f24dd9c54ee30ce5ea624eb8b51f24adfef2b196cceda2064d721d8b723d24ab

Analysis

max time kernel
127s
max time network
128s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
Size

19KB
MD5

4258ff976538ddb6eba552017de1cc88
SHA1

642c7c0641302e626b3896aaaa29154ef6e17e60
SHA256

f24dd9c54ee30ce5ea624eb8b51f24adfef2b196cceda2064d721d8b723d24ab
SHA512

72631e69e044395a3bc23118e388094a5555a081482845d5fb6cc1c591b6a1c5ca10a4ebafcb52f250114d66e245c39528b63d1fb4205a833ab896dbaacd60fa
SSDEEP

384:QXWuX7KLLfrbrA2ZZJNAfE2J/aFTDuhXkrWHiOtDUvDHB181:QmuX7cNr0E2JmahXaWHiAYvD8

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2268	IEXPLORE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Program Files\\Common Files\\Services\\svchost.exe"	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\P:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\W:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\K:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\L:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\O:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\S:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\U:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\T:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\B:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\J:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\M:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\N:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\R:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\V:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\X:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\Y:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\E:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\G:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\H:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\I:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\Q:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened (read-only)	\??\Z:	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened for modification	F:\autorun.inf	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File created	C:\autorun.inf	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened for modification	C:\autorun.inf	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DirectX10.dll	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DirectX10.dll	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Services\svchost.exe	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Services\svchost.exe	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "2023942073"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EF298A01-412F-11EF-ABF5-46A49AEEEEC8} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
Token: SeDebugPrivilege	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
Token: SeDebugPrivilege	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
Token: SeDebugPrivilege	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3044	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3044	IEXPLORE.EXE
3044	IEXPLORE.EXE
2268	IEXPLORE.EXE
2268	IEXPLORE.EXE
2268	IEXPLORE.EXE
2268	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 264	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	31
PID 2728 wrote to memory of 264	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	31
PID 2728 wrote to memory of 264	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	31
PID 2728 wrote to memory of 264	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	31
PID 2728 wrote to memory of 480	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	32
PID 2728 wrote to memory of 480	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	32
PID 2728 wrote to memory of 480	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	32
PID 2728 wrote to memory of 480	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	32
PID 2728 wrote to memory of 1404	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	34
PID 2728 wrote to memory of 1404	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	34
PID 2728 wrote to memory of 1404	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	34
PID 2728 wrote to memory of 1404	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	34
PID 2728 wrote to memory of 592	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	36
PID 2728 wrote to memory of 592	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	36
PID 2728 wrote to memory of 592	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	36
PID 2728 wrote to memory of 592	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	36
PID 2728 wrote to memory of 3044	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	39
PID 2728 wrote to memory of 3044	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	39
PID 2728 wrote to memory of 3044	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	39
PID 2728 wrote to memory of 3044	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	39
PID 264 wrote to memory of 2344	264	Net.exe	42
PID 264 wrote to memory of 2344	264	Net.exe	42
PID 264 wrote to memory of 2344	264	Net.exe	42
PID 264 wrote to memory of 2344	264	Net.exe	42
PID 480 wrote to memory of 1564	480	Net.exe	41
PID 480 wrote to memory of 1564	480	Net.exe	41
PID 480 wrote to memory of 1564	480	Net.exe	41
PID 480 wrote to memory of 1564	480	Net.exe	41
PID 1404 wrote to memory of 2256	1404	net.exe	40
PID 1404 wrote to memory of 2256	1404	net.exe	40
PID 1404 wrote to memory of 2256	1404	net.exe	40
PID 1404 wrote to memory of 2256	1404	net.exe	40
PID 592 wrote to memory of 2356	592	net.exe	43
PID 592 wrote to memory of 2356	592	net.exe	43
PID 592 wrote to memory of 2356	592	net.exe	43
PID 592 wrote to memory of 2356	592	net.exe	43
PID 3044 wrote to memory of 2268	3044	IEXPLORE.EXE	44
PID 3044 wrote to memory of 2268	3044	IEXPLORE.EXE	44
PID 3044 wrote to memory of 2268	3044	IEXPLORE.EXE	44
PID 3044 wrote to memory of 2268	3044	IEXPLORE.EXE	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44
PID 2728 wrote to memory of 2268	2728	4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe	44

C:\Users\Admin\AppData\Local\Temp\4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4258ff976538ddb6eba552017de1cc88_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\Net.exe
  Net Stop Norton Antivirus Auto Protect Service
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop Norton Antivirus Auto Protect Service
    3⤵
    PID:2344
- C:\Windows\SysWOW64\Net.exe
  Net Stop mcshield
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 Stop mcshield
    3⤵
    PID:1564
- C:\Windows\SysWOW64\net.exe
  net stop "Windows Firewall/Internet Connection Sharing (ICS)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:2256
- C:\Windows\SysWOW64\net.exe
  net stop System Restore Service
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop System Restore Service
    3⤵
    PID:2356
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3044 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Services\svchost.exe

Filesize
19KB

MD5
4258ff976538ddb6eba552017de1cc88

SHA1
642c7c0641302e626b3896aaaa29154ef6e17e60

SHA256
f24dd9c54ee30ce5ea624eb8b51f24adfef2b196cceda2064d721d8b723d24ab

SHA512
72631e69e044395a3bc23118e388094a5555a081482845d5fb6cc1c591b6a1c5ca10a4ebafcb52f250114d66e245c39528b63d1fb4205a833ab896dbaacd60fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a3af0f34eb8411d3e5cfccff3d5b3334

SHA1
15957ca568a7e323037c2ab34517cf69722a3c61

SHA256
054677e11ebe243b2cf69dc068f0cae40702b0c5e8a51863ba0e64a07206cd25

SHA512
f0c0043ee22b287b68d3785deabc27e48980ad2073c970691e1781d4d19edc9e0587aeeb92cb857a0476d7d808763689922ccb4b5f8d8dc8ab3a3e0b236c82bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
25bfd6f28abbe9b87039de0bd8934d83

SHA1
22e4dc4620ccdfe5b77f39c2d326ee8fa17c50cd

SHA256
0cb64301f7c604454dfbd7a166a33de9f61c4eda6777ae50085234b1e2f5c739

SHA512
d5cc30c6e48db301f718f0172f6a9af8a221e32419c98ddd4050bc57a404a34307351127caedba87f1cce52c8bada896bf098b4941dd944b38ec60f1eb5d14c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
55d35b5cb940e36f8353c9b6755ace5d

SHA1
d6e566ddf22d138a06e3c34de3176f045c45e93c

SHA256
0a750dfca5b4dfd4e8d56c91afef117c526ef1776f139143a73e843c3cc08b0b

SHA512
a5728604fd38c3cfef9c1d3f0e069ffbdcd094e1e5abb9632a848028e57ba1df5c8863aa507656145c659cd8cb93148aceb6aa9e2f6d50c936a0ecdd7c1aacb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
44c039d3b3eaec314c2162a77fcfa89f

SHA1
cffee1ee58028f7802a17c7dc5675bb6c945a10e

SHA256
fdbd3dd80f2f8bd09a61a469fa0d6adea53b8ee8c346066b78e4a1cb38a29c01

SHA512
76f60211e8b797fb65c6fae6eba57c5e893343e093385d56d135cab9e7e7e12d53d18282fcf8296c987efa6b7d1c23899e658b307e9ce3c35e1106a25a6419d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
67617280eac8feb86e6703a72e9f8099

SHA1
312037672433adf06a4ecc2518827014a76c370b

SHA256
d89290cca2ce78594079f7a78377fa908eaeaeb87ff96d5093b36460fbc915fc

SHA512
fd79fdf6035d541f087a76d757b8443e81babec02b342482f9f824b622bc8e56b28e8f8aaf8846a3dbfe2d95ec8796af44a980c7ea34b6e08675c7540d8644ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e7e6c84d596d6b18f7b4bd2a9f47e3b6

SHA1
1e4c716308a796721825b1f171309c5e446cd30d

SHA256
f60c638eec373031380c10cdd269efc0da2a633a1343afb37e0ff59127ac50f9

SHA512
a422c233305573cb3a1c5072693a44c18916ca29301bdb64d4300efe8a5ca542f5be640b0be4bf0153d47856d7fe9a0383973e1532e5dfd25e2218c39337bc42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d7d7437f74faab0cf1a3909d1cae48a5

SHA1
37f3602e50b57101b9bdcd72c884463711bdb0df

SHA256
ddac53743f485ec49b471cd4eb5e1aa99fa5e750f825e6e5bdd70c0a80c9e701

SHA512
1ae76d57ee809a26f008986d63272ef99b601ac6af2073696ae398b4bf848f6566216c89166d29fc6c981673d4bdfb1b41a11c19ee9ce360c337820a48565916

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
fac5411eb226409e74bd7dea64dcfa5f

SHA1
d6b9dd986db00468dc86c39c317197e6fbcff448

SHA256
f130349d080fa8b551a829d62922cffb9447721f9f8c129ab526d8421756aba7

SHA512
ae9590c04c442ad87f7bb7c2731a51c2916571fe6e63c321a400eaf2f823751c21596b64eda40949faea5b4af309eb5412e79db7b20e871d85c54fa9d6b422e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8f658717edbce3a9a1dad8375d1cc993

SHA1
e69394a1e37f524bcc850181cb9ae4db89dbbd7f

SHA256
af02fb86a3502f0d151e1460028246a70931ad5679714f4ed21deb929534a023

SHA512
52ec266e221b53aab2aaf959383f1d699d23c0dd3f3ccf803718361735443ece9b73bff74f6624ff00b6d9ad7a27fcf532174519a2173e844ace56b406153793

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
10d852f628676fb98e466ff26ed3a6cf

SHA1
4c1e9eb68f350fc2ef1ad981409bda1e8d1083a2

SHA256
168f3fa1e701a8edabe7320f2122a13d8951ee43c427cdc239d58bae3df6c5eb

SHA512
a217909cc393c8e272d584297874fcda20e87f5f9f49c24a2fb3cb8d21b15e1286632d8fc51dae60ca06daaaa9e0d71a562fb78e286b9f6336910f1152a7045d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a5251654a3b7920ddcfd9bb6273abbc8

SHA1
5ccd108d0738a10df89672b7031307bac92a4500

SHA256
8117f559c7b29762a25b2dceeb08f3452ded0b77b95d2136b9d68ebb5f715c21

SHA512
849063c77e880e6e7b1521d2cc8059d9abe01abb63fddc1aed892a3dc348d3f1deca826504e35edd222be8d5975963fa04211b75cce8290fb7cfd7bef2b75845

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e9fb60283626b98c93041b4cf9f2f17c

SHA1
843da455c21f03b58cfdc304bda52f7b2ccfa092

SHA256
b192f6c1008e45565e6d19c1d2169d9a01a85fd7aecab9bdcafeabf6c3d452ca

SHA512
7dd78cc6c88105b146426e0613641e9daaced38a338cf95234d0f8e4a753ee125fd287792913b5b93018201bbefbcecab21225351b2c43b22d8e7368d40e5ac9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
537432dedae776eb85b55ff60eff032f

SHA1
37b16d23a49a8a2c3c65b590b623e335304e5701

SHA256
14eac22c821f1e5e222446602ec07a1c050b785c33c47f802608461a528e8bf0

SHA512
0ea09f1f03c59095e49d57265d4d27314ce1ade4c70d8b8843e6ea509a1260422bfe8c7bbdf7897be004f1a20be8583c718d0fc7bb685e1c5ff97701bb730a67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
3a2cad6a62a5cf11d4dc90d1fd7e14d8

SHA1
a549cb8d2e704681dab3ca7b3c651552a82fd4b3

SHA256
b9de50e0a254f602ab22ca9749b6f5db578ec4a2fd46b90db4bd5f28ab654627

SHA512
2ce638df75d0f40df3c0be82572ece17180d1fcf3f41a1b2eff253c4feab7d23d5497efb7703bfcdcefb8e3262b160b0f2990f3b73d8bf9828601be34ac77fd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1188f26a6976fe1749845ece4f5d1715

SHA1
eb87e4b02f5c5b2730f79b60732d82211d7b9ce2

SHA256
cf50e84e2ffb20160f1f075e1946ab0662fbb7cbdbbbe8ddd87bad8265f1864c

SHA512
cdd0f71ee9eaca9dccdb5738e6dd01004af9e4f16c86aebbadf0e3f5b5b7b94bb71aeae556f5c921e96a28f2dea4d9f56ada8aad64bcf39cd048ef3db3ffa478

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d29bec86f3cd2b08958f0730059ddf8d

SHA1
76cfdae34f4dc568120e2d773a0f4c19ee4509da

SHA256
aea19461245de163a7942ee9d024dad97d600d8b33df60e7d0e4844a48b53fca

SHA512
8e2b2ed823c947dd9cd4c5241ad054df7c25d0d8a197566aca68d0291d11f4217515d769535f8f964da64e4ee66cd7e816125e4d398c42a413a349f706c26145

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
06f19ee7778fe742824c5116609deb2b

SHA1
7f2c8462bb833b8082b91ad68ac0f276c82e5fc0

SHA256
a8759a0b3b1531f3f5d0f74a6f7ccbcccb1711c50cbe63bbbe56f567732c49ca

SHA512
318d57c834b8a8fd5276068ce3c0873038227d52c3756dc21611c6b037f5334415bffa76747ca77cec0687f1c72c32a6b8728db035b7e60e2e5241a5eb2a3ebb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
558ce0f8fb47d4020197093931a20afc

SHA1
4b369ec5fec40edbc6828b769dabaddb5e05175a

SHA256
05bfa3d94943eca9073d657117a471a1f20ae522e67d8ceb693f50e6ca2ae6fb

SHA512
70b9c6651d862f1e755a79b248fd194ca70aa2805e2655fccb74326207b6ca4558be8f8bd7b5692af1b049d1caa415e65d2f8b3bd97d78faa9af272fd1b879a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
972b2536ac42cb5d26cd7379ebb9da69

SHA1
6722bedc8ed258866667102bebaf532abc800712

SHA256
69a674703224294392b8f8be712ef27bf38958cea9d25137ca851e634dd49997

SHA512
71c5cddb142d45f5f33cb2fd0fec863bb1a074d55e6493957b11df3c8ba4a18e8cf35f964bd6749f02c570bc02aab944583d843d907aeba0faa2c8e2948b09e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e3efe4e448a7c7df1f36d6a2d2840f27

SHA1
50501955ea27f478d45a6816a746df4cad48ee4d

SHA256
3ca424b8f24ef2919a1c5e33d4b9930495ab515c8f2ec760a3226a62f20e697c

SHA512
377f70a9792fdbdf6481510c3bfc1b4f48825422622e2a58d1b55432b936012a7a7d33ca3415c9fd5caecf8548d656f19d90b8c8cd7853d41fce913b67a8c843

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
42949c834f52e6d0a3d6654d20b305ff

SHA1
b444b1d7881e90f866c7b9c360485611d7020ade

SHA256
07822d2e90c6c9680354ae50908b15e65874c3918871180e66abbce5ee684bc4

SHA512
0cc33ed2b133cbaf670df65a349f959ce24b419467a0f534c4283b5961d09a243a83a98100ae537277bfba09c206fedb3843b94621592d4bf198e7ad55846c39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8904ecd42358d6597c55ff3b799f12d8

SHA1
31109bda8801a23d513d17e4e6faf022846822c2

SHA256
eedddb082c1908434bbd794a007eceb832cb9bfd2b346b8ca18cec24787a4f7c

SHA512
3756cb7b94fc35bb68955d59672887d58da0b311c9db5e6088534c4e29c863b01df7a44cdae685b480b3160416b23f3ea7af4ae4db6e93f2a63ba368e061a878

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab738E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar743C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\DirectX10.dll

Filesize
1.1MB

MD5
2ee1e467d73642afddb03019f58c252b

SHA1
ea1f3b03f46db029a955190692cecbc571e1d46c

SHA256
5a7d5dafe22082b3ed035d640578ed7b5005edfe80e5c911774ec77a2caff1b3

SHA512
3482715d7c9adbfe61f7834120d1a8fce47ae5d70add285ddcfe8802a5d4a95ae00ae82079b9b9639c5d4fa5126ecfc61e1b09a141c0fea86926e26fc22f9082

Download Submit
memory/2728-2-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-1-0x0000000000411000-0x0000000000412000-memory.dmp

Filesize
4KB

Download
memory/2728-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-4-0x0000000000411000-0x0000000000412000-memory.dmp

Filesize
4KB

Download
memory/2728-452-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-445-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-440-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download