64c4b96fb483138ace5ac80895bd30d1d95a7e1d526b8a8eb4fe1e2f57bd799a

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

219d0916adff999e13abf180231ad552_JaffaCakes118.exe
Size

1.1MB
MD5

219d0916adff999e13abf180231ad552
SHA1

c2bc2c0358acf7ad957a52b1ab4d3a9305f8afe4
SHA256

64c4b96fb483138ace5ac80895bd30d1d95a7e1d526b8a8eb4fe1e2f57bd799a
SHA512

011383435e05883cdf884063ef5805fc7681641ab3e8ef4c192599d2c2210d09ece5c9a0b8777bc3e74177c705c605c36c821fbcce958fcea5c2ccda46aecdda
SSDEEP

12288:Q6t/08n6hkAW2adY8+QGXVfo/j0ofb2s0xmPMVqeAaPcP0bMDChZ4Pu+O6odlkNy:Q6S86badYrfGLzFPMVdAD0YCqO6ob06

Score

7^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2204	InfoTab.exe

Loads dropped DLL 4 IoCs

pid	Process
2368	219d0916adff999e13abf180231ad552_JaffaCakes118.exe
2204	InfoTab.exe
2760	regsvr32.exe
2600	regsvr32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2368-0-0x0000000000400000-0x000000000050F000-memory.dmp	upx
behavioral1/memory/2368-15-0x0000000000400000-0x000000000050F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InfoTab = "C:\\Program Files (x86)\\InfoTab\\InfoTab.exe"	InfoTab.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{48F1AF48-D3C1-4980-8936-2606884FA24D}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{48F1AF48-D3C1-4980-8936-2606884FA24D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{48F1AF48-D3C1-4980-8936-2606884FA24D}	regsvr32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\InfoTab\InfoTab.exe	219d0916adff999e13abf180231ad552_JaffaCakes118.exe
File created	C:\Program Files (x86)\InfoTab\InfoTab.dll	219d0916adff999e13abf180231ad552_JaffaCakes118.exe
File created	C:\Program Files (x86)\InfoTab\uninstall.exe	219d0916adff999e13abf180231ad552_JaffaCakes118.exe
File created	C:\Program Files (x86)\InfoTab\adc.dll	219d0916adff999e13abf180231ad552_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13632FB5-3578-4CDA-8824-D5A7B94C3CC1}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2DBFA4B9-874D-4899-A36A-AB7F5723B5E1}\ = "IInfoTabCtl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2DBFA4B9-874D-4899-A36A-AB7F5723B5E1}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoTab.InfoTabCtl\ = "InfoTabCtl Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\InfoTab.DLL\AppID = "{C958CEF3-2ADB-4322-9B48-A3F61D95B723}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoTab.InfoTabCtl\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\InprocServer32\ = "C:\\Program Files (x86)\\InfoTab\\InfoTab.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13632FB5-3578-4CDA-8824-D5A7B94C3CC1}\1.0\ = "InfoTab 1.0 Çü½Ä ¶óÀÌºê·¯¸®"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C958CEF3-2ADB-4322-9B48-A3F61D95B723}\ = "InfoTab"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\TypeLib\ = "{13632FB5-3578-4CDA-8824-D5A7B94C3CC1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2DBFA4B9-874D-4899-A36A-AB7F5723B5E1}\TypeLib\ = "{13632FB5-3578-4CDA-8824-D5A7B94C3CC1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoTab.InfoTabCtl.1\ = "InfoTabCtl Class"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoTab.InfoTabCtl.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoTab.InfoTabCtl\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\ProgID\ = "InfoTab.InfoTabCtl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DBFA4B9-874D-4899-A36A-AB7F5723B5E1}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DBFA4B9-874D-4899-A36A-AB7F5723B5E1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DBFA4B9-874D-4899-A36A-AB7F5723B5E1}\TypeLib\ = "{13632FB5-3578-4CDA-8824-D5A7B94C3CC1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\TypeLib\ = "{13632FB5-3578-4CDA-8824-D5A7B94C3CC1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C958CEF3-2ADB-4322-9B48-A3F61D95B723}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{C958CEF3-2ADB-4322-9B48-A3F61D95B723}\ = "InfoTab"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DBFA4B9-874D-4899-A36A-AB7F5723B5E1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\InfoTab.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoTab.InfoTabCtl.1\CLSID\ = "{48F1AF48-D3C1-4980-8936-2606884FA24D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13632FB5-3578-4CDA-8824-D5A7B94C3CC1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DBFA4B9-874D-4899-A36A-AB7F5723B5E1}\ = "IInfoTabCtl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoTab.InfoTabCtl\CLSID\ = "{48F1AF48-D3C1-4980-8936-2606884FA24D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\ = "InfoTabCtl Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2DBFA4B9-874D-4899-A36A-AB7F5723B5E1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DBFA4B9-874D-4899-A36A-AB7F5723B5E1}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2DBFA4B9-874D-4899-A36A-AB7F5723B5E1}\TypeLib\Version = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\VersionIndependentProgID\ = "InfoTab.InfoTabCtl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13632FB5-3578-4CDA-8824-D5A7B94C3CC1}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13632FB5-3578-4CDA-8824-D5A7B94C3CC1}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoTab.InfoTabCtl.1\ = "InfoTabCtl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoTab.InfoTabCtl.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\ProgID\ = "InfoTab.InfoTabCtl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\InfoTab.DLL\AppID = "{C958CEF3-2ADB-4322-9B48-A3F61D95B723}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoTab.InfoTabCtl\ = "InfoTabCtl Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\VersionIndependentProgID\ = "InfoTab.InfoTabCtl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13632FB5-3578-4CDA-8824-D5A7B94C3CC1}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13632FB5-3578-4CDA-8824-D5A7B94C3CC1}\1.0\0\win32\ = "C:\\Program Files (x86)\\InfoTab\\InfoTab.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2DBFA4B9-874D-4899-A36A-AB7F5723B5E1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13632FB5-3578-4CDA-8824-D5A7B94C3CC1}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{13632FB5-3578-4CDA-8824-D5A7B94C3CC1}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\InfoTab"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoTab.InfoTabCtl\CurVer\ = "InfoTab.InfoTabCtl.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}\ = "InfoTabCtl Class"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2368	219d0916adff999e13abf180231ad552_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2368	219d0916adff999e13abf180231ad552_JaffaCakes118.exe
2368	219d0916adff999e13abf180231ad552_JaffaCakes118.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe
2204	InfoTab.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2760	2368	219d0916adff999e13abf180231ad552_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2760	2368	219d0916adff999e13abf180231ad552_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2760	2368	219d0916adff999e13abf180231ad552_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2760	2368	219d0916adff999e13abf180231ad552_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2760	2368	219d0916adff999e13abf180231ad552_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2760	2368	219d0916adff999e13abf180231ad552_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2760	2368	219d0916adff999e13abf180231ad552_JaffaCakes118.exe	28
PID 2368 wrote to memory of 2204	2368	219d0916adff999e13abf180231ad552_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2204	2368	219d0916adff999e13abf180231ad552_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2204	2368	219d0916adff999e13abf180231ad552_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2204	2368	219d0916adff999e13abf180231ad552_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2204	2368	219d0916adff999e13abf180231ad552_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2204	2368	219d0916adff999e13abf180231ad552_JaffaCakes118.exe	29
PID 2368 wrote to memory of 2204	2368	219d0916adff999e13abf180231ad552_JaffaCakes118.exe	29
PID 2204 wrote to memory of 2600	2204	InfoTab.exe	30
PID 2204 wrote to memory of 2600	2204	InfoTab.exe	30
PID 2204 wrote to memory of 2600	2204	InfoTab.exe	30
PID 2204 wrote to memory of 2600	2204	InfoTab.exe	30
PID 2204 wrote to memory of 2600	2204	InfoTab.exe	30
PID 2204 wrote to memory of 2600	2204	InfoTab.exe	30
PID 2204 wrote to memory of 2600	2204	InfoTab.exe	30

C:\Users\Admin\AppData\Local\Temp\219d0916adff999e13abf180231ad552_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\219d0916adff999e13abf180231ad552_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Program Files (x86)\InfoTab\InfoTab.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2760
- C:\Program Files (x86)\InfoTab\InfoTab.exe
  "C:\Program Files (x86)\InfoTab\InfoTab.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Program Files (x86)\InfoTab\InfoTab.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\InfoTab\InfoTab.dll

Filesize
102KB

MD5
60c65f44c089f32bf093e51bea6d804f

SHA1
f58ffcad9ad6117a774fd92682078990d3b28bd4

SHA256
142110c0aa74efd7819f79ef601e083646b6ac5f360ac24d9b03562a9bc89899

SHA512
62d77d75d3eeb73614947f7a52d93a6868662ade4219558c9e525f868f4eece75bb68a7d4dcc141cef6f1eac82062370574a1b58a5baf642217bd9bde3e426e9

Download Submit
C:\Program Files (x86)\InfoTab\adc.dll

Filesize
28KB

MD5
b5a015582916aaf5e054555fe357fd3c

SHA1
5cd3f3e861c039c67338f07a7a19eaa1fe7ecd71

SHA256
b7829e9f624aca60bf0662eaf6388e3db022520c759e758e289d5d308a012c05

SHA512
0414f82acc3c6ca8ff35d0f5e1ad72c43a8563612cc2f427583dc055e631fc0babffa67fd9629dd227d4aef3358be544d5af37e75a61744aacd42e56dca24e1a

Download Submit
\Program Files (x86)\InfoTab\InfoTab.exe

Filesize
305KB

MD5
27dd2fec09f518f5ba673c1463b08e32

SHA1
4975f168fc813f23d4ff8b9ad86732fcf39ee269

SHA256
c887b138b2c54cf8808aa0b54188a68ad6c8e023bcd8446a18ee7f4260f3e61b

SHA512
fe32360135d9a5769e7b714d06034fb998157947a3384fd71f19adca298162e4c7311dc1c1b69d29e443e1eeb3e826e3ee126c1ad7d8a0646e37ff56ba4c374c

Download Submit
memory/2368-0-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/2368-15-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download