gandcrab | cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08

General

Target

cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Size

244KB
MD5

cd0de24dd59d160507545851f4c0d917
SHA1

a78fca87aace910f8e59dd614664e082249b8a68
SHA256

cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08
SHA512

130ac29407b1a5903c144684e846a8eabe54d47ed13ebcc676eb1d4b598b52c446c6f5021fdea2035d838e562b6a08e7f0578bfe3379824dbd1b5b9ce374e12d

Score

10^/10

gandcrab backdoor persistence ransomware

Malware Config

Signatures

GandCrab Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/504-115-0x0000000000400000-0x0000000000B4B000-memory.dmp	family_gandcrab
behavioral2/memory/504-118-0x00000000001D0000-0x00000000001E7000-memory.dmp	family_gandcrab

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\kjjjvmnddgt = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\xdffnq.exe\""	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe

description	ioc	process
File opened (read-only)	\??\X:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\F:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\J:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\N:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\O:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\Q:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\W:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\A:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\G:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\H:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\M:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\P:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\Y:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\R:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\S:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\U:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\V:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\B:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\E:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\I:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\K:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\L:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\T:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
File opened (read-only)	\??\Z:	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe

Drops file in Windows directory 1 IoCs

Processes:

cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe

description ioc process

File opened for modification C:\Windows\win.ini cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\UpperFilters	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\LowerFilters	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\UpperFilters	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\LowerFilters	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe

pid	process
504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe

description	pid	process
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
Token: SeLoadDriverPrivilege	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe

description	pid	process	target process
PID 504 wrote to memory of 2344	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 2344	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 2344	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3576	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3576	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3576	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 1196	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 1196	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 1196	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 1488	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 1488	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 1488	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 1856	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 1856	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 1856	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 2200	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 2200	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 2200	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3268	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3268	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3268	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 900	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 900	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 900	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 1872	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 1872	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 1872	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3804	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3804	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3804	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3204	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3204	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3204	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3880	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3880	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3880	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3664	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3664	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3664	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 580	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 580	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 580	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 2580	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 2580	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 2580	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3788	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3788	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3788	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 1376	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 1376	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 1376	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 1920	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 1920	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 1920	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 2000	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 2000	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 2000	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 2140	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 2140	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 2140	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3828	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3828	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 3828	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe
PID 504 wrote to memory of 2888	504	cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe
"C:\Users\Admin\AppData\Local\Temp\cc5f8dfc803b35d83f059f019c6d937fa2ce52e79d112f29630e9050aee2de08.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2344

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:3576

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1196

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1488

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1856

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2200

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:3268

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:900

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1872

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:3804

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:3204

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:3880

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:3664

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:580

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2580

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:3788

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1376

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1920

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2000

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2140

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:3828

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2888

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:3040

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:3168

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:664

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2588

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:3876

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:948

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1212

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2088

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2156

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2968

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1384

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1936

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:3200

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:3888

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2432

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2480

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1308

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:744

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2320

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:3760

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1472

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2172

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:64

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:3616

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:584

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1528

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2212

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:3572

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2584

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:4080

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2892

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1444

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1996

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:876

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1512

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1072

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:3196

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:3236

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2072

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2532

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1252

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:3588

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:3776

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1540

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1380

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1916

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1268

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1844

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2004

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1664

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:3132

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2764

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2920

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2100

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:3088

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1132

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2560

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:4040

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2148

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:3916

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1204

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2876

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1644

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:916

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:3176

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2216

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:640

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1136

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1312

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:4072

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2724

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1028

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:3612

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1980

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2168

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:3688

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1820

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:3192

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1640

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2392

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:1492

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2576

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2324

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2908

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:3608

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1852

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1700

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2036

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2728

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:3944

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:2108

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:2544

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:3816

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:940

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:752

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1396

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:2572

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:1676

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:1228

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:1044

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:4060

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns1.wowservers.ru
2⤵
PID:2912

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns1.wowservers.ru
2⤵
PID:3592

C:\Windows\SysWOW64\nslookup.exe
nslookup ransomware.bit ns2.wowservers.ru
2⤵
PID:3648

C:\Windows\SysWOW64\nslookup.exe
nslookup carder.bit ns2.wowservers.ru
2⤵
PID:3668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/64-163-0x0000000000000000-mapping.dmp

Download
memory/504-115-0x0000000000400000-0x0000000000B4B000-memory.dmp

Filesize
7.3MB

Download
memory/504-116-0x0000000000400000-0x0000000000B4B000-memory.dmp

Filesize
7.3MB

Download
memory/504-118-0x00000000001D0000-0x00000000001E7000-memory.dmp

Filesize
92KB

Download
memory/504-114-0x0000000000D56000-0x0000000000D72000-memory.dmp

Filesize
112KB

Download
memory/580-132-0x0000000000000000-mapping.dmp

Download
memory/584-165-0x0000000000000000-mapping.dmp

Download
memory/664-143-0x0000000000000000-mapping.dmp

Download
memory/744-158-0x0000000000000000-mapping.dmp

Download
memory/876-174-0x0000000000000000-mapping.dmp

Download
memory/900-126-0x0000000000000000-mapping.dmp

Download
memory/948-146-0x0000000000000000-mapping.dmp

Download
memory/1072-176-0x0000000000000000-mapping.dmp

Download
memory/1196-121-0x0000000000000000-mapping.dmp

Download
memory/1212-147-0x0000000000000000-mapping.dmp

Download
memory/1252-181-0x0000000000000000-mapping.dmp

Download
memory/1308-157-0x0000000000000000-mapping.dmp

Download
memory/1376-135-0x0000000000000000-mapping.dmp

Download
memory/1384-151-0x0000000000000000-mapping.dmp

Download
memory/1444-172-0x0000000000000000-mapping.dmp

Download
memory/1472-161-0x0000000000000000-mapping.dmp

Download
memory/1488-122-0x0000000000000000-mapping.dmp

Download
memory/1512-175-0x0000000000000000-mapping.dmp

Download
memory/1528-166-0x0000000000000000-mapping.dmp

Download
memory/1856-123-0x0000000000000000-mapping.dmp

Download
memory/1872-127-0x0000000000000000-mapping.dmp

Download
memory/1920-136-0x0000000000000000-mapping.dmp

Download
memory/1936-152-0x0000000000000000-mapping.dmp

Download
memory/1996-173-0x0000000000000000-mapping.dmp

Download
memory/2000-137-0x0000000000000000-mapping.dmp

Download
memory/2072-179-0x0000000000000000-mapping.dmp

Download
memory/2088-148-0x0000000000000000-mapping.dmp

Download
memory/2140-138-0x0000000000000000-mapping.dmp

Download
memory/2156-149-0x0000000000000000-mapping.dmp

Download
memory/2172-162-0x0000000000000000-mapping.dmp

Download
memory/2200-124-0x0000000000000000-mapping.dmp

Download
memory/2212-167-0x0000000000000000-mapping.dmp

Download
memory/2320-159-0x0000000000000000-mapping.dmp

Download
memory/2344-119-0x0000000000000000-mapping.dmp

Download
memory/2432-155-0x0000000000000000-mapping.dmp

Download
memory/2480-156-0x0000000000000000-mapping.dmp

Download
memory/2532-180-0x0000000000000000-mapping.dmp

Download
memory/2580-133-0x0000000000000000-mapping.dmp

Download
memory/2584-169-0x0000000000000000-mapping.dmp

Download
memory/2588-144-0x0000000000000000-mapping.dmp

Download
memory/2888-140-0x0000000000000000-mapping.dmp

Download
memory/2892-171-0x0000000000000000-mapping.dmp

Download
memory/2968-150-0x0000000000000000-mapping.dmp

Download
memory/3040-141-0x0000000000000000-mapping.dmp

Download
memory/3168-142-0x0000000000000000-mapping.dmp

Download
memory/3196-177-0x0000000000000000-mapping.dmp

Download
memory/3200-153-0x0000000000000000-mapping.dmp

Download
memory/3204-129-0x0000000000000000-mapping.dmp

Download
memory/3236-178-0x0000000000000000-mapping.dmp

Download
memory/3268-125-0x0000000000000000-mapping.dmp

Download
memory/3572-168-0x0000000000000000-mapping.dmp

Download
memory/3576-120-0x0000000000000000-mapping.dmp

Download
memory/3588-182-0x0000000000000000-mapping.dmp

Download
memory/3616-164-0x0000000000000000-mapping.dmp

Download
memory/3664-131-0x0000000000000000-mapping.dmp

Download
memory/3760-160-0x0000000000000000-mapping.dmp

Download
memory/3788-134-0x0000000000000000-mapping.dmp

Download
memory/3804-128-0x0000000000000000-mapping.dmp

Download
memory/3828-139-0x0000000000000000-mapping.dmp

Download
memory/3876-145-0x0000000000000000-mapping.dmp

Download
memory/3880-130-0x0000000000000000-mapping.dmp

Download
memory/3888-154-0x0000000000000000-mapping.dmp

Download
memory/4080-170-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads