latentbot | cf18818e3649505901847ab4a1e5a03f987e1e58010c81dba17dca93e1e75e0b

Analysis

max time kernel
148s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

178faae911b71743d137d895cc7c9369_JaffaCakes118.exe
Size

323KB
MD5

178faae911b71743d137d895cc7c9369
SHA1

433e95f11f3528eebce56c85a817a0498537f5ab
SHA256

cf18818e3649505901847ab4a1e5a03f987e1e58010c81dba17dca93e1e75e0b
SHA512

8209d24f8eaaea0f6480bde76fab76360067d355b0d70e48aed84380b83ae8bac04ebd8e18b8a45250601971ed54754580d63fc257a6bcd99032c2920111981e
SSDEEP

6144:mBN28vnwMSG6ZQda0N1Qf3fp+Aa5SHJKQDkevgh69Ih92i7+A1C7KovEoS:mNvnwMgZ8p1Qf3MASeKQDkqO2iyAq1MZ

Score

10^/10

latentbot evasion persistence trojan upx

Malware Config

Extracted

Family

latentbot

addonupdates.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\NTT_Technologies.exe = "C:\\Users\\Admin\\AppData\\Roaming\\NTT_Technologies.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Directory\windowslogin.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Directory\\windowslogin.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	windowslogin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\javacpl.exe = "C:\\Users\\Admin\\AppData\\Roaming\\NTT_Technologies.exe"	windowslogin.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BCAFDB7-8BDD-BA9D-EE26-AA6FBFCA9A23}	windowslogin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BCAFDB7-8BDD-BA9D-EE26-AA6FBFCA9A23}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\NTT_Technologies.exe"	windowslogin.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{8BCAFDB7-8BDD-BA9D-EE26-AA6FBFCA9A23}	windowslogin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Active Setup\Installed Components\{8BCAFDB7-8BDD-BA9D-EE26-AA6FBFCA9A23}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\NTT_Technologies.exe"	windowslogin.exe

Executes dropped EXE 3 IoCs

pid	Process
2768	windowslogin.exe
3036	windowslogin.exe
2432	windowslogin.exe

Loads dropped DLL 5 IoCs

pid	Process
2020	178faae911b71743d137d895cc7c9369_JaffaCakes118.exe
2020	178faae911b71743d137d895cc7c9369_JaffaCakes118.exe
2020	178faae911b71743d137d895cc7c9369_JaffaCakes118.exe
2020	178faae911b71743d137d895cc7c9369_JaffaCakes118.exe
2020	178faae911b71743d137d895cc7c9369_JaffaCakes118.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2020-0-0x0000000000400000-0x000000000077A000-memory.dmp	upx
behavioral1/files/0x00260000000144d4-24.dat	upx
behavioral1/memory/2768-43-0x0000000000400000-0x000000000077A000-memory.dmp	upx
behavioral1/memory/2020-45-0x0000000000400000-0x000000000077A000-memory.dmp	upx
behavioral1/memory/3036-49-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/3036-54-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/3036-52-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2432-63-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2768-65-0x0000000000400000-0x000000000077A000-memory.dmp	upx
behavioral1/memory/2432-61-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/3036-68-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2432-69-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/3036-70-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/3036-71-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/3036-73-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/3036-75-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/3036-77-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/3036-82-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/3036-84-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/3036-86-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/3036-91-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\windowslogin = "C:\\Users\\Admin\\AppData\\Roaming\\Directory\\windowslogin.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\javacpl.exe = "C:\\Users\\Admin\\AppData\\Roaming\\NTT_Technologies.exe"	windowslogin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\javacpl.exe = "C:\\Users\\Admin\\AppData\\Roaming\\NTT_Technologies.exe"	windowslogin.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 3036	2768	windowslogin.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2756	reg.exe
2760	reg.exe
2236	reg.exe
1296	reg.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: 1	3036	windowslogin.exe
Token: SeCreateTokenPrivilege	3036	windowslogin.exe
Token: SeAssignPrimaryTokenPrivilege	3036	windowslogin.exe
Token: SeLockMemoryPrivilege	3036	windowslogin.exe
Token: SeIncreaseQuotaPrivilege	3036	windowslogin.exe
Token: SeMachineAccountPrivilege	3036	windowslogin.exe
Token: SeTcbPrivilege	3036	windowslogin.exe
Token: SeSecurityPrivilege	3036	windowslogin.exe
Token: SeTakeOwnershipPrivilege	3036	windowslogin.exe
Token: SeLoadDriverPrivilege	3036	windowslogin.exe
Token: SeSystemProfilePrivilege	3036	windowslogin.exe
Token: SeSystemtimePrivilege	3036	windowslogin.exe
Token: SeProfSingleProcessPrivilege	3036	windowslogin.exe
Token: SeIncBasePriorityPrivilege	3036	windowslogin.exe
Token: SeCreatePagefilePrivilege	3036	windowslogin.exe
Token: SeCreatePermanentPrivilege	3036	windowslogin.exe
Token: SeBackupPrivilege	3036	windowslogin.exe
Token: SeRestorePrivilege	3036	windowslogin.exe
Token: SeShutdownPrivilege	3036	windowslogin.exe
Token: SeDebugPrivilege	3036	windowslogin.exe
Token: SeAuditPrivilege	3036	windowslogin.exe
Token: SeSystemEnvironmentPrivilege	3036	windowslogin.exe
Token: SeChangeNotifyPrivilege	3036	windowslogin.exe
Token: SeRemoteShutdownPrivilege	3036	windowslogin.exe
Token: SeUndockPrivilege	3036	windowslogin.exe
Token: SeSyncAgentPrivilege	3036	windowslogin.exe
Token: SeEnableDelegationPrivilege	3036	windowslogin.exe
Token: SeManageVolumePrivilege	3036	windowslogin.exe
Token: SeImpersonatePrivilege	3036	windowslogin.exe
Token: SeCreateGlobalPrivilege	3036	windowslogin.exe
Token: 31	3036	windowslogin.exe
Token: 32	3036	windowslogin.exe
Token: 33	3036	windowslogin.exe
Token: 34	3036	windowslogin.exe
Token: 35	3036	windowslogin.exe
Token: SeDebugPrivilege	3036	windowslogin.exe
Token: SeDebugPrivilege	2432	windowslogin.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2020	178faae911b71743d137d895cc7c9369_JaffaCakes118.exe
2768	windowslogin.exe
3036	windowslogin.exe
3036	windowslogin.exe
3036	windowslogin.exe
2432	windowslogin.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2672	2020	178faae911b71743d137d895cc7c9369_JaffaCakes118.exe	29
PID 2020 wrote to memory of 2672	2020	178faae911b71743d137d895cc7c9369_JaffaCakes118.exe	29
PID 2020 wrote to memory of 2672	2020	178faae911b71743d137d895cc7c9369_JaffaCakes118.exe	29
PID 2020 wrote to memory of 2672	2020	178faae911b71743d137d895cc7c9369_JaffaCakes118.exe	29
PID 2672 wrote to memory of 2852	2672	cmd.exe	31
PID 2672 wrote to memory of 2852	2672	cmd.exe	31
PID 2672 wrote to memory of 2852	2672	cmd.exe	31
PID 2672 wrote to memory of 2852	2672	cmd.exe	31
PID 2020 wrote to memory of 2768	2020	178faae911b71743d137d895cc7c9369_JaffaCakes118.exe	32
PID 2020 wrote to memory of 2768	2020	178faae911b71743d137d895cc7c9369_JaffaCakes118.exe	32
PID 2020 wrote to memory of 2768	2020	178faae911b71743d137d895cc7c9369_JaffaCakes118.exe	32
PID 2020 wrote to memory of 2768	2020	178faae911b71743d137d895cc7c9369_JaffaCakes118.exe	32
PID 2768 wrote to memory of 3036	2768	windowslogin.exe	33
PID 2768 wrote to memory of 3036	2768	windowslogin.exe	33
PID 2768 wrote to memory of 3036	2768	windowslogin.exe	33
PID 2768 wrote to memory of 3036	2768	windowslogin.exe	33
PID 2768 wrote to memory of 3036	2768	windowslogin.exe	33
PID 2768 wrote to memory of 3036	2768	windowslogin.exe	33
PID 2768 wrote to memory of 3036	2768	windowslogin.exe	33
PID 2768 wrote to memory of 3036	2768	windowslogin.exe	33
PID 2768 wrote to memory of 3036	2768	windowslogin.exe	33
PID 3036 wrote to memory of 2896	3036	windowslogin.exe	34
PID 3036 wrote to memory of 2896	3036	windowslogin.exe	34
PID 3036 wrote to memory of 2896	3036	windowslogin.exe	34
PID 3036 wrote to memory of 2896	3036	windowslogin.exe	34
PID 3036 wrote to memory of 2912	3036	windowslogin.exe	35
PID 3036 wrote to memory of 2912	3036	windowslogin.exe	35
PID 3036 wrote to memory of 2912	3036	windowslogin.exe	35
PID 3036 wrote to memory of 2912	3036	windowslogin.exe	35
PID 3036 wrote to memory of 2924	3036	windowslogin.exe	36
PID 3036 wrote to memory of 2924	3036	windowslogin.exe	36
PID 3036 wrote to memory of 2924	3036	windowslogin.exe	36
PID 3036 wrote to memory of 2924	3036	windowslogin.exe	36
PID 3036 wrote to memory of 2720	3036	windowslogin.exe	37
PID 3036 wrote to memory of 2720	3036	windowslogin.exe	37
PID 3036 wrote to memory of 2720	3036	windowslogin.exe	37
PID 3036 wrote to memory of 2720	3036	windowslogin.exe	37
PID 2912 wrote to memory of 2236	2912	cmd.exe	41
PID 2912 wrote to memory of 2236	2912	cmd.exe	41
PID 2912 wrote to memory of 2236	2912	cmd.exe	41
PID 2912 wrote to memory of 2236	2912	cmd.exe	41
PID 2720 wrote to memory of 2760	2720	cmd.exe	42
PID 2720 wrote to memory of 2760	2720	cmd.exe	42
PID 2720 wrote to memory of 2760	2720	cmd.exe	42
PID 2720 wrote to memory of 2760	2720	cmd.exe	42
PID 2896 wrote to memory of 2756	2896	cmd.exe	43
PID 2896 wrote to memory of 2756	2896	cmd.exe	43
PID 2896 wrote to memory of 2756	2896	cmd.exe	43
PID 2896 wrote to memory of 2756	2896	cmd.exe	43
PID 2924 wrote to memory of 1296	2924	cmd.exe	45
PID 2924 wrote to memory of 1296	2924	cmd.exe	45
PID 2924 wrote to memory of 1296	2924	cmd.exe	45
PID 2924 wrote to memory of 1296	2924	cmd.exe	45
PID 2768 wrote to memory of 2432	2768	windowslogin.exe	46
PID 2768 wrote to memory of 2432	2768	windowslogin.exe	46
PID 2768 wrote to memory of 2432	2768	windowslogin.exe	46
PID 2768 wrote to memory of 2432	2768	windowslogin.exe	46
PID 2768 wrote to memory of 2432	2768	windowslogin.exe	46
PID 2768 wrote to memory of 2432	2768	windowslogin.exe	46
PID 2768 wrote to memory of 2432	2768	windowslogin.exe	46
PID 2768 wrote to memory of 2432	2768	windowslogin.exe	46
PID 2768 wrote to memory of 2432	2768	windowslogin.exe	46

C:\Users\Admin\AppData\Local\Temp\178faae911b71743d137d895cc7c9369_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\178faae911b71743d137d895cc7c9369_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\QSGzu.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "windowslogin" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Directory\windowslogin.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2852
- C:\Users\Admin\AppData\Roaming\Directory\windowslogin.exe
  "C:\Users\Admin\AppData\Roaming\Directory\windowslogin.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Roaming\Directory\windowslogin.exe
    False
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Directory\windowslogin.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Directory\windowslogin.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Directory\windowslogin.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Directory\windowslogin.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2236
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1296
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\NTT_Technologies.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\NTT_Technologies.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\NTT_Technologies.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\NTT_Technologies.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2760
- - C:\Users\Admin\AppData\Roaming\Directory\windowslogin.exe
    False
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QSGzu.bat

Filesize
154B

MD5
31b338bb0d8d8398bf8ecc285123834f

SHA1
5dbb46128efdb4405fa0e038d34bf2117e6e5a15

SHA256
311f433ecb141c22b03fe8925828caaebc55b72a3b5e6aefac21ef7435ee89fb

SHA512
4106e70600d126dc53213d9f5f0a715457e07cbe0603bf3d53972eee66de4c174ea561499b7020d999fed447960609dcf37781c09545f246eff9c211d9009a62

Download Submit
\Users\Admin\AppData\Roaming\Directory\windowslogin.exe

Filesize
323KB

MD5
178faae911b71743d137d895cc7c9369

SHA1
433e95f11f3528eebce56c85a817a0498537f5ab

SHA256
cf18818e3649505901847ab4a1e5a03f987e1e58010c81dba17dca93e1e75e0b

SHA512
8209d24f8eaaea0f6480bde76fab76360067d355b0d70e48aed84380b83ae8bac04ebd8e18b8a45250601971ed54754580d63fc257a6bcd99032c2920111981e

Download Submit
memory/2020-42-0x0000000007370000-0x00000000076EA000-memory.dmp

Filesize
3.5MB

Download
memory/2020-6-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2020-45-0x0000000000400000-0x000000000077A000-memory.dmp

Filesize
3.5MB

Download
memory/2020-40-0x0000000007370000-0x00000000076EA000-memory.dmp

Filesize
3.5MB

Download
memory/2020-39-0x0000000007370000-0x00000000076EA000-memory.dmp

Filesize
3.5MB

Download
memory/2020-38-0x0000000007370000-0x00000000076EA000-memory.dmp

Filesize
3.5MB

Download
memory/2020-0-0x0000000000400000-0x000000000077A000-memory.dmp

Filesize
3.5MB

Download
memory/2432-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2432-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2432-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2768-43-0x0000000000400000-0x000000000077A000-memory.dmp

Filesize
3.5MB

Download
memory/2768-65-0x0000000000400000-0x000000000077A000-memory.dmp

Filesize
3.5MB

Download
memory/3036-52-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3036-54-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3036-68-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3036-49-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3036-70-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3036-71-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3036-73-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3036-75-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3036-77-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3036-82-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3036-84-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3036-86-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3036-91-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads