5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5

Analysis

max time kernel
46s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 22:34

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5.exe
Size

50KB
MD5

381da20afb7a5cfd4c7574faea82da3a
SHA1

34458e430b147540a508474e6531016540bb4bf0
SHA256

5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5
SHA512

974258bb044869ceb6cc90062f1d10e8586a945cc87b106971d98686d50d43e95f41781be81e06161acd1c9d3fdac8229b02157311d13c0e8839411d3bf97451
SSDEEP

768:LZ+Zxe90i19C92eocaWTmNtY6coZOu5dGcTYKBZUkhkPZoMi/M6rm0ZO:LaiZ19C92eocaWTKtNJZOu5EFgZHQ816

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2188	bcdedit.exe
1184	bcdedit.exe
1908	bcdedit.exe
3388	bcdedit.exe
2396	bcdedit.exe
720	bcdedit.exe
508	bcdedit.exe
4728	bcdedit.exe
1084	bcdedit.exe
4852	bcdedit.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\e574d35.sys	ahweko.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	lcm.exe

Executes dropped EXE 3 IoCs

pid	Process
1960	lcm.exe
1196	lsias.exe
2688	ahweko.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ahweko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ijle\\ahweko.exe"	ahweko.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1196 set thread context of 2404	1196	lsias.exe	118

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1220	1196	WerFault.exe	94

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "125"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1196	lsias.exe
1196	lsias.exe
2688	ahweko.exe
2688	ahweko.exe
2688	ahweko.exe
2688	ahweko.exe
2688	ahweko.exe
2688	ahweko.exe
2688	ahweko.exe
2688	ahweko.exe
2688	ahweko.exe
2688	ahweko.exe
2688	ahweko.exe
2688	ahweko.exe
2688	ahweko.exe
2688	ahweko.exe
2688	ahweko.exe
2688	ahweko.exe
2688	ahweko.exe
2688	ahweko.exe
2688	ahweko.exe
2688	ahweko.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2688	ahweko.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2396	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 1960	2180	5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5.exe	88
PID 2180 wrote to memory of 1960	2180	5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5.exe	88
PID 2180 wrote to memory of 1960	2180	5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5.exe	88
PID 1960 wrote to memory of 1196	1960	lcm.exe	94
PID 1960 wrote to memory of 1196	1960	lcm.exe	94
PID 1960 wrote to memory of 1196	1960	lcm.exe	94
PID 1196 wrote to memory of 2688	1196	lsias.exe	95
PID 1196 wrote to memory of 2688	1196	lsias.exe	95
PID 1196 wrote to memory of 2688	1196	lsias.exe	95
PID 2688 wrote to memory of 2188	2688	ahweko.exe	96
PID 2688 wrote to memory of 2188	2688	ahweko.exe	96
PID 2688 wrote to memory of 1084	2688	ahweko.exe	97
PID 2688 wrote to memory of 1084	2688	ahweko.exe	97
PID 2688 wrote to memory of 4728	2688	ahweko.exe	98
PID 2688 wrote to memory of 4728	2688	ahweko.exe	98
PID 2688 wrote to memory of 508	2688	ahweko.exe	99
PID 2688 wrote to memory of 508	2688	ahweko.exe	99
PID 2688 wrote to memory of 2396	2688	ahweko.exe	100
PID 2688 wrote to memory of 2396	2688	ahweko.exe	100
PID 2688 wrote to memory of 3388	2688	ahweko.exe	101
PID 2688 wrote to memory of 3388	2688	ahweko.exe	101
PID 2688 wrote to memory of 1908	2688	ahweko.exe	102
PID 2688 wrote to memory of 1908	2688	ahweko.exe	102
PID 2688 wrote to memory of 1184	2688	ahweko.exe	103
PID 2688 wrote to memory of 1184	2688	ahweko.exe	103
PID 2688 wrote to memory of 720	2688	ahweko.exe	105
PID 2688 wrote to memory of 720	2688	ahweko.exe	105
PID 2688 wrote to memory of 4852	2688	ahweko.exe	106
PID 2688 wrote to memory of 4852	2688	ahweko.exe	106
PID 2688 wrote to memory of 2836	2688	ahweko.exe	51
PID 2688 wrote to memory of 2836	2688	ahweko.exe	51
PID 2688 wrote to memory of 2836	2688	ahweko.exe	51
PID 2688 wrote to memory of 2836	2688	ahweko.exe	51
PID 2688 wrote to memory of 2836	2688	ahweko.exe	51
PID 2688 wrote to memory of 2920	2688	ahweko.exe	52
PID 2688 wrote to memory of 2920	2688	ahweko.exe	52
PID 2688 wrote to memory of 2920	2688	ahweko.exe	52
PID 2688 wrote to memory of 2920	2688	ahweko.exe	52
PID 2688 wrote to memory of 2920	2688	ahweko.exe	52
PID 2688 wrote to memory of 3080	2688	ahweko.exe	54
PID 2688 wrote to memory of 3080	2688	ahweko.exe	54
PID 2688 wrote to memory of 3080	2688	ahweko.exe	54
PID 2688 wrote to memory of 3080	2688	ahweko.exe	54
PID 2688 wrote to memory of 3080	2688	ahweko.exe	54
PID 2688 wrote to memory of 3496	2688	ahweko.exe	57
PID 2688 wrote to memory of 3496	2688	ahweko.exe	57
PID 2688 wrote to memory of 3496	2688	ahweko.exe	57
PID 2688 wrote to memory of 3496	2688	ahweko.exe	57
PID 2688 wrote to memory of 3496	2688	ahweko.exe	57
PID 2688 wrote to memory of 3612	2688	ahweko.exe	58
PID 2688 wrote to memory of 3612	2688	ahweko.exe	58
PID 2688 wrote to memory of 3612	2688	ahweko.exe	58
PID 2688 wrote to memory of 3612	2688	ahweko.exe	58
PID 2688 wrote to memory of 3612	2688	ahweko.exe	58
PID 2688 wrote to memory of 3816	2688	ahweko.exe	59
PID 2688 wrote to memory of 3816	2688	ahweko.exe	59
PID 2688 wrote to memory of 3816	2688	ahweko.exe	59
PID 2688 wrote to memory of 3816	2688	ahweko.exe	59
PID 2688 wrote to memory of 3816	2688	ahweko.exe	59
PID 2688 wrote to memory of 3908	2688	ahweko.exe	60
PID 2688 wrote to memory of 3908	2688	ahweko.exe	60
PID 2688 wrote to memory of 3908	2688	ahweko.exe	60
PID 2688 wrote to memory of 3908	2688	ahweko.exe	60
PID 2688 wrote to memory of 3908	2688	ahweko.exe	60

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2920

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3080

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3496
- C:\Users\Admin\AppData\Local\Temp\5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5.exe
  "C:\Users\Admin\AppData\Local\Temp\5de4db7670dd11f2f3e1873fe5a87349c2676739912fd92b671fa1432d4461f5.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\lcm.exe
    "C:\Users\Admin\AppData\Local\Temp\lcm.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\lsias.exe
      "C:\Users\Admin\AppData\Local\Temp\lsias.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1196
    - - C:\Users\Admin\AppData\Local\Temp\Ijle\ahweko.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ijle\ahweko.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2188
      - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1084
      - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:4728
      - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:508
      - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2396
      - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3388
      - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1908
      - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1184
      - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:720
      - C:\Windows\SYSTEM32\bcdedit.exe
        
        bcdedit.exe -set TESTSIGNING ON
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:4852
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\WBE3847.bat"
        5⤵
        
        PID:2404
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 796
        5⤵
        Program crash
        
        PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3612

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3816

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3908

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3972

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4060

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3508

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3228

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3652

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:3928

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1840

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3568

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4948

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2004

C:\Windows\System32\wuapihost.exe
C:\Windows\System32\wuapihost.exe -Embedding
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1196 -ip 1196
1⤵
PID:1308

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3957055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2396

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ijle\ahweko.exe

Filesize
593KB

MD5
099b0c5fc2af83e084992921f23cbdc6

SHA1
d36d4e6d4b9f36062f98482d0122df4108c3564a

SHA256
d06016bad24f81d2feaa6ea03626c0d2f6a731c06ff55421d258ad7c1c979792

SHA512
04f2625ff11c7606515fd7b47b0b13e1a0a2f09d8acea8a499436ecc4fc050d3cc8e504ef83719fe3e249de505798beac6321a9dc5deb3452c487a7047df0609

Download Submit
C:\Users\Admin\AppData\Local\Temp\WBE3847.bat

Filesize
185B

MD5
1ca7c65e40f7fa6e83c94a0451dbb89f

SHA1
d8317600278e474559924727c1afd127fa600811

SHA256
b4c39c651ea9edb140e645b521edf013205972991d7c0f3c08c03b5d6d22230e

SHA512
751f9eee985e9d5609b6ee72b9e75b11d2142e905a21d8c251f4f0a3896903b80ca691fca210eb1a69aa62d010b51304f8781d404daa627071e4331605b65c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcm.exe

Filesize
50KB

MD5
a3f062366e42df2ce2fbd7f73fb0c47c

SHA1
0f2f2277e12da12f21b7bf32c1716854a955c102

SHA256
9d5259b14ef67de963442801822d598c722667010d0c835847508b9b8aa3b50e

SHA512
9e6ac17121236129692d86d6a250e556459e013dba8e2df0b1d5c46d1b30caacde08df13269820d00651a97d931dcb8e035c8132dba87a12713b057ededc5077

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsias.exe

Filesize
593KB

MD5
b765fa6dafe847a21badd35b2db70ce0

SHA1
8de082342547052dbe43bf9d9df0ec5fc4586eb9

SHA256
b943dea63930db983b6d4524dbecf76bc94ece24bc68ee69a658c3e05164ffb9

SHA512
4ccdc9bad6e957f5df3f7ccb3cd11085b44fa234334dacbf042ec942ed67b244178681426f85d38d7ca4c5583d5b546a5c43ba6d6c098d5f63522ed06c99c674

Download Submit
memory/1196-65-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1196-44-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1196-21-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1196-25-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1196-19-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1196-47-0x0000000002250000-0x00000000022BD000-memory.dmp

Filesize
436KB

Download
memory/1196-46-0x0000000002250000-0x00000000022BD000-memory.dmp

Filesize
436KB

Download
memory/1196-38-0x0000000002250000-0x00000000022BD000-memory.dmp

Filesize
436KB

Download
memory/1196-42-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1196-39-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1196-43-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1196-41-0x0000000002250000-0x00000000022BD000-memory.dmp

Filesize
436KB

Download
memory/1196-40-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1196-20-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1196-45-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1960-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2180-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2404-60-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2404-63-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2404-66-0x0000000001360000-0x00000000013CD000-memory.dmp

Filesize
436KB

Download
memory/2404-57-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2404-58-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2404-59-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2404-64-0x0000000001360000-0x00000000013CD000-memory.dmp

Filesize
436KB

Download
memory/2404-61-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2404-62-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2404-52-0x0000000001360000-0x00000000013CD000-memory.dmp

Filesize
436KB

Download
memory/2688-50-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2688-37-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/2688-51-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2688-31-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2688-68-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2688-69-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2688-70-0x0000000000480000-0x0000000000486000-memory.dmp

Filesize
24KB

Download
memory/2688-72-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads