b61197c699ca9459b9cf8f6e9483939919f97b7a2bd88542e33fd9f3a8b92983

Analysis

max time kernel
134s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2024 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddf4de59bbbcd5013be1dcf4f83e99c4_JaffaCakes118.exe
Size

636KB
MD5

ddf4de59bbbcd5013be1dcf4f83e99c4
SHA1

c091d87ee9f79a46eacebf681dbd91182d09b941
SHA256

b61197c699ca9459b9cf8f6e9483939919f97b7a2bd88542e33fd9f3a8b92983
SHA512

1e7081ba933f07efe4ae0e082b299c44b62ae65ba9a8386984d3db5f6bb01827e957b328c2110c8bda4d676458238647dda89c6d0cdcbcbc0311c4445cbb57f0
SSDEEP

12288:0zpZEkh/OZUwFy3M18veFfQYLHc5LnawSMVicLkOfnhdalzGdvabB:7ry3SPQ5moQOppS

Score

10^/10

discovery

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
hahauranoob123

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	ddf4de59bbbcd5013be1dcf4f83e99c4_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
3096	799ServerFUD.exe
2852	799ServerFUD.exe
1492	WinUpdate.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3096 set thread context of 2852	3096	799ServerFUD.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2952	2852	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddf4de59bbbcd5013be1dcf4f83e99c4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	799ServerFUD.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	ddf4de59bbbcd5013be1dcf4f83e99c4_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1228	WINWORD.EXE
1228	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	ddf4de59bbbcd5013be1dcf4f83e99c4_JaffaCakes118.exe
Token: SeDebugPrivilege	3096	799ServerFUD.exe
Token: SeDebugPrivilege	1492	WinUpdate.exe
Token: SeBackupPrivilege	5008	dw20.exe
Token: SeBackupPrivilege	5008	dw20.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1228	WINWORD.EXE
1228	WINWORD.EXE
1228	WINWORD.EXE
1228	WINWORD.EXE
1228	WINWORD.EXE
1228	WINWORD.EXE
1228	WINWORD.EXE
1228	WINWORD.EXE
1228	WINWORD.EXE
1228	WINWORD.EXE

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 4544	1944	ddf4de59bbbcd5013be1dcf4f83e99c4_JaffaCakes118.exe	83
PID 1944 wrote to memory of 4544	1944	ddf4de59bbbcd5013be1dcf4f83e99c4_JaffaCakes118.exe	83
PID 1944 wrote to memory of 4544	1944	ddf4de59bbbcd5013be1dcf4f83e99c4_JaffaCakes118.exe	83
PID 1944 wrote to memory of 3096	1944	ddf4de59bbbcd5013be1dcf4f83e99c4_JaffaCakes118.exe	85
PID 1944 wrote to memory of 3096	1944	ddf4de59bbbcd5013be1dcf4f83e99c4_JaffaCakes118.exe	85
PID 1944 wrote to memory of 3096	1944	ddf4de59bbbcd5013be1dcf4f83e99c4_JaffaCakes118.exe	85
PID 1944 wrote to memory of 1228	1944	ddf4de59bbbcd5013be1dcf4f83e99c4_JaffaCakes118.exe	86
PID 1944 wrote to memory of 1228	1944	ddf4de59bbbcd5013be1dcf4f83e99c4_JaffaCakes118.exe	86
PID 3096 wrote to memory of 4532	3096	799ServerFUD.exe	87
PID 3096 wrote to memory of 4532	3096	799ServerFUD.exe	87
PID 3096 wrote to memory of 4532	3096	799ServerFUD.exe	87
PID 4544 wrote to memory of 3468	4544	csc.exe	89
PID 4544 wrote to memory of 3468	4544	csc.exe	89
PID 4544 wrote to memory of 3468	4544	csc.exe	89
PID 4532 wrote to memory of 652	4532	csc.exe	90
PID 4532 wrote to memory of 652	4532	csc.exe	90
PID 4532 wrote to memory of 652	4532	csc.exe	90
PID 3096 wrote to memory of 2852	3096	799ServerFUD.exe	92
PID 3096 wrote to memory of 2852	3096	799ServerFUD.exe	92
PID 3096 wrote to memory of 2852	3096	799ServerFUD.exe	92
PID 3096 wrote to memory of 2852	3096	799ServerFUD.exe	92
PID 3096 wrote to memory of 2852	3096	799ServerFUD.exe	92
PID 3096 wrote to memory of 2852	3096	799ServerFUD.exe	92
PID 3096 wrote to memory of 2852	3096	799ServerFUD.exe	92
PID 3096 wrote to memory of 2852	3096	799ServerFUD.exe	92
PID 3096 wrote to memory of 2852	3096	799ServerFUD.exe	92
PID 3096 wrote to memory of 2852	3096	799ServerFUD.exe	92
PID 1944 wrote to memory of 1492	1944	ddf4de59bbbcd5013be1dcf4f83e99c4_JaffaCakes118.exe	99
PID 1944 wrote to memory of 1492	1944	ddf4de59bbbcd5013be1dcf4f83e99c4_JaffaCakes118.exe	99
PID 1944 wrote to memory of 1492	1944	ddf4de59bbbcd5013be1dcf4f83e99c4_JaffaCakes118.exe	99
PID 1492 wrote to memory of 5008	1492	WinUpdate.exe	100
PID 1492 wrote to memory of 5008	1492	WinUpdate.exe	100
PID 1492 wrote to memory of 5008	1492	WinUpdate.exe	100

C:\Users\Admin\AppData\Local\Temp\ddf4de59bbbcd5013be1dcf4f83e99c4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ddf4de59bbbcd5013be1dcf4f83e99c4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\95o27wuv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F9C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9F9B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3468
- C:\Users\Admin\AppData\Local\Temp\799ServerFUD.exe
  "C:\Users\Admin\AppData\Local\Temp\799ServerFUD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-afmxssf.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA067.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA066.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:652
- - C:\Users\Admin\AppData\Roaming\799ServerFUD.exe
    C:\Users\Admin\AppData\Roaming\799ServerFUD.exe
    3⤵
    - Executes dropped EXE
    PID:2852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 12
      4⤵
      Program crash
      PID:2952
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\160PVHAX Database.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1228
- C:\Users\Admin\AppData\Roaming\WinUpdate.exe
  "C:\Users\Admin\AppData\Roaming\WinUpdate.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 888
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2852 -ip 2852
1⤵
PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-afmxssf.dll

Filesize
5KB

MD5
b01c6a33a389a5bb62291580467f01d3

SHA1
0f74275a74794cd2fa4095167c4fa6bf5f1694ab

SHA256
ef95192cf89a0f8b7e77718e70e4d5e6404936638b49c3266ec2d5217339cdfb

SHA512
fc202728655a769428a6b0a2ea5d9599e1798bccdad62c9388ea9b444e1623092a8870fc13a883d3b17a65e0246e9b00a3d22ff3612f185ef31041440c2e0a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\160PVHAX Database.docx

Filesize
41KB

MD5
a655b2a63acfb73fc51d38f2234b6305

SHA1
22ef59beb2255857c37761178bb28c0f91db2592

SHA256
1dfbe4cef121c32da0478c872e7a1279d9eec86c162303f3314c283114b45526

SHA512
202177c3da02681a6f52b131ec6a1c58ce26b4030e88186bb9e72f1f6205c2da9e7a60791a72c0b1541a137a56f570ae54741e62e4acf11ea1c722ed33c1c4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\799ServerFUD.exe

Filesize
332KB

MD5
ef0efed78e663ecfba34a03f1ceadd7d

SHA1
6b1ce72c94f8ab2cf6dd46cb5d5599234b91c4a2

SHA256
d8ae7273a8e8e88d6c47e998d127d54f9ac13fa4c76f0f13efb5d75d9e879a38

SHA512
73566ac19d585708a705e01264ae8db8a7b097eb76371fb66aab395878376f5708c38ad3d5abe3886bdbe3914b52b58311b8dccac26535dca11960a5b03464c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\95o27wuv.dll

Filesize
5KB

MD5
e8fffb9600d8ffd5883da89fa4f76c22

SHA1
4a7304c78cc1f21c31a5101aa62ea3f9cf972f3b

SHA256
9580e5cf26ec2733e083fafe89ff48d223e1cc259f95b5f81ecad513d4536bc4

SHA512
649f1e4bc02b2aa6bb3c50672a67cc7770626deee463787734700279cbf74f3aa87570e49eab552ca15474845cfd1145e2fe691f018e361a5fdd254824232e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9F9C.tmp

Filesize
1KB

MD5
f2a6432487d268d2f0ed5c91b32a197e

SHA1
17b7bb669d366bec7e3393d134698ffdf3300bb7

SHA256
60d71c02a2bc26d2e8afdece48220f1bed3dac61a9a76ab83633684e16ce030f

SHA512
aa0f7793e2425897035c9f8f32ff00c80b1722f98cb8c9c3dcf7066bd49da987a1426e355efce2372b847d33e87487a024fee607555a4e2cf46119112114ef45

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA067.tmp

Filesize
1KB

MD5
25f32c2a19ecae2e3c3346b00860dfee

SHA1
4da8929453648c3852e07cd5b00a98d916f55cd7

SHA256
a828dfdd160dc79e4207a547101ce96c6d9599f7fbabb888dd633236e423dc43

SHA512
76052251428f1314839e1af258de8e25fd3c78c8ce241e19f7e8c5caacb148dc90faf390d22537bb1a87f68713bba87455be7b8dd5412c12a0aafc667abe3b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDE36F.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\799ServerFUD.exe

Filesize
6KB

MD5
d89fdbb4172cee2b2f41033e62c677d6

SHA1
c1917b579551f0915f1a0a8e8e3c7a6809284e6b

SHA256
2cbdc0ddc7901a9b89615cc338f63e1800f864db431e7a7a85749f73cba0b383

SHA512
48941f08ae00d342b52e3255b99ce36abb4e46a48075a760869bc86b1a32c0737eb2bd5e43d5ee665303ab134282f9732738755c4027043ed2d4f414faab63ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate.exe

Filesize
636KB

MD5
ddf4de59bbbcd5013be1dcf4f83e99c4

SHA1
c091d87ee9f79a46eacebf681dbd91182d09b941

SHA256
b61197c699ca9459b9cf8f6e9483939919f97b7a2bd88542e33fd9f3a8b92983

SHA512
1e7081ba933f07efe4ae0e082b299c44b62ae65ba9a8386984d3db5f6bb01827e957b328c2110c8bda4d676458238647dda89c6d0cdcbcbc0311c4445cbb57f0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-afmxssf.cmdline

Filesize
206B

MD5
62233901c2cf3c89625d760de4fc8cb1

SHA1
dc72888d202b52e0cfff797b32197cb7e30b3b82

SHA256
8737af9f471a27ee08111b39e0c1f82949387bca09b6f68e324d4fb9a6919402

SHA512
a5028348f8ac4cc074ce228f5df1eccdcd8eded80fc07e0ab5ba0a3f02c43196128d49c0ab8a40fbd49d25ca21d362d01c7dd00c9e1544eb3efe660241e28d68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\95o27wuv.0.cs

Filesize
5KB

MD5
cb25540570735d26bf391e8b54579396

SHA1
135651d49409214d21348bb879f7973384a7a8cb

SHA256
922ec415710a6e1465ed8553838ddf19c8deb32b75da6dfaca372c1067d2d743

SHA512
553ce9d3647b196ccbd6612c06d301afac992130ec5c80fe8fa8a42bab4250053fad651227ff97d9fab4ba8aaff562d421236dc0b2b5d0d4a17430985dd07080

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\95o27wuv.cmdline

Filesize
206B

MD5
2560252ec73bb783cd18eee750ae8b0f

SHA1
43986f5cdb12b9018b608df22f03b6b579ab4412

SHA256
a467ae8dbb19ee599e388392ed3a6f89957971a4ad35fc7a6ceb62bd1743bffa

SHA512
ff90c206d4d764dc6fe992e18adef994e2da1dddecea5facdde60dbf21a4eabe5073f4aca464a851aba3b3fb1a038d3edc80f5142d3f1a4d81e1dc154db3648f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9F9B.tmp

Filesize
652B

MD5
31603ed889fbbf578f4d87be8b32c1cc

SHA1
a269be529c337611f3937de63aeb70230327b2e2

SHA256
bc24f2cf3780102b857b5d94d32381d4ae8697f1e79a5369d28a7253c33eb9b5

SHA512
e84ef2fbdd859e742ccb7ee400af68c69d159aea6e57eadc7a368d2b9e62e783197e7bd1fe3ab3cb2c3308fe6e17b856863f028c0b55e897a5343d5b8a7f2564

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA066.tmp

Filesize
652B

MD5
4f13cf1087ebd2e38f34f236a5522747

SHA1
2a4071dd21c2bf4ec3570d6fe3f7d15b96f3b4c0

SHA256
3585d5d9f0eeeec1e42b268a74676ff4e651adc0e9164b39ac679f1232c31b12

SHA512
6cec5df508bf613df50d1ec412f16c39e8d85133aa34554b5e14b22ae5ca58361be73cf6e7e94637aed2dd4f40d58e96e8e63ed7ab0b26c582597f3bdcdc8c08

Download Submit
memory/1228-30-0x00007FFDE15B0000-0x00007FFDE15C0000-memory.dmp

Filesize
64KB

Download
memory/1228-29-0x00007FFDE15B0000-0x00007FFDE15C0000-memory.dmp

Filesize
64KB

Download
memory/1228-39-0x00007FFDDF3F0000-0x00007FFDDF400000-memory.dmp

Filesize
64KB

Download
memory/1228-34-0x00007FFDE15B0000-0x00007FFDE15C0000-memory.dmp

Filesize
64KB

Download
memory/1228-28-0x00007FFDE15B0000-0x00007FFDE15C0000-memory.dmp

Filesize
64KB

Download
memory/1228-33-0x00007FFDE15B0000-0x00007FFDE15C0000-memory.dmp

Filesize
64KB

Download
memory/1228-50-0x00007FFDDF3F0000-0x00007FFDDF400000-memory.dmp

Filesize
64KB

Download
memory/1944-0-0x00000000747D2000-0x00000000747D3000-memory.dmp

Filesize
4KB

Download
memory/1944-2-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/1944-1-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/1944-85-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/3096-35-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/3096-62-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/3096-19-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/3096-24-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4544-44-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4544-36-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads