ba91b997d1cf924bf12ea85cebcb840ed1ccc774d1022ebca357ffd3dadc26de

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48c28410f1e65d178b0502fe7352abf9_JaffaCakes118.exe
Size

160KB
MD5

48c28410f1e65d178b0502fe7352abf9
SHA1

881f4bdeb2f2e4a112f3dbd7855dd4d40538f08c
SHA256

ba91b997d1cf924bf12ea85cebcb840ed1ccc774d1022ebca357ffd3dadc26de
SHA512

25656c0021429ce86b943a66cf0641dd87085f362446cc0fc4fe8cc394f4769fe2ec7ce38e277b73e797691860944d751fbfbb551d9e867dd444f6cc1d44a1c3
SSDEEP

1536:9/elR8Hruyv+mMiIAcI9vmQHv51skHMDnHbZAYsMKWqD7WCDYVRaJNGXp+V:F2WLuyv+mMi5cCeeM7FAJM3IymYVZI

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1844	attrib.exe
2980	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	48c28410f1e65d178b0502fe7352abf9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	inlABFC.tmp

Executes dropped EXE 1 IoCs

pid	Process
1856	inlABFC.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\redload\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4219927892"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31118982"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4219927892"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{27249A36-427A-11EF-A174-EEBB2D38B7CC} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4226960192"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31118982"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31118982"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?S"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\redload\\3.bat\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4636	48c28410f1e65d178b0502fe7352abf9_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1856	inlABFC.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4016	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4016	iexplore.exe
4016	iexplore.exe
4260	IEXPLORE.EXE
4260	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 224	4636	48c28410f1e65d178b0502fe7352abf9_JaffaCakes118.exe	91
PID 4636 wrote to memory of 224	4636	48c28410f1e65d178b0502fe7352abf9_JaffaCakes118.exe	91
PID 4636 wrote to memory of 224	4636	48c28410f1e65d178b0502fe7352abf9_JaffaCakes118.exe	91
PID 224 wrote to memory of 1184	224	cmd.exe	93
PID 224 wrote to memory of 1184	224	cmd.exe	93
PID 224 wrote to memory of 1184	224	cmd.exe	93
PID 1184 wrote to memory of 4016	1184	cmd.exe	95
PID 1184 wrote to memory of 4016	1184	cmd.exe	95
PID 1184 wrote to memory of 3632	1184	cmd.exe	96
PID 1184 wrote to memory of 3632	1184	cmd.exe	96
PID 1184 wrote to memory of 3632	1184	cmd.exe	96
PID 1184 wrote to memory of 4296	1184	cmd.exe	97
PID 1184 wrote to memory of 4296	1184	cmd.exe	97
PID 1184 wrote to memory of 4296	1184	cmd.exe	97
PID 4016 wrote to memory of 4260	4016	iexplore.exe	99
PID 4016 wrote to memory of 4260	4016	iexplore.exe	99
PID 4016 wrote to memory of 4260	4016	iexplore.exe	99
PID 4296 wrote to memory of 3604	4296	cmd.exe	100
PID 4296 wrote to memory of 3604	4296	cmd.exe	100
PID 4296 wrote to memory of 3604	4296	cmd.exe	100
PID 4296 wrote to memory of 2684	4296	cmd.exe	101
PID 4296 wrote to memory of 2684	4296	cmd.exe	101
PID 4296 wrote to memory of 2684	4296	cmd.exe	101
PID 4296 wrote to memory of 2908	4296	cmd.exe	103
PID 4296 wrote to memory of 2908	4296	cmd.exe	103
PID 4296 wrote to memory of 2908	4296	cmd.exe	103
PID 4296 wrote to memory of 4272	4296	cmd.exe	104
PID 4296 wrote to memory of 4272	4296	cmd.exe	104
PID 4296 wrote to memory of 4272	4296	cmd.exe	104
PID 4296 wrote to memory of 1264	4296	cmd.exe	105
PID 4296 wrote to memory of 1264	4296	cmd.exe	105
PID 4296 wrote to memory of 1264	4296	cmd.exe	105
PID 4296 wrote to memory of 1844	4296	cmd.exe	106
PID 4296 wrote to memory of 1844	4296	cmd.exe	106
PID 4296 wrote to memory of 1844	4296	cmd.exe	106
PID 4296 wrote to memory of 2980	4296	cmd.exe	107
PID 4296 wrote to memory of 2980	4296	cmd.exe	107
PID 4296 wrote to memory of 2980	4296	cmd.exe	107
PID 4296 wrote to memory of 5068	4296	cmd.exe	108
PID 4296 wrote to memory of 5068	4296	cmd.exe	108
PID 4296 wrote to memory of 5068	4296	cmd.exe	108
PID 4296 wrote to memory of 1588	4296	cmd.exe	109
PID 4296 wrote to memory of 1588	4296	cmd.exe	109
PID 4296 wrote to memory of 1588	4296	cmd.exe	109
PID 4636 wrote to memory of 1856	4636	48c28410f1e65d178b0502fe7352abf9_JaffaCakes118.exe	102
PID 4636 wrote to memory of 1856	4636	48c28410f1e65d178b0502fe7352abf9_JaffaCakes118.exe	102
PID 4636 wrote to memory of 1856	4636	48c28410f1e65d178b0502fe7352abf9_JaffaCakes118.exe	102
PID 5068 wrote to memory of 1188	5068	rundll32.exe	110
PID 5068 wrote to memory of 1188	5068	rundll32.exe	110
PID 5068 wrote to memory of 1188	5068	rundll32.exe	110
PID 4636 wrote to memory of 728	4636	48c28410f1e65d178b0502fe7352abf9_JaffaCakes118.exe	111
PID 4636 wrote to memory of 728	4636	48c28410f1e65d178b0502fe7352abf9_JaffaCakes118.exe	111
PID 4636 wrote to memory of 728	4636	48c28410f1e65d178b0502fe7352abf9_JaffaCakes118.exe	111
PID 1188 wrote to memory of 3960	1188	runonce.exe	113
PID 1188 wrote to memory of 3960	1188	runonce.exe	113
PID 1188 wrote to memory of 3960	1188	runonce.exe	113
PID 1856 wrote to memory of 2136	1856	inlABFC.tmp	115
PID 1856 wrote to memory of 2136	1856	inlABFC.tmp	115
PID 1856 wrote to memory of 2136	1856	inlABFC.tmp	115

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1844	attrib.exe
2980	attrib.exe

C:\Users\Admin\AppData\Local\Temp\48c28410f1e65d178b0502fe7352abf9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\48c28410f1e65d178b0502fe7352abf9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s_Mg_l_219.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4016
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4016 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4260
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\1.inf
      4⤵
      PID:3632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\2.bat
      4⤵
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:4296
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:3604
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
        5⤵
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:2684
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f
        5⤵
        
        PID:2908
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        Modifies registry class
        
        PID:4272
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\redload\3.bat""" /f
        5⤵
        Modifies registry class
        
        PID:1264
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1844
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2980
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\2.inf
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5068
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        
        PID:3960
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 D:\VolumeDH\inj.dat,MainLoad
        5⤵
        
        PID:1588
- C:\Users\Admin\AppData\Local\Temp\inlABFC.tmp
  C:\Users\Admin\AppData\Local\Temp\inlABFC.tmp
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlABFC.tmp > nul
    3⤵
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\48C284~1.EXE > nul
  2⤵
  PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5G8JI3LV\favicon[1].htm

Filesize
802B

MD5
b4f7d6a0d3f6605440a1f5574f90a30c

SHA1
9d91801562174d73d77f1f10a049c594f969172a

SHA256
e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd

SHA512
c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\360mohesetup.exe

Filesize
794B

MD5
1bc415b31cdff50d79ea2a3d7b4ff2c1

SHA1
f5ebab61deebc3d7a4a6676a23b982f1418ae6a6

SHA256
582ea6421c80adc1de2dcb34fb8db1926e34b49219d99306693166a6b268d412

SHA512
ee9718e829fa7c6b2e3b208fe99acd390d704a4ad037fd9b5ae231db184f48146792fb1ac028a69224ddca2c3195ef2aa5353ee6bc7abe01157773f4a6e50e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
791B

MD5
1706b41fd446b5718a8419c0fcb35d55

SHA1
d9bb8df22acdc60c754ac14982cf795df3b1b815

SHA256
5c6d11ac3f220f8286455764ab2581dcb6554692d3b9974b097364d77edb3943

SHA512
68c9f6170ecdfcc79fc63cb646901d2ac52a915620b159047b2c93761c261897eb5ecc15065635105637a61a840d393104c15ea8268897fb8bb2fbc1a56c626e

Download Submit
C:\Users\Admin\AppData\Local\Temp\s_Mg_l_219.bat

Filesize
54B

MD5
504490369970f1c0eb580afbcdf91618

SHA1
b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971

SHA256
a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43

SHA512
5495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad

Download Submit
C:\Users\Admin\AppData\Roaming\redload\1.bat

Filesize
3KB

MD5
168976102055ae6902b5d251d4b39401

SHA1
37c28d5b4d19bf3ef0be7be04ac4b54c71866773

SHA256
aabf9954046b451c6287c18b37448dbce289b0a76bb0bcbe72b7e97b6ebfc9fc

SHA512
95474e88ce99544ab19d25c3f96b348b99733858b8382baeedce62748444b529e55c0c4df84c20ff05eb7b3172baaa22ade7604c7288b536e1895cd95dbc42a6

Download Submit
C:\Users\Admin\AppData\Roaming\redload\2.bat

Filesize
3KB

MD5
428b15afd0f31b5f77d86f84a2e0bf36

SHA1
e76c640936f9ea1a4cf0f26e5417d4cbbde08ea2

SHA256
390a9eb07646fea162115045ea2b76a3a248d8823e7dc4a54851c39463ddfdb5

SHA512
3272917c8a65641eb39c280ba2f23c359145d8951ec78d803143fdbfa87cf6233a4d3a03607bcae7703f718dc592297aefc69726086a206e5d0bffd5655d8ca4

Download Submit
C:\Users\Admin\AppData\Roaming\redload\2.inf

Filesize
248B

MD5
2197ffb407fb3b2250045c084f73b70a

SHA1
3d0efbacba73ac5e8d77f0d25d63fc424511bcf6

SHA256
a1a42f5a41ce65135b1ad525eabc04cce89ee07d2f51d06e5e1dea6047081591

SHA512
b35a99e144da3f02de71158f58a6b937435d1bce941126a554783c667654b880527b11ba8a5c0fcf093ce28863ea4f5e60f73f8f973a727f177d584d2e9c80fe

Download Submit
C:\Users\Admin\AppData\Roaming\redload\4.bat

Filesize
5.8MB

MD5
5829ced52c496d58f4a45a1858a00a55

SHA1
3bac60e6c9168d64f44dc71c710c4a05d58f5c1c

SHA256
d98e4cae76196776eafb5d46c1318fcae2e5d9433b24c019c696f3b1b9ef3c11

SHA512
f99da3f3915afe5bca1e174a01d8d70d103f2920669646840649809e2a35c9e5934f1ea6ce0bdd573cdd7f43ae208b87a27c2e3425cc867e4e05b16f269cca42

Download Submit
memory/4016-80-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-92-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-69-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-71-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-68-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-72-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-74-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-67-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-75-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-77-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-65-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-64-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-70-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-62-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-54-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-59-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-82-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-83-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-81-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-44-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-58-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-85-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-84-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-86-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-87-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-57-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-88-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-94-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-93-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-96-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-97-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-102-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-61-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-108-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-109-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-110-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-112-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-107-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-106-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-60-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-154-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-56-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-149-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-151-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-155-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-156-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-153-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-150-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4016-158-0x00007FF927150000-0x00007FF9271BE000-memory.dmp

Filesize
440KB

Download
memory/4636-127-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4636-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads