708658fe6c3fa65e026f739c1a58a4b69fb4a1162a230eac765f490e83387cc2

Analysis

max time kernel
147s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea91db5818e63b7f37e7b6e9f4bdb5bc_JaffaCakes118.exe
Size

432KB
MD5

ea91db5818e63b7f37e7b6e9f4bdb5bc
SHA1

df083c0d2c4414bd916509a146e7fde3c036daee
SHA256

708658fe6c3fa65e026f739c1a58a4b69fb4a1162a230eac765f490e83387cc2
SHA512

5179f00d2a4ce2bd96832719be92b342b87dbd247ded38eba9c2fbdd422ce9957fcb5234f585cb70af6dad6ff5910030a0078a792f4bd1203101e9c669402bfb
SSDEEP

12288:vrLQZgH3MQkrBYP4VM1fAdHSTOfBRgGOiRtmrdCVtNp+h:vHyCwmP4CS94OfBRgeRt6UNs

Score

7^/10

discovery evasion

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2296	windowsupdate.exe
2356	windowsupdate.exe
1712	windowsupdate.exe
2572	windowsupdate.exe
2688	windowsupdate.exe
2328	windowsupdate.exe
2112	windowsupdate.exe
2040	windowsupdate.exe
1888	windowsupdate.exe
2344	windowsupdate.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	windowsupdate.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	windowsupdate.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	windowsupdate.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	windowsupdate.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	windowsupdate.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	windowsupdate.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	windowsupdate.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	ea91db5818e63b7f37e7b6e9f4bdb5bc_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	windowsupdate.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	windowsupdate.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	windowsupdate.exe

Loads dropped DLL 40 IoCs

pid	Process
2560	ea91db5818e63b7f37e7b6e9f4bdb5bc_JaffaCakes118.exe
2296	windowsupdate.exe
2296	windowsupdate.exe
2296	windowsupdate.exe
2296	windowsupdate.exe
2356	windowsupdate.exe
2356	windowsupdate.exe
2356	windowsupdate.exe
2356	windowsupdate.exe
1712	windowsupdate.exe
1712	windowsupdate.exe
1712	windowsupdate.exe
1712	windowsupdate.exe
2572	windowsupdate.exe
2572	windowsupdate.exe
2572	windowsupdate.exe
2572	windowsupdate.exe
2688	windowsupdate.exe
2688	windowsupdate.exe
2688	windowsupdate.exe
2688	windowsupdate.exe
2328	windowsupdate.exe
2328	windowsupdate.exe
2328	windowsupdate.exe
2328	windowsupdate.exe
2112	windowsupdate.exe
2112	windowsupdate.exe
2112	windowsupdate.exe
2112	windowsupdate.exe
2040	windowsupdate.exe
2040	windowsupdate.exe
2040	windowsupdate.exe
2040	windowsupdate.exe
1888	windowsupdate.exe
1888	windowsupdate.exe
1888	windowsupdate.exe
1888	windowsupdate.exe
2344	windowsupdate.exe
2344	windowsupdate.exe
2344	windowsupdate.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	ea91db5818e63b7f37e7b6e9f4bdb5bc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	ea91db5818e63b7f37e7b6e9f4bdb5bc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File opened for modification	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe
File created	C:\Windows\SysWOW64\windowsupdate.exe	windowsupdate.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea91db5818e63b7f37e7b6e9f4bdb5bc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowsupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2296	2560	ea91db5818e63b7f37e7b6e9f4bdb5bc_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2296	2560	ea91db5818e63b7f37e7b6e9f4bdb5bc_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2296	2560	ea91db5818e63b7f37e7b6e9f4bdb5bc_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2296	2560	ea91db5818e63b7f37e7b6e9f4bdb5bc_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2296	2560	ea91db5818e63b7f37e7b6e9f4bdb5bc_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2296	2560	ea91db5818e63b7f37e7b6e9f4bdb5bc_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2296	2560	ea91db5818e63b7f37e7b6e9f4bdb5bc_JaffaCakes118.exe	30
PID 2296 wrote to memory of 2356	2296	windowsupdate.exe	32
PID 2296 wrote to memory of 2356	2296	windowsupdate.exe	32
PID 2296 wrote to memory of 2356	2296	windowsupdate.exe	32
PID 2296 wrote to memory of 2356	2296	windowsupdate.exe	32
PID 2296 wrote to memory of 2356	2296	windowsupdate.exe	32
PID 2296 wrote to memory of 2356	2296	windowsupdate.exe	32
PID 2296 wrote to memory of 2356	2296	windowsupdate.exe	32
PID 2356 wrote to memory of 1712	2356	windowsupdate.exe	33
PID 2356 wrote to memory of 1712	2356	windowsupdate.exe	33
PID 2356 wrote to memory of 1712	2356	windowsupdate.exe	33
PID 2356 wrote to memory of 1712	2356	windowsupdate.exe	33
PID 2356 wrote to memory of 1712	2356	windowsupdate.exe	33
PID 2356 wrote to memory of 1712	2356	windowsupdate.exe	33
PID 2356 wrote to memory of 1712	2356	windowsupdate.exe	33
PID 1712 wrote to memory of 2572	1712	windowsupdate.exe	34
PID 1712 wrote to memory of 2572	1712	windowsupdate.exe	34
PID 1712 wrote to memory of 2572	1712	windowsupdate.exe	34
PID 1712 wrote to memory of 2572	1712	windowsupdate.exe	34
PID 1712 wrote to memory of 2572	1712	windowsupdate.exe	34
PID 1712 wrote to memory of 2572	1712	windowsupdate.exe	34
PID 1712 wrote to memory of 2572	1712	windowsupdate.exe	34
PID 2572 wrote to memory of 2688	2572	windowsupdate.exe	35
PID 2572 wrote to memory of 2688	2572	windowsupdate.exe	35
PID 2572 wrote to memory of 2688	2572	windowsupdate.exe	35
PID 2572 wrote to memory of 2688	2572	windowsupdate.exe	35
PID 2572 wrote to memory of 2688	2572	windowsupdate.exe	35
PID 2572 wrote to memory of 2688	2572	windowsupdate.exe	35
PID 2572 wrote to memory of 2688	2572	windowsupdate.exe	35
PID 2688 wrote to memory of 2328	2688	windowsupdate.exe	36
PID 2688 wrote to memory of 2328	2688	windowsupdate.exe	36
PID 2688 wrote to memory of 2328	2688	windowsupdate.exe	36
PID 2688 wrote to memory of 2328	2688	windowsupdate.exe	36
PID 2688 wrote to memory of 2328	2688	windowsupdate.exe	36
PID 2688 wrote to memory of 2328	2688	windowsupdate.exe	36
PID 2688 wrote to memory of 2328	2688	windowsupdate.exe	36
PID 2328 wrote to memory of 2112	2328	windowsupdate.exe	37
PID 2328 wrote to memory of 2112	2328	windowsupdate.exe	37
PID 2328 wrote to memory of 2112	2328	windowsupdate.exe	37
PID 2328 wrote to memory of 2112	2328	windowsupdate.exe	37
PID 2328 wrote to memory of 2112	2328	windowsupdate.exe	37
PID 2328 wrote to memory of 2112	2328	windowsupdate.exe	37
PID 2328 wrote to memory of 2112	2328	windowsupdate.exe	37
PID 2112 wrote to memory of 2040	2112	windowsupdate.exe	38
PID 2112 wrote to memory of 2040	2112	windowsupdate.exe	38
PID 2112 wrote to memory of 2040	2112	windowsupdate.exe	38
PID 2112 wrote to memory of 2040	2112	windowsupdate.exe	38
PID 2112 wrote to memory of 2040	2112	windowsupdate.exe	38
PID 2112 wrote to memory of 2040	2112	windowsupdate.exe	38
PID 2112 wrote to memory of 2040	2112	windowsupdate.exe	38
PID 2040 wrote to memory of 1888	2040	windowsupdate.exe	39
PID 2040 wrote to memory of 1888	2040	windowsupdate.exe	39
PID 2040 wrote to memory of 1888	2040	windowsupdate.exe	39
PID 2040 wrote to memory of 1888	2040	windowsupdate.exe	39
PID 2040 wrote to memory of 1888	2040	windowsupdate.exe	39
PID 2040 wrote to memory of 1888	2040	windowsupdate.exe	39
PID 2040 wrote to memory of 1888	2040	windowsupdate.exe	39
PID 1888 wrote to memory of 2344	1888	windowsupdate.exe	40

C:\Users\Admin\AppData\Local\Temp\ea91db5818e63b7f37e7b6e9f4bdb5bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea91db5818e63b7f37e7b6e9f4bdb5bc_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\SysWOW64\windowsupdate.exe
  C:\Windows\system32\windowsupdate.exe 616 "C:\Users\Admin\AppData\Local\Temp\ea91db5818e63b7f37e7b6e9f4bdb5bc_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\windowsupdate.exe
    C:\Windows\system32\windowsupdate.exe 752 "C:\Windows\SysWOW64\windowsupdate.exe"
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\SysWOW64\windowsupdate.exe
      C:\Windows\system32\windowsupdate.exe 760 "C:\Windows\SysWOW64\windowsupdate.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\system32\windowsupdate.exe 756 "C:\Windows\SysWOW64\windowsupdate.exe"
        5⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\system32\windowsupdate.exe 772 "C:\Windows\SysWOW64\windowsupdate.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\system32\windowsupdate.exe 768 "C:\Windows\SysWOW64\windowsupdate.exe"
        7⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\system32\windowsupdate.exe 788 "C:\Windows\SysWOW64\windowsupdate.exe"
        8⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\system32\windowsupdate.exe 776 "C:\Windows\SysWOW64\windowsupdate.exe"
        9⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\system32\windowsupdate.exe 764 "C:\Windows\SysWOW64\windowsupdate.exe"
        10⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\windowsupdate.exe
        
        C:\Windows\system32\windowsupdate.exe 784 "C:\Windows\SysWOW64\windowsupdate.exe"
        11⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\windowsupdate.exe

Filesize
432KB

MD5
ea91db5818e63b7f37e7b6e9f4bdb5bc

SHA1
df083c0d2c4414bd916509a146e7fde3c036daee

SHA256
708658fe6c3fa65e026f739c1a58a4b69fb4a1162a230eac765f490e83387cc2

SHA512
5179f00d2a4ce2bd96832719be92b342b87dbd247ded38eba9c2fbdd422ce9957fcb5234f585cb70af6dad6ff5910030a0078a792f4bd1203101e9c669402bfb

Download Submit
memory/1712-50-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1712-51-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1712-57-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1888-125-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1888-115-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1888-114-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2040-103-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2040-107-0x0000000000550000-0x000000000069C000-memory.dmp

Filesize
1.3MB

Download
memory/2040-104-0x0000000000550000-0x000000000069C000-memory.dmp

Filesize
1.3MB

Download
memory/2040-106-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2040-113-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2040-100-0x0000000000550000-0x000000000069C000-memory.dmp

Filesize
1.3MB

Download
memory/2040-101-0x0000000000550000-0x000000000069C000-memory.dmp

Filesize
1.3MB

Download
memory/2040-105-0x0000000000550000-0x000000000069C000-memory.dmp

Filesize
1.3MB

Download
memory/2112-94-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2112-92-0x0000000000AD0000-0x0000000000C1C000-memory.dmp

Filesize
1.3MB

Download
memory/2112-91-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2112-88-0x0000000000AD0000-0x0000000000C1C000-memory.dmp

Filesize
1.3MB

Download
memory/2112-84-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2112-93-0x0000000000AD0000-0x0000000000C1C000-memory.dmp

Filesize
1.3MB

Download
memory/2112-102-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2296-30-0x0000000004BE0000-0x0000000004D2C000-memory.dmp

Filesize
1.3MB

Download
memory/2296-20-0x0000000000940000-0x0000000000A8C000-memory.dmp

Filesize
1.3MB

Download
memory/2296-19-0x0000000000940000-0x0000000000A8C000-memory.dmp

Filesize
1.3MB

Download
memory/2296-18-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2296-21-0x0000000000940000-0x0000000000A8C000-memory.dmp

Filesize
1.3MB

Download
memory/2296-23-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2296-24-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2296-38-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2296-25-0x0000000000940000-0x0000000000A8C000-memory.dmp

Filesize
1.3MB

Download
memory/2296-28-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2296-26-0x0000000000940000-0x0000000000A8C000-memory.dmp

Filesize
1.3MB

Download
memory/2296-27-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2328-78-0x0000000000A50000-0x0000000000B9C000-memory.dmp

Filesize
1.3MB

Download
memory/2328-90-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2328-81-0x0000000000A50000-0x0000000000B9C000-memory.dmp

Filesize
1.3MB

Download
memory/2328-80-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2328-75-0x0000000000A50000-0x0000000000B9C000-memory.dmp

Filesize
1.3MB

Download
memory/2328-79-0x0000000000A50000-0x0000000000B9C000-memory.dmp

Filesize
1.3MB

Download
memory/2328-77-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2344-129-0x0000000000C50000-0x0000000000D9C000-memory.dmp

Filesize
1.3MB

Download
memory/2344-128-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2344-123-0x0000000000C50000-0x0000000000D9C000-memory.dmp

Filesize
1.3MB

Download
memory/2344-122-0x0000000000C50000-0x0000000000D9C000-memory.dmp

Filesize
1.3MB

Download
memory/2344-121-0x0000000000C50000-0x0000000000D9C000-memory.dmp

Filesize
1.3MB

Download
memory/2344-130-0x0000000000C50000-0x0000000000D9C000-memory.dmp

Filesize
1.3MB

Download
memory/2344-126-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2344-127-0x0000000000C50000-0x0000000000D9C000-memory.dmp

Filesize
1.3MB

Download
memory/2356-35-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2356-40-0x0000000000550000-0x000000000069C000-memory.dmp

Filesize
1.3MB

Download
memory/2356-36-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2356-39-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2356-49-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2356-43-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2356-42-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2356-41-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2560-13-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2560-0-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2560-1-0x0000000000401000-0x0000000000413000-memory.dmp

Filesize
72KB

Download
memory/2560-9-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2560-2-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2560-17-0x0000000004850000-0x000000000499C000-memory.dmp

Filesize
1.3MB

Download
memory/2560-3-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2572-66-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2572-58-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2572-59-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2688-69-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2688-67-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2688-65-0x0000000000B50000-0x0000000000C9C000-memory.dmp

Filesize
1.3MB

Download
memory/2688-68-0x0000000000B50000-0x0000000000C9C000-memory.dmp

Filesize
1.3MB

Download
memory/2688-76-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads