gandcrab | 19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c

General

Target

19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
Size

181KB
MD5

4a12911191d436aa3a2e7760d3ad61a3
SHA1

6ae081144769492edb4dc82a6c3aeeb7bd71583b
SHA256

19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c
SHA512

c5a6cbd11fc23dfa9bdf4b321e5a840f0c9d681d4935e20d71ad30ddfbdab9124fe42071a0d59ee276286281c1f95bdd5f5f56764a74e597ffa005c1a0cb81c9

Score

10^/10

gandcrab backdoor persistence ransomware

Malware Config

Signatures

GandCrab Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1048-62-0x0000000000510000-0x0000000000527000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\llibnmakwdf = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\crsyvf.exe\""	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe

description	ioc	process
File opened (read-only)	\??\J:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\L:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\A:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\H:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\I:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\M:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\O:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\U:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\W:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\X:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\E:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\F:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\G:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\Y:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\Z:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\R:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\B:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\P:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\Q:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\T:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\V:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\K:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\N:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
File opened (read-only)	\??\S:	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe

pid	process
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe

Suspicious use of SetWindowsHookAW 64 IoCs

Processes:

19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe

pid	process
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe

description	pid	process	target process
PID 1048 wrote to memory of 560	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 560	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 560	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 560	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 832	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 832	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 832	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 832	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1516	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1516	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1516	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1516	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1636	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1636	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1636	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1636	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 772	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 772	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 772	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 772	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 612	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 612	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 612	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 612	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 276	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 276	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 276	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 276	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1052	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1052	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1052	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1052	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1784	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1784	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1784	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1784	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1520	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1520	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1520	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1520	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1724	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1724	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1724	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1724	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 972	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 972	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 972	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 972	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1868	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1868	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1868	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1868	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 892	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 892	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 892	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 892	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1764	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1764	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1764	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 1764	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 2036	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 2036	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 2036	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe
PID 1048 wrote to memory of 2036	1048	19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe
"C:\Users\Admin\AppData\Local\Temp\19a20164cbd7f6c532d7a6a3886cf0b60ecad0dba6d2d2fe60123c9f6ad2c89c.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookAW
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:560

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:832

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1516

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:1636

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:772

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:612

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:276

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:1052

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:1784

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:1520

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1724

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:972

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:1868

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:892

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1764

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:2036

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:608

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:1984

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1712

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:1704

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:1296

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:592

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1760

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:112

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:2024

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:1260

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1624

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:1384

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:1264

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:572

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:684

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:912

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:976

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:1560

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1368

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:540

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:1428

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:1904

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1584

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:288

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:964

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:2032

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1364

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:1596

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:1620

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:1016

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1556

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:456

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:804

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:796

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1552

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:1544

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:1528

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:1796

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1880

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:960

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:1500

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:1576

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1732

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:1672

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:1820

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:1928

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1668

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:1600

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:836

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:1316

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1132

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:1120

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:768

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:1072

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:268

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:1816

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:1336

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:1640

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1164

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:1912

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:1608

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:1664

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1068

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:1148

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:1688

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:1988

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1280

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:1380

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:1232

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:1572

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:984

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:1272

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:956

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:1064

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:340

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:1036

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:1312

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:756

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:272

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:1828

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:548

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:1392

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1480

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.corp-servers.ru
2⤵
PID:472

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns1.corp-servers.ru
2⤵
PID:844

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.corp-servers.ru
2⤵
PID:672

C:\Windows\SysWOW64\nslookup.exe
nslookup zonealarm.bit ns2.corp-servers.ru
2⤵
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/112-86-0x0000000000000000-mapping.dmp

Download
memory/276-69-0x0000000000000000-mapping.dmp

Download
memory/288-102-0x0000000000000000-mapping.dmp

Download
memory/456-110-0x0000000000000000-mapping.dmp

Download
memory/540-98-0x0000000000000000-mapping.dmp

Download
memory/560-63-0x0000000000000000-mapping.dmp

Download
memory/572-92-0x0000000000000000-mapping.dmp

Download
memory/592-84-0x0000000000000000-mapping.dmp

Download
memory/608-79-0x0000000000000000-mapping.dmp

Download
memory/612-68-0x0000000000000000-mapping.dmp

Download
memory/684-93-0x0000000000000000-mapping.dmp

Download
memory/772-67-0x0000000000000000-mapping.dmp

Download
memory/796-112-0x0000000000000000-mapping.dmp

Download
memory/804-111-0x0000000000000000-mapping.dmp

Download
memory/832-64-0x0000000000000000-mapping.dmp

Download
memory/892-76-0x0000000000000000-mapping.dmp

Download
memory/912-94-0x0000000000000000-mapping.dmp

Download
memory/960-118-0x0000000000000000-mapping.dmp

Download
memory/964-103-0x0000000000000000-mapping.dmp

Download
memory/972-74-0x0000000000000000-mapping.dmp

Download
memory/976-95-0x0000000000000000-mapping.dmp

Download
memory/1016-108-0x0000000000000000-mapping.dmp

Download
memory/1048-62-0x0000000000510000-0x0000000000527000-memory.dmp

Filesize
92KB

Download
memory/1048-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-60-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/1052-70-0x0000000000000000-mapping.dmp

Download
memory/1260-88-0x0000000000000000-mapping.dmp

Download
memory/1264-91-0x0000000000000000-mapping.dmp

Download
memory/1296-83-0x0000000000000000-mapping.dmp

Download
memory/1364-105-0x0000000000000000-mapping.dmp

Download
memory/1368-97-0x0000000000000000-mapping.dmp

Download
memory/1384-90-0x0000000000000000-mapping.dmp

Download
memory/1428-99-0x0000000000000000-mapping.dmp

Download
memory/1500-119-0x0000000000000000-mapping.dmp

Download
memory/1516-65-0x0000000000000000-mapping.dmp

Download
memory/1520-72-0x0000000000000000-mapping.dmp

Download
memory/1528-115-0x0000000000000000-mapping.dmp

Download
memory/1544-114-0x0000000000000000-mapping.dmp

Download
memory/1552-113-0x0000000000000000-mapping.dmp

Download
memory/1556-109-0x0000000000000000-mapping.dmp

Download
memory/1560-96-0x0000000000000000-mapping.dmp

Download
memory/1576-120-0x0000000000000000-mapping.dmp

Download
memory/1584-101-0x0000000000000000-mapping.dmp

Download
memory/1596-106-0x0000000000000000-mapping.dmp

Download
memory/1600-126-0x0000000000000000-mapping.dmp

Download
memory/1620-107-0x0000000000000000-mapping.dmp

Download
memory/1624-89-0x0000000000000000-mapping.dmp

Download
memory/1636-66-0x0000000000000000-mapping.dmp

Download
memory/1668-125-0x0000000000000000-mapping.dmp

Download
memory/1672-122-0x0000000000000000-mapping.dmp

Download
memory/1704-82-0x0000000000000000-mapping.dmp

Download
memory/1712-81-0x0000000000000000-mapping.dmp

Download
memory/1724-73-0x0000000000000000-mapping.dmp

Download
memory/1732-121-0x0000000000000000-mapping.dmp

Download
memory/1760-85-0x0000000000000000-mapping.dmp

Download
memory/1764-77-0x0000000000000000-mapping.dmp

Download
memory/1784-71-0x0000000000000000-mapping.dmp

Download
memory/1796-116-0x0000000000000000-mapping.dmp

Download
memory/1820-123-0x0000000000000000-mapping.dmp

Download
memory/1868-75-0x0000000000000000-mapping.dmp

Download
memory/1880-117-0x0000000000000000-mapping.dmp

Download
memory/1904-100-0x0000000000000000-mapping.dmp

Download
memory/1928-124-0x0000000000000000-mapping.dmp

Download
memory/1984-80-0x0000000000000000-mapping.dmp

Download
memory/2024-87-0x0000000000000000-mapping.dmp

Download
memory/2032-104-0x0000000000000000-mapping.dmp

Download
memory/2036-78-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads