fc934c506b0cce167f120e88ed6fffe7871c5030d401c63a191a0d2618badf2b

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe
Size

404KB
MD5

dad47a460675a66c16ecbdea84234b2a
SHA1

a831f4958b847755d83cdc290a48e0d53747e8c7
SHA256

fc934c506b0cce167f120e88ed6fffe7871c5030d401c63a191a0d2618badf2b
SHA512

603afa0e2a7da75709c42d34ab48a54707a5ff8796d106584b7f34dec655324a15be1b468b875db2944bcfcc3d4dbed7e8f8d5e0b5e5cf64ae89284ef1c02173
SSDEEP

6144:hoM95zztwBfrRZhQvv+D+EbolDa8TjI2GUq1uDvVO:lzzcfrb+vvDDxjLGU1TVO

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\update = "C:\\Windows\\addins\\lrass.exe"	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000195c2-26.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2440	Vcs3.exe
2592	LRASS.exe

Loads dropped DLL 8 IoCs

pid	Process
2568	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe
2568	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe
2568	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe
2568	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe
2592	LRASS.exe
2592	LRASS.exe
2592	LRASS.exe
2592	LRASS.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2592-23-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/files/0x00060000000195c6-22.dat	upx
behavioral1/memory/2568-17-0x0000000000230000-0x000000000024E000-memory.dmp	upx
behavioral1/files/0x00070000000195c2-26.dat	upx
behavioral1/memory/2592-30-0x0000000022170000-0x0000000022196000-memory.dmp	upx
behavioral1/memory/2592-31-0x0000000022170000-0x0000000022196000-memory.dmp	upx
behavioral1/memory/2592-33-0x0000000022170000-0x0000000022196000-memory.dmp	upx
behavioral1/memory/2592-34-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2592-48-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Vcs3.exe	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\addins\DirectX_log.txt	LRASS.exe
File opened for modification	C:\Windows\addins\MSWINSCK.ocx	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe
File opened for modification	C:\Windows\addins\syslong.dll	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe
File opened for modification	C:\Windows\addins\LRASS.exe	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LRASS.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0 (SP6)"	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\addins\\MSWINSCK.OCX"	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0 (SP6)"	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\addins\\MSWINSCK.OCX, 1"	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	LRASS.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0 (SP6)"	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\addins\\MSWINSCK.OCX"	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	LRASS.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\addins\\MSWINSCK.OCX"	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0 (SP6)"	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	LRASS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	LRASS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	LRASS.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2568	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe
2592	LRASS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2440	2568	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2440	2568	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2440	2568	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2440	2568	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2592	2568	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2592	2568	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2592	2568	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2592	2568	dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dad47a460675a66c16ecbdea84234b2a_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\SysWOW64\Vcs3.exe
  C:\Windows\system32\Vcs3.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\addins\LRASS.exe
  C:\Windows\addins\LRASS.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\addins\LRASS.exe

Filesize
29KB

MD5
986e791c2da7fe0019582a32f761e7cf

SHA1
c0a8f974656f0d3e4a46e0d03dcda1308d6cf56e

SHA256
3ea725b4284e817e74eb95adc8628ce8fc4b71d134fef1e71f6d01e24e9eaa15

SHA512
a1d6f5989fb557ef648770110286618ace7ee7be84c0fd848abf6719fa29097159e43ee4824df7806ae3073ce869995ffcc5903e9d0c3a5561b3ed81db47e545

Download Submit
C:\Windows\addins\MSWINSCK.OCX

Filesize
81KB

MD5
e24a4b5cf0f2e84ac51f35f8bfbe22cf

SHA1
8914ca4dd085553a2994afd59fe1a82d833fb58a

SHA256
a8695e5caf40e0c90c2420b399331d05c5bc362b0f73aced42715a9c212d26bc

SHA512
ca978bc52c2bd4bc33fc5ae35fecc1d9352feb488747a17f17654e9c8d0d53538aece9b5fe5e8d6396eab802193a9feb08524a7375b6b74b028134fa4fbfe454

Download Submit
\Windows\SysWOW64\Vcs3.exe

Filesize
135KB

MD5
44768e309b772a09485f4ee6fee70808

SHA1
f7b974988d568314c709803197d5c9b1643a0fdd

SHA256
ce431eff07ed38ae7cb280c62e6e16a605287fd2af0ef7b586d2e28b3bc7add9

SHA512
6233bdf8460213e51681eec4528ed6f439be578b6106aac2f60260138e737a19209e807eb2df33ca105e9ed30f08f420c55681d45c8dc7247ee6244fb3b02834

Download Submit
memory/2440-14-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2568-8-0x0000000002BC0000-0x0000000002C3E000-memory.dmp

Filesize
504KB

Download
memory/2568-17-0x0000000000230000-0x000000000024E000-memory.dmp

Filesize
120KB

Download
memory/2592-23-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2592-30-0x0000000022170000-0x0000000022196000-memory.dmp

Filesize
152KB

Download
memory/2592-31-0x0000000022170000-0x0000000022196000-memory.dmp

Filesize
152KB

Download
memory/2592-33-0x0000000022170000-0x0000000022196000-memory.dmp

Filesize
152KB

Download
memory/2592-34-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2592-48-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads