efe438f027c6ff5a6b80a4642176141ddda0c2bdc081ed914999d878e084d066

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe
Size

476KB
MD5

772bc1a33bed6e7a8c3e2b0974ff550a
SHA1

4196ddb42254e377e8066d33f6a60be92bc3bd81
SHA256

efe438f027c6ff5a6b80a4642176141ddda0c2bdc081ed914999d878e084d066
SHA512

e952ab3ef6da8c3703c7a888efe1c081ad85e5e083b3ba4293590e162a80b40976f6777087185107b49e9fc5b87186c59eff11bcb5840cbc8d0e198307c8a420
SSDEEP

6144:ckMICtzWkvpia97cVsG9nJdxRh0R0VutL4O3igTVmTqL//VLJRLYOXTSbMyAG:ckmxnpia+1P0R0Vmv37T8TqRJB9XTSbB

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y3417IF5-TD47-XG24-UIO8-6I1V14MSG53J}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y3417IF5-TD47-XG24-UIO8-6I1V14MSG53J}\StubPath = "C:\\Windows\\system32\\System32\\Explorer.exe Restart"	explorer.exe

Loads dropped DLL 4 IoCs

pid	Process
1252	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe
1252	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe
1252	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe
1252	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe Picture Format\\Adobe Picture Format\\1.1.2.262\\772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe"	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\System32\logse.dat	explorer.exe
File opened for modification	C:\Windows\SysWOW64\System32\logse.dat	explorer.exe
File created	C:\Windows\SysWOW64\System32\Explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\System32\Explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\System32\plugin.dat	explorer.exe
File opened for modification	C:\Windows\SysWOW64\System32\	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1252 set thread context of 2772	1252	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe	87

Program crash 1 IoCs

pid	pid_target	Process	procid_target
468	4996	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2772	vbc.exe
2772	vbc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	vbc.exe
Token: SeDebugPrivilege	2772	vbc.exe
Token: SeDebugPrivilege	2772	vbc.exe
Token: SeDebugPrivilege	2772	vbc.exe
Token: SeDebugPrivilege	4996	explorer.exe
Token: SeDebugPrivilege	4996	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2772	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2772	1252	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe	87
PID 1252 wrote to memory of 2772	1252	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe	87
PID 1252 wrote to memory of 2772	1252	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe	87
PID 1252 wrote to memory of 2772	1252	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe	87
PID 1252 wrote to memory of 2772	1252	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe	87
PID 1252 wrote to memory of 2772	1252	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe	87
PID 1252 wrote to memory of 2772	1252	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe	87
PID 1252 wrote to memory of 2772	1252	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe	87
PID 1252 wrote to memory of 2772	1252	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe	87
PID 1252 wrote to memory of 2772	1252	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe	87
PID 1252 wrote to memory of 2772	1252	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe	87
PID 1252 wrote to memory of 2772	1252	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe	87
PID 1252 wrote to memory of 2772	1252	772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe	87
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56
PID 2772 wrote to memory of 3416	2772	vbc.exe	56

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:768
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:660

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:788
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:2888
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3724
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3816
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3880
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3964
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3520
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:3936
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4428
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4660
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:2148
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:1004
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:1944
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1188
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1444
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1724

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2588

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3340

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3416
- C:\Users\Admin\AppData\Local\Temp\772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\772bc1a33bed6e7a8c3e2b0974ff550a_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4996
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1028
        5⤵
        Program crash
        
        PID:468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2428

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4996 -ip 4996
1⤵
PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\User32.dll

Filesize
18KB

MD5
5fa07d6c6384d703766d7935de68850e

SHA1
62f28a572b4d1d359db7017235912ad2599b8c1d

SHA256
120e15dcc4a957649553cd92a5477db9dcbfd9a2cd821e1c904044b5a92d726f

SHA512
7775375f44e0cb00f9bffc023d797dbdb01ebe8429ccfacd7df57beb04427ef309c192d571051242aad1bc400f721f449f86deeb1e5f5d64b6f516bf24e92cc4

Download Submit
memory/1252-0-0x0000000074D82000-0x0000000074D83000-memory.dmp

Filesize
4KB

Download
memory/1252-1-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/1252-2-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/1252-25-0x0000000074D80000-0x0000000075331000-memory.dmp

Filesize
5.7MB

Download
memory/2772-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2772-23-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2772-26-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2772-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2772-27-0x0000000010410000-0x0000000010441000-memory.dmp

Filesize
196KB

Download
memory/2772-1153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4996-36-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/4996-35-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/4996-531-0x0000000010450000-0x0000000010481000-memory.dmp

Filesize
196KB

Download
memory/4996-582-0x0000000010450000-0x0000000010481000-memory.dmp

Filesize
196KB

Download