1ccc871ef6a00bd3993ce8b9e3f70045c0022aa9b4a03c61faa3dc75979e61ac

Analysis

max time kernel
116s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 00:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Size

336KB
MD5

84198e422a176a3d3d949e834d6847e7
SHA1

a1e716fb1d40b322ea3121ffcfadb62491ec6010
SHA256

1ccc871ef6a00bd3993ce8b9e3f70045c0022aa9b4a03c61faa3dc75979e61ac
SHA512

5156dbd8509a787fcab6f9b63a2aca1db98a0b50a9bcdc13c584ef2cb512fc90c8356545bb6bbc5e5dfb086e69490f60e0911c7386eb6fd0c2cd53966008d4a2
SSDEEP

6144:M7LdlbxFlRg3tx6Uu8Rhv4DfmX9+xykuHm5TZKw9lprPbDJ0wBD07oS9pdzK8AxK:adlbrg3tYUuahA6X95kuG5TZKw9DrP3e

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe

Loads dropped DLL 19 IoCs

pid	Process
4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\NoExplorer = "1"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Playbryte\uninstall.exe	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GACLock.dat	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
File created	C:\Windows\assembly\ngenlock.dat	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\tmp\B84ELYH8\__AssemblyInfo__.ini	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
File created	C:\Windows\assembly\tmp\4GIXZA1H\AxSHDocVw.dll	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\tmp\4GIXZA1H\__AssemblyInfo__.ini	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
File created	C:\Windows\assembly\tmp\B84ELYH8\SHDocVw.dll	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3336	cmd.exe
3888	PING.EXE

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}\DisplayName = "Search"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}\ShowSearchSuggestions = "1"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}\FaviconPath = "c:\\Program Files\\Playbryte\fav.ico"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}\SuggestionsURL = "http://clients5.google.com/complete/search?hl={language}&q={searchTerms}&client=ie8&inputencoding={inputEncoding}&outputencoding={outputEncoding}"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}\URL = "Playbryte-fa/search/redirect/?type=default&user_id=575bf852-cf77-41f3-a5b8-86172a2a1b17&query={searchTerms}"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{b278d9f8-0fa9-465e-9938-0c392605d8e3} = "PlayBryte Toolbar"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32\1.1.0.0\CodeBase = "C:\\Users\\Admin\\AppData\\LocalLow\\Playbryte\\Assemblies\\1\\BrowserObjects.dll"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{49E5A200-45E4-34EC-9ED3-1C09BEA2D845}\1.1.0.0	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DA62727A-E124-3E4C-B21F-B5774407C35F}\1.1.0.0\CodeBase = "file:///C:/Windows/assembly/GAC/SHDocVw/1.1.0.0__51b6fa9a48c79a9e/SHDocVw.dll"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B0C9160E-DDE2-3323-BD7E-C37DE1F8968D}\1.1.0.0	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{65507BE0-91A8-11D3-A845-009027220E6D}\1.1.0.0\RuntimeVersion = "v1.1.4322"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8317D46-03CB-4975-AE94-85E9F2E1D020}\1.1.0.0\Class = "SHDocVw.NewProcessCauseConstants"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32\Assembly = "BrowserObjects, Version=1.1.0.0, Culture=neutral, PublicKeyToken=00039a55b1b77fcc"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32\CodeBase = "C:\\Users\\Admin\\AppData\\LocalLow\\Playbryte\\Assemblies\\1\\BrowserObjects.dll"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32\1.1.0.0\Assembly = "BrowserObjects, Version=1.1.0.0, Culture=neutral, PublicKeyToken=00039a55b1b77fcc"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{49E5A200-45E4-34EC-9ED3-1C09BEA2D845}\1.1.0.0\RuntimeVersion = "v1.1.4322"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{34A226E0-DF30-11CF-89A9-00A0C9054129}	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{34A226E0-DF30-11CF-89A9-00A0C9054129}\1.1.0.0	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3EA6E86E-0B72-36D8-A43D-C6A50A53FC5A}\1.1.0.0\CodeBase = "file:///C:/Windows/assembly/GAC/SHDocVw/1.1.0.0__51b6fa9a48c79a9e/SHDocVw.dll"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32\ = "mscoree.dll"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DA62727A-E124-3E4C-B21F-B5774407C35F}\1.1.0.0\RuntimeVersion = "v1.1.4322"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B0C9160E-DDE2-3323-BD7E-C37DE1F8968D}	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{65507BE0-91A8-11D3-A845-009027220E6D}\1.1.0.0\CodeBase = "file:///C:/Windows/assembly/GAC/SHDocVw/1.1.0.0__51b6fa9a48c79a9e/SHDocVw.dll"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8317D46-03CB-4975-AE94-85E9F2E1D020}\1.1.0.0	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\ = "PlayBryte BHO"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\HelpText = "PlayBryte BHO"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32\ThreadingModel = "Both"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B0C9160E-DDE2-3323-BD7E-C37DE1F8968D}\1.1.0.0\RuntimeVersion = "v1.1.4322"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8317D46-03CB-4975-AE94-85E9F2E1D020}\1.1.0.0\CodeBase = "file:///C:/Windows/assembly/GAC/SHDocVw/1.1.0.0__51b6fa9a48c79a9e/SHDocVw.dll"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32\RuntimeVersion = "v1.1.4322"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32\1.1.0.0	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DA62727A-E124-3E4C-B21F-B5774407C35F}\1.1.0.0\Class = "SHDocVw.OLECMDEXECOPT"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{65507BE0-91A8-11D3-A845-009027220E6D}\1.1.0.0\Assembly = "SHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=51b6fa9a48c79a9e"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\Implemented Categories	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32\1.1.0.0\RuntimeVersion = "v1.1.4322"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{49E5A200-45E4-34EC-9ED3-1C09BEA2D845}	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DA62727A-E124-3E4C-B21F-B5774407C35F}\1.1.0.0	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8317D46-03CB-4975-AE94-85E9F2E1D020}\1.1.0.0\RuntimeVersion = "v1.1.4322"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{49E5A200-45E4-34EC-9ED3-1C09BEA2D845}\1.1.0.0\CodeBase = "file:///C:/Windows/assembly/GAC/SHDocVw/1.1.0.0__51b6fa9a48c79a9e/SHDocVw.dll"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DA62727A-E124-3E4C-B21F-B5774407C35F}\1.1.0.0\Assembly = "SHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=51b6fa9a48c79a9e"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{65507BE0-91A8-11D3-A845-009027220E6D}	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32\Class = "PlayBryte.BrowserObjects.BHO"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{34A226E0-DF30-11CF-89A9-00A0C9054129}\1.1.0.0\RuntimeVersion = "v1.1.4322"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{65507BE0-91A8-11D3-A845-009027220E6D}\1.1.0.0\Class = "SHDocVw.SecureLockIconConstants"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8317D46-03CB-4975-AE94-85E9F2E1D020}\1.1.0.0\Assembly = "SHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=51b6fa9a48c79a9e"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\MenuText = "PlayBryte BHO"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3EA6E86E-0B72-36D8-A43D-C6A50A53FC5A}	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B0C9160E-DDE2-3323-BD7E-C37DE1F8968D}\1.1.0.0\CodeBase = "file:///C:/Windows/assembly/GAC/SHDocVw/1.1.0.0__51b6fa9a48c79a9e/SHDocVw.dll"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{34A226E0-DF30-11CF-89A9-00A0C9054129}\1.1.0.0\Class = "SHDocVw.CommandStateChangeConstants"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{49E5A200-45E4-34EC-9ED3-1C09BEA2D845}\1.1.0.0\Class = "SHDocVw.OLECMDF"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{49E5A200-45E4-34EC-9ED3-1C09BEA2D845}\1.1.0.0\Assembly = "SHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=51b6fa9a48c79a9e"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{65507BE0-91A8-11D3-A845-009027220E6D}\1.1.0.0	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{34A226E0-DF30-11CF-89A9-00A0C9054129}\1.1.0.0\Assembly = "SHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=51b6fa9a48c79a9e"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3EA6E86E-0B72-36D8-A43D-C6A50A53FC5A}\1.1.0.0	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3EA6E86E-0B72-36D8-A43D-C6A50A53FC5A}\1.1.0.0\Class = "SHDocVw.OLECMDID"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8317D46-03CB-4975-AE94-85E9F2E1D020}	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3EA6E86E-0B72-36D8-A43D-C6A50A53FC5A}\1.1.0.0\Assembly = "SHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=51b6fa9a48c79a9e"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DA62727A-E124-3E4C-B21F-B5774407C35F}	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B0C9160E-DDE2-3323-BD7E-C37DE1F8968D}\1.1.0.0\Class = "SHDocVw.tagREADYSTATE"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B0C9160E-DDE2-3323-BD7E-C37DE1F8968D}\1.1.0.0\Assembly = "SHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=51b6fa9a48c79a9e"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61e0ef7a-9bc0-45ea-9b2f-f3e9f02692bd}\InProcServer32\1.1.0.0\Class = "PlayBryte.BrowserObjects.BHO"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{34A226E0-DF30-11CF-89A9-00A0C9054129}\1.1.0.0\CodeBase = "file:///C:/Windows/assembly/GAC/SHDocVw/1.1.0.0__51b6fa9a48c79a9e/SHDocVw.dll"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3EA6E86E-0B72-36D8-A43D-C6A50A53FC5A}\1.1.0.0\RuntimeVersion = "v1.1.4322"	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3888	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 3336	4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe	87
PID 4368 wrote to memory of 3336	4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe	87
PID 4368 wrote to memory of 3336	4368	84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe	87
PID 3336 wrote to memory of 3888	3336	cmd.exe	89
PID 3336 wrote to memory of 3888	3336	cmd.exe	89
PID 3336 wrote to memory of 3888	3336	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\84198e422a176a3d3d949e834d6847e7_JaffaCakes118.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Playbryte\Assemblies\1\BrowserObjects.dll

Filesize
200KB

MD5
9dc23cb6a2c0c256146218b4932fe947

SHA1
fc44d04bb5ecd3cb66c604af5872b97a491ed71f

SHA256
9523532c02c5894559d67013135fd2781d4d2438668480fa0095e216d40e2dcb

SHA512
5b583e6de105f38015c93cd17ee904560e44b2c892bdc0b80987e5ad225014aaf7d5dfb6f6079ac422cbe7d7af2f526abf59efc533918c6f9c4cb57b52f143d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\FFAboutBlankSearch.txt

Filesize
2KB

MD5
0fff1a900fb1df3bac2b22b12d6e79f1

SHA1
f7eb355a39ae0625a6ac6b0676cfc3dc83565ce0

SHA256
3c98525664420880d906dfc5ee6594ef68310f26c80d7453d5fa5f16ae478d01

SHA512
66d7ac0b0f214e3ed8c48e4e05d2eec4803465709ba36a7c9bbc22f8b92d1d17e9ec3913dc2296d53275ac4fcbd5af86e333523f11c7315ade8e48f26a2a1a91

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\Toolbar.xml

Filesize
145B

MD5
8d28ff2b37c1f274f38de3504058a228

SHA1
5d6c11f263a8d3b41bb166f632c7f1948b54ff3c

SHA256
99bfee7121f795533d9e7b6ca3536f9ac52c2055e11fc3bc93a28f02207f0dba

SHA512
5d186ab2c196115830a67ae416170491709f0ea8fdafba052d3c1548beb5c820c3425f314ae1c8897b9c283b250f41e2a4066ef2c8b12bdcb897b3a87ef75b09

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome.manifest

Filesize
202B

MD5
8231f24a28fa90ba8a74f248392cb935

SHA1
2eaafbecd8a8e49a06bc927f2f06fc694d50207a

SHA256
52b4b8fceb31dbbc905e34b80a65b5ce63d89378443f7ed3b2caaa03d1042a5c

SHA512
4234ecdf78cde0fc00f9ff2214204e31f50a5ff7ad21ea7d330ef38fe9cfddb56a0cb969a0d49af3fdb8f75e64430d10b6f1abea6843f4c3e743f28720ef52dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\Thumbs.db

Filesize
42KB

MD5
a13a252d2d526907d84cc888ff86ff7e

SHA1
42645ce4e718729672ad861e69b9fdc64e11476e

SHA256
c834466ab8d08d9deaf470494f06dd2442d446f7883a74559bf90987cc1725a6

SHA512
ada28aa68b46a9c46a5aa70f9531461c3cae7e10c6eae07c47a5c7352e93f07f59f9f81ab358dfcc7019f9c3f724fadf41033539bc26ffa79d30f30c30420500

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\browserwindow.js

Filesize
5KB

MD5
d9d55dec62f1b565e5dadd48a4fee277

SHA1
9cf277fdeb092dfcf260aea3663d97edbfdc4730

SHA256
132aaf282e95f7a5e2b4cbce54f6eb76d175e6d20d50364faa3e1231046c70d2

SHA512
cfc10f839f9fa0d280141946e3ac324dd28aae352356fde5ebfc552d9a039487edcaea35b00b0b16053cae4e1d8cff043a79fd59b6a23f1a9a093a1ccf645f95

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\browserwindow.xul

Filesize
639B

MD5
bfca47419dfbee66e46977f59df93911

SHA1
ed21f6e531bd37ee3febdc649a6b1ccc2a18e0f6

SHA256
a60484bdd267f15fbabf1f7894aaa8d8cb097ddb3f03805f789a84830ac6b07c

SHA512
b051f344c29f0623454d040e164cfa7067d620d469329a7262edabed697bdf481d356c34545945c2a8a1289cdf35804218d297d1a87aebde366b2d473b8ad1ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\fileio.js

Filesize
7KB

MD5
5f7e7f18f270df208d51a3c8a95d8715

SHA1
f565472885ebd55bebabd88f2888d87a060cb22c

SHA256
411370465bc13225f2caf2dff432d639eeddeb0a531a16c31513ddc834aee6ea

SHA512
ec4acfa1ab758f2f1f793f4a1d393d0313f60a9cdbb89c983def18dc138396e3471997a33e332cc9edcecffb112f2b346516a0f537e2996c4eaec934d241739b

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\images\hidden.png

Filesize
135B

MD5
9ffce671bc7bd4fbcf202f06c2cb1128

SHA1
58ae75aab8a6e10523b594fe89ac64958c909df1

SHA256
794658e1c5cc2fdabc604b62c8deda9ced96adbda66207915e5551a4ddde65d6

SHA512
38eb938cc39317bf00270d6ec3b128fe24116fa9d54e885106f7f6dae2b31581bf2e75ab1ec7f090fcbd6e6d59214d50d0f04c054a769019c893f1c7a82e2964

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\inline\inline.js

Filesize
5KB

MD5
2393045d94ee767445d77413ce06eaf9

SHA1
a6bca7ea188506de1c5f5fde23f0082839820868

SHA256
3effbe8523d2fe06f2e0dfa6eb81760a1e2a7a2f1223fbe4c72d6b1b689f5fef

SHA512
2ab40229c51f6c8d0e3f5666fb7f3822e892d288ab31db78cd87ea7710c32563ed268af6b0580cfeaa4383d900edc09a9ff520dcc42af53eb3baa55bed24a6a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\json.js

Filesize
18KB

MD5
6e0f67dbbfc82ae0d7fe8500f501e426

SHA1
5de8795c78d44c77869ae7c96f9fe6f139c8829f

SHA256
8e82c7944c69af6792c22c193382a7ae5b9018b3bcfa8aa748e63b592c430f36

SHA512
4daba5571698a108ebcf4ef8fa87c8acbf3b9930512473b2ae91764732580b06fcd58567b3b1262eab9582c438e7db3c4fbdb540cf97e9a71ef5ead54f934a41

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\login.xul

Filesize
767B

MD5
1e4dd5da9f4e36addbea3c7d7ab0232b

SHA1
c0ff7d2094598fd457b420a910d393dde1bcac24

SHA256
e693228ae152b04bba35fed764b610a8acf3616cde1c4088e91da6f396fe4b97

SHA512
25ba550249508b2832ae66cfd45bd030f60366b34fcc6501cd6dda7ca0d0ec0918fa46ef0487fc4adafb92a5ec17dd86cbb8cd13a909920452f846cf99fae6ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\menu.xul

Filesize
676B

MD5
4d98e8cfb5770628cb652bcf052d7c53

SHA1
e5554c32040eb61bd2ed8c8c789c913dc96f6bb8

SHA256
2b0837acdff995a45af64703b606ae34eadfc083738eb79fc274e65a5a06b2d5

SHA512
956ea261fa6c3ab5512b1e8b4001b8f6d5d1f56e33f44047aae64a05dacbe54fa8a9a980bb9f505ca57c4bc5021faa5b406e9b0bbc958fe1aa30552c2d6465cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\share_link.xul

Filesize
1KB

MD5
57363ff93f4a979202182f7f9b10b30b

SHA1
fa53754a8f9d71654b221061c057101bf0dc8064

SHA256
ca82863da4d7bbb8d011b2c10c697f84eaf101a1885c20e3d4d48756085de90e

SHA512
2da969c40b047928b19c880339f288abc2e004c1f9fb82da4b44df05d439ed2c39ea3bcc1d1c31e48be90fe495e685e3e3ebd2875619756279930448d8bd161a

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\sidebar.js

Filesize
50KB

MD5
42b9217e3cd998d7948b88ea333b5997

SHA1
3750d7838a801e780b88cfe8dc5884bd8c0f182e

SHA256
17fb39dc5f672dc5f1757287edcef647e35993fff62c20644661e73ff045d6ca

SHA512
dc5a3b9e5343f5418b51a40ffc7b8580fd195ce771fd6637bec906213d261f842a1c82c8579460f177a45dae117ea8091c89f628dac89023bad83de8ff22bc02

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\sidebar.xul

Filesize
4KB

MD5
e1ab49072ee7dd16d4e41893dfd5e8d6

SHA1
a6337106cf1ea477d58026fd4e4712f0efc8a650

SHA256
a1bafae8eb6ce28c352279322dc56e8efe9fecc132f1f7e887690be5aae53c12

SHA512
d23c0f3954b33bb1b400886618ce5375d17e63489a3a3a83d23e97d594c1dc57f7de7b19fcb9220bba5dea3721242863b1b8c234ca3337ef6fb84953c4fd9309

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\toolbar.js

Filesize
43KB

MD5
56b3b0011f6f4778231f195ebf08a402

SHA1
ff13dc0da813dc375082fcad59cf9a5316c80a01

SHA256
8857d9e54794d8412792690cc180cfb006f04d944aaeb5f1b0a7c38f31b6b2fa

SHA512
6fa1e5026676871d6417c0d55334f5fddc10676225c8e879cd804348107aa8f9b1ef648b86d2de97df2ed424717df2a7649f84e0e3751e62d05c291672382e82

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\toolbar.xul

Filesize
1KB

MD5
75bc4ef477a2da9d2b324e29cdec0d5d

SHA1
fb921129f50557c7ac27142f5d4f023af771c016

SHA256
a5467ba36344a7ea253c09c76a654cdaec3956c806989397daf013b5c0852e9d

SHA512
dbb78aee7803cfd58916db83fb6e763f2b4fbf7ded2e5a70972c4afc1774ee3fcd5da95d12af5154b4ac97e0b8528c6ec56098a104198932a5f9e28f93fbdc73

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\toolbarsidebarshared.js

Filesize
32KB

MD5
d952cf8275b94892a23fd5e45229299d

SHA1
dbb120efe746d42c41a448e973c32a61807115fc

SHA256
3337796b9c6f0dbd883d63ee51add669128f56a3534e605e4a77922020674f27

SHA512
5289887519dfdae1e97726b23e09222c61dda1165269218849ece08d52423f70fdaaf17c6362c85dc43acb955a7949c7b2a6df3e60c2365a23dba41dec86fce0

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\update_status.xul

Filesize
1KB

MD5
bd45a43882e268e61265ec944b5d97a4

SHA1
ada640b2fc6d1e85da6b5ee7113a992f5947d6a2

SHA256
c02e88a95d218c39ee91338fd33c8f162bd59e0e2be85269221ee4e41d98a283

SHA512
25be11e3b19ea7d148345aeffcb84b27bd5020ce0c66a5c00537d7b5d3e5895dba2680cb717bac11dc3d0290d74dd40c141b372e786b6d477b64e43c1374cb3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\chrome\content\windows.js

Filesize
3KB

MD5
ea2f31f782aa28f0d6fc1ef57a8dbd86

SHA1
48e34ad8db9382d7868019d225f7b7cd7b58351c

SHA256
08df0958b78f538bf3b78413da5b091857361bd0660a9c882b9c791338079782

SHA512
1b45f31ed0e9857a35093031ca274f8a58f4c87d76b26dad421a5edb5babc2f457d45659190552af1da49420780fd28149112c59245334bc6da4bb729a09c8b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\Firefox\[email protected]\install.rdf

Filesize
926B

MD5
a42bb90b389338ade7a6122b87d1d48b

SHA1
dbf8a4f19c8a33de785b57df5e3856c0f2443d4b

SHA256
1284a975891efce56bf54394d4fb8b53c2399fae8842b96b2d4673f771ce972a

SHA512
ad2d46cf342377b863add02ce5dba20782c54df380017b6d36ef72a669ffd7568b857ae72cf2885421c5087124dc31e39d370c1ad7c00cf2534e335f96556483

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\GAC\AxSHDocVw.dll

Filesize
48KB

MD5
353d0856ef87852e6b45a66dc18f22c4

SHA1
8ed092b9fd9b3993e4c4c5f7ddc055e20383fd62

SHA256
f85b9aa13d5dbdc953625bfdd178df82da6694b2724fd2d2ee1185ae57348c95

SHA512
222078090eb5d82ee3eb3ef4854a7d3f1802e3f25512cee9ad58a3dcc19b724bc8fe381a86c33d536a5765ae5243b8c8f32bbb93e93a645a3fd9e64a708b33b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Playbryte\GAC\SHDocVw.dll

Filesize
132KB

MD5
3f1a1cc32e039f36221d7934d9cf610d

SHA1
a1390fb8decd211e50860ed312515733ea829c98

SHA256
b10384df060591538d73cae468d6d66f606cd7cb752281de6161dd743f0c3dd7

SHA512
5cd052c6dfa098d91b494aa87ab580b1ea74367b5830a318cc5431a93299b5119f0870d2cefda29598a9e28990a70dbdfb5bc19f52849b11381112f1b98329fe

Download Submit
C:\Windows\assembly\GAC\SHDocVw\1.1.0.0__51b6fa9a48c79a9e\__AssemblyInfo__.ini

Filesize
266B

MD5
2004b98afb98581dddf658f1251e0807

SHA1
1323e5ca996e08a6c5a88ba998184dcb7828bb3c

SHA256
cd30bc957898be764c914753dacb6342c9fb903a6ebab53bc2ee3561969c986c

SHA512
6fbb1e95d5592c7601f1ce1570846156823b53ef9c8cc2aab59342ad3ac2f66108cf3ac16d43556d8f9fdf3fbbb95a6165ff449cf7d8cac64a855aa6bcc2c2a9

Download Submit
memory/4368-0-0x0000000074A32000-0x0000000074A33000-memory.dmp

Filesize
4KB

Download
memory/4368-2-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/4368-1-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/4368-235-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads