30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98

General

Target

30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe
Size

488KB
MD5

e5cb9f85899a9133ebddc238be517594
SHA1

5b5c6c28a03e9bf21fe2856f96d52841ede49b55
SHA256

30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98
SHA512

fd0e67ac7cb25f78103d575a3d5bb5b15adf80743625e43fcc8f556e29d9282d77ffd3a640d988ae0f0e0d2a86769c35881ecbaf901793610fe1e94fe9fa9bb3
SSDEEP

12288:7NhQPh82gxvXJQhKe8f/MTUgTOej1+pdOeKaJKQ:7oP4XJU8f/MjT3wdOeTKQ

Score

9^/10

evasion ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
1480	bcdedit.exe
2640	bcdedit.exe
2504	bcdedit.exe
3888	bcdedit.exe
3832	bcdedit.exe
2732	bcdedit.exe
3152	bcdedit.exe
1992	bcdedit.exe
4920	bcdedit.exe
1252	bcdedit.exe

Drops file in Drivers directory 1 IoCs

Processes:

izfowi.exe

description ioc process

File created C:\Windows\system32\drivers\e5804fc.sys izfowi.exe
Executes dropped EXE 2 IoCs

Processes:

izfowi.exeizfowi.exe

pid process

3624 izfowi.exe
1852 izfowi.exe

description	ioc	process
File created	C:\Windows\system32\drivers\e5804fc.sys	izfowi.exe

pid	process
3624	izfowi.exe
1852	izfowi.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exeizfowi.exe

description	pid	process	target process
PID 1664 set thread context of 4088	1664	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe
PID 3624 set thread context of 1852	3624	izfowi.exe	izfowi.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "147"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exeizfowi.exe

pid	process
4088	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe
4088	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe
1852	izfowi.exe
1852	izfowi.exe
1852	izfowi.exe
1852	izfowi.exe
1852	izfowi.exe
1852	izfowi.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

664
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

izfowi.exe

description pid process

Token: SeShutdownPrivilege 1852 izfowi.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exeizfowi.exeLogonUI.exe

pid process

1664 30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe
3624 izfowi.exe
4592 LogonUI.exe

pid	process
664

description	pid	process
Token: SeShutdownPrivilege	1852	izfowi.exe

pid	process
1664	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe
3624	izfowi.exe
4592	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exeizfowi.exeizfowi.exe

description	pid	process	target process
PID 1664 wrote to memory of 4088	1664	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe
PID 1664 wrote to memory of 4088	1664	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe
PID 1664 wrote to memory of 4088	1664	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe
PID 1664 wrote to memory of 4088	1664	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe
PID 1664 wrote to memory of 4088	1664	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe
PID 1664 wrote to memory of 4088	1664	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe
PID 1664 wrote to memory of 4088	1664	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe
PID 1664 wrote to memory of 4088	1664	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe
PID 1664 wrote to memory of 4088	1664	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe
PID 4088 wrote to memory of 3624	4088	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe	izfowi.exe
PID 4088 wrote to memory of 3624	4088	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe	izfowi.exe
PID 4088 wrote to memory of 3624	4088	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe	izfowi.exe
PID 3624 wrote to memory of 1852	3624	izfowi.exe	izfowi.exe
PID 3624 wrote to memory of 1852	3624	izfowi.exe	izfowi.exe
PID 3624 wrote to memory of 1852	3624	izfowi.exe	izfowi.exe
PID 3624 wrote to memory of 1852	3624	izfowi.exe	izfowi.exe
PID 3624 wrote to memory of 1852	3624	izfowi.exe	izfowi.exe
PID 3624 wrote to memory of 1852	3624	izfowi.exe	izfowi.exe
PID 3624 wrote to memory of 1852	3624	izfowi.exe	izfowi.exe
PID 3624 wrote to memory of 1852	3624	izfowi.exe	izfowi.exe
PID 3624 wrote to memory of 1852	3624	izfowi.exe	izfowi.exe
PID 4088 wrote to memory of 4896	4088	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe	cmd.exe
PID 4088 wrote to memory of 4896	4088	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe	cmd.exe
PID 4088 wrote to memory of 4896	4088	30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe	cmd.exe
PID 1852 wrote to memory of 1480	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 1480	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 2640	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 2640	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 2504	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 2504	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 3888	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 3888	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 3832	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 3832	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 2732	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 2732	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 3152	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 3152	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 1992	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 1992	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 4920	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 4920	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 1252	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 1252	1852	izfowi.exe	bcdedit.exe
PID 1852 wrote to memory of 2460	1852	izfowi.exe	sihost.exe
PID 1852 wrote to memory of 2460	1852	izfowi.exe	sihost.exe
PID 1852 wrote to memory of 2460	1852	izfowi.exe	sihost.exe
PID 1852 wrote to memory of 2460	1852	izfowi.exe	sihost.exe
PID 1852 wrote to memory of 2460	1852	izfowi.exe	sihost.exe
PID 1852 wrote to memory of 2480	1852	izfowi.exe	svchost.exe
PID 1852 wrote to memory of 2480	1852	izfowi.exe	svchost.exe
PID 1852 wrote to memory of 2480	1852	izfowi.exe	svchost.exe
PID 1852 wrote to memory of 2480	1852	izfowi.exe	svchost.exe
PID 1852 wrote to memory of 2480	1852	izfowi.exe	svchost.exe
PID 1852 wrote to memory of 2656	1852	izfowi.exe	taskhostw.exe
PID 1852 wrote to memory of 2656	1852	izfowi.exe	taskhostw.exe
PID 1852 wrote to memory of 2656	1852	izfowi.exe	taskhostw.exe
PID 1852 wrote to memory of 2656	1852	izfowi.exe	taskhostw.exe
PID 1852 wrote to memory of 2656	1852	izfowi.exe	taskhostw.exe
PID 1852 wrote to memory of 2644	1852	izfowi.exe	Explorer.EXE
PID 1852 wrote to memory of 2644	1852	izfowi.exe	Explorer.EXE
PID 1852 wrote to memory of 2644	1852	izfowi.exe	Explorer.EXE
PID 1852 wrote to memory of 2644	1852	izfowi.exe	Explorer.EXE
PID 1852 wrote to memory of 2644	1852	izfowi.exe	Explorer.EXE

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3264

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3356

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3420

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1464

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4652

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3776

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:760

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe
"C:\Users\Admin\AppData\Local\Temp\30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe
"C:\Users\Admin\AppData\Local\Temp\30f1628ecd7dcfa5d0163c6041607ec45d2ced3a8b146e09a9a1b65b9728ea98.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4088

C:\Users\Admin\AppData\Local\Temp\Mamuup\izfowi.exe
"C:\Users\Admin\AppData\Local\Temp\Mamuup\izfowi.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3624

C:\Users\Admin\AppData\Local\Temp\Mamuup\izfowi.exe
"C:\Users\Admin\AppData\Local\Temp\Mamuup\izfowi.exe"
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:1480

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:2640

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:2504

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:3888

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:3832

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:2732

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:3152

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:1992

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:4920

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
6⤵
- Modifies boot configuration data using bcdedit
PID:1252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\PTBE1BD.bat"
4⤵
PID:4896

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2480

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2460

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3660

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39af055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mamuup\izfowi.exe
Filesize
488KB

MD5
91ce10ccc7ea9923ffed8a43dfe253b8

SHA1
05c9d3e25db535c1b2385531ee657fdeeaa57009

SHA256
ae68a24fbfb631e830a722377089c4b9d0aabdcb1843534cbc769eca4c658fd6

SHA512
28a73c9e0b7a472eb57b3f43cdc991efb24f98ced3fe46d630532ea8b03a34f40097f8b596096b46781a73bd2ee17e4fa15c6555745501a2d93007be78c01623

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mamuup\izfowi.exe
Filesize
488KB

MD5
91ce10ccc7ea9923ffed8a43dfe253b8

SHA1
05c9d3e25db535c1b2385531ee657fdeeaa57009

SHA256
ae68a24fbfb631e830a722377089c4b9d0aabdcb1843534cbc769eca4c658fd6

SHA512
28a73c9e0b7a472eb57b3f43cdc991efb24f98ced3fe46d630532ea8b03a34f40097f8b596096b46781a73bd2ee17e4fa15c6555745501a2d93007be78c01623

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mamuup\izfowi.exe
Filesize
488KB

MD5
91ce10ccc7ea9923ffed8a43dfe253b8

SHA1
05c9d3e25db535c1b2385531ee657fdeeaa57009

SHA256
ae68a24fbfb631e830a722377089c4b9d0aabdcb1843534cbc769eca4c658fd6

SHA512
28a73c9e0b7a472eb57b3f43cdc991efb24f98ced3fe46d630532ea8b03a34f40097f8b596096b46781a73bd2ee17e4fa15c6555745501a2d93007be78c01623

Download Submit
C:\Users\Admin\AppData\Local\Temp\PTBE1BD.bat
Filesize
303B

MD5
14ae694fad78df85a99d76ebdcb7272d

SHA1
55ac06622e6ddc1f83ecc11e839ae0007671d358

SHA256
0e56c03b95acf3df40d9c5e369e87404ad93d4059fa7435c67ebaaacf9bcf295

SHA512
1084e9a96ccbe52eb84b5146e96ddf7c45d4e52204eca63af11846d9f16dd72ab632fc0c5c7c2338235a4ed8f0e15e9108f29fcd5724355132be4d47bf5099c3

Download Submit
memory/1252-166-0x0000000000000000-mapping.dmp

Download
memory/1480-157-0x0000000000000000-mapping.dmp

Download
memory/1852-154-0x0000000002DA0000-0x0000000002DA6000-memory.dmp

Filesize
24KB

Download
memory/1852-167-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1852-168-0x0000000002DA0000-0x0000000002DA6000-memory.dmp

Filesize
24KB

Download
memory/1852-146-0x0000000000000000-mapping.dmp

Download
memory/1852-149-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1852-150-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1852-151-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1992-164-0x0000000000000000-mapping.dmp

Download
memory/2504-159-0x0000000000000000-mapping.dmp

Download
memory/2640-158-0x0000000000000000-mapping.dmp

Download
memory/2732-162-0x0000000000000000-mapping.dmp

Download
memory/3152-163-0x0000000000000000-mapping.dmp

Download
memory/3624-141-0x0000000000000000-mapping.dmp

Download
memory/3832-161-0x0000000000000000-mapping.dmp

Download
memory/3888-160-0x0000000000000000-mapping.dmp

Download
memory/4088-155-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4088-152-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4088-134-0x0000000000000000-mapping.dmp

Download
memory/4088-140-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4088-139-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4088-138-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4088-137-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4088-136-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4088-135-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4896-153-0x0000000000000000-mapping.dmp

Download
memory/4920-165-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads