a90dd6dbe51e59516ef7f670f6b1fea727a2d9e4cbdd32dbeb207859a6e7a4dc

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 01:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b5e18b71f26eb7fdad3fcbdd9d0524ba_JaffaCakes118.exe
Size

244KB
MD5

b5e18b71f26eb7fdad3fcbdd9d0524ba
SHA1

6b61cfd0498addb5b4013f231028fe32383be0e3
SHA256

a90dd6dbe51e59516ef7f670f6b1fea727a2d9e4cbdd32dbeb207859a6e7a4dc
SHA512

6abebb546b04eb1c7fd7e19c3fb59e34c723fe8a65071ff08b955e94d68aa20b520252867f8fbe7cce63b44cbc21eead3b3bede33c0ed7df5bb208a15fb9acb2
SSDEEP

6144:csUFJRdw3a+wN0Css46AOYCDOvYstJzoYmyp8Cwd:csUFhw3a+V9aa0mkZ9Ca

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\update.exe = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\jqs.exe = "C:\\Users\\Admin\\AppData\\Roaming\\jqs.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2672	jqs.exe
2560	jqs.exe
2600	jqs.exe

Loads dropped DLL 7 IoCs

pid	Process
3024	b5e18b71f26eb7fdad3fcbdd9d0524ba_JaffaCakes118.exe
3024	b5e18b71f26eb7fdad3fcbdd9d0524ba_JaffaCakes118.exe
3024	b5e18b71f26eb7fdad3fcbdd9d0524ba_JaffaCakes118.exe
3024	b5e18b71f26eb7fdad3fcbdd9d0524ba_JaffaCakes118.exe
3024	b5e18b71f26eb7fdad3fcbdd9d0524ba_JaffaCakes118.exe
2672	jqs.exe
2672	jqs.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3024-0-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/files/0x0008000000016688-21.dat	upx
behavioral1/memory/3024-39-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2672-37-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2672-54-0x0000000002800000-0x00000000028C6000-memory.dmp	upx
behavioral1/memory/2600-57-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2600-61-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2600-62-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2600-60-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2672-59-0x0000000000400000-0x00000000004C6000-memory.dmp	upx
behavioral1/memory/2600-71-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2600-75-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2600-78-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2600-80-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2600-82-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2600-85-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2600-87-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2600-89-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2600-94-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2600-99-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Javar Updates = "C:\\Users\\Admin\\AppData\\Roaming\\jqs.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2672 set thread context of 2560	2672	jqs.exe	34
PID 2672 set thread context of 2600	2672	jqs.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5e18b71f26eb7fdad3fcbdd9d0524ba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jqs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jqs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jqs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2912	reg.exe
2908	reg.exe
2896	reg.exe
2092	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	jqs.exe
Token: 1	2600	jqs.exe
Token: SeCreateTokenPrivilege	2600	jqs.exe
Token: SeAssignPrimaryTokenPrivilege	2600	jqs.exe
Token: SeLockMemoryPrivilege	2600	jqs.exe
Token: SeIncreaseQuotaPrivilege	2600	jqs.exe
Token: SeMachineAccountPrivilege	2600	jqs.exe
Token: SeTcbPrivilege	2600	jqs.exe
Token: SeSecurityPrivilege	2600	jqs.exe
Token: SeTakeOwnershipPrivilege	2600	jqs.exe
Token: SeLoadDriverPrivilege	2600	jqs.exe
Token: SeSystemProfilePrivilege	2600	jqs.exe
Token: SeSystemtimePrivilege	2600	jqs.exe
Token: SeProfSingleProcessPrivilege	2600	jqs.exe
Token: SeIncBasePriorityPrivilege	2600	jqs.exe
Token: SeCreatePagefilePrivilege	2600	jqs.exe
Token: SeCreatePermanentPrivilege	2600	jqs.exe
Token: SeBackupPrivilege	2600	jqs.exe
Token: SeRestorePrivilege	2600	jqs.exe
Token: SeShutdownPrivilege	2600	jqs.exe
Token: SeDebugPrivilege	2600	jqs.exe
Token: SeAuditPrivilege	2600	jqs.exe
Token: SeSystemEnvironmentPrivilege	2600	jqs.exe
Token: SeChangeNotifyPrivilege	2600	jqs.exe
Token: SeRemoteShutdownPrivilege	2600	jqs.exe
Token: SeUndockPrivilege	2600	jqs.exe
Token: SeSyncAgentPrivilege	2600	jqs.exe
Token: SeEnableDelegationPrivilege	2600	jqs.exe
Token: SeManageVolumePrivilege	2600	jqs.exe
Token: SeImpersonatePrivilege	2600	jqs.exe
Token: SeCreateGlobalPrivilege	2600	jqs.exe
Token: 31	2600	jqs.exe
Token: 32	2600	jqs.exe
Token: 33	2600	jqs.exe
Token: 34	2600	jqs.exe
Token: 35	2600	jqs.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3024	b5e18b71f26eb7fdad3fcbdd9d0524ba_JaffaCakes118.exe
2672	jqs.exe
2560	jqs.exe
2600	jqs.exe
2600	jqs.exe
2600	jqs.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2748	3024	b5e18b71f26eb7fdad3fcbdd9d0524ba_JaffaCakes118.exe	30
PID 3024 wrote to memory of 2748	3024	b5e18b71f26eb7fdad3fcbdd9d0524ba_JaffaCakes118.exe	30
PID 3024 wrote to memory of 2748	3024	b5e18b71f26eb7fdad3fcbdd9d0524ba_JaffaCakes118.exe	30
PID 3024 wrote to memory of 2748	3024	b5e18b71f26eb7fdad3fcbdd9d0524ba_JaffaCakes118.exe	30
PID 2748 wrote to memory of 2564	2748	cmd.exe	32
PID 2748 wrote to memory of 2564	2748	cmd.exe	32
PID 2748 wrote to memory of 2564	2748	cmd.exe	32
PID 2748 wrote to memory of 2564	2748	cmd.exe	32
PID 3024 wrote to memory of 2672	3024	b5e18b71f26eb7fdad3fcbdd9d0524ba_JaffaCakes118.exe	33
PID 3024 wrote to memory of 2672	3024	b5e18b71f26eb7fdad3fcbdd9d0524ba_JaffaCakes118.exe	33
PID 3024 wrote to memory of 2672	3024	b5e18b71f26eb7fdad3fcbdd9d0524ba_JaffaCakes118.exe	33
PID 3024 wrote to memory of 2672	3024	b5e18b71f26eb7fdad3fcbdd9d0524ba_JaffaCakes118.exe	33
PID 2672 wrote to memory of 2560	2672	jqs.exe	34
PID 2672 wrote to memory of 2560	2672	jqs.exe	34
PID 2672 wrote to memory of 2560	2672	jqs.exe	34
PID 2672 wrote to memory of 2560	2672	jqs.exe	34
PID 2672 wrote to memory of 2560	2672	jqs.exe	34
PID 2672 wrote to memory of 2560	2672	jqs.exe	34
PID 2672 wrote to memory of 2560	2672	jqs.exe	34
PID 2672 wrote to memory of 2560	2672	jqs.exe	34
PID 2672 wrote to memory of 2600	2672	jqs.exe	35
PID 2672 wrote to memory of 2600	2672	jqs.exe	35
PID 2672 wrote to memory of 2600	2672	jqs.exe	35
PID 2672 wrote to memory of 2600	2672	jqs.exe	35
PID 2672 wrote to memory of 2600	2672	jqs.exe	35
PID 2672 wrote to memory of 2600	2672	jqs.exe	35
PID 2672 wrote to memory of 2600	2672	jqs.exe	35
PID 2672 wrote to memory of 2600	2672	jqs.exe	35
PID 2672 wrote to memory of 2600	2672	jqs.exe	35
PID 2600 wrote to memory of 2860	2600	jqs.exe	36
PID 2600 wrote to memory of 2860	2600	jqs.exe	36
PID 2600 wrote to memory of 2860	2600	jqs.exe	36
PID 2600 wrote to memory of 2860	2600	jqs.exe	36
PID 2600 wrote to memory of 2276	2600	jqs.exe	37
PID 2600 wrote to memory of 2276	2600	jqs.exe	37
PID 2600 wrote to memory of 2276	2600	jqs.exe	37
PID 2600 wrote to memory of 2276	2600	jqs.exe	37
PID 2600 wrote to memory of 2252	2600	jqs.exe	39
PID 2600 wrote to memory of 2252	2600	jqs.exe	39
PID 2600 wrote to memory of 2252	2600	jqs.exe	39
PID 2600 wrote to memory of 2252	2600	jqs.exe	39
PID 2600 wrote to memory of 1696	2600	jqs.exe	40
PID 2600 wrote to memory of 1696	2600	jqs.exe	40
PID 2600 wrote to memory of 1696	2600	jqs.exe	40
PID 2600 wrote to memory of 1696	2600	jqs.exe	40
PID 2860 wrote to memory of 2912	2860	cmd.exe	44
PID 2860 wrote to memory of 2912	2860	cmd.exe	44
PID 2860 wrote to memory of 2912	2860	cmd.exe	44
PID 2860 wrote to memory of 2912	2860	cmd.exe	44
PID 2252 wrote to memory of 2908	2252	cmd.exe	45
PID 2252 wrote to memory of 2908	2252	cmd.exe	45
PID 2252 wrote to memory of 2908	2252	cmd.exe	45
PID 2252 wrote to memory of 2908	2252	cmd.exe	45
PID 1696 wrote to memory of 2896	1696	cmd.exe	46
PID 1696 wrote to memory of 2896	1696	cmd.exe	46
PID 1696 wrote to memory of 2896	1696	cmd.exe	46
PID 1696 wrote to memory of 2896	1696	cmd.exe	46
PID 2276 wrote to memory of 2092	2276	cmd.exe	47
PID 2276 wrote to memory of 2092	2276	cmd.exe	47
PID 2276 wrote to memory of 2092	2276	cmd.exe	47
PID 2276 wrote to memory of 2092	2276	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\b5e18b71f26eb7fdad3fcbdd9d0524ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b5e18b71f26eb7fdad3fcbdd9d0524ba_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\259477071.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Javar Updates" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\jqs.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2564
- C:\Users\Admin\AppData\Roaming\jqs.exe
  "C:\Users\Admin\AppData\Roaming\jqs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Roaming\jqs.exe
    "C:\Users\Admin\AppData\Roaming\jqs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2560
- - C:\Users\Admin\AppData\Roaming\jqs.exe
    "C:\Users\Admin\AppData\Roaming\jqs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\jqs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\jqs.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2276
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\jqs.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\jqs.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\update.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\update.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\update.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\update.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259477071.bat

Filesize
136B

MD5
e11116b3dbeb9b9633a8c49911f23f89

SHA1
7b76cf9f3820b82cd635e3213b40c29bc348b7a0

SHA256
279b48563945ce08810b09dcfe13567344aff7a3371905d4b4cf4972076c687b

SHA512
455f21ab1f89556f13b101d1c6191489b88f89ab36e5d3952efa02f4dc142e4eb1845d7b33b0c94232cc66b5b2b3de746e6c9fd62dd1a6b53b6a9e3dd14f0aad

Download Submit
\Users\Admin\AppData\Roaming\jqs.exe

Filesize
244KB

MD5
b5e18b71f26eb7fdad3fcbdd9d0524ba

SHA1
6b61cfd0498addb5b4013f231028fe32383be0e3

SHA256
a90dd6dbe51e59516ef7f670f6b1fea727a2d9e4cbdd32dbeb207859a6e7a4dc

SHA512
6abebb546b04eb1c7fd7e19c3fb59e34c723fe8a65071ff08b955e94d68aa20b520252867f8fbe7cce63b44cbc21eead3b3bede33c0ed7df5bb208a15fb9acb2

Download Submit
memory/2560-52-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2560-70-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2560-48-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2560-49-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2560-44-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2600-61-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2600-80-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2600-87-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2600-99-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2600-57-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2600-85-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2600-62-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2600-60-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2600-82-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2600-94-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2600-71-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2600-75-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2600-78-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2600-89-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2672-59-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2672-54-0x0000000002800000-0x00000000028C6000-memory.dmp

Filesize
792KB

Download
memory/2672-37-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/3024-0-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/3024-35-0x0000000003020000-0x00000000030E6000-memory.dmp

Filesize
792KB

Download
memory/3024-39-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads