0e82c3446ead43c5802479045460e6d8db1229c10a9620e68e6ab828d4b17fff

General

Target

01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Size

2.4MB
MD5

01fed012786da9458880cd8ad023ccab
SHA1

b10c8f3c7c7a5b71bf958359c5b4da54a5a98056
SHA256

0e82c3446ead43c5802479045460e6d8db1229c10a9620e68e6ab828d4b17fff
SHA512

2be3676cf86458574db17c62420020cdf2d4aa82621c5dec640a300a998180cab8fa3cc6011dda7c6b0122895c513d7aa718e564dbe3193a9dca64f9b4e2b54c
SSDEEP

49152:kJxNHabdDlGc/za1rlFQFigZL+l63UBU3EWttCwYXn6CQqilfG1M3FB:kOLa1ZFU6l0YU3l3QCjgMVB

Score

9^/10

persistence ransomware spyware stealer upx

Malware Config

Signatures

Renames multiple (219) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 2 IoCs

Processes:

Logo1_.exe01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx	acprotect

Executes dropped EXE 2 IoCs

Processes:

Logo1_.exe01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe

pid process

1396 Logo1_.exe
2476 01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Loads dropped DLL 1 IoCs

Processes:

01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe

pid process

2476 01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1396	Logo1_.exe
2476	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe

pid	process
2476	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe.exe	upx
behavioral2/memory/2476-16-0x0000000000400000-0x00000000006F2000-memory.dmp	upx
C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx	upx
behavioral2/memory/2476-23-0x0000000073F30000-0x0000000074430000-memory.dmp	upx
behavioral2/memory/2476-38-0x0000000000400000-0x00000000006F2000-memory.dmp	upx
behavioral2/memory/2476-40-0x0000000073F30000-0x0000000074430000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

01fed012786da9458880cd8ad023ccab_JaffaCakes118.exeLogo1_.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{544CD458-F493-4888-9A56-33661A7F5454}\chrome_installer.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	Logo1_.exe
File created	C:\Program Files\dotnet\dotnet.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdate.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\keytool.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Logo1_.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Logo1_.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

01fed012786da9458880cd8ad023ccab_JaffaCakes118.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\uninstall\rundl132.exe	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
File created	C:\Windows\Logo1_.exe	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
File opened for modification	C:\Windows\uninstall\rundl132.exe	Logo1_.exe
File created	C:\Windows\RichDll.dll	Logo1_.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe

Modifies registry class 64 IoCs

Processes:

01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\FLAGS\ = "2"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\1\ = "205201"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Version\ = "6.0"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\0\ = "Properties,0,2"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\HELPDIR\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Version	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ProgID\ = "Lodop.LodopX"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Control\	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ = "ILodopXEvents"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ = "LodopX Control"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ProgID	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ = "ILodopXEvents"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\Clsid\ = "{2105C259-1E0C-4534-8141-A753534CB4CA}"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\TypeLib	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0\win32	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\HELPDIR	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\Version = "6.0"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ThreadingModel = "Apartment"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx,0"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Control	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\Verb\0	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\ = "LodopX Control"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\ToolboxBitmap32	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\ = "0"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\FLAGS	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\0\win32\ = "C:\\Program Files (x86)\\MountTaiSoftware\\Lodop\\CAOSOFT_WEB_PRINT_lodop.ocx"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\MiscStatus\1	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\ProxyStubClsid32	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\TypeLib\ = "{0F9014E9-F31C-408E-9CBA-C484B39066ED}"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ = "ILodopX"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\Version = "6.0"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib\Version = "6.0"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2105C259-1E0C-4534-8141-A753534CB4CA}\InprocServer32\ = "C:\\PROGRA~2\\MOUNTT~1\\Lodop\\CAOSOF~1.OCX"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lodop.LodopX\Clsid	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0F9014E9-F31C-408E-9CBA-C484B39066ED}\6.0\ = "Lodop"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\ = "ILodopX"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{409D8542-9C63-4719-8DF6-ABDA44494A4E}\TypeLib\Version = "6.0"	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0DC96C68-587A-486E-93D8-7BA1EAF5B9CB}\TypeLib	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe01fed012786da9458880cd8ad023ccab_JaffaCakes118.exeLogo1_.exe

pid	process
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2476	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2476	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2476	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2476	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2476	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
2476	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe
1396	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

01fed012786da9458880cd8ad023ccab_JaffaCakes118.exenet.execmd.exeLogo1_.exenet.exenet.exe

description	pid	process	target process
PID 2308 wrote to memory of 4976	2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe	net.exe
PID 2308 wrote to memory of 4976	2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe	net.exe
PID 2308 wrote to memory of 4976	2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe	net.exe
PID 4976 wrote to memory of 4600	4976	net.exe	net1.exe
PID 4976 wrote to memory of 4600	4976	net.exe	net1.exe
PID 4976 wrote to memory of 4600	4976	net.exe	net1.exe
PID 2308 wrote to memory of 4268	2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe	cmd.exe
PID 2308 wrote to memory of 4268	2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe	cmd.exe
PID 2308 wrote to memory of 4268	2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe	cmd.exe
PID 2308 wrote to memory of 1396	2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe	Logo1_.exe
PID 2308 wrote to memory of 1396	2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe	Logo1_.exe
PID 2308 wrote to memory of 1396	2308	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe	Logo1_.exe
PID 4268 wrote to memory of 2476	4268	cmd.exe	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
PID 4268 wrote to memory of 2476	4268	cmd.exe	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
PID 4268 wrote to memory of 2476	4268	cmd.exe	01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
PID 1396 wrote to memory of 4448	1396	Logo1_.exe	net.exe
PID 1396 wrote to memory of 4448	1396	Logo1_.exe	net.exe
PID 1396 wrote to memory of 4448	1396	Logo1_.exe	net.exe
PID 4448 wrote to memory of 4656	4448	net.exe	net1.exe
PID 4448 wrote to memory of 4656	4448	net.exe	net1.exe
PID 4448 wrote to memory of 4656	4448	net.exe	net1.exe
PID 1396 wrote to memory of 516	1396	Logo1_.exe	net.exe
PID 1396 wrote to memory of 516	1396	Logo1_.exe	net.exe
PID 1396 wrote to memory of 516	1396	Logo1_.exe	net.exe
PID 516 wrote to memory of 5012	516	net.exe	net1.exe
PID 516 wrote to memory of 5012	516	net.exe	net1.exe
PID 516 wrote to memory of 5012	516	net.exe	net1.exe
PID 1396 wrote to memory of 3476	1396	Logo1_.exe	Explorer.EXE
PID 1396 wrote to memory of 3476	1396	Logo1_.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe"
2⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a378B.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Users\Admin\AppData\Local\Temp\01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2476

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:4656

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
4⤵
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
5⤵
PID:5012

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MountTaiSoftware\Lodop\CAOSOFT_WEB_PRINT_lodop.ocx
Filesize
1.5MB

MD5
230c8f87850fd67b6b3024da50f360bb

SHA1
f3a629ece2b85aee9a88b3caebc54ac66053330a

SHA256
3b30b5a1a4561ce2ef9b7fd0f2aa97e533f35c2bdbdb534995cc44066ae0f90a

SHA512
5dfdedebe4a0e3843d68a3d93a44e54979f8a637902f499c278b5bb91c3a61561f3ed5de510c54405dd4f093128b9b69e175f6b63f9be2b000bbe381f6a2c3eb

Download Submit
C:\Program Files\CompareUndo.exe.Exe
Filesize
802KB

MD5
7ad0d12028368959378bb78136a1b902

SHA1
985e54fe919d19a6828c953ef756398730885ac5

SHA256
5ff1f06d320611e67022ed105d65a0ff4f1131e9f9d23eac96a38fc2b342adf1

SHA512
2e108a6fe6e43db73485e394c7a10f29b06868f2fa424b9376bb21cdcc189bbdfcbe2cbed5630706d74171aa5ea069549e6c398e36c9a144be8fec3737154564

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a378B.bat
Filesize
614B

MD5
1da0c8d5bf58b7bf2563ba9e1d8cc2f8

SHA1
d9c1ca5c7819838321047036eff8c3f671e0a388

SHA256
5e169d04ed12228c55927529813b3f6fbe3b4149935cb0ca24fa96d14dcd0125

SHA512
7cc0bc0ead721dd792ccd2311d63d62f9368bc12990633a190f9ffdd9e62a3e6ce4a408fa1195b2c75a9c3990807347c11f10363900568aabae6af628e8c6ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\01fed012786da9458880cd8ad023ccab_JaffaCakes118.exe.exe
Filesize
2.3MB

MD5
cee0d7092ec83373078d0045a0c74c40

SHA1
74359367f95990e189e485cac12532a5bf1053bb

SHA256
99658a950b0acbee61b56609690efd98b8c3a5b2dfa09eb47cca3ef31d8cdb77

SHA512
73f48e633735acc4098a5b85be4792db8c979ab5ba39eb6d67e971064f8d6b903c71e86cef027a0d96d50f5dd2eddc89f257a77a3007bdee82af683df6461ad0

Download Submit
C:\Windows\Logo1_.exe
Filesize
54KB

MD5
68d9f79334a728b64d4fb7118ca9ed44

SHA1
68fd2b791a55cfc8ae6a59fd0c710016e7ddae68

SHA256
cd5d6a9067696241fc09aed06561bf2f57ec3a7547e06a0924b1e1e68279b783

SHA512
e9859b0a6f8ce15c9935a7b2f68087f0347ce19ea58eb31f31e697889a14a43ec5547649c1ad085adecdb5cb78fa35514e47653a341240c0fd20aa8970bbce58

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
842B

MD5
6f4adf207ef402d9ef40c6aa52ffd245

SHA1
4b05b495619c643f02e278dede8f5b1392555a57

SHA256
d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

SHA512
a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

Download Submit
memory/1396-12-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1396-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2308-1-0x0000000000510000-0x0000000000530000-memory.dmp

Filesize
128KB

Download
memory/2308-10-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2308-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2476-17-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2476-38-0x0000000000400000-0x00000000006F2000-memory.dmp

Filesize
2.9MB

Download
memory/2476-23-0x0000000073F30000-0x0000000074430000-memory.dmp

Filesize
5.0MB

Download
memory/2476-40-0x0000000073F30000-0x0000000074430000-memory.dmp

Filesize
5.0MB

Download
memory/2476-42-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/2476-16-0x0000000000400000-0x00000000006F2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads