125cc811640f95956f08e42173509d50755ab24280d26c10463cbbe3c5138018

Analysis

max time kernel
138s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caf7f0def54e59ca3718170062e6bffa_JaffaCakes118.exe
Size

62KB
MD5

caf7f0def54e59ca3718170062e6bffa
SHA1

fb88764219b5eb9b57251523b90965a9a88e31ec
SHA256

125cc811640f95956f08e42173509d50755ab24280d26c10463cbbe3c5138018
SHA512

f036270f7cc9c751e29beb8ba8faf0f700b9e174ced59efe11ecd58f29e9c9db0a28ea634ca5a2000059d79f0d8d736abbeea3753dfd9a8ab0fe2a511ada930a
SSDEEP

768:1m/QojCpHfx0lk6SLZRI+WE6F2UzpHjhm8f10+a8m/QojCpHfx0tJztvI:EQojY5LLI+W5ljGQojBtvI

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 59 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	AE 0124 BE.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	caf7f0def54e59ca3718170062e6bffa_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES	AE 0124 BE.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	AE 0124 BE.exe

Executes dropped EXE 4 IoCs

pid	Process
2372	winlogon.exe
108	AE 0124 BE.exe
1472	winlogon.exe
908	winlogon.exe

Loads dropped DLL 7 IoCs

pid	Process
2612	caf7f0def54e59ca3718170062e6bffa_JaffaCakes118.exe
2612	caf7f0def54e59ca3718170062e6bffa_JaffaCakes118.exe
108	AE 0124 BE.exe
108	AE 0124 BE.exe
2372	winlogon.exe
2372	winlogon.exe
908	winlogon.exe

Drops desktop.ini file(s) 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Delta\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Festival\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Raga\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Nature\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Calligraphy\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Sonata\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_a026547dd7dc8bbc\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Characters\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Heritage\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Cityscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_197d7b3a29314757\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Afternoon\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Savanna\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fontext_31bf3856ad364e35_6.1.7601.17514_none_fcab9df20a3cd55f\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_da0c2f9edf5b1353\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Characters\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini	AE 0124 BE.exe

Drops autorun.inf file 1 TTPs 27 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	F:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\A:\Autorun.inf	winlogon.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	\??\B:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cfgbkend.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dot4prt.inf_amd64_neutral_e7d3f62d0d4411db\dot4prt.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\dpnet.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\oflc.rs.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\prnin004.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmgl010.inf_amd64_neutral_46f466c9e68abb4a	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\mdmmoto1.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\chkdsk.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\ddraw.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\net8187se64.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\FirewallControlPanel.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\tapiui.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Printing-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\cxraptor_fm1236mk5_ibv64.inf_amd64_neutral_b81bec917adfaea5\apu.rom	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\mssph.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\KBDUK.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\wialx003.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ph6xib64c1.inf_amd64_neutral_68c99681343e9b68\ph6xib64c1.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\AMDSBS.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\msports.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Telnet-client-dl.man	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\at.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\wiabr006.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\odbcad32.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\tapi32.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\nsisvc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd5100t.gpd	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\cmutil.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\hostname.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\SystemPropertiesAdvanced.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_profiles.help.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\EventViewer_EventDetails.xsl	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-BusinessScanning-Feature-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\xcbdav.inf_amd64_neutral_cf80e4da1c95e6e2	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\netmsg.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SnippingTool-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~pt-PT~7.1.7601.16492.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\unimdm.tsp.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\OEM\ProfessionalN	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\dot3gpclnt.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Line_Editing.help.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\winbrand.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Multimedia-Package~31bf3856ad364e35~amd64~nb-NO~7.1.7601.16492.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\GroupPolicy-Admin-Gpedit-Snapin-DL.man	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\hpf69002.icc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin003.inf_amd64_neutral_3a3c6293d0cda862\Amd64\IFCP3036.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky008.inf_amd64_neutral_9f6abc54cbf095f2\Amd64\KYPS250.GDL	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\esrb.rs.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\ksxbar.ax.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\ws2_32.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\prevhost.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-CoreClientUAHB-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\nshipsec.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wstorvsc.inf_amd64_neutral_d7bf942e99bb1d41	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\DxpTaskSync.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\tapisrv.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hal.inf_amd64_neutral_232b95977cf6d84c\hal.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\KBDMAORI.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\RacEngn.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\replace.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wscisvif.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-StickyNotes-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..trolpanel.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1bfa7449838f6342	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_es-es_617418a2a916eb62\wizardCreateRoles.ascx.es.resx	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ion-agent.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_dbf410c67f37f9c0	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-c..fe-catsrvut-comsvcs_31bf3856ad364e35_6.1.7600.16385_none_ceb756d4b98f01a4	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-c..questtool.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b28bdc527f6348af	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..-ehchhime.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1beea3847e669739	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..xtensions.resources_31bf3856ad364e35_6.1.7600.16385_it-it_85f6ad66bd1a90cb	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_memory.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_67c5b920faae235e\pnpmem.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-msmq-triggers-service_31bf3856ad364e35_6.1.7601.17514_none_864c8948d3a4b9f3\mqtgsvc.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Device\RS_DriverNotFound.ps1	AE 0124 BE.exe
File opened for modification	C:\Windows\PolicyDefinitions\fr-FR\WindowsFileProtection.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..asks-sync.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4805475288b5b544	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-pnphotplugui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_319deb101e79659c	AE 0124 BE.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC	AE 0124 BE.exe
File opened for modification	C:\Windows\Installer\57be.msi	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..fications.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0fc41cf559e856fc	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-uianimation.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ca7c94c3f36ec340	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-imageres.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7a6c8b69bbb7da85\imageres.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-msident.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_395924b0f41ad032\msident.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv30e99c02#	AE 0124 BE.exe
File opened for modification	C:\Windows\PLA\Rules\de-DE\Rules.System.NetDiagFramework.xml	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Net.Http.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.EnterpriseServices.Wrapper.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-msident.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9733a5a400ffbe57	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..es-spades.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b3b89151ccf0eda5	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f23d96c52b159c2d	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-snmp-agent-service_31bf3856ad364e35_6.1.7601.17514_none_555ae6d66ee2630d	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_netfx-vsa_codedom_tlb_b03f5f7f11d50a3a_6.1.7600.16385_none_f8297aaff0309fa4	AE 0124 BE.exe
File opened for modification	C:\Windows\Help\Windows\ja-JP\secpriv.h1s	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-rmcast_31bf3856ad364e35_6.1.7601.17514_none_b2a3d1a09e8a89b1	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_474fefd249f1db0e	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wordpad_31bf3856ad364e35_6.1.7601.17514_none_8be07ea283850f02	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0dced78afd81a001	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-r..sisengine.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f7f34e03ca270c79	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_flpydisk.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6ff932451b6f31d6\flpydisk.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_hal.inf_31bf3856ad364e35_6.1.7600.16385_none_5f1101d221a06a37\hal.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\14.0.0.0__71e9bce111e9429c\Microsoft.Office.Access.BusinessDataCatalog.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..kstvtuner.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4c26981680583f80\kstvtune.ax.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\ICM.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_fi-fi_5da51703a4d4ef9c	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-diskcopy.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_7026d42c1586eb03	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_faxca003.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5b22e90423063cb5\faxca003.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\UGTHRSVC\gthrctr.h	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\fr\DropSqlPersistenceProviderSchema.sql	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\38c67260f10996153532695d39649e6b\Microsoft.VisualBasic.ni.dll.aux	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-wlanpref.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f4a2440848c3d8bf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-autochk.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fc92234d1c61b08a\autochk.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.v9.0\9.0.0.0__b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Runtime.Serialization.Formatters.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..r-tlntsvr.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ae0868c6b1eaf3f1	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_netvwifibus.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7bb34d7390074ab3	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..istant-ui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_91bd2af6eda69165\pcaui.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..njifinderdictionary_31bf3856ad364e35_6.1.7600.16385_none_a20bb1f2cf82b3c4\IMJPKDIC.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Net.Requests\v4.0_4.0.0.0__b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..ender-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e0f4d6e03e160be8	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-autofmt.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e3fe5c0648ad7a5d\Autofmt.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..aultlocationpremium_31bf3856ad364e35_6.1.7601.17514_none_bd8dd0d1118eca96\defaultlocationcpl.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_it-it_ee5384e8731ae742\findUsers.aspx.it.resx	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-r..-agilevpn.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7b0b6b5efb3ac71b	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-i..ltinstall.resources_31bf3856ad364e35_6.1.7600.16385_de-de_07c23c1fe40f7920	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..input-cpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1ad1c6efae966f2a\joy.cpl.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..providers.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_71ab9a7e72245a72\OSProvider.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mssign32-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_70fb624d1eb400d4\mssign32.dll.mui	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418453549"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D117CCC1-F305-11EE-B671-4AE872E97954} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000924d0ee7c021e0aa30de22df996a29a7a64635aee96b7b683e7d14758a89b01e000000000e80000000020000200000003eb275006172b3fb75486bf7fe44dd84c32c396cfb70e7d325b49e81d74612de90000000e31e04ff93810bac3bcd9864928340beac1baf8ae14ab3abc075c8782d0dae6af029ec1c19bdd767e42bdda4cd1a3b14e1ff278a18799a0599caa0c54987c7c01b605d91ce3127bfa22a020690604a2c14ba8b1cedb47688b3b9627c97faf7d71660582112af6a5e3fa5ad6834495d43061094b1deef1ca7bf76d44dfc4b6626dac67cb2fe9d5cf98d6ab69f51f6be2b40000000acf4ca0d4a744e4ad0bec2c6fdd3c49d9bde99da1d9f925030fe7391a7fbf9b0e6b23773dbdbd3d4dd70a3583b8c111c2268cd7cfc596909a637a7e97567772e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000d560084702b208a6cba971e9d44bfc66f55a5e8a2bb6e9aac10ddefabeb0d63e000000000e8000000002000020000000b59667b12d01527af740ad0d3e28354b3592e389900ebbc53adf05e28d427a6a200000003bdaaaf941e96715976172528edcf511d893f14eb43b42f368d26463abcea9fc4000000045a2e7757d3ea7761532783c93f3064d58a97b6d9eccdc81534ae66f604e7d59b08341be425b61d67104c53ae97a86a6fc47619b63686047e778e315c2341c9f	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c07ddca61287da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2984	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2612	caf7f0def54e59ca3718170062e6bffa_JaffaCakes118.exe
2984	iexplore.exe
2984	iexplore.exe
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE
2372	winlogon.exe
108	AE 0124 BE.exe
908	winlogon.exe
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2984	2612	caf7f0def54e59ca3718170062e6bffa_JaffaCakes118.exe	28
PID 2612 wrote to memory of 2984	2612	caf7f0def54e59ca3718170062e6bffa_JaffaCakes118.exe	28
PID 2612 wrote to memory of 2984	2612	caf7f0def54e59ca3718170062e6bffa_JaffaCakes118.exe	28
PID 2612 wrote to memory of 2984	2612	caf7f0def54e59ca3718170062e6bffa_JaffaCakes118.exe	28
PID 2984 wrote to memory of 2532	2984	iexplore.exe	29
PID 2984 wrote to memory of 2532	2984	iexplore.exe	29
PID 2984 wrote to memory of 2532	2984	iexplore.exe	29
PID 2984 wrote to memory of 2532	2984	iexplore.exe	29
PID 2612 wrote to memory of 2372	2612	caf7f0def54e59ca3718170062e6bffa_JaffaCakes118.exe	30
PID 2612 wrote to memory of 2372	2612	caf7f0def54e59ca3718170062e6bffa_JaffaCakes118.exe	30
PID 2612 wrote to memory of 2372	2612	caf7f0def54e59ca3718170062e6bffa_JaffaCakes118.exe	30
PID 2612 wrote to memory of 2372	2612	caf7f0def54e59ca3718170062e6bffa_JaffaCakes118.exe	30
PID 2372 wrote to memory of 108	2372	winlogon.exe	31
PID 2372 wrote to memory of 108	2372	winlogon.exe	31
PID 2372 wrote to memory of 108	2372	winlogon.exe	31
PID 2372 wrote to memory of 108	2372	winlogon.exe	31
PID 108 wrote to memory of 908	108	AE 0124 BE.exe	32
PID 108 wrote to memory of 908	108	AE 0124 BE.exe	32
PID 108 wrote to memory of 908	108	AE 0124 BE.exe	32
PID 108 wrote to memory of 908	108	AE 0124 BE.exe	32
PID 2372 wrote to memory of 1472	2372	winlogon.exe	33
PID 2372 wrote to memory of 1472	2372	winlogon.exe	33
PID 2372 wrote to memory of 1472	2372	winlogon.exe	33
PID 2372 wrote to memory of 1472	2372	winlogon.exe	33

C:\Users\Admin\AppData\Local\Temp\caf7f0def54e59ca3718170062e6bffa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\caf7f0def54e59ca3718170062e6bffa_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2984 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2532
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:108
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:908
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Executes dropped EXE
    PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cf41fa3c6e50d0eb4a3896595f125fe4

SHA1
e8985a13fce378ed150311396dee9cbe33dfb5da

SHA256
71e147d9cd79f230a6c3ed3531f72ae8513d34e9b552e78fcb6793e21cf56885

SHA512
5b557f0f0012ec809dc2902b87b961c14fcf542de20bcb58c1423ca758dbaafc99148075e14cd04ba0ce655f84849b98b0e72c909dd79b44f51dc0694b20d163

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
822a011421dc7ce6f4b24113316fffdd

SHA1
ffa7a2170254640492bb3a10096c4f1fce925dc3

SHA256
282661d9e1ca6872664dfc49b1f0477cb8f5d19c2ee2136791af6ee792038122

SHA512
46b44cb81aafad07b7187c131e1e035304e72e9432c546b3fce3095eca96cd40a763b82ca775d7fec594a2793f915000df791fc54dd36519e49091deaa894101

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ff037f3feb0f9b552c3f9befd97c045c

SHA1
a73f1524392eeb7cb690f932b11dca19db1b0f97

SHA256
a5aa1588a01e7e5a2d0e98ccc4837b38a7889db47092564bb2bc388983c5eca0

SHA512
d74f8a91aed89dee952be7e00d5112effbf207446df4f441d8adf67368f2dd2cfa3b9601176955439f2acf211707e97e395aab695ec8c951b3f260fc73e94737

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7e03290720fbe0ff53770dba466e948c

SHA1
d6de110da3bfc066d1f7b5ffff1d27fa3b173bd0

SHA256
1a44b0f60e50f704c337ac344b97b46698c606e0003428b69b058e005522ef09

SHA512
c300d8e0f2258abb9b25079b5e4290aa0a411a2d852dba6a8be9156154f69b52de224e3385d54d13b876f44f94cc8ad5cc53aabdd8a7940c244ff2c83292137a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b5708f819e2e8086674e9e765b5f1aeb

SHA1
06d5a1b21ce17c4cf2e69028c9e1fbb9b067bef5

SHA256
126d47a1e97ecdcf1a75b9b369119d9f4acc85d83d58d9f9213df6c7ff06ef4d

SHA512
ae82ca04dac5615120e485ec6541c9afb3b9776b59abc39bbcf8d4b34ea2dbb18a4a14ab798b02ac2cf3269f5a99723afb9b349e3683d1dbb6f457a210eb98fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8da3cd7825a078bcf7989bc8318c714a

SHA1
affb889525cd0bfbb6fda50306a6e7df7837f28d

SHA256
2b52bf084b54793e04a42fc647f03568ca7e87ea6112d5efdca58c7d4d87ac69

SHA512
1f049e65387334e4753e9fdb516cad098ecfc95122287a4ecadb86b7c1bc2bac5dc5596c200f40a33bc7063edc6fae73f979308a4bfcb92bd9be4aa39c65efe3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb4968de839a2bf16ae43d06722b6494

SHA1
6ca7d32c0652f0f536227afeb1de53d3c06f3ecd

SHA256
ec208e15c5e0f7c1742d801d7dd28f32001db558395e555790ffe3db9e584da2

SHA512
68e8af5a6094067627a0cd9093980bbed699f2861075d5b3586779e43d97af95d003c984be36f1c2a81f72b00e3769b04fecd0adb91a2f896200d69fabdecf83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ae5a17e3390a49e3b5a37897f3bb1253

SHA1
a9250b6975ca3197b5f99f88d2d29e1491ceb59c

SHA256
74065e537f20c5231560300806cec34092ed713e39d9f4d1911a7df3fc471d60

SHA512
1e2ea0912fcd2a4f1fb72feef8aa16b931ec252c2a72a36294db1a1276dcab412aab4fa7703592ed219dfb5b731ea9135eda0016df3be03180ec6033036a9297

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9200a1888b438f2019f27845ea08126d

SHA1
7c88d9fa4c549b3216dd1e02fe9f7457f0228bb2

SHA256
0c70434242351b1c5bdff240886b35846e1710d58b24001c95a5effceec9df89

SHA512
801300a0eb64e589442b1c73e6114897d8e7834725c26ddd306bb34e5e29db63ec73bb69550bb89b0247d24a673b9838ee93256fe3da4d0196400273d729eb58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ba8fc83ee7cefcc71a587fc03862310

SHA1
7c238a644dff29dab6960c69674e5ee414aaf724

SHA256
041ba415a527bcb2bb9e409f5785f034a0ad35fe49e6da820b617ea983ab9782

SHA512
503236021f9a6ac42de9cb2906e003256722a37d92f435ee8e72c278905e466e5fe146f94c2d9964bdb11a2b93244d799b4df19031f8e49155be45cd5c6f869d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
94e515aa3a56728447a083a18a6efe4c

SHA1
89597e7b9f07f3211123b7df0e93065bf40fb790

SHA256
f781e9e626910e81fd9884a80aa97b9e8f7cdebb89c33127ac0007437203e570

SHA512
331dcd8daa2cdfa9918a52d607ef181c96b37c58cd108d32521903c6ac61cdede2cd84e55984b50223a8757ea2110ea82855b9a164ad06304027eb7f8f95e5c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b79dbefea66b988fbd5349293c60753a

SHA1
71ea886bca6556b777c0097b37eeda05e489aa1a

SHA256
f1a5e3af5a68df44d4484cfff106f720a696dd8a833a10eaf61a767a6289047b

SHA512
8190d1b9fc845ae89207b09a80494101409b85990c05480427bc32e7b6642178e96d27fcdca0f1f6c31755f47859fd36205ae4e0f3c6291340549a1aab7e0039

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6542442e9be8923d55649c360ff22153

SHA1
21c667e0fa6bc79f0fd729409018d883c748c98e

SHA256
5daef80a9b30af1471b04a914520df25f715b8d65016eba66d8e20f9f1680bc3

SHA512
c0c8c26e5d4b7e66a0afeee9adb153661e7b3024f687c5cf53a093f2e37c602aeb6832165a56ed015d0bd5e7eaa85b3e01404d4604e296a0b5cb7911b5469726

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3dcb38bd73c0d908574b816906a014f5

SHA1
900fd15439e04bde722aef569962fd73245a2c68

SHA256
5b8920a437e0d60da4a2dc085c9e5a8e8380ba1e372716cbaff801d3b80506dc

SHA512
ea0b7adf8aeb9f68b63cc7bb153f531c46368f3a21a7aab8f37a0f6abb48f7977b48ffeb700d86696fb5845592081d8a008d86c083d2ff2a5d69730cd9da1c57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6f052ca781beac5de61236ac0dfc833a

SHA1
504c107d1916e96b4db3e98773ca91345eaa26a3

SHA256
099983590eaf4a56ca1e77306fda8053291572acf610c691af0cbe0ccbcd2f69

SHA512
1bbe9eb348a519d779cba335347336621153f3a6349d5fe5d1aef683f7798848474f131de84866b2568b8aa2e2f657ac8c854fc6d87846718d80ab34d4097e6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
122fb94ea8b07fc55e5b0b92dbc7872d

SHA1
2e91b8e79cab6247b56bccd702b94a02d684d413

SHA256
b065430d38d6e1ae4d2c85f9b58d7c36fc4ffec258404c1823d48a0c4faf827a

SHA512
f9f157074bd8d4a4471c33d4e765267f6ef9058382777433a44d3ab31e898221fd8b361824dbe8196b9facb94f3ec38336af2a0b3cee66ce028fdac25e4a647f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0db223bd57f365aa486bf3a590cf9162

SHA1
e23e1e6ee0e5f9c9899ab9cb730020a20592350f

SHA256
28b4a62d0f7eb93cbdff57917d1a325d36d89deca57d801bbc7baca97632e2dd

SHA512
3c8780ab2407f18944b98323217be5519007659aa80cdeb09334091b9919ed040d87d2b105d05b1b165c8f43fa338db6f65782487f7ff74a09aa4be8ee12c579

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabADFC.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAECB.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAEFF.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
62KB

MD5
46dd0e82e31edc49b359602d5cd45fba

SHA1
7f96a9937cacbc4569881e31135bb259fcd204c8

SHA256
b230d931692ebb3aedd0ec3543355b6ab561bb26b118413695cb717791ed7a49

SHA512
b1bbb8cec3d72484df98eca9aa240b60ace3802369f5f0bfc5c29cd39a0590912991188d77f9f849b3e7e1c9ba805625e4a5c3dc749a9b9bbe84ffef736e90ff

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
122KB

MD5
a61d73c172c0e2a5d10dcd9d670c894a

SHA1
618ca2f20e6cbffc2ad8cd7a21bb0663837a7bdd

SHA256
f64b9ecacbecf3e618504b99157858241b7bcad4fb41ff1c00257bad1101082c

SHA512
8a1467c10e0fc61bfc73669e4a266a42e5720695f25597cf2207dac4fdd94b57217c6c511bb50bc17271c5e214c0e7f277205dcafcaa6152978757943e59ad28

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
120KB

MD5
955234385e9fa3669ba26e8b0648b454

SHA1
ed3b1dc334cc35e6131bcf833993cd0852a8c3d1

SHA256
8c6bab5818abcbec4770fea40ec782041812902e788f841c851fa8c5cc1908cc

SHA512
3b891660ffe266ab0861c377619f127e883f33a1d95875a3f028e786a2ddf70388bd59abe683196280092a0025cc40f6de60bf5fa13cbfc79ab2d320a8faf86e

Download Submit
memory/108-47-0x0000000002810000-0x00000000032CA000-memory.dmp

Filesize
10.7MB

Download
memory/2372-43-0x0000000002B90000-0x000000000364A000-memory.dmp

Filesize
10.7MB

Download
memory/2612-11-0x0000000002E50000-0x000000000390A000-memory.dmp

Filesize
10.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads