latentbot | e4e243d911cc3c0d1fc1b9c4d95e777b9b3f882d11c4c81d1381337b9f01e8db

Analysis

max time kernel
144s
max time network
136s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23-07-2024 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe
Size

1.3MB
MD5

680c0b2f25eab7d5a39b62a0cc874473
SHA1

92a5d2651b64e8bfed7f10ccea883ae772fb77c9
SHA256

e4e243d911cc3c0d1fc1b9c4d95e777b9b3f882d11c4c81d1381337b9f01e8db
SHA512

8e3bbbe20b210a0899cc903746d644f5220bc31ba9fa26f37cc3b125f5446630ffa89248dd6f0ddb36b4b53eff483b3bd59d9ed654f8879ece09e98debad793e
SSDEEP

24576:VvZFbOYu0bR70JAWXB6CuGh4A2UpqVLWzr80+5OS+cPs7LMxLt:VvZFbOYTR706WxNuGuA29Wzri5n+nLc

Score

10^/10

latentbot discovery persistence trojan

Malware Config

Extracted

Family

latentbot

fly4butterfly.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Print Services = "C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe"	vbc.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5FE5DBB-C34A-C4DE-B063-1DF00B9A2F9D}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5FE5DBB-C34A-C4DE-B063-1DF00B9A2F9D}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{F5FE5DBB-C34A-C4DE-B063-1DF00B9A2F9D}	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Active Setup\Installed Components\{F5FE5DBB-C34A-C4DE-B063-1DF00B9A2F9D}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe"	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Print Services = "C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Print Services = "C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 2612	2676	680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2064	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2064	vlc.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2612	vbc.exe
Token: SeCreateTokenPrivilege	2612	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2612	vbc.exe
Token: SeLockMemoryPrivilege	2612	vbc.exe
Token: SeIncreaseQuotaPrivilege	2612	vbc.exe
Token: SeMachineAccountPrivilege	2612	vbc.exe
Token: SeTcbPrivilege	2612	vbc.exe
Token: SeSecurityPrivilege	2612	vbc.exe
Token: SeTakeOwnershipPrivilege	2612	vbc.exe
Token: SeLoadDriverPrivilege	2612	vbc.exe
Token: SeSystemProfilePrivilege	2612	vbc.exe
Token: SeSystemtimePrivilege	2612	vbc.exe
Token: SeProfSingleProcessPrivilege	2612	vbc.exe
Token: SeIncBasePriorityPrivilege	2612	vbc.exe
Token: SeCreatePagefilePrivilege	2612	vbc.exe
Token: SeCreatePermanentPrivilege	2612	vbc.exe
Token: SeBackupPrivilege	2612	vbc.exe
Token: SeRestorePrivilege	2612	vbc.exe
Token: SeShutdownPrivilege	2612	vbc.exe
Token: SeDebugPrivilege	2612	vbc.exe
Token: SeAuditPrivilege	2612	vbc.exe
Token: SeSystemEnvironmentPrivilege	2612	vbc.exe
Token: SeChangeNotifyPrivilege	2612	vbc.exe
Token: SeRemoteShutdownPrivilege	2612	vbc.exe
Token: SeUndockPrivilege	2612	vbc.exe
Token: SeSyncAgentPrivilege	2612	vbc.exe
Token: SeEnableDelegationPrivilege	2612	vbc.exe
Token: SeManageVolumePrivilege	2612	vbc.exe
Token: SeImpersonatePrivilege	2612	vbc.exe
Token: SeCreateGlobalPrivilege	2612	vbc.exe
Token: 31	2612	vbc.exe
Token: 32	2612	vbc.exe
Token: 33	2612	vbc.exe
Token: 34	2612	vbc.exe
Token: 35	2612	vbc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe
2064	vlc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2612	vbc.exe
2612	vbc.exe
2064	vlc.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2616	2676	680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2616	2676	680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2616	2676	680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2616	2676	680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2616	2676	680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2616	2676	680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2616	2676	680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2612	2676	680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2612	2676	680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2612	2676	680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2612	2676	680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2612	2676	680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2612	2676	680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2612	2676	680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2612	2676	680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe	31
PID 2616 wrote to memory of 3024	2616	rundll32.exe	32
PID 2616 wrote to memory of 3024	2616	rundll32.exe	32
PID 2616 wrote to memory of 3024	2616	rundll32.exe	32
PID 2616 wrote to memory of 3024	2616	rundll32.exe	32
PID 2616 wrote to memory of 3024	2616	rundll32.exe	32
PID 2616 wrote to memory of 3024	2616	rundll32.exe	32
PID 2616 wrote to memory of 3024	2616	rundll32.exe	32
PID 3024 wrote to memory of 2064	3024	rundll32.exe	34
PID 3024 wrote to memory of 2064	3024	rundll32.exe	34
PID 3024 wrote to memory of 2064	3024	rundll32.exe	34
PID 3024 wrote to memory of 2064	3024	rundll32.exe	34

C:\Users\Admin\AppData\Local\Temp\680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\680c0b2f25eab7d5a39b62a0cc874473_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Titanium.Backup.PRO.v3.7.4.1.rar
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Titanium.Backup.PRO.v3.7.4.1.rar
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Titanium.Backup.PRO.v3.7.4.1.rar"
      4⤵
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2064
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Titanium.Backup.PRO.v3.7.4.1.rar

Filesize
1.9MB

MD5
226482579dcb8db851ab411d308f1d55

SHA1
d88280c153e008f6f03c6aa06c7ddda76bed27dd

SHA256
276edb00457b5280597119cd9e5c08afb1a4bc846c4e9725e8e98ec1c82399be

SHA512
b7087f574268c370456afc41b00d93039c9da7af6f5142f9834634571b2c4564940e83d299e59c9350b7e35ea24d07a3dc491bf60d0a0500cf74187bf3114473

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.Uh2064

Filesize
216B

MD5
38870f101e7f8bf29bbdf299448e259c

SHA1
9720754b51ce16e571e37fac2b9b1a93f81c259c

SHA256
10aca19a17db4fea07b6c96479dd2a3c9e027549fb87f32230b9f45d179c2e9d

SHA512
95e8e10e77bfcdfe806f865e8704c76ed955d505fb4f288e95cd8fb5a49bba538219bc634532140e2c00bb2f3876a8b9b7c7b549e68c5fcf96fbc2845566b931

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
cebfe8b37dae9cfaf1c9d15f653605d0

SHA1
105c41d1fc48452fff70608d600f451aa487fd51

SHA256
a01a5fc5358ae85d4c96f32ba49d00fa25f5a12af59bed71ad5a79a006da345b

SHA512
24cac23a9b7bcf15938d17fc80793772921ec69a5bc98b887e2d1d8f8b4905cdec63b0d05fbcbf7c3ae679271c796db1a1a8a8f35b1afc471d278d44d9bdd3ba

Download Submit
memory/2064-79-0x000007FEF1ED0000-0x000007FEF1EE1000-memory.dmp

Filesize
68KB

Download
memory/2064-40-0x000007FEFAB30000-0x000007FEFAB47000-memory.dmp

Filesize
92KB

Download
memory/2064-77-0x000007FEF3810000-0x000007FEF3822000-memory.dmp

Filesize
72KB

Download
memory/2064-48-0x000007FEF64C0000-0x000007FEF6501000-memory.dmp

Filesize
260KB

Download
memory/2064-49-0x000007FEF6490000-0x000007FEF64B1000-memory.dmp

Filesize
132KB

Download
memory/2064-50-0x000007FEF7010000-0x000007FEF7028000-memory.dmp

Filesize
96KB

Download
memory/2064-51-0x000007FEF5FC0000-0x000007FEF5FD1000-memory.dmp

Filesize
68KB

Download
memory/2064-52-0x000007FEF5AC0000-0x000007FEF5AD1000-memory.dmp

Filesize
68KB

Download
memory/2064-53-0x000007FEF5AA0000-0x000007FEF5AB1000-memory.dmp

Filesize
68KB

Download
memory/2064-37-0x000007FEFA9A0000-0x000007FEFA9D4000-memory.dmp

Filesize
208KB

Download
memory/2064-36-0x000000013F8C0000-0x000000013F9B8000-memory.dmp

Filesize
992KB

Download
memory/2064-42-0x000007FEFAAF0000-0x000007FEFAB07000-memory.dmp

Filesize
92KB

Download
memory/2064-41-0x000007FEFAB10000-0x000007FEFAB21000-memory.dmp

Filesize
68KB

Download
memory/2064-75-0x000007FEF3860000-0x000007FEF3876000-memory.dmp

Filesize
88KB

Download
memory/2064-43-0x000007FEFAAD0000-0x000007FEFAAE1000-memory.dmp

Filesize
68KB

Download
memory/2064-39-0x000007FEFAC90000-0x000007FEFACA8000-memory.dmp

Filesize
96KB

Download
memory/2064-45-0x000007FEFAA90000-0x000007FEFAAA1000-memory.dmp

Filesize
68KB

Download
memory/2064-44-0x000007FEFAAB0000-0x000007FEFAACD000-memory.dmp

Filesize
116KB

Download
memory/2064-38-0x000007FEF5CF0000-0x000007FEF5FA6000-memory.dmp

Filesize
2.7MB

Download
memory/2064-46-0x000007FEF5AE0000-0x000007FEF5CEB000-memory.dmp

Filesize
2.0MB

Download
memory/2064-76-0x000007FEF3830000-0x000007FEF385A000-memory.dmp

Filesize
168KB

Download
memory/2064-83-0x000007FEF1E60000-0x000007FEF1E76000-memory.dmp

Filesize
88KB

Download
memory/2064-87-0x000007FEF1C60000-0x000007FEF1CCD000-memory.dmp

Filesize
436KB

Download
memory/2064-86-0x000007FEF1CD0000-0x000007FEF1D32000-memory.dmp

Filesize
392KB

Download
memory/2064-85-0x000007FEF1D40000-0x000007FEF1D82000-memory.dmp

Filesize
264KB

Download
memory/2064-84-0x000007FEF1D90000-0x000007FEF1E55000-memory.dmp

Filesize
788KB

Download
memory/2064-82-0x000007FEF1E80000-0x000007FEF1E91000-memory.dmp

Filesize
68KB

Download
memory/2064-81-0x000007FEF1EA0000-0x000007FEF1ECF000-memory.dmp

Filesize
188KB

Download
memory/2064-80-0x000007FEFACF0000-0x000007FEFAD00000-memory.dmp

Filesize
64KB

Download
memory/2064-54-0x000007FEF5A80000-0x000007FEF5A9B000-memory.dmp

Filesize
108KB

Download
memory/2064-78-0x000007FEF1EF0000-0x000007FEF1F11000-memory.dmp

Filesize
132KB

Download
memory/2064-55-0x000007FEF5A60000-0x000007FEF5A71000-memory.dmp

Filesize
68KB

Download
memory/2064-56-0x000007FEF5A40000-0x000007FEF5A58000-memory.dmp

Filesize
96KB

Download
memory/2064-73-0x000007FEF38A0000-0x000007FEF38B2000-memory.dmp

Filesize
72KB

Download
memory/2064-72-0x000007FEF38C0000-0x000007FEF38D1000-memory.dmp

Filesize
68KB

Download
memory/2064-71-0x000007FEF38E0000-0x000007FEF38F1000-memory.dmp

Filesize
68KB

Download
memory/2064-70-0x000007FEF3900000-0x000007FEF3A0E000-memory.dmp

Filesize
1.1MB

Download
memory/2064-74-0x000007FEF3880000-0x000007FEF3898000-memory.dmp

Filesize
96KB

Download
memory/2064-69-0x000007FEF5760000-0x000007FEF5773000-memory.dmp

Filesize
76KB

Download
memory/2064-68-0x000007FEF5780000-0x000007FEF57A1000-memory.dmp

Filesize
132KB

Download
memory/2064-67-0x000007FEF57B0000-0x000007FEF57C2000-memory.dmp

Filesize
72KB

Download
memory/2064-66-0x000007FEF57D0000-0x000007FEF57E1000-memory.dmp

Filesize
68KB

Download
memory/2064-65-0x000007FEF57F0000-0x000007FEF5813000-memory.dmp

Filesize
140KB

Download
memory/2064-64-0x000007FEF5820000-0x000007FEF5838000-memory.dmp

Filesize
96KB

Download
memory/2064-63-0x000007FEF5840000-0x000007FEF5864000-memory.dmp

Filesize
144KB

Download
memory/2064-62-0x000007FEF5870000-0x000007FEF5898000-memory.dmp

Filesize
160KB

Download
memory/2064-61-0x000007FEF58A0000-0x000007FEF58F7000-memory.dmp

Filesize
348KB

Download
memory/2064-60-0x000007FEF5900000-0x000007FEF5911000-memory.dmp

Filesize
68KB

Download
memory/2064-59-0x000007FEF5920000-0x000007FEF599C000-memory.dmp

Filesize
496KB

Download
memory/2064-58-0x000007FEF59A0000-0x000007FEF5A07000-memory.dmp

Filesize
412KB

Download
memory/2064-57-0x000007FEF5A10000-0x000007FEF5A40000-memory.dmp

Filesize
192KB

Download
memory/2612-6-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2612-8-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2612-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2612-35-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2612-34-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2612-15-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2612-22-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2612-4-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2676-1-0x00000000740A0000-0x000000007464B000-memory.dmp

Filesize
5.7MB

Download
memory/2676-0-0x00000000740A1000-0x00000000740A2000-memory.dmp

Filesize
4KB

Download
memory/2676-2-0x00000000740A0000-0x000000007464B000-memory.dmp

Filesize
5.7MB

Download
memory/2676-19-0x00000000740A0000-0x000000007464B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads