73718442f7fb1a5c241aa2573194fdc51bf514aa1758dc35b550a3fa71cfd0b2

General

Target

81aa05ab45e06efb51d79d4f83e43b80.exe
Size

162KB
MD5

81aa05ab45e06efb51d79d4f83e43b80
SHA1

949645fb5252cab46004dfa1f8a27c7b439f0c04
SHA256

73718442f7fb1a5c241aa2573194fdc51bf514aa1758dc35b550a3fa71cfd0b2
SHA512

0721f4691b2a6b0336e01f8f2ae0ddc8b2e245db56b4fb04d83bf16f4f3f8df561d1306d06ff8fa1a9bdf83839205b592d7026a5cac66ca9db77064e9cd7c5cf
SSDEEP

3072:REyXoN1VwNS1Jorf5qAHi6M0Lu/OIoZUlqhkZfsAS8dmFJ/geIOXBdFr8qq0Zv8:rXoN1SR3FLcNlu0Ef8ODIKB410C

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Bafnfo.exeBafnfo.exeBafnfo.exe

pid process

968 Bafnfo.exe
3968 Bafnfo.exe
2880 Bafnfo.exe
Loads dropped DLL 2 IoCs

Processes:

81aa05ab45e06efb51d79d4f83e43b80.exeBafnfo.exe

pid process

3184 81aa05ab45e06efb51d79d4f83e43b80.exe
968 Bafnfo.exe

pid	process
968	Bafnfo.exe
3968	Bafnfo.exe
2880	Bafnfo.exe

pid	process
3184	81aa05ab45e06efb51d79d4f83e43b80.exe
968	Bafnfo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

81aa05ab45e06efb51d79d4f83e43b80.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bafnfo = "C:\\Users\\Admin\\AppData\\Roaming\\Bafnfo.exe"	81aa05ab45e06efb51d79d4f83e43b80.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

81aa05ab45e06efb51d79d4f83e43b80.exe81aa05ab45e06efb51d79d4f83e43b80.exeBafnfo.exeBafnfo.exe

description	pid	process	target process
PID 3184 set thread context of 3552	3184	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 3552 set thread context of 3640	3552	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 968 set thread context of 3968	968	Bafnfo.exe	Bafnfo.exe
PID 3968 set thread context of 2880	3968	Bafnfo.exe	Bafnfo.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31085378"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3239421751"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31085378"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3239421751"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413359856"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3241452339"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31085378"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31085378"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{ECAC1998-BF35-11EE-BD28-5EB4A22F4468} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3241452339"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

81aa05ab45e06efb51d79d4f83e43b80.exe

pid process

3640 81aa05ab45e06efb51d79d4f83e43b80.exe
3640 81aa05ab45e06efb51d79d4f83e43b80.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Bafnfo.exeIEXPLORE.EXE

description pid process

Token: SeDebugPrivilege 2880 Bafnfo.exe
Token: SeDebugPrivilege 5068 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

4928 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

4928 IEXPLORE.EXE
4928 IEXPLORE.EXE
5068 IEXPLORE.EXE
5068 IEXPLORE.EXE
5068 IEXPLORE.EXE
5068 IEXPLORE.EXE

pid	process
3640	81aa05ab45e06efb51d79d4f83e43b80.exe
3640	81aa05ab45e06efb51d79d4f83e43b80.exe

description	pid	process
Token: SeDebugPrivilege	2880	Bafnfo.exe
Token: SeDebugPrivilege	5068	IEXPLORE.EXE

pid	process
4928	IEXPLORE.EXE

pid	process
4928	IEXPLORE.EXE
4928	IEXPLORE.EXE
5068	IEXPLORE.EXE
5068	IEXPLORE.EXE
5068	IEXPLORE.EXE
5068	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

81aa05ab45e06efb51d79d4f83e43b80.exe81aa05ab45e06efb51d79d4f83e43b80.exe81aa05ab45e06efb51d79d4f83e43b80.exeBafnfo.exeBafnfo.exeBafnfo.exeiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 3184 wrote to memory of 3552	3184	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 3184 wrote to memory of 3552	3184	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 3184 wrote to memory of 3552	3184	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 3184 wrote to memory of 3552	3184	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 3184 wrote to memory of 3552	3184	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 3184 wrote to memory of 3552	3184	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 3184 wrote to memory of 3552	3184	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 3184 wrote to memory of 3552	3184	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 3184 wrote to memory of 3552	3184	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 3552 wrote to memory of 3640	3552	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 3552 wrote to memory of 3640	3552	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 3552 wrote to memory of 3640	3552	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 3552 wrote to memory of 3640	3552	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 3552 wrote to memory of 3640	3552	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 3552 wrote to memory of 3640	3552	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 3552 wrote to memory of 3640	3552	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 3552 wrote to memory of 3640	3552	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 3552 wrote to memory of 3640	3552	81aa05ab45e06efb51d79d4f83e43b80.exe	81aa05ab45e06efb51d79d4f83e43b80.exe
PID 3640 wrote to memory of 968	3640	81aa05ab45e06efb51d79d4f83e43b80.exe	Bafnfo.exe
PID 3640 wrote to memory of 968	3640	81aa05ab45e06efb51d79d4f83e43b80.exe	Bafnfo.exe
PID 3640 wrote to memory of 968	3640	81aa05ab45e06efb51d79d4f83e43b80.exe	Bafnfo.exe
PID 968 wrote to memory of 3968	968	Bafnfo.exe	Bafnfo.exe
PID 968 wrote to memory of 3968	968	Bafnfo.exe	Bafnfo.exe
PID 968 wrote to memory of 3968	968	Bafnfo.exe	Bafnfo.exe
PID 968 wrote to memory of 3968	968	Bafnfo.exe	Bafnfo.exe
PID 968 wrote to memory of 3968	968	Bafnfo.exe	Bafnfo.exe
PID 968 wrote to memory of 3968	968	Bafnfo.exe	Bafnfo.exe
PID 968 wrote to memory of 3968	968	Bafnfo.exe	Bafnfo.exe
PID 968 wrote to memory of 3968	968	Bafnfo.exe	Bafnfo.exe
PID 968 wrote to memory of 3968	968	Bafnfo.exe	Bafnfo.exe
PID 3968 wrote to memory of 2880	3968	Bafnfo.exe	Bafnfo.exe
PID 3968 wrote to memory of 2880	3968	Bafnfo.exe	Bafnfo.exe
PID 3968 wrote to memory of 2880	3968	Bafnfo.exe	Bafnfo.exe
PID 3968 wrote to memory of 2880	3968	Bafnfo.exe	Bafnfo.exe
PID 3968 wrote to memory of 2880	3968	Bafnfo.exe	Bafnfo.exe
PID 3968 wrote to memory of 2880	3968	Bafnfo.exe	Bafnfo.exe
PID 3968 wrote to memory of 2880	3968	Bafnfo.exe	Bafnfo.exe
PID 3968 wrote to memory of 2880	3968	Bafnfo.exe	Bafnfo.exe
PID 3968 wrote to memory of 2880	3968	Bafnfo.exe	Bafnfo.exe
PID 2880 wrote to memory of 1536	2880	Bafnfo.exe	iexplore.exe
PID 2880 wrote to memory of 1536	2880	Bafnfo.exe	iexplore.exe
PID 2880 wrote to memory of 1536	2880	Bafnfo.exe	iexplore.exe
PID 1536 wrote to memory of 4928	1536	iexplore.exe	IEXPLORE.EXE
PID 1536 wrote to memory of 4928	1536	iexplore.exe	IEXPLORE.EXE
PID 4928 wrote to memory of 5068	4928	IEXPLORE.EXE	IEXPLORE.EXE
PID 4928 wrote to memory of 5068	4928	IEXPLORE.EXE	IEXPLORE.EXE
PID 4928 wrote to memory of 5068	4928	IEXPLORE.EXE	IEXPLORE.EXE
PID 2880 wrote to memory of 5068	2880	Bafnfo.exe	IEXPLORE.EXE
PID 2880 wrote to memory of 5068	2880	Bafnfo.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\81aa05ab45e06efb51d79d4f83e43b80.exe
"C:\Users\Admin\AppData\Local\Temp\81aa05ab45e06efb51d79d4f83e43b80.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Users\Admin\AppData\Local\Temp\81aa05ab45e06efb51d79d4f83e43b80.exe
  "C:\Users\Admin\AppData\Local\Temp\81aa05ab45e06efb51d79d4f83e43b80.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Users\Admin\AppData\Local\Temp\81aa05ab45e06efb51d79d4f83e43b80.exe
    "C:\Users\Admin\AppData\Local\Temp\81aa05ab45e06efb51d79d4f83e43b80.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Users\Admin\AppData\Roaming\Bafnfo.exe
      "C:\Users\Admin\AppData\Roaming\Bafnfo.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:968
    - - C:\Users\Admin\AppData\Roaming\Bafnfo.exe
        
        "C:\Users\Admin\AppData\Roaming\Bafnfo.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3968
      - C:\Users\Admin\AppData\Roaming\Bafnfo.exe
        
        "C:\Users\Admin\AppData\Roaming\Bafnfo.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        8⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4928 CREDAT:17410 /prefetch:2
        9⤵
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
f707892eea2389f9570075e7e0b2ba49

SHA1
20c62e10bbf4210c8d4c7966785344f29c4a8024

SHA256
49f24b1fd45db9778b10ec10d9c85ef0746828225855255f3617ed06c485c1ba

SHA512
c7b662eab0356715eecedae5ecacc260731f131f2e2c388ed9c91c6c1a7ce23aa02965ffb2f3ccf041fb249c3f6d713a19d7292b6afa4f5091d3fd5a4c2e054e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
3832a75f99a20d0800e3f0a0371b6aea

SHA1
e917d0c94682bd8b6acfaddd02f5bf9192a374fa

SHA256
81927c581be03aea9e626c7de6ddc92f3baa503398dbc0be0a8d72bb1fcfa23f

SHA512
732098d69d61541fdcd171a9641ba9256322f6431bb6f82aea999a0cc52f48581b68fbe870f6e6b55ae20ad145a1a78ba55f7c76121f062fad3516d1b6f214a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verEE96.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UG0DPB4T\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ekg7afHe415gIxsl6af.tmp

Filesize
3KB

MD5
10a714b195635d9dea52883188903080

SHA1
488b06541880da79a4594bd1535cb2319dcdf262

SHA256
f49075fc33b842978a08a923dd2411f7dfbac0169e732b3fe44a2a1e07e22a00

SHA512
877945f6e2e43c3663ebd7abb534becd70af2b7ff84e3ea93cce14db90edaed1e7dd50b5f8f59c855285cb8add27aa791a8ea2299544599e2d8b922badb2a047

Download Submit
C:\Users\Admin\AppData\Roaming\Bafnfo.exe

Filesize
162KB

MD5
81aa05ab45e06efb51d79d4f83e43b80

SHA1
949645fb5252cab46004dfa1f8a27c7b439f0c04

SHA256
73718442f7fb1a5c241aa2573194fdc51bf514aa1758dc35b550a3fa71cfd0b2

SHA512
0721f4691b2a6b0336e01f8f2ae0ddc8b2e245db56b4fb04d83bf16f4f3f8df561d1306d06ff8fa1a9bdf83839205b592d7026a5cac66ca9db77064e9cd7c5cf

Download Submit
memory/2880-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2880-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3552-7-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3552-4-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3552-6-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3640-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3640-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3640-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3640-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads