3a309f51d3e4be8f3581b3e83534e19bfbdb1c002f57356ff84fbe4779a3504e

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
Size

158KB
MD5

3b51fab717e281580abca9c62aaa9685
SHA1

74cd77630ace2fa629405f0665f34f1bb86419c1
SHA256

3a309f51d3e4be8f3581b3e83534e19bfbdb1c002f57356ff84fbe4779a3504e
SHA512

41502d14ccb5c65aa72aaea0f91b4f7defe4f1293fed54d1ce9193d77884cb068943560c07f0118fbe0b92de09fab6cf0b2d1e7059ddf2ad9349d41dcee33d3f
SSDEEP

3072:/23lko29IApHuGPdsNjMb5LjZpTSNLjXTp2zEVZNNSdAXb:/do+FuGPds1cLjLSBjDpUEzNNS+L

Score

10^/10

evasion execution persistence upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\2895k76 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rt04lto.exe"	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	rt04lto.exe

Deletes itself 1 IoCs

pid	Process
2680	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2972	rt04lto.exe
1628	rt04lto.exe
2872	rt04lto.exe

Loads dropped DLL 4 IoCs

pid	Process
1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
2972	rt04lto.exe
2972	rt04lto.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1900-0-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0011000000016cd4-11.dat	upx
behavioral1/memory/1900-29-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1628-34-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2972-41-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1628-42-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1628-43-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2872-56-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	Rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\osor.log	rt04lto.exe
File opened for modification	C:\Windows\SysWOW64\osor.log	rt04lto.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	Rundll32.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2948	sc.exe
3036	sc.exe
2388	sc.exe
1904	sc.exe
2764	sc.exe
2024	sc.exe
588	sc.exe
2200	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	rt04lto.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	rt04lto.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	rt04lto.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2760	Rundll32.exe
Token: SeRestorePrivilege	2760	Rundll32.exe
Token: SeRestorePrivilege	2760	Rundll32.exe
Token: SeRestorePrivilege	2760	Rundll32.exe
Token: SeRestorePrivilege	2760	Rundll32.exe
Token: SeRestorePrivilege	2760	Rundll32.exe
Token: SeRestorePrivilege	2760	Rundll32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
2972	rt04lto.exe
2972	rt04lto.exe
2972	rt04lto.exe
1628	rt04lto.exe
1628	rt04lto.exe
1628	rt04lto.exe
2872	rt04lto.exe
2872	rt04lto.exe
2872	rt04lto.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2968	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	31
PID 1900 wrote to memory of 2968	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	31
PID 1900 wrote to memory of 2968	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	31
PID 1900 wrote to memory of 2968	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	31
PID 1900 wrote to memory of 2388	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	33
PID 1900 wrote to memory of 2388	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	33
PID 1900 wrote to memory of 2388	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	33
PID 1900 wrote to memory of 2388	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	33
PID 1900 wrote to memory of 2800	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	34
PID 1900 wrote to memory of 2800	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	34
PID 1900 wrote to memory of 2800	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	34
PID 1900 wrote to memory of 2800	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	34
PID 1900 wrote to memory of 1904	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	35
PID 1900 wrote to memory of 1904	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	35
PID 1900 wrote to memory of 1904	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	35
PID 1900 wrote to memory of 1904	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	35
PID 1900 wrote to memory of 2972	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	39
PID 1900 wrote to memory of 2972	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	39
PID 1900 wrote to memory of 2972	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	39
PID 1900 wrote to memory of 2972	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	39
PID 2968 wrote to memory of 484	2968	net.exe	40
PID 2968 wrote to memory of 484	2968	net.exe	40
PID 2968 wrote to memory of 484	2968	net.exe	40
PID 2968 wrote to memory of 484	2968	net.exe	40
PID 2800 wrote to memory of 2808	2800	net.exe	41
PID 2800 wrote to memory of 2808	2800	net.exe	41
PID 2800 wrote to memory of 2808	2800	net.exe	41
PID 2800 wrote to memory of 2808	2800	net.exe	41
PID 1900 wrote to memory of 2760	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	42
PID 1900 wrote to memory of 2760	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	42
PID 1900 wrote to memory of 2760	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	42
PID 1900 wrote to memory of 2760	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	42
PID 1900 wrote to memory of 2760	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	42
PID 1900 wrote to memory of 2760	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	42
PID 1900 wrote to memory of 2760	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	42
PID 2760 wrote to memory of 2284	2760	Rundll32.exe	43
PID 2760 wrote to memory of 2284	2760	Rundll32.exe	43
PID 2760 wrote to memory of 2284	2760	Rundll32.exe	43
PID 2760 wrote to memory of 2284	2760	Rundll32.exe	43
PID 1900 wrote to memory of 2680	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	44
PID 1900 wrote to memory of 2680	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	44
PID 1900 wrote to memory of 2680	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	44
PID 1900 wrote to memory of 2680	1900	3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe	44
PID 2284 wrote to memory of 3060	2284	runonce.exe	46
PID 2284 wrote to memory of 3060	2284	runonce.exe	46
PID 2284 wrote to memory of 3060	2284	runonce.exe	46
PID 2284 wrote to memory of 3060	2284	runonce.exe	46
PID 2972 wrote to memory of 1732	2972	rt04lto.exe	48
PID 2972 wrote to memory of 1732	2972	rt04lto.exe	48
PID 2972 wrote to memory of 1732	2972	rt04lto.exe	48
PID 2972 wrote to memory of 1732	2972	rt04lto.exe	48
PID 2972 wrote to memory of 2764	2972	rt04lto.exe	49
PID 2972 wrote to memory of 2764	2972	rt04lto.exe	49
PID 2972 wrote to memory of 2764	2972	rt04lto.exe	49
PID 2972 wrote to memory of 2764	2972	rt04lto.exe	49
PID 2972 wrote to memory of 1668	2972	rt04lto.exe	51
PID 2972 wrote to memory of 1668	2972	rt04lto.exe	51
PID 2972 wrote to memory of 1668	2972	rt04lto.exe	51
PID 2972 wrote to memory of 1668	2972	rt04lto.exe	51
PID 2972 wrote to memory of 2024	2972	rt04lto.exe	52
PID 2972 wrote to memory of 2024	2972	rt04lto.exe	52
PID 2972 wrote to memory of 2024	2972	rt04lto.exe	52
PID 2972 wrote to memory of 2024	2972	rt04lto.exe	52
PID 2972 wrote to memory of 1628	2972	rt04lto.exe	53

C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b51fab717e281580abca9c62aaa9685_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\net.exe
  net.exe stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:484
- C:\Windows\SysWOW64\sc.exe
  sc config wscsvc start= DISABLED
  2⤵
  - Launches sc.exe
  PID:2388
- C:\Windows\SysWOW64\net.exe
  net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2808
- C:\Windows\SysWOW64\sc.exe
  sc config SharedAccess start= DISABLED
  2⤵
  - Launches sc.exe
  PID:1904
- C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
  C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Security Center"
    3⤵
    PID:1732
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Security Center"
      4⤵
      PID:1472
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= DISABLED
    3⤵
    - Launches sc.exe
    PID:2764
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1668
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
      4⤵
      PID:2004
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= DISABLED
    3⤵
    - Launches sc.exe
    PID:2024
- - C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
    C:\Users\Admin\AppData\Local\Temp\rt04lto.exe -dCBD824CE7ABD459AAE5F83A489CDDBDEE97C2353F694E52C107C166023F592FAAFD38D90077B4B1596E2E34C241ADBF374B7DD35B912D38FA891304C38472D5F531A43ECFAF22FC3B2F3377032C99298AB9C24682091E4E4A517A6CE87732BAD9DCA998B607ECB7B76B02077D013AAFF912CECDF580391A69EBCBBF54B35D564B2A41EB786C438FF99A880D35B9F0A9B6D806464CE3493AE67FCEEB104E5B663F693A5D8F89ECEE00E59772D70EEDC71C3A8FD4E2F0AE45E161B018E6D2994730F703E2C84C927DD0C7C66FCEC7D89CD58E66A2F6927BC2CFF1CF56583457AADE15D393537851CAD0607EF7EEC26BAF9310499B0A8DB9420B8080B83847FB0DB927C29835ED6C571B255F2CECD84589E9333BE875A7525BE1522C38BED40C0FA87CBDE2985CE7C41053B90EF2C328C6004D247FD2AA8685A2B18E0977A03720F642469D07AA6DA7134EE2B08E628BF634764E88A07C697BF50B261C62827D0540F8C1B5C4A18B76FB35A630719189A0963AE90C31E94294B185288DE359922C6AD998659421B2ECD395F1A97202005A29C7D7044DAE9D9A658D6D6B11E11F2E3A2F379C5EE7595CD
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1628
  - - C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      4⤵
      PID:1148
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        5⤵
        
        PID:2664
  - - C:\Windows\SysWOW64\sc.exe
      sc config wscsvc start= DISABLED
      4⤵
      Launches sc.exe
      PID:588
  - - C:\Windows\SysWOW64\net.exe
      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
      4⤵
      PID:1772
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        5⤵
        
        PID:608
  - - C:\Windows\SysWOW64\sc.exe
      sc config SharedAccess start= DISABLED
      4⤵
      Launches sc.exe
      PID:2200
- - C:\Users\Admin\AppData\Local\Temp\rt04lto.exe
    C:\Users\Admin\AppData\Local\Temp\rt04lto.exe -dA9BA856F0CCB8F507382775089CD686D3BAE5F2F4E2CDE17C2AE4C3A4395127A374B011C2B5782DCAADE9B34C1FFD2FAC300749C07ACCC90B48D4834DBA4A5D76C259639CBC3826E0D4C490E2AD13A30A19698D463D25E5E08BA2B468E7A770335607F5F416A8E2C9A5C8BD7A96AF29BE15AA490D997350DDDF89EDF611778BAC0D934812362E82C8EC8A9C862B38908D231B0A41CE3327D8F0689EC9A78D902792A6EE54524110F65052D73BB15D173FF9A16A4223A77CCBBB91797BCFC0DD50E622621BCF5CA2DDDB1DF4859D4DC9935856F28206B641F3EEBB03B8E38C3196AA59569DE1B14A2F203C94620E3F9BC83B4938A8BFA9B59348EFD7614ECECB9BC5335893FB82F8BE208330A367ABB6F349D9CAB183EFC61FCB8E7A09334BA83703ABE4BB5F89EA1296EA7C9FFE3F20BD71CE329BCD3A88E320796EA90E79EEF337329905488208B855FEDCE21EFAE7236150163AB6A0028B35175D2D1DE48CCF370AFE87123B76FF21B0E6A818042D161ACCE9D5CD6A6C49CD62C7A59F5AA4EDCE8CA15A2FBA447AEC854D944443E99A4B9645B82827A024AC3A3C66FB2F4F35B0A318DBC27673F
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2872
  - - C:\Windows\SysWOW64\net.exe
      net.exe stop "Security Center"
      4⤵
      PID:2984
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        5⤵
        
        PID:2232
  - - C:\Windows\SysWOW64\sc.exe
      sc config wscsvc start= DISABLED
      4⤵
      Launches sc.exe
      PID:2948
  - - C:\Windows\SysWOW64\net.exe
      net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
      4⤵
      PID:2936
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
        5⤵
        
        PID:2292
  - - C:\Windows\SysWOW64\sc.exe
      sc config SharedAccess start= DISABLED
      4⤵
      Launches sc.exe
      PID:3036
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\mdinstall.inf
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\SysWOW64\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      PID:3060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\a2ga3dk8.bat
  2⤵
  - Deletes itself
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a2ga3dk8.bat

Filesize
218B

MD5
bc686b5b5dfc9fe33f1b9298988ffea4

SHA1
0f4aa7406da22b81e1e8c0413ede8f4d6077e063

SHA256
134c6b80d275afa3ab4e52fd85b5cfe4e202fd2b52416c64b6b6a435712d9816

SHA512
6b425aad3c7d98083f2e0d0e817939a8617f2a6c89c50a5de942b22945b88a5e80f5fe43425ff2dbdfb83de83b9eb32714070f6abd9d1cdbd5e10f5e97ba6335

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdinstall.inf

Filesize
413B

MD5
ce1f2d7c8e36f3c085a5d281b9ebeb2f

SHA1
bbbfae948d625afe50f66f34282bda3974cfdce5

SHA256
312239a5c6333e6d1e8ba9f0e81856c37347be0f21d194741ae1d25538cd130c

SHA512
89f69b88bdfb391f58abaefbbae7e393571709c0ea6a268794c035200674ad3a8615a65944373559aead87e8d5ab09f334e2b1563c1bde912aa26a485b76357e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rt04lto.exe

Filesize
158KB

MD5
3b51fab717e281580abca9c62aaa9685

SHA1
74cd77630ace2fa629405f0665f34f1bb86419c1

SHA256
3a309f51d3e4be8f3581b3e83534e19bfbdb1c002f57356ff84fbe4779a3504e

SHA512
41502d14ccb5c65aa72aaea0f91b4f7defe4f1293fed54d1ce9193d77884cb068943560c07f0118fbe0b92de09fab6cf0b2d1e7059ddf2ad9349d41dcee33d3f

Download Submit
memory/1628-37-0x00000000045D0000-0x000000000461F000-memory.dmp

Filesize
316KB

Download
memory/1628-39-0x0000000003C60000-0x0000000003C6D000-memory.dmp

Filesize
52KB

Download
memory/1628-43-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1628-42-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1628-40-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/1628-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1628-38-0x0000000004960000-0x00000000049BA000-memory.dmp

Filesize
360KB

Download
memory/1900-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1900-13-0x00000000047D0000-0x00000000047FA000-memory.dmp

Filesize
168KB

Download
memory/1900-29-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1900-3-0x0000000003A50000-0x0000000003C39000-memory.dmp

Filesize
1.9MB

Download
memory/1900-12-0x00000000047D0000-0x00000000047FA000-memory.dmp

Filesize
168KB

Download
memory/2872-52-0x0000000004770000-0x00000000047BF000-memory.dmp

Filesize
316KB

Download
memory/2872-53-0x0000000004760000-0x000000000479C000-memory.dmp

Filesize
240KB

Download
memory/2872-51-0x0000000004710000-0x0000000004768000-memory.dmp

Filesize
352KB

Download
memory/2872-55-0x00000000047E0000-0x000000000483A000-memory.dmp

Filesize
360KB

Download
memory/2872-56-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2972-33-0x00000000045D0000-0x00000000045FA000-memory.dmp

Filesize
168KB

Download
memory/2972-41-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads