cf9b4e965dfb7b727946

SHA1
264188c85a4e56e11493969f0e5d8033ae31981e

SHA256
447d62f4b2650c8904e5d5fc03408c2f497ff0af9ead58ff1f49c2074df538e9

SHA512
6dfa462d97b4fb90734bedf20c624026339e01a4d2736dc4f8b123d078edfbf5073ad43aad7e39cb7599d8733c03bfbdf6601dfb5a7342ee941734b990e98380

Download Submit
C:\Users\Admin\Desktop\CompareInvoke.ADT.304-A75-56B
MD5
0a4edcff685b13b1ca43e67d138cd936

SHA1
a31011a9888c9c8fbcc747008a8b0d167c5328fa

SHA256
2af7e4413e8d9425ea8096d200b9751b396ab852f8c362d4c8e6b99f5e31abb8

SHA512
7a56912a4e8d255981652380fd5045f8ed5ba7a80d5a8a3d57917899c831c6920741fb628c118233b7ca05043f450a25a6a2bc9a165c1bb160057b215a8d0dd4

Download Submit
C:\Users\Admin\Desktop\ConnectFormat.dwfx.304-A75-56B
MD5
982a636cd92d22b36059f35d14be955b

SHA1
dacdb77d734d38197e1f37d981d30d082263b3e3

SHA256
d5f4b00481cea259f2446eb704bc71c6ede0c11c1587cb85d64b14f5321ddcd3

SHA512
1e90e01faf065ab8f776ebe085a5c96d5c9c00ecdec50a48f1ecab25ba9387f34679157859cc1302d77ea84f90c99c21d27d0fa5b447116bfcae49c789775808

Download Submit
C:\Users\Admin\Desktop\ConnectJoin.rar.304-A75-56B
MD5
dcb552324084eae3d8b69575d1244a92

SHA1
95c6e000192a59baf59abf28e623ef54d1b7f65f

SHA256
27158f10d7d44d77a8b574b74166166dba6a5bf99730102c8e8f74bff1b55bea

SHA512
25090020e95bcfd7f6b4b371b22935c62222402ea7052512309f6ac13f37d54d9b8c708e99d395036708a14d1a44eb9078d3c1ed19a857be2bc444cd40dbc562

Download Submit
C:\Users\Admin\Desktop\ConvertSplit.ps1.304-A75-56B
MD5
7928a2455da76527ec79b36496208815

SHA1
a9baf159646842426a4558a135d347f5fb24814f

SHA256
724a642aadbd575b2be4315baf943f11968e4d186197bbe877fa510578732149

SHA512
cf577ec14926a7265be8deed3b047c99e79747f37e55d9deb9a3586f6756b161c7cd8625496fc4bd2167230cb8f3ed022556aab2b9f3671103e2b79e3bb09dca

Download Submit
C:\Users\Admin\Desktop\CopyMeasure.ADT.304-A75-56B
MD5
d0022d6adf99498a2f491caab3a5d608

SHA1
06e780933cc0c7920f7e76d169bd6891be2ac8e3

SHA256
a12e6e3cb7d83f3c6f9c13f1e1451e703303c5f50c3643a5dc371ecd941264b6

SHA512
7355f511eebb779e1063296cf5a384a22a56cde3fc72f74c871b6bb70d94014175515c13534ff2be615bf779edf2dd5d10ef09e32c6f428fe273911392a718e1

Download Submit
C:\Users\Admin\Desktop\DisableClose.mp2.304-A75-56B
MD5
29c04d16da91997f386a256ea6a46513

SHA1
8ba10be0a76e886e4708d920178924050df4b944

SHA256
e456b76c428ef429707f79972afc41a7ee88d307aa3a5a05e011446c893624bc

SHA512
006873683d7797419a1a6aca6a245b07323bbaff9d8bbcea86c6bee4332ce7c00edf16f69b04130da82892f35c8d87bbdbfa2034d2cf33792dd58f5fa4e695dc

Download Submit
C:\Users\Admin\Desktop\ExitImport.TTS.304-A75-56B
MD5
5771089cb03e66a49bb50c5fdfe976a1

SHA1
68da9b2d44bde2bdf68cd0a1bdb3115703585075

SHA256
74dbbd80c0383b883049e0b553403baa3e9eef7f1a53c2a6c11581e0dcf36996

SHA512
5fdd4aee46581bbbc361b10e513a245fc10e97a22ad976f10425571977c6a577e381ab6a2b39b035ec1631afc1f1e4346c7b9a76154eceeca5dbe5f45b38bd79

Download Submit
C:\Users\Admin\Desktop\MoveGet.dib.304-A75-56B
MD5
cef7db0170c6641f75c742df8a4ee005

SHA1
5608480affb44e3f8c81019205512d6d4e586876

SHA256
d25aed97b5cb3c6a491d30de00dd52ee2b9c8159bb36782f1389babeed0a5516

SHA512
fa05c1edce166b0a0deecd9a22fad727cc52ae9a0cd69e941aa209b2d7660dff6bc53eb2fd353cb469d86855810ba035b1d846b731134b266e1538f11b44222d

Download Submit
C:\Users\Admin\Desktop\PingUnprotect.wm.304-A75-56B
MD5
d3bce68134add255d984457275b521bf

SHA1
3608b22163ab49ac8441e8c3d0fb4f9a13b323ce

SHA256
e3c81f77d3febe681e37d630449f6b90da47ad3421734adc2f43de04b189dbdc

SHA512
24cd69c3f0e10fc55e63644f48e5296a4b928f5e9616a0814510e77c6fc52a3b7ffbb5fbe226b03d91b664a81aaa9d10093d435e188a9c40091fd7945d3f7726

Download Submit
C:\Users\Admin\Desktop\PopRedo.ex_.304-A75-56B
MD5
1df1ea681d2bb60b76736d0ae28d1436

SHA1
f549eb3a045a8860424c92618b8a26aa0f6cb015

SHA256
0f1baf4f8b7e5ba30d598e4649037b0d85be69fdd3e941a64b6a913e9bd5a304

SHA512
84593059ef0a49e98c13df38ff061011f4b35fb2c228e2b2dcedb6d4e58fbd531499c7d2af38025629237518c75477a74d2fc60e8a2ad03908791dc02a7a3b87

Download Submit
C:\Users\Admin\Desktop\RedoImport.xps.304-A75-56B
MD5
0e36bcd3a339faa441b691dd23374005

SHA1
b4f83102e886b5f294bca982f51b1a990278127c

SHA256
c44bb224e7b1370e6606fd302feb688262efe5a8febecff27a0bef239031ac30

SHA512
f5f502130ae0d74f4f0d8077bb2192186b14b9c34dedb298c8079024e08456ad147f670a8f08d2e803103f33aa29d50eae2f1fd8ed725fdfc9521816342bb559

Download Submit
C:\Users\Admin\Desktop\RepairCompare.ps1.304-A75-56B
MD5
ba71ac261379508967a0dde096fcf0fe

SHA1
bcd6f0286af2a436c4c5311e5a90fad894d053a8

SHA256
6ca896841d1da29c941e3d51360353b77b9ad8284868bb9153e63deccc27184b

SHA512
01698b0fba31fe1be9c94efca2efa9dd6eedd6444742df4ec758378343ce529946d086531b0d11ec60b7dc6d2cda4a9e6631520bad69fb7442e15f93f6e69597

Download Submit
C:\Users\Admin\Desktop\RepairStep.3g2.304-A75-56B
MD5
74ee91e8109f7a99a06fa3b59269c0d6

SHA1
64995bcf0b0ba5cc10d6b291c299a7c5a11230e2

SHA256
8c42d3992f97c6ab7f24c6efb70b688b69d210d7d8f384e3b8c782798bddf130

SHA512
7c975523b15f4446103182e59981be6d93a3d99e8449a06301dfb82469561136e6ac4011f91bce6a44a6601334579d2f9d04bf27fd32ff7ac1c35a1ef272d10e

Download Submit
C:\Users\Admin\Desktop\ResolveConvert.vssx.304-A75-56B
MD5
56e0d1771f9f15ff27d7755b43454e66

SHA1
691c32d5e3210f3643bf1096b829aebc62d725b2

SHA256
0686550c82965baf52643e5f61a6a4e0d674c9b8da1dff19e19745a4ad11bc13

SHA512
3c378c16ed649174493bc3ed68ec575a32d16f20a147ad07ad64369218dc583939de305a2390ad5809d4c1af160e66cc96478990bdc04ddb32c444af73d055ac

Download Submit
C:\Users\Admin\Desktop\RestoreLimit.ico.304-A75-56B
MD5
8fb6ad124ffdbd7ebeed5f6d979eabbc

SHA1
b88fa36402806233434720124f743636d6258336

SHA256
5b72b97fe3dfdaf733912d873cacd64fb9e6d927de1b110d3b7875f103e924fc

SHA512
d35b01f6aaef48f467935d16c929755ce191ff5426fce311bcf8a9e3cac9782715342352a3b5a6bca6b2ddca23aa42904284acf33e004dd5f6d30d035bc120d0

Download Submit
C:\Users\Admin\Desktop\SplitSync.png.304-A75-56B
MD5
3a06016d3281817196545d69e09534ca

SHA1
44ec616e0df03569198aabed023a0f8c342720d2

SHA256
79e933c45fe1af5a4febef7c1568a95f499f3b03baa7a4b2d8d7eae2e55c9658

SHA512
921b0faa92deec9ffe3d4ae6356b3a1b1e63abd9d43936e86eed81618ac358f3d52c57188ba08537ac3c6bb7fda3ee6dd9953ab3631d2d0f515ef9350e664135

Download Submit
C:\Users\Admin\Desktop\SuspendClear.3g2.304-A75-56B
MD5
23b67a0d448bcd56b3f4f1b14e40e0fe

SHA1
7d1c6b39393294e42ec9ded8ea815e6e5417d4df

SHA256
d2f89823dc9a128f8ad366e8689a7eb36ffee70e90d052d0b025c7ebd3950ec8

SHA512
1c81195080c58edea238f2554048dfa5c69f41c908ccf8c3f8df3cebc740f8eae240d28791296a9aaf62b76e814024c71095d94311cbedfc5ac345f6006f393f

Download Submit
C:\Users\Admin\Desktop\TraceMeasure.pcx.304-A75-56B
MD5
89e37399289718d2170a03d0127e989d

SHA1
5e7fa69feae074adb1353a8c823d6e1dee4401e0

SHA256
f44e163a14aa63c8402998e20950de1eb3789d2efeea0bd7a713939c1add421d

SHA512
07e056d0d86842cdbf5df85d99fd54347c7b752b3159581cb5bf9697ac059cd688445810afd29ea8967378dc0b84b560c51990ffd01d2eb1a7ccc369328330a2

Download Submit
C:\Users\Admin\Desktop\TraceOut.svg.304-A75-56B
MD5
27ababb6438df7622491fd179fb99ea8

SHA1
aa843fbeadeb840c381c92d42e06037d50875c33

SHA256
7d2d854185b0252b0fb31a8b367a0f7d8b61a7b567ff0e7811ff8b7d1d4e1879

SHA512
b5c9c4416041cad63db2c76b2b2128c5d737d6a37dfeeb3a63cb35d80331eabb5cbd5e670b425f0d30dec191635177a45e2ed1c82db09d649db7b023aa9865df

Download Submit
C:\Users\Admin\Desktop\UnprotectRestart.cfg.304-A75-56B
MD5
c7ea076fa0b2c3fa89ac741716671309

SHA1
850830f094c89ec4afa21f79c7255001785a538d

SHA256
c49cb60d8b1e7f2e54a62a46fe6ed0ee01427ebcaf61409e4ba7d20c877a243d

SHA512
e0910b0c0d5779c8acf5b46459969b33d512984d2169f9c0b48e6e04678e8219fd8dc6a989b37811897d280badabdf1471a39cda59932883b696abf69f956ac9

Download Submit
C:\Users\Admin\Desktop\WaitCopy.asp.304-A75-56B
MD5
9aaba58ce23f691aff6e6e0e06a3d2f0

SHA1
12576193b985d6e15025e19abe288fc57a11ef9c

SHA256
bfa3aab7f58071103e574844810f2353a9392aadc001ffa06f9719193db7765c

SHA512
6dee019969ad564893bf4661369f38fd3a802523c0a0bb3787cd6a6388a08bdf094f759cb4cb155323e9ea687f0fe4fbba10c81f6cae834151e55f22e89391b9

Download Submit
C:\Users\Admin\Desktop\WaitRevoke.edrwx.304-A75-56B
MD5
ca3e436783cebac0662e7b7d5f275b38

SHA1
2e257d4ad1a306e660542a3f70fb2e43adf9853d

SHA256
a49ea6f8baf0b5ffe1f2403d219469d0a9bd0e9d4f7dd45444ef1cb7ebc47c80

SHA512
13120af08263367161a9adb4cf8bae9d374e04cdd5abbd72899635d5e45a2494493cce9db10be088cd5dd65e95bd2f3dd13a0cb899bad37d4a384ca66d3ea313

Download Submit
C:\Users\Admin\Desktop\WriteWatch.jtx.304-A75-56B
MD5
1e28ae53cfd05afa33b8b829f83f128c

SHA1
9594fcce461b2728ef644460a8454b01ade98fb6

SHA256
d464d73225cc5c7755db09fbc9aab2e1b75a59c121d16148e3b525294a9853f5

SHA512
f62e82b001d8e88c9dd17dd57853e54dee18bfa5c5cc2e1dedcbe2093c708c4a2261c30cf9ed4b285c67b27a5d45d80382439a3eb567f43471e3c107b163c05b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
e609a4e0e0a91ebc8771fcc3f25c0990

SHA1
c552fbec8d6679017b5e9dedd4f03e29cb4c8718

SHA256
576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1

SHA512
0fab0c68eec67ce7e54b28651b0c85f6fd0401888e83e7b2346acc95a802d283185a77790cdb98f3850350a190cfe30b7e9d757fcfb95a8012adc34393eeffda

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
e609a4e0e0a91ebc8771fcc3f25c0990

SHA1
c552fbec8d6679017b5e9dedd4f03e29cb4c8718

SHA256
576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1

SHA512
0fab0c68eec67ce7e54b28651b0c85f6fd0401888e83e7b2346acc95a802d283185a77790cdb98f3850350a190cfe30b7e9d757fcfb95a8012adc34393eeffda

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\spoolsv.exe
MD5
e609a4e0e0a91ebc8771fcc3f25c0990

SHA1
c552fbec8d6679017b5e9dedd4f03e29cb4c8718

SHA256
576b9b0e6da2715dc02068b053b4203b9bfda1eb0feca8bddcdfc0827c5db7d1

SHA512
0fab0c68eec67ce7e54b28651b0c85f6fd0401888e83e7b2346acc95a802d283185a77790cdb98f3850350a190cfe30b7e9d757fcfb95a8012adc34393eeffda

Download Submit
memory/824-54-0x0000000074FF1000-0x0000000074FF3000-memory.dmp

Filesize
8KB

Download
memory/2024-88-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads