14f70935dcd5146eea1d34a29b4fe4a61eb904898203a4aa15771ad72990074a

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c13faad0d040729a86651441b98f7e4d_JaffaCakes118.exe
Size

565KB
MD5

c13faad0d040729a86651441b98f7e4d
SHA1

652fd06b9761953a6f4f9ff2dc879a504c0c41ce
SHA256

14f70935dcd5146eea1d34a29b4fe4a61eb904898203a4aa15771ad72990074a
SHA512

db9be9ba501240455845620a72e923f2ebce9d9ea08bf71d811c3daa32b276523d0711fdf1e5d9dd9e3292f9f6690b665b507c781038d1810cd516f27e3fc65c
SSDEEP

12288:jJrg1Y6A9LLH00HsurSOk7vffkfKGHYwz6uqOYKsx0QaDFplH6w9RERJ:jaYpHVHTSx7vff6KG4wuuZ80v5e62J

Score

7^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2220	KEYGEN-FFF.exe
2800	_KEYGEN-FFF.exe

Loads dropped DLL 9 IoCs

pid	Process
2176	c13faad0d040729a86651441b98f7e4d_JaffaCakes118.exe
2176	c13faad0d040729a86651441b98f7e4d_JaffaCakes118.exe
2220	KEYGEN-FFF.exe
2220	KEYGEN-FFF.exe
2220	KEYGEN-FFF.exe
2220	KEYGEN-FFF.exe
2220	KEYGEN-FFF.exe
2220	KEYGEN-FFF.exe
2800	_KEYGEN-FFF.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2960	icacls.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000018c08-53.dat	upx
behavioral1/memory/2220-55-0x0000000000BB0000-0x0000000000C17000-memory.dmp	upx
behavioral1/memory/2800-59-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2800-65-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2800-66-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2800-67-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2800-68-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2800-69-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2800-70-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2800-71-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2800-72-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2800-73-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2800-74-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2800-75-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2800-76-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2800-77-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2800-78-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2800-79-0x0000000000400000-0x0000000000467000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c13faad0d040729a86651441b98f7e4d_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21297F0D-0322-280B-3012-0FBC70C517D9}	KEYGEN-FFF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{21297F0D-0322-280B-3012-0FBC70C517D9}\NoExplorer = "1"	KEYGEN-FFF.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\C_11047.NLS	KEYGEN-FFF.exe
File created	C:\Windows\SysWOW64\dhcpcsvc66.dll	KEYGEN-FFF.exe
File created	C:\Windows\SysWOW64\C_100079.NLS	KEYGEN-FFF.exe
File created	C:\Windows\SysWOW64\l_iintl.nls	KEYGEN-FFF.exe
File created	C:\Windows\SysWOW64\C_220838.NLS	KEYGEN-FFF.exe
File created	C:\Windows\SysWOW64\RMMActivate.exe	KEYGEN-FFF.exe
File created	C:\Windows\SysWOW64\drttransportt.dll	KEYGEN-FFF.exe
File created	C:\Windows\SysWOW64\C__1256.NLS	KEYGEN-FFF.exe
File created	C:\Windows\SysWOW64\AdmTTmpl.dll	KEYGEN-FFF.exe
File created	C:\Windows\SysWOW64\1098\inf1098.dat	KEYGEN-FFF.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_KEYGEN-FFF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c13faad0d040729a86651441b98f7e4d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KEYGEN-FFF.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21297F0D-0322-280B-3012-0FBC70C517D9}\ = "Groove GFS Browser Helper"	KEYGEN-FFF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21297F0D-0322-280B-3012-0FBC70C517D9}\InprocServer32	KEYGEN-FFF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21297F0D-0322-280B-3012-0FBC70C517D9}\InprocServer32\ = "C:\\Windows\\SysWOW64\\AdmTTmpl.dll"	KEYGEN-FFF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21297F0D-0322-280B-3012-0FBC70C517D9}\InprocServer32\ThreadingModel = "Apartment"	KEYGEN-FFF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21297F0D-0322-280B-3012-0FBC70C517D9}	KEYGEN-FFF.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2220	2176	c13faad0d040729a86651441b98f7e4d_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2220	2176	c13faad0d040729a86651441b98f7e4d_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2220	2176	c13faad0d040729a86651441b98f7e4d_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2220	2176	c13faad0d040729a86651441b98f7e4d_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2220	2176	c13faad0d040729a86651441b98f7e4d_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2220	2176	c13faad0d040729a86651441b98f7e4d_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2220	2176	c13faad0d040729a86651441b98f7e4d_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2960	2220	KEYGEN-FFF.exe	31
PID 2220 wrote to memory of 2960	2220	KEYGEN-FFF.exe	31
PID 2220 wrote to memory of 2960	2220	KEYGEN-FFF.exe	31
PID 2220 wrote to memory of 2960	2220	KEYGEN-FFF.exe	31
PID 2220 wrote to memory of 2960	2220	KEYGEN-FFF.exe	31
PID 2220 wrote to memory of 2960	2220	KEYGEN-FFF.exe	31
PID 2220 wrote to memory of 2960	2220	KEYGEN-FFF.exe	31
PID 2220 wrote to memory of 2864	2220	KEYGEN-FFF.exe	33
PID 2220 wrote to memory of 2864	2220	KEYGEN-FFF.exe	33
PID 2220 wrote to memory of 2864	2220	KEYGEN-FFF.exe	33
PID 2220 wrote to memory of 2864	2220	KEYGEN-FFF.exe	33
PID 2220 wrote to memory of 2864	2220	KEYGEN-FFF.exe	33
PID 2220 wrote to memory of 2864	2220	KEYGEN-FFF.exe	33
PID 2220 wrote to memory of 2864	2220	KEYGEN-FFF.exe	33
PID 2220 wrote to memory of 2800	2220	KEYGEN-FFF.exe	35
PID 2220 wrote to memory of 2800	2220	KEYGEN-FFF.exe	35
PID 2220 wrote to memory of 2800	2220	KEYGEN-FFF.exe	35
PID 2220 wrote to memory of 2800	2220	KEYGEN-FFF.exe	35
PID 2220 wrote to memory of 2800	2220	KEYGEN-FFF.exe	35
PID 2220 wrote to memory of 2800	2220	KEYGEN-FFF.exe	35
PID 2220 wrote to memory of 2800	2220	KEYGEN-FFF.exe	35
PID 2864 wrote to memory of 2872	2864	cmd.exe	36
PID 2864 wrote to memory of 2872	2864	cmd.exe	36
PID 2864 wrote to memory of 2872	2864	cmd.exe	36
PID 2864 wrote to memory of 2872	2864	cmd.exe	36
PID 2864 wrote to memory of 2872	2864	cmd.exe	36
PID 2864 wrote to memory of 2872	2864	cmd.exe	36
PID 2864 wrote to memory of 2872	2864	cmd.exe	36

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	KEYGEN-FFF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\IgnoreFrameApprovalCheck = "1"	KEYGEN-FFF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1"	KEYGEN-FFF.exe

C:\Users\Admin\AppData\Local\Temp\c13faad0d040729a86651441b98f7e4d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c13faad0d040729a86651441b98f7e4d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KEYGEN-FFF.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KEYGEN-FFF.exe 3175142229 RwZWsJSR Vq 0 5 3 cvx0408 DeviceMgr image118 PS3Export minneap _KEYGEN-FFF.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2220
- - C:\Windows\SysWOW64\icacls.exe
    C:\Windows\SysWOW64\icacls.exe C:\Windows\SysWOW64\1098 /setintegritylevel (OI)(CI)low /T /C
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /c at 16:12 /every:Su "C:\Windows\SysWOW64\RMMActivate.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\at.exe
      at 16:12 /every:Su "C:\Windows\SysWOW64\RMMActivate.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2872
- - C:\Users\Admin\AppData\Local\Temp\_KEYGEN-FFF.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\..\_KEYGEN-FFF.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3175142229

Filesize
56KB

MD5
e4ffca4552fe53e6cbba5a3d5c763a68

SHA1
f61f833b90778a16380383f40bc08eb08feadb0d

SHA256
058e78f5f7aa0f9de8678e7a17af35501c2e9018f449509d62ca89ef8378def4

SHA512
095a4ff2534277d0c3bab24d3e033b4334250da2abe1eec7c418f5ee7c576ec03253e6219a964a45f2cf931af74c6edd49fe7ec632a5cfc0f1ac582722b964bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DeviceMgr

Filesize
10KB

MD5
8d0dace48d089fd1f4b3bef931ea2e1a

SHA1
461358d15fbfa8e0ce3a15b1c9b481e4894c1b76

SHA256
7adc38ed97e9627c33fd3ece18aa5f3476545292acf2626a450fa290b2af0566

SHA512
2e7293735e2010447f2378b0e6cd0cc38f908a75821cf716c1ab7ce7bb8139a7d5f9413aea64a04a122975b8ce9507d059c9339087707563a94b010afeb459b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PS3Export

Filesize
20KB

MD5
91aae5e86c2dcdb161d325010f96b681

SHA1
da506439bb63299f7849177795268a13cbda4932

SHA256
2d7e43601123e480d4a1a790541655483e1f34cbc1b73c460558598460483be4

SHA512
f89cfe6171eddbb267677f0ef62b1b5d77e995c5174b2b6f3bd548bb9287babc514af2300c6b6ffc2808de5ed9d7b452444c75b9aaee7135f7b429955359bc81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\_KEYGEN-FFF.exe

Filesize
98KB

MD5
2860f63a29430e313d38a4c6fc339910

SHA1
36e31c41c456a79ae3fb32636764cdac448ed049

SHA256
dd39b2ce1dc53e916c68306e75b00f30629d10bd61b199aa3fa22d388d9f3afc

SHA512
2816de42ed7e3aa61b0cd7f5687f97a280b78a1dba7525b4dc8b2e61b0b5dd5b900c49deaa734ad5b127db0842424a057f3b067d1ee07b98b5e693c7b2a95f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cvx0408

Filesize
35KB

MD5
eb25561fa87b08187a1037e47f84bf99

SHA1
2f8fd3e364b61566a29f5e495b70c4f70af1034b

SHA256
d95e6521dcd6be85881b83ec2675652efdbe69f4dcf42cfdf9db540d5685e434

SHA512
0c340a8afb15ba076b7414670c7b05924eaa6f10732fd45a9fe6de248608916d364b0a47b305d9b38c8a4b9fd757ab18411ee7ca7cd07b108454ce38cb857a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\image118

Filesize
87KB

MD5
93b0115ccbf3cc40f2c08a1f5b154bf5

SHA1
3d961312ba1fc632b7da1b54b8fad975c6a73ab6

SHA256
34335a33ebb1d599ff2c2ee81f028ed1e33d39833ee3e1466634002f23007c2e

SHA512
b0333eff87f00d15f34f1bfc7b4178fd8fd0a38494190b88c71ad4d5bb055604122fed263c2d50bb88db88bc6fdaf4bf8bcd13add3ad313a0b497485fe124600

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\minneap

Filesize
262KB

MD5
df9f94112f8bcde0affe2559fb334075

SHA1
846fcf4fed5cecfb2f3a47978d1ae1a4bf5df5a9

SHA256
10b410534e22e0d177598bc32ff424294292fcad920f3bc5be23db4a881d84ca

SHA512
6de063797b8e2c56bd98f4f22c8bd30fbef854b0ff1fe824859f0679960e15a7af10f6343d62d958598c7cfbd63ca95fbb8d3bc033f768077b3bffdf1bf398be

Download Submit
C:\Windows\SysWOW64\1098\inf1098.dat

Filesize
6KB

MD5
989e6a562a7766698f39319a12672c05

SHA1
72907263cd1b4e63e5df39164c4bde762967852f

SHA256
e274c988d62e3836f51d928f984d3d6f18af7be33d8b4fe063857a9f5316e496

SHA512
72580199c68fe0be8737be149d2ce90fe01c3ea4b132260d9a740414f586128674b8ccb065e3c9a14c11bf69551f19d55e84cdc600e12794dfb7aa3537eb3cc3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\482329.dll

Filesize
56KB

MD5
41262163ae2789dd86f00d9b337166a4

SHA1
6e25a4d134f2d565468f64da0f86c932da30ed6f

SHA256
7fecb4790c6e24e66354e4f0ccd64282e9d5ced1a232c8d59465bd71a876aae7

SHA512
362eed3296bd07252d52d7306f317d9805652b979038e43f6cd133d6c0204e8cec72615e0017c202e63722ff4aced3ef710d197c5dcdcf000e53978d4d51407f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\KEYGEN-FFF.exe

Filesize
64KB

MD5
e98d618d4bc366d3ef905fef47e4a46e

SHA1
fdb194beedd3a298ded935e66b5f843266729df4

SHA256
05c680aeb6ec24d7ad9531adb7438d7b3ac32a2b5e4611149086ca6c4b2e5516

SHA512
e7e9c8e2445dab53a24750f60a6a13e185e14da6d93e5682bba4c829db79c4876c7ff21062f518d8930d3410a12241859bace3d9e61ab3b3a6e1ad88c81e9f83

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\KEYGEN-FFF.exe.dll

Filesize
204KB

MD5
3b74d715ee3707fd6844cc0c155ae204

SHA1
a915fb9a6fc132609a890264167eeb7563d3db25

SHA256
b1db5d81d9b61aa38bee19b179db3458b9e7120d63b13c328c5465ca93a44b1f

SHA512
ff124b1b9e3b5355cfcd1f218d7852994c06808bdfdf8200c9409a186bbbe1388615eb8b031b98461c3d1d244e6465f6205a15292f4b8665c27a15a6bc79b74b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\KEYGEN-FFF.exe.dll.dll

Filesize
64KB

MD5
a310d6b12b85ec7450bb9a57f5d443c2

SHA1
ff6ba7b1f4704fa7d4595096d1d751cc0c09ee30

SHA256
af5f10d452d5fd31eb6f0ac24bb1b9833b0e27ae0265a7a69cfdd7d955cd343f

SHA512
2418c1953ca721df893dca4b2fc3fdb5a3073803672aab5c10fa74b9514bd3ca4d12e1df4a66dbdd5d7bd4d15c12b97fd413fa9b0469f9c76810e1276d6fcf70

Download Submit
memory/2220-57-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/2220-36-0x00000000004A0000-0x00000000004D5000-memory.dmp

Filesize
212KB

Download
memory/2220-41-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/2220-55-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/2800-69-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2800-71-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2800-66-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2800-67-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2800-68-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2800-59-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2800-70-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2800-65-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2800-72-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2800-73-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2800-74-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2800-75-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2800-76-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2800-77-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2800-78-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2800-79-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads