ba191212d417fe172a5e3053d6d3c8cd6ecb8476694fca8a0610fd5359403e2f

Analysis

max time kernel
140s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b928060e9bace7d053ebd365da1bf906_JaffaCakes118.exe
Size

1.4MB
MD5

b928060e9bace7d053ebd365da1bf906
SHA1

8717b2e30ece9dcbb7ecc947f9d57a54b8a1c596
SHA256

ba191212d417fe172a5e3053d6d3c8cd6ecb8476694fca8a0610fd5359403e2f
SHA512

addc872eb5ced67f11c5cfcb13348e8114db5a5d2b31e374d971b52612e433d9fe8ef453a39329d42ae659d49f9d2feea3f358c0cdc6d041fc00bb81ca07d243
SSDEEP

24576:QwzvROl35rKuwa5TwK8HEbMdtf7iImEbGbdvjyhlij6ghIr:JzvROh5GK5TB8ld9eRIyWfP

Score

7^/10

adware discovery persistence stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002343f-40.dat	acprotect
behavioral2/files/0x000700000002343d-45.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	b928060e9bace7d053ebd365da1bf906_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
3480	365web_setup_12.exe
4988	is-IQEJQ.tmp
4280	_RegDLL.tmp

Loads dropped DLL 3 IoCs

pid	Process
4280	_RegDLL.tmp
4280	_RegDLL.tmp
4280	_RegDLL.tmp

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002343f-40.dat	upx
behavioral2/memory/4280-44-0x0000000000950000-0x0000000000A88000-memory.dmp	upx
behavioral2/memory/4280-43-0x0000000000950000-0x0000000000A88000-memory.dmp	upx
behavioral2/files/0x000700000002343d-45.dat	upx
behavioral2/memory/4280-47-0x0000000060900000-0x000000006096F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\365web = "c:\\program files\\365web\\web365.exe"	is-IQEJQ.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9EED77EA-6F21-4539-B8D9-9276A2E1B96E}	_RegDLL.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9EED77EA-6F21-4539-B8D9-9276A2E1B96E}\NoExplorer = "1"	_RegDLL.tmp

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\365web\365web_setup_12.exe	b928060e9bace7d053ebd365da1bf906_JaffaCakes118.exe
File created	C:\Program Files\365web\is-DS5D9.tmp	is-IQEJQ.tmp
File created	C:\Program Files\365web\is-BDL5L.tmp	is-IQEJQ.tmp
File opened for modification	C:\Program Files\365web\unins000.dat	is-IQEJQ.tmp
File created	C:\Program Files\365web\is-UVK5S.tmp	is-IQEJQ.tmp
File created	C:\Program Files\365web\is-TGEO0.tmp	is-IQEJQ.tmp
File created	C:\Program Files (x86)\365web\del_bat.cmd	is-IQEJQ.tmp
File created	C:\Program Files\365web\unins000.dat	is-IQEJQ.tmp
File created	C:\Program Files\365web\is-IBD3R.tmp	is-IQEJQ.tmp
File created	C:\Program Files\365web\is-93G2U.tmp	is-IQEJQ.tmp
File created	C:\Program Files\365web\is-R85NG.tmp	is-IQEJQ.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-IQEJQ.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_RegDLL.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b928060e9bace7d053ebd365da1bf906_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	365web_setup_12.exe

Modifies registry class 41 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E667612-227C-4D60-AFCF-D3021CDCC73A}\ = "365Web Class"	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{090E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\0\win32	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{090E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\0\win32\ = "C:\\Program Files\\365web\\web365_v2.dll"	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{090E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\HELPDIR	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\web365.web365\Clsid	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8963B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\ = "{090E4D5E-942E-45E8-8893-749E0AFEEA4F}"	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EED77EA-6F21-4539-B8D9-9276A2E1B96E}\ProgID	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{090E4D5E-942E-45E8-8893-749E0AFEEA4F}	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8963B696-1B5D-4C18-93BC-F18D570EA36F}	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8963B696-1B5D-4C18-93BC-F18D570EA36F}\ = "Iweb365"	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8963B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EED77EA-6F21-4539-B8D9-9276A2E1B96E}\TypeLib	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EED77EA-6F21-4539-B8D9-9276A2E1B96E}\TypeLib\ = "{090E4D5E-942E-45E8-8893-749E0AFEEA4F}"	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{090E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\FLAGS	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8963B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32\ThreadingModel = "Apartment"	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\web365.web365\ = "365web Object"	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8963B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EED77EA-6F21-4539-B8D9-9276A2E1B96E}\ProgID\ = "web365.web365"	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\web365.web365	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{090E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\0	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8963B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EED77EA-6F21-4539-B8D9-9276A2E1B96E}	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EED77EA-6F21-4539-B8D9-9276A2E1B96E}\ = "365web Object"	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8963B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\ = "{090E4D5E-942E-45E8-8893-749E0AFEEA4F}"	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32\ = "C:\\PROGRA~1\\365web\\WEB365~1.DLL"	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EED77EA-6F21-4539-B8D9-9276A2E1B96E}\Version	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E667612-227C-4D60-AFCF-D3021CDCC73A}	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{090E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\FLAGS\ = "0"	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8963B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\Version = "1.0"	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8963B696-1B5D-4C18-93BC-F18D570EA36F}\ = "Iweb365"	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8963B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{090E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{090E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\HELPDIR\ = "C:\\Program Files\\365web\\"	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8963B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\web365.web365\Clsid\ = "{9EED77EA-6F21-4539-B8D9-9276A2E1B96E}"	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{090E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\ = "web365 Library"	_RegDLL.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8963B696-1B5D-4C18-93BC-F18D570EA36F}	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8963B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\Version = "1.0"	_RegDLL.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9EED77EA-6F21-4539-B8D9-9276A2E1B96E}\Version\ = "1.0"	_RegDLL.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 3480	980	b928060e9bace7d053ebd365da1bf906_JaffaCakes118.exe	84
PID 980 wrote to memory of 3480	980	b928060e9bace7d053ebd365da1bf906_JaffaCakes118.exe	84
PID 980 wrote to memory of 3480	980	b928060e9bace7d053ebd365da1bf906_JaffaCakes118.exe	84
PID 980 wrote to memory of 3016	980	b928060e9bace7d053ebd365da1bf906_JaffaCakes118.exe	85
PID 980 wrote to memory of 3016	980	b928060e9bace7d053ebd365da1bf906_JaffaCakes118.exe	85
PID 980 wrote to memory of 3016	980	b928060e9bace7d053ebd365da1bf906_JaffaCakes118.exe	85
PID 3480 wrote to memory of 4988	3480	365web_setup_12.exe	87
PID 3480 wrote to memory of 4988	3480	365web_setup_12.exe	87
PID 3480 wrote to memory of 4988	3480	365web_setup_12.exe	87
PID 4988 wrote to memory of 1484	4988	is-IQEJQ.tmp	88
PID 4988 wrote to memory of 1484	4988	is-IQEJQ.tmp	88
PID 4988 wrote to memory of 1484	4988	is-IQEJQ.tmp	88
PID 4988 wrote to memory of 4280	4988	is-IQEJQ.tmp	91
PID 4988 wrote to memory of 4280	4988	is-IQEJQ.tmp	91
PID 4988 wrote to memory of 4280	4988	is-IQEJQ.tmp	91

C:\Users\Admin\AppData\Local\Temp\b928060e9bace7d053ebd365da1bf906_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b928060e9bace7d053ebd365da1bf906_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:980
- C:\Program Files (x86)\365web\365web_setup_12.exe
  "C:\Program Files (x86)\365web\365web_setup_12.exe" /VERYSILENT
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Users\Admin\AppData\Local\Temp\is-8V1E7.tmp\is-IQEJQ.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-8V1E7.tmp\is-IQEJQ.tmp" /SL4 $601FA "C:\Program Files (x86)\365web\365web_setup_12.exe" 1185053 52224 /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\365web\del_bat.cmd""
      4⤵
      System Location Discovery: System Language Discovery
      PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\is-0L247.tmp\_isetup\_RegDLL.tmp
      _RegDLL.tmp 1120 1212
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\365web\365web_setup_12.exe

Filesize
1.4MB

MD5
de19ec822e5904de2073e79e8147ce78

SHA1
c4329443921f94d70ce83edd769a595d9d8cb448

SHA256
d5b06d2524fa30df1714408f02bc2bf145305dc91d950600e73d78327a0a7eef

SHA512
3b19066ba6f1518782d54e8108040aa94261f60c12337a79edd3ff6e53ead506c7c960988491a3573a8d1c71ebb475f8622c626e1de2ec5fe7587172b36266a1

Download Submit
C:\Program Files (x86)\365web\del_bat.cmd

Filesize
194B

MD5
71c24d08467a812a54887e99a5a8733e

SHA1
c6a53ffd27bbfbb29aa1148e916b8722a620bb56

SHA256
878420d24f54f7f7c72ad512f2499318fd33dc6ba74cd6996b476a23d89c7d7c

SHA512
ddff2c269d8a9fa54353e2ed13d06853c713dfaf959738b2f88d6a9dd7aeb287ca87f25b4175ff0cc8b653dd7e94869679025e95a8b7b4f5340cc5330a9defa1

Download Submit
C:\Program Files\365web\sqlite3.dll

Filesize
275KB

MD5
628dbe2da64f076c3374afd130fb6535

SHA1
38dedb3c34e22d0f2680eaa34d15b592992de6f5

SHA256
997379bcd4b1ca17ef7f7b221810fd4d5959e9a7e6ec346661ca358790ab0313

SHA512
0dee2b51ce672a528cb555411fb22a6713153ecc2e469561ec9471450902006712edea886f71528e423a6eae6843cf63dbfa98e86e959a32fc790332ec7ae32b

Download Submit
C:\Program Files\365web\web365_v2.dll

Filesize
427KB

MD5
3c9939197fe54f5136620e5c70c01654

SHA1
3a706c7359e4f1b5414b3830dc333c908440f87a

SHA256
d8db618dfa36d0863fd3f602333412dc92f2440a80cd05748af965289dbaf1ae

SHA512
ba59ef2813aae28af3eb01c9d8db94ecbf461c38f8fc256c88c6775e914e9a8622b3b023cf619911e494e50cbafc38336aef661c6c0dd036f7a7b200e768331a

Download Submit
C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd

Filesize
285B

MD5
904c155e5324d551e991a658fcdfbf96

SHA1
168dae0610e19c9c204168050ee74d749088ea55

SHA256
c2e51df38c2b625fac7eb8ff54aac55aebad871c8d2e912bf0c44c02fd3c226a

SHA512
53923045586cc3f3734f19e6afb3006971db884a43aebc1d6a0679b6f4b4f2c739586bf514a7bd1614dad0b9d04221cd7b5f0e3f6cabfca708d531b6df488610

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0L247.tmp\_isetup\_RegDLL.tmp

Filesize
3KB

MD5
c594b792b9c556ea62a30de541d2fb03

SHA1
69e0207515e913243b94c2d3a116d232ff79af5f

SHA256
5dcc1e0a197922907bca2c4369f778bd07ee4b1bbbdf633e987a028a314d548e

SHA512
387bd07857b0de67c04e0abf89b754691683f30515726045ff382da9b6b7f36570e38fae9eca5c4f0110ce9bb421d8045a5ec273c4c47b5831948564763ed144

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8V1E7.tmp\is-IQEJQ.tmp

Filesize
656KB

MD5
a869a365e0ff7c15007d85fa990e5957

SHA1
a52ed4ed3bdbf1220a3388d7bbdd6a272f1924d3

SHA256
2ebc9a96cb4059f9217d9f007bbe2be971e472d28daa0edb2d547898016de776

SHA512
5d5201e5589ae467c00c7f637db4a78d9fed48fa134279d9757e98b87c8b1c3f44e625ae4e50f39c5bf7d45415ebe5e84419ec4d95fdee7b2a20356477159c1c

Download Submit
memory/3480-7-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/3480-5-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3480-53-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4280-44-0x0000000000950000-0x0000000000A88000-memory.dmp

Filesize
1.2MB

Download
memory/4280-43-0x0000000000950000-0x0000000000A88000-memory.dmp

Filesize
1.2MB

Download
memory/4280-47-0x0000000060900000-0x000000006096F000-memory.dmp

Filesize
444KB

Download
memory/4988-18-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4988-52-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads