10d8c92c49c753ba4aa9698b275c2e33ff86bb402a0c1158c081e1b54d171f75

General

Target

6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Size

913KB
MD5

6a00033258f0238ae0d551f730690ce6
SHA1

243167691fe5e344f605bb318beefbc01c632332
SHA256

10d8c92c49c753ba4aa9698b275c2e33ff86bb402a0c1158c081e1b54d171f75
SHA512

2349c3473884823094230f78cd6543d090b37d256936ed3f3414ae142e6d71b51fa0443bfcad4db23061316b1d3a7d339fd78e451fa110e5924d5c0b04bac4d6
SSDEEP

24576:T2oSaf5lTlufs3zjVpx1NsOG6/1mfWuBzT02xyJPy0p:T2oSaf5lTlufs3PVpx16cpEzTRgJa

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2352-0-0x0000000000B60000-0x0000000000DC9000-memory.dmp	upx
behavioral1/memory/2352-2-0x0000000000B60000-0x0000000000DC9000-memory.dmp	upx
behavioral1/memory/2352-3-0x0000000000B60000-0x0000000000DC9000-memory.dmp	upx
behavioral1/memory/2352-48-0x0000000000B60000-0x0000000000DC9000-memory.dmp	upx
behavioral1/memory/2352-50-0x0000000000B60000-0x0000000000DC9000-memory.dmp	upx
behavioral1/memory/2352-51-0x0000000000B60000-0x0000000000DC9000-memory.dmp	upx
behavioral1/memory/2352-52-0x0000000000B60000-0x0000000000DC9000-memory.dmp	upx
behavioral1/memory/2352-53-0x0000000000B60000-0x0000000000DC9000-memory.dmp	upx
behavioral1/memory/2352-54-0x0000000000B60000-0x0000000000DC9000-memory.dmp	upx
behavioral1/memory/2352-55-0x0000000000B60000-0x0000000000DC9000-memory.dmp	upx
behavioral1/memory/2352-56-0x0000000000B60000-0x0000000000DC9000-memory.dmp	upx
behavioral1/memory/2352-57-0x0000000000B60000-0x0000000000DC9000-memory.dmp	upx
behavioral1/memory/2352-58-0x0000000000B60000-0x0000000000DC9000-memory.dmp	upx
behavioral1/memory/2604-59-0x0000000000B60000-0x0000000000DC9000-memory.dmp	upx
behavioral1/memory/2352-60-0x0000000000B60000-0x0000000000DC9000-memory.dmp	upx
behavioral1/memory/2604-61-0x0000000000B60000-0x0000000000DC9000-memory.dmp	upx
behavioral1/memory/2604-62-0x0000000000B60000-0x0000000000DC9000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe

pid process

2352 6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
2604 6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe = "11001"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe = "11001"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe

Modifies registry class 44 IoCs

Processes:

6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\InprocHandler32	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\ = "Setup.Application"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Application\CLSID	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\FLAGS\ = "0"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\HELPDIR	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ProxyStubClsid32	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Application\CLSID	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Application\CLSID\ = "{017E057B-DACF-4A07-B878-E294565E3F90}"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\ProgID	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\InprocHandler32\ = "ole32.dll"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Application\ = "Setup.Application"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\InprocHandler32	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\LocalServer32	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\FLAGS	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ = "ISetup"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib\Version = "1.0"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\LocalServer32	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe\""	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\ = "Setup"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\0\win32	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ProxyStubClsid32	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe\""	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Application\CLSID\ = "{017E057B-DACF-4A07-B878-E294565E3F90}"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\InprocHandler32\ = "ole32.dll"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\0	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib\ = "{F126C9FC-9299-40F2-BD42-C59023AD1E7F}"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\ProgID	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Application	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\HELPDIR\	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ = "ISetup"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib\Version = "1.0"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\ProgID\ = "Setup.Application"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{017E057B-DACF-4A07-B878-E294565E3F90}\ProgID\ = "Setup.Application"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F126C9FC-9299-40F2-BD42-C59023AD1E7F}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{237FDFDB-3722-470E-8BA8-90196DABE967}\TypeLib\ = "{F126C9FC-9299-40F2-BD42-C59023AD1E7F}"	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe

pid	process
2352	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
2352	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
2352	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
2352	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
2352	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
2352	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
2604	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
2604	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
2604	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
2604	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
2604	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
2604	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe

description	pid	process	target process
PID 2352 wrote to memory of 2604	2352	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
PID 2352 wrote to memory of 2604	2352	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
PID 2352 wrote to memory of 2604	2352	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
PID 2352 wrote to memory of 2604	2352	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
PID 2352 wrote to memory of 2604	2352	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
PID 2352 wrote to memory of 2604	2352	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
PID 2352 wrote to memory of 2604	2352	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe	6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2352

C:\Users\Admin\AppData\Local\Temp\6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6a00033258f0238ae0d551f730690ce6_JaffaCakes118.exe" /adm /recovermode
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TempDir\Chrome17759_Local State
Filesize
129KB

MD5
4984c92711d21e80f33eeb593761a28a

SHA1
04099a7c35aa16d60f09e3e5ab51d53208889cbb

SHA256
8481d9b5dfc8e7863632e5dd051f6c6a9cf60bd6cc7697ec3064d3e3f75aba04

SHA512
d493dc8c0d6c199e0ce1aeb69066b78dd5f062dbf3e1da88bed92472fc985b75b50263061d5eed537ddfb3716fb63b1f0f117ba2cb140b28d62cb6536b0a78d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempDir\Firefox17681_profiles.ini
Filesize
301B

MD5
9f4f243e231432d610bc80a0271b8088

SHA1
26850166aa02dbb1f411ed4c918f0801e480ec34

SHA256
d47347e88234b02f9052c65c70c906272532ac789756405c97b2c96fb7957f25

SHA512
37706bfd31f6c15a337431851080bd5cd59954d0ba53184b323d648f8aa314c19585f4a839dfaa54eb016517746a7dc8e37683d00220cc20062accd330ddb720

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\L2WF6DHS.txt
Filesize
108B

MD5
54deb1d4030a538b8e5da0eaf25562a0

SHA1
c9da4d000e62f81c2609cd4e73dc5713a2f2fdb2

SHA256
e8c6711f72a56dcef5753ac20d9267b3d165c9632429bcfdd66cfdb2af6e028b

SHA512
931f3c18b0c292bfba661f0e98e028696df59f0bcd33d895711c017119cf5783992157af8f6d7fb24df74e66c54ee787e9d849859a25c8eebd97fbdbe4ff6010

Download Submit
memory/2352-54-0x0000000000B60000-0x0000000000DC9000-memory.dmp

Filesize
2.4MB

Download
memory/2352-56-0x0000000000B60000-0x0000000000DC9000-memory.dmp

Filesize
2.4MB

Download
memory/2352-48-0x0000000000B60000-0x0000000000DC9000-memory.dmp

Filesize
2.4MB

Download
memory/2352-50-0x0000000000B60000-0x0000000000DC9000-memory.dmp

Filesize
2.4MB

Download
memory/2352-51-0x0000000000B60000-0x0000000000DC9000-memory.dmp

Filesize
2.4MB

Download
memory/2352-52-0x0000000000B60000-0x0000000000DC9000-memory.dmp

Filesize
2.4MB

Download
memory/2352-53-0x0000000000B60000-0x0000000000DC9000-memory.dmp

Filesize
2.4MB

Download
memory/2352-0-0x0000000000B60000-0x0000000000DC9000-memory.dmp

Filesize
2.4MB

Download
memory/2352-55-0x0000000000B60000-0x0000000000DC9000-memory.dmp

Filesize
2.4MB

Download
memory/2352-3-0x0000000000B60000-0x0000000000DC9000-memory.dmp

Filesize
2.4MB

Download
memory/2352-57-0x0000000000B60000-0x0000000000DC9000-memory.dmp

Filesize
2.4MB

Download
memory/2352-58-0x0000000000B60000-0x0000000000DC9000-memory.dmp

Filesize
2.4MB

Download
memory/2352-2-0x0000000000B60000-0x0000000000DC9000-memory.dmp

Filesize
2.4MB

Download
memory/2352-60-0x0000000000B60000-0x0000000000DC9000-memory.dmp

Filesize
2.4MB

Download
memory/2604-61-0x0000000000B60000-0x0000000000DC9000-memory.dmp

Filesize
2.4MB

Download
memory/2604-62-0x0000000000B60000-0x0000000000DC9000-memory.dmp

Filesize
2.4MB

Download
memory/2604-59-0x0000000000B60000-0x0000000000DC9000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads