latentbot | 572e7490570d77c3f37b52fd65dfe7eaa4d46cd716581640b567662a1fbd4831

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe
Size

810KB
MD5

0eb8062d3c7a14a325a2e5d8c325f0ba
SHA1

18988994bee5da320a137e4e7bb4ec3ef67f4fd6
SHA256

572e7490570d77c3f37b52fd65dfe7eaa4d46cd716581640b567662a1fbd4831
SHA512

22012f6166f694e0407a87f741c4064a7f2acadf22104a63f47686977327f2c7b59d3e16db5b55b18042e2a9c5c7ffc906306c4253233504a98b450c7f8e7810
SSDEEP

12288:pC6Ut6RJ9mbupafIKsFzq3+lBxnX2Hf4CmmeKc1ett18n4SytyUkmgKGMsd28AeG:9MYMC2IBdUtCgiTyQdbHz3+SH4uG

Score

10^/10

latentbot evasion trojan upx

Malware Config

Extracted

Family

latentbot

2easydung69.zapto.org

3easydung69.zapto.org

4easydung69.zapto.org

5easydung69.zapto.org

6easydung69.zapto.org

7easydung69.zapto.org

8easydung69.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\taskmgr.exe = "C:\\Users\\Admin\\AppData\\Roaming\\taskmgr.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\cvs.exe = "C:\\Users\\Admin\\AppData\\Roaming\\cvs.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe	0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes1181.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe	0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes1181.exe

Executes dropped EXE 2 IoCs

pid	Process
2304	taskmgr.exe
2232	0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes1181.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2304-5-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/2304-10-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/2304-11-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/2304-38-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/2304-39-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/2304-40-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/2304-42-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/2304-43-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/2304-44-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/2304-46-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/2304-47-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/2304-51-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/2304-52-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/2304-55-0x0000000000400000-0x0000000000476000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3664 set thread context of 2304	3664	0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3172	reg.exe
1472	reg.exe
3112	reg.exe
2648	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2304	taskmgr.exe
Token: SeCreateTokenPrivilege	2304	taskmgr.exe
Token: SeAssignPrimaryTokenPrivilege	2304	taskmgr.exe
Token: SeLockMemoryPrivilege	2304	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	2304	taskmgr.exe
Token: SeMachineAccountPrivilege	2304	taskmgr.exe
Token: SeTcbPrivilege	2304	taskmgr.exe
Token: SeSecurityPrivilege	2304	taskmgr.exe
Token: SeTakeOwnershipPrivilege	2304	taskmgr.exe
Token: SeLoadDriverPrivilege	2304	taskmgr.exe
Token: SeSystemProfilePrivilege	2304	taskmgr.exe
Token: SeSystemtimePrivilege	2304	taskmgr.exe
Token: SeProfSingleProcessPrivilege	2304	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2304	taskmgr.exe
Token: SeCreatePagefilePrivilege	2304	taskmgr.exe
Token: SeCreatePermanentPrivilege	2304	taskmgr.exe
Token: SeBackupPrivilege	2304	taskmgr.exe
Token: SeRestorePrivilege	2304	taskmgr.exe
Token: SeShutdownPrivilege	2304	taskmgr.exe
Token: SeDebugPrivilege	2304	taskmgr.exe
Token: SeAuditPrivilege	2304	taskmgr.exe
Token: SeSystemEnvironmentPrivilege	2304	taskmgr.exe
Token: SeChangeNotifyPrivilege	2304	taskmgr.exe
Token: SeRemoteShutdownPrivilege	2304	taskmgr.exe
Token: SeUndockPrivilege	2304	taskmgr.exe
Token: SeSyncAgentPrivilege	2304	taskmgr.exe
Token: SeEnableDelegationPrivilege	2304	taskmgr.exe
Token: SeManageVolumePrivilege	2304	taskmgr.exe
Token: SeImpersonatePrivilege	2304	taskmgr.exe
Token: SeCreateGlobalPrivilege	2304	taskmgr.exe
Token: 31	2304	taskmgr.exe
Token: 32	2304	taskmgr.exe
Token: 33	2304	taskmgr.exe
Token: 34	2304	taskmgr.exe
Token: 35	2304	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2304	taskmgr.exe
2304	taskmgr.exe
2304	taskmgr.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 2304	3664	0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe	80
PID 3664 wrote to memory of 2304	3664	0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe	80
PID 3664 wrote to memory of 2304	3664	0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe	80
PID 3664 wrote to memory of 2304	3664	0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe	80
PID 3664 wrote to memory of 2304	3664	0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe	80
PID 3664 wrote to memory of 2304	3664	0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe	80
PID 3664 wrote to memory of 2304	3664	0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe	80
PID 3664 wrote to memory of 2304	3664	0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe	80
PID 2304 wrote to memory of 1108	2304	taskmgr.exe	81
PID 2304 wrote to memory of 1108	2304	taskmgr.exe	81
PID 2304 wrote to memory of 1108	2304	taskmgr.exe	81
PID 2304 wrote to memory of 2172	2304	taskmgr.exe	82
PID 2304 wrote to memory of 2172	2304	taskmgr.exe	82
PID 2304 wrote to memory of 2172	2304	taskmgr.exe	82
PID 2304 wrote to memory of 4208	2304	taskmgr.exe	83
PID 2304 wrote to memory of 4208	2304	taskmgr.exe	83
PID 2304 wrote to memory of 4208	2304	taskmgr.exe	83
PID 2304 wrote to memory of 1532	2304	taskmgr.exe	84
PID 2304 wrote to memory of 1532	2304	taskmgr.exe	84
PID 2304 wrote to memory of 1532	2304	taskmgr.exe	84
PID 3664 wrote to memory of 1588	3664	0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe	89
PID 3664 wrote to memory of 1588	3664	0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe	89
PID 3664 wrote to memory of 1588	3664	0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe	89
PID 2172 wrote to memory of 1472	2172	cmd.exe	91
PID 2172 wrote to memory of 1472	2172	cmd.exe	91
PID 2172 wrote to memory of 1472	2172	cmd.exe	91
PID 4208 wrote to memory of 3112	4208	cmd.exe	92
PID 4208 wrote to memory of 3112	4208	cmd.exe	92
PID 4208 wrote to memory of 3112	4208	cmd.exe	92
PID 1532 wrote to memory of 2648	1532	cmd.exe	94
PID 1532 wrote to memory of 2648	1532	cmd.exe	94
PID 1532 wrote to memory of 2648	1532	cmd.exe	94
PID 1108 wrote to memory of 3172	1108	cmd.exe	93
PID 1108 wrote to memory of 3172	1108	cmd.exe	93
PID 1108 wrote to memory of 3172	1108	cmd.exe	93
PID 1588 wrote to memory of 3288	1588	vbc.exe	95
PID 1588 wrote to memory of 3288	1588	vbc.exe	95
PID 1588 wrote to memory of 3288	1588	vbc.exe	95
PID 3664 wrote to memory of 2232	3664	0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe	96
PID 3664 wrote to memory of 2232	3664	0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe	96
PID 3664 wrote to memory of 2232	3664	0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe	96

C:\Users\Admin\AppData\Local\Temp\0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Users\Admin\AppData\Roaming\taskmgr.exe
  C:\Users\Admin\AppData\Roaming\taskmgr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:3172
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\taskmgr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\taskmgr.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\taskmgr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\taskmgr.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:3112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\cvs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cvs.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\cvs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cvs.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2648
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a9nksqgq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc805205E07F924C4DBD925EA73A57B37F.TMP"
    3⤵
    PID:3288
- C:\Users\Admin\AppData\Roaming\0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes1181.exe
  "C:\Users\Admin\AppData\Roaming\0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes1181.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES52C3.tmp

Filesize
1KB

MD5
5662bda890ac6e3ebbc497ea43035c84

SHA1
9c1a2bf05f42caeea8fe48baf3c69f12a5c5bbd6

SHA256
63b8405938ec22458fdeb6b5133cca23e5ccd62ef2e5cf7faf54b3a760150d11

SHA512
bedf7f5ccc6bf40e9879acb69dc8c0ab0b624bcad1e8281288748dae4f71a3055efa2e660ee56fae9c28cf0626828256cb22bebb86861a2ccadc26f37f3b7b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9nksqgq.0.vb

Filesize
381B

MD5
1049a2311cdb66f3af6111ce8096a7c5

SHA1
84c6cb31407639351fe96203eeea848765b77e09

SHA256
3518c3c4d7186e037404595ecaab82f5eebafc00828fbe44a57a82166b0b3893

SHA512
5e33ac030c1fc83c0f67fcbaf018ad2abb7422dd3e032492179263984de4e608923d49cef35bfcb7fd488092671a0c2159cb04962b73038900ebfb94f1c7f74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9nksqgq.cmdline

Filesize
235B

MD5
630193a9473f23ac8ebbd47c1e45b484

SHA1
99ee169738efebaee34c3703966f5464b27a83e8

SHA256
e95f33afcd61d1e669f5eef9ba4acc62478c74468bfe9aca78b95c68dd782a81

SHA512
c473ea37b2f76fc2f914020fe9c0ef87d274b323b13e1347786072bb13d35a9e933795cbc08eb5f7d78bce2a631ad2370460bd967e8552c7e4781308073c8a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc805205E07F924C4DBD925EA73A57B37F.TMP

Filesize
804B

MD5
808f1f55b7a943e385b4a5e7381aa983

SHA1
23531226db4edf6d508d1ee474b475158fd99d44

SHA256
dda6580d45f9e572c9bb3b1faff4ec29d09fe191809d6388c1088b5bd3b94777

SHA512
419da80b6d2ed147bb4382adcc8f17395a703b4fdd5e8f590cd020de1314f461688a3a1cf9c5ed80c5a1e8b2f31d1aba45177b1417bd16f416570c8ba9a5ddca

Download Submit
C:\Users\Admin\AppData\Roaming\0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes118.exe

Filesize
810KB

MD5
0eb8062d3c7a14a325a2e5d8c325f0ba

SHA1
18988994bee5da320a137e4e7bb4ec3ef67f4fd6

SHA256
572e7490570d77c3f37b52fd65dfe7eaa4d46cd716581640b567662a1fbd4831

SHA512
22012f6166f694e0407a87f741c4064a7f2acadf22104a63f47686977327f2c7b59d3e16db5b55b18042e2a9c5c7ffc906306c4253233504a98b450c7f8e7810

Download Submit
C:\Users\Admin\AppData\Roaming\0eb8062d3c7a14a325a2e5d8c325f0ba_JaffaCakes1181.exe

Filesize
6KB

MD5
17036855492b57ede33eb560df351f0e

SHA1
b75aee7abfa92ee312e3747061624cfd1669387a

SHA256
54aace3b7343c159fcdc8e5d762a90ad313a25b253339c241ffc5868010f9f0f

SHA512
0bcdb667e8c0ad14d2cc6dc0303d2913aced429e1f063454c11747837bd28436d9ad668629348cd827f3bbe170139f62621b612d890434c1ea72342c8f713f43

Download Submit
C:\Users\Admin\AppData\Roaming\taskmgr.exe

Filesize
12KB

MD5
d4d99a39dbcf8d2a6a3fd7c52a29ad68

SHA1
128301ca279d7cf9f0a5bd6b6105ff5d2f4e76f3

SHA256
04f15f3cd3bcde2293f5619a1e3bcafbaffb4e6a6be61d095dda319f181dcfbd

SHA512
314401336944460ec4bf9c2005d53f34fcdb871d345f62c10b28483a4b0663476b0d28757e857cd0eb6639eb36b10d2548343fde136f367b84ed13e0b2f9baf9

Download Submit
memory/2304-43-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2304-46-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2304-10-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2304-5-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2304-55-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2304-52-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2304-51-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2304-38-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2304-39-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2304-40-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2304-42-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2304-47-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2304-44-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2304-11-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3664-0-0x0000000074D52000-0x0000000074D53000-memory.dmp

Filesize
4KB

Download
memory/3664-1-0x0000000074D50000-0x0000000075301000-memory.dmp

Filesize
5.7MB

Download
memory/3664-34-0x0000000074D50000-0x0000000075301000-memory.dmp

Filesize
5.7MB

Download
memory/3664-2-0x0000000074D50000-0x0000000075301000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads