56e55b9bfeb685b21f6b50ec887a9f5892f4eb447defb85efc7ca4380549200e

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe
Size

364KB
MD5

eeb01fa0743d3b3a4349e1fb2a498acc
SHA1

2ff4536446d7d4b8c973b3d28b612217c3099538
SHA256

56e55b9bfeb685b21f6b50ec887a9f5892f4eb447defb85efc7ca4380549200e
SHA512

b79869caa921420d4f28200ab43e64f3dab85cd360ce8cb1aa3a6bfa637959ff88de420185280e58643f9236bcaa6c6829e34c570fc7816512a903aca0e55a1a
SSDEEP

6144:3Xc2XtsXWX7DEXs1yq/c1SWOXVGQSmPWwNWcCuqZXzXgTi13lLFNSFAhaQ5q:c2XtsXWXfu1yF3S5ZXzXgT0V8E

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
3064	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
3024	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe
3024	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Startup\\svchost.exe"	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3024 set thread context of 3064	3024	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	34

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2968	reg.exe
2604	reg.exe
2980	reg.exe
2044	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe
Token: 1	3064	svchost.exe
Token: SeCreateTokenPrivilege	3064	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	3064	svchost.exe
Token: SeLockMemoryPrivilege	3064	svchost.exe
Token: SeIncreaseQuotaPrivilege	3064	svchost.exe
Token: SeMachineAccountPrivilege	3064	svchost.exe
Token: SeTcbPrivilege	3064	svchost.exe
Token: SeSecurityPrivilege	3064	svchost.exe
Token: SeTakeOwnershipPrivilege	3064	svchost.exe
Token: SeLoadDriverPrivilege	3064	svchost.exe
Token: SeSystemProfilePrivilege	3064	svchost.exe
Token: SeSystemtimePrivilege	3064	svchost.exe
Token: SeProfSingleProcessPrivilege	3064	svchost.exe
Token: SeIncBasePriorityPrivilege	3064	svchost.exe
Token: SeCreatePagefilePrivilege	3064	svchost.exe
Token: SeCreatePermanentPrivilege	3064	svchost.exe
Token: SeBackupPrivilege	3064	svchost.exe
Token: SeRestorePrivilege	3064	svchost.exe
Token: SeShutdownPrivilege	3064	svchost.exe
Token: SeDebugPrivilege	3064	svchost.exe
Token: SeAuditPrivilege	3064	svchost.exe
Token: SeSystemEnvironmentPrivilege	3064	svchost.exe
Token: SeChangeNotifyPrivilege	3064	svchost.exe
Token: SeRemoteShutdownPrivilege	3064	svchost.exe
Token: SeUndockPrivilege	3064	svchost.exe
Token: SeSyncAgentPrivilege	3064	svchost.exe
Token: SeEnableDelegationPrivilege	3064	svchost.exe
Token: SeManageVolumePrivilege	3064	svchost.exe
Token: SeImpersonatePrivilege	3064	svchost.exe
Token: SeCreateGlobalPrivilege	3064	svchost.exe
Token: 31	3064	svchost.exe
Token: 32	3064	svchost.exe
Token: 33	3064	svchost.exe
Token: 34	3064	svchost.exe
Token: 35	3064	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3064	svchost.exe
3064	svchost.exe
3064	svchost.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2192	3024	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	31
PID 3024 wrote to memory of 2192	3024	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	31
PID 3024 wrote to memory of 2192	3024	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	31
PID 3024 wrote to memory of 2192	3024	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	31
PID 2192 wrote to memory of 2760	2192	csc.exe	33
PID 2192 wrote to memory of 2760	2192	csc.exe	33
PID 2192 wrote to memory of 2760	2192	csc.exe	33
PID 2192 wrote to memory of 2760	2192	csc.exe	33
PID 3024 wrote to memory of 3064	3024	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	34
PID 3024 wrote to memory of 3064	3024	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	34
PID 3024 wrote to memory of 3064	3024	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	34
PID 3024 wrote to memory of 3064	3024	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	34
PID 3024 wrote to memory of 3064	3024	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	34
PID 3024 wrote to memory of 3064	3024	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	34
PID 3024 wrote to memory of 3064	3024	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	34
PID 3024 wrote to memory of 3064	3024	eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe	34
PID 3064 wrote to memory of 2716	3064	svchost.exe	35
PID 3064 wrote to memory of 2716	3064	svchost.exe	35
PID 3064 wrote to memory of 2716	3064	svchost.exe	35
PID 3064 wrote to memory of 2716	3064	svchost.exe	35
PID 3064 wrote to memory of 2588	3064	svchost.exe	36
PID 3064 wrote to memory of 2588	3064	svchost.exe	36
PID 3064 wrote to memory of 2588	3064	svchost.exe	36
PID 3064 wrote to memory of 2588	3064	svchost.exe	36
PID 3064 wrote to memory of 2596	3064	svchost.exe	38
PID 3064 wrote to memory of 2596	3064	svchost.exe	38
PID 3064 wrote to memory of 2596	3064	svchost.exe	38
PID 3064 wrote to memory of 2596	3064	svchost.exe	38
PID 3064 wrote to memory of 2544	3064	svchost.exe	39
PID 3064 wrote to memory of 2544	3064	svchost.exe	39
PID 3064 wrote to memory of 2544	3064	svchost.exe	39
PID 3064 wrote to memory of 2544	3064	svchost.exe	39
PID 2716 wrote to memory of 2968	2716	cmd.exe	43
PID 2716 wrote to memory of 2968	2716	cmd.exe	43
PID 2716 wrote to memory of 2968	2716	cmd.exe	43
PID 2716 wrote to memory of 2968	2716	cmd.exe	43
PID 2544 wrote to memory of 2044	2544	cmd.exe	45
PID 2544 wrote to memory of 2044	2544	cmd.exe	45
PID 2544 wrote to memory of 2044	2544	cmd.exe	45
PID 2544 wrote to memory of 2044	2544	cmd.exe	45
PID 2588 wrote to memory of 2604	2588	cmd.exe	44
PID 2588 wrote to memory of 2604	2588	cmd.exe	44
PID 2588 wrote to memory of 2604	2588	cmd.exe	44
PID 2588 wrote to memory of 2604	2588	cmd.exe	44
PID 2596 wrote to memory of 2980	2596	cmd.exe	46
PID 2596 wrote to memory of 2980	2596	cmd.exe	46
PID 2596 wrote to memory of 2980	2596	cmd.exe	46
PID 2596 wrote to memory of 2980	2596	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eeb01fa0743d3b3a4349e1fb2a498acc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rc25wexf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF162.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF161.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2760
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF162.tmp

Filesize
1KB

MD5
fb661ca1191504345632d03fb340ef1f

SHA1
7786770f6a21cbc10c18bb9b42a60504449ad63b

SHA256
eff837fbeecb09e1b8156311c5fd1dc1d79d31716754df33ad8813a39743ed3f

SHA512
9c9d0fbc086bee7ed5658cc90af105181b2dec7f80af48433c65e591e05150464b79eec2736bd0bd3aecb89bdc2d9c271da4df39ff6f9b676a4a90dd2bc20c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\rc25wexf.dll

Filesize
5KB

MD5
8f62b18c9be9604df08adddbacd87aac

SHA1
26e705db38fce5800d330738d3f37cfb8aa49276

SHA256
a594a2550941f923a09d59def1fcc7d2c70cac970069994561cc92d7ec61c700

SHA512
29ac29db5e73c32bcbfd2239284c9ead231b0dfb50c8856b73175abc244400ef32d16010eba7ec5a8c8365e29eeec08e4d71bb36bb722f5f310a5a934495eb2a

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF161.tmp

Filesize
652B

MD5
2855f9f1c0102a2916c78ee15c452e24

SHA1
f9b3bf87d3b84095b6e2a097e2dc8f6f1560610f

SHA256
48b02f2c46f0da3ba6ef6368afdb2fc63ae6cf12893b0e100f5cfb1ff6b9047f

SHA512
9298788909837e0f598d803ba91abda17b31a34048adfa95891ee8b56c59afcadf04d04b7348658798a90473b7de04b63e4e421594f0357c5c158c4a757ed5d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rc25wexf.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rc25wexf.cmdline

Filesize
206B

MD5
f58c04aeb3be10d256b562505ea12dd0

SHA1
873bbcb191a2689daaf9954234248e82719c273e

SHA256
d3542d7434a9a51f6d925be1e8e7e38f9c149bcb79b2bc01be97b8cda2a5287c

SHA512
4cbb7ee425bcc3240a9fe6869038cfed7ea76f2f5110f810e5fb40b2e6c9ffdb6452b81628ff98376ab1ee3934810b7c77247060b97c19ad605a9f8b955ff21a

Download Submit
memory/2192-8-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/2192-15-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/3024-0-0x00000000747D1000-0x00000000747D2000-memory.dmp

Filesize
4KB

Download
memory/3024-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/3024-2-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/3024-40-0x00000000747D0000-0x0000000074D7B000-memory.dmp

Filesize
5.7MB

Download
memory/3064-32-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3064-45-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3064-29-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3064-27-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3064-25-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3064-42-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3064-43-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3064-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3064-46-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3064-47-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3064-49-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3064-51-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3064-54-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3064-57-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3064-58-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads