cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1

General

Target

cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe
Size

503KB
MD5

aaf1572112e467c4667ab84bcdee33b2
SHA1

a1b4610140a1901995bedacb82ac1392d0890067
SHA256

cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1
SHA512

3f86ed1eb5a123a93c789c6165784f92ddd389ff680e3b0d96a0d334e31650c7bf21bd2dd973c697446d83d02427aea729574a61e80ac787e574eef4d958b0c9
SSDEEP

12288:mN7OjRhWIqHcFED5g3GrkppAkpmRhW3J8lBhZLTt2:eOllqHcCF2IHWZ8ltLTt2

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
1288	bcdedit.exe
5000	bcdedit.exe
4184	bcdedit.exe
2680	bcdedit.exe
3640	bcdedit.exe
1592	bcdedit.exe
3532	bcdedit.exe
4108	bcdedit.exe
4116	bcdedit.exe
396	bcdedit.exe

Drops file in Drivers directory 1 IoCs

Processes:

kaas.exe

description ioc process

File created C:\Windows\system32\drivers\e57b95d.sys kaas.exe
Executes dropped EXE 2 IoCs

Processes:

kaas.exekaas.exe

pid process

768 kaas.exe
1756 kaas.exe

description	ioc	process
File created	C:\Windows\system32\drivers\e57b95d.sys	kaas.exe

pid	process
768	kaas.exe
1756	kaas.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kaas.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run	kaas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kaas = "C:\\Users\\Admin\\AppData\\Roaming\\Qiuxt\\kaas.exe"	kaas.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exekaas.exe

description	pid	process	target process
PID 4216 set thread context of 220	4216	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe
PID 768 set thread context of 1756	768	kaas.exe	kaas.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "58"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

kaas.exe

pid process

1756 kaas.exe
1756 kaas.exe
1756 kaas.exe
1756 kaas.exe
1756 kaas.exe
1756 kaas.exe
1756 kaas.exe
1756 kaas.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

664
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

kaas.exe

description pid process

Token: SeShutdownPrivilege 1756 kaas.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exekaas.exeLogonUI.exe

pid process

4216 cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe
768 kaas.exe
896 LogonUI.exe

pid	process
1756	kaas.exe
1756	kaas.exe
1756	kaas.exe
1756	kaas.exe
1756	kaas.exe
1756	kaas.exe
1756	kaas.exe
1756	kaas.exe

pid	process
664

description	pid	process
Token: SeShutdownPrivilege	1756	kaas.exe

pid	process
4216	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe
768	kaas.exe
896	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.execf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exekaas.exekaas.exe

description	pid	process	target process
PID 4216 wrote to memory of 220	4216	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe
PID 4216 wrote to memory of 220	4216	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe
PID 4216 wrote to memory of 220	4216	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe
PID 4216 wrote to memory of 220	4216	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe
PID 4216 wrote to memory of 220	4216	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe
PID 4216 wrote to memory of 220	4216	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe
PID 4216 wrote to memory of 220	4216	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe
PID 4216 wrote to memory of 220	4216	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe
PID 4216 wrote to memory of 220	4216	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe
PID 220 wrote to memory of 768	220	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe	kaas.exe
PID 220 wrote to memory of 768	220	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe	kaas.exe
PID 220 wrote to memory of 768	220	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe	kaas.exe
PID 768 wrote to memory of 1756	768	kaas.exe	kaas.exe
PID 768 wrote to memory of 1756	768	kaas.exe	kaas.exe
PID 768 wrote to memory of 1756	768	kaas.exe	kaas.exe
PID 768 wrote to memory of 1756	768	kaas.exe	kaas.exe
PID 768 wrote to memory of 1756	768	kaas.exe	kaas.exe
PID 768 wrote to memory of 1756	768	kaas.exe	kaas.exe
PID 768 wrote to memory of 1756	768	kaas.exe	kaas.exe
PID 768 wrote to memory of 1756	768	kaas.exe	kaas.exe
PID 768 wrote to memory of 1756	768	kaas.exe	kaas.exe
PID 220 wrote to memory of 5012	220	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe	cmd.exe
PID 220 wrote to memory of 5012	220	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe	cmd.exe
PID 220 wrote to memory of 5012	220	cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe	cmd.exe
PID 1756 wrote to memory of 1288	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 1288	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 5000	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 5000	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 4184	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 4184	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 2680	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 2680	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 3640	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 3640	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 1592	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 1592	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 3532	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 3532	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 4108	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 4108	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 4116	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 4116	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 396	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 396	1756	kaas.exe	bcdedit.exe
PID 1756 wrote to memory of 2632	1756	kaas.exe	sihost.exe
PID 1756 wrote to memory of 2632	1756	kaas.exe	sihost.exe
PID 1756 wrote to memory of 2632	1756	kaas.exe	sihost.exe
PID 1756 wrote to memory of 2632	1756	kaas.exe	sihost.exe
PID 1756 wrote to memory of 2632	1756	kaas.exe	sihost.exe
PID 1756 wrote to memory of 2760	1756	kaas.exe	svchost.exe
PID 1756 wrote to memory of 2760	1756	kaas.exe	svchost.exe
PID 1756 wrote to memory of 2760	1756	kaas.exe	svchost.exe
PID 1756 wrote to memory of 2760	1756	kaas.exe	svchost.exe
PID 1756 wrote to memory of 2760	1756	kaas.exe	svchost.exe
PID 1756 wrote to memory of 2912	1756	kaas.exe	taskhostw.exe
PID 1756 wrote to memory of 2912	1756	kaas.exe	taskhostw.exe
PID 1756 wrote to memory of 2912	1756	kaas.exe	taskhostw.exe
PID 1756 wrote to memory of 2912	1756	kaas.exe	taskhostw.exe
PID 1756 wrote to memory of 2912	1756	kaas.exe	taskhostw.exe
PID 1756 wrote to memory of 2552	1756	kaas.exe	Explorer.EXE
PID 1756 wrote to memory of 2552	1756	kaas.exe	Explorer.EXE
PID 1756 wrote to memory of 2552	1756	kaas.exe	Explorer.EXE
PID 1756 wrote to memory of 2552	1756	kaas.exe	Explorer.EXE
PID 1756 wrote to memory of 2552	1756	kaas.exe	Explorer.EXE

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3412

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:628

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4804

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3488

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3336

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:404

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe
"C:\Users\Admin\AppData\Local\Temp\cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Local\Temp\cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe
"C:\Users\Admin\AppData\Local\Temp\cf0eed4a772ddce4823d434ecad5b4296a0af94d057535d0a18e762ce79f81e1.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\AppData\Roaming\Qiuxt\kaas.exe
"C:\Users\Admin\AppData\Roaming\Qiuxt\kaas.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Roaming\Qiuxt\kaas.exe
"C:\Users\Admin\AppData\Roaming\Qiuxt\kaas.exe"
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:1288

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:5000

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:4184

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:2680

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:3640

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:1592

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:3532

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:4108

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:4116

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\JFNF894.bat"
4⤵
PID:5012

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2760

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2632

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4448

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4140

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39a2855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JFNF894.bat

Filesize
303B

MD5
9a1f52b5e2951ad3f973182f9e0d0e92

SHA1
1d95f7a92c0e1b7e9f7e87405703256b7ade76f7

SHA256
9d03f148587073ded6b54e08eee121dd2980208b79e85a934bfad63f05f95b0d

SHA512
e44270b40241729e930d29e243bb5caac90a4068d5eb3029b9b88aede8e46ef568629327a425bbde85f9c0ca0769f87611b67e7e5a172b8577526ffab8c46842

Download Submit
C:\Users\Admin\AppData\Roaming\Qiuxt\kaas.exe

Filesize
503KB

MD5
1a0a58c64f798d4ad8df9004bd6607e6

SHA1
379213bfd251b1758f5cebfc30ea0da396dcffd5

SHA256
7caa45621094494a9df8ed1f4da334d6dcb67afea45500b2baad2e997c3b5059

SHA512
fb4eec9b1af9be190166eb270ebd314419794ce81aa3ec33bc57a788c2dc03e46ad6685228757eb615bb80d4817def6afebf6b6b5aa670de4498c99b163f4031

Download Submit
C:\Users\Admin\AppData\Roaming\Qiuxt\kaas.exe

Filesize
503KB

MD5
1a0a58c64f798d4ad8df9004bd6607e6

SHA1
379213bfd251b1758f5cebfc30ea0da396dcffd5

SHA256
7caa45621094494a9df8ed1f4da334d6dcb67afea45500b2baad2e997c3b5059

SHA512
fb4eec9b1af9be190166eb270ebd314419794ce81aa3ec33bc57a788c2dc03e46ad6685228757eb615bb80d4817def6afebf6b6b5aa670de4498c99b163f4031

Download Submit
C:\Users\Admin\AppData\Roaming\Qiuxt\kaas.exe

Filesize
503KB

MD5
1a0a58c64f798d4ad8df9004bd6607e6

SHA1
379213bfd251b1758f5cebfc30ea0da396dcffd5

SHA256
7caa45621094494a9df8ed1f4da334d6dcb67afea45500b2baad2e997c3b5059

SHA512
fb4eec9b1af9be190166eb270ebd314419794ce81aa3ec33bc57a788c2dc03e46ad6685228757eb615bb80d4817def6afebf6b6b5aa670de4498c99b163f4031

Download Submit
memory/220-141-0x00000000021C0000-0x00000000021C6000-memory.dmp

Filesize
24KB

Download
memory/220-139-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/220-140-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/220-142-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/220-155-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/220-138-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/220-137-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/220-136-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/220-135-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/220-134-0x0000000000000000-mapping.dmp

Download
memory/396-167-0x0000000000000000-mapping.dmp

Download
memory/768-143-0x0000000000000000-mapping.dmp

Download
memory/1288-157-0x0000000000000000-mapping.dmp

Download
memory/1592-163-0x0000000000000000-mapping.dmp

Download
memory/1756-151-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1756-156-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/1756-169-0x0000000000600000-0x0000000000606000-memory.dmp

Filesize
24KB

Download
memory/1756-168-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1756-148-0x0000000000000000-mapping.dmp

Download
memory/1756-152-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1756-154-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2680-160-0x0000000000000000-mapping.dmp

Download
memory/3532-164-0x0000000000000000-mapping.dmp

Download
memory/3640-161-0x0000000000000000-mapping.dmp

Download
memory/4108-165-0x0000000000000000-mapping.dmp

Download
memory/4116-166-0x0000000000000000-mapping.dmp

Download
memory/4184-159-0x0000000000000000-mapping.dmp

Download
memory/5000-158-0x0000000000000000-mapping.dmp

Download
memory/5012-153-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads