0f6cd4e8159b243b7de4a18711fc39624491759beccb01386438f52175aad4b1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe
Size

345KB
MD5

86c4c35439fd5cfe3aff15e8765e2050
SHA1

e12e37c922d5b97c055f5d82f1a6fa7db9ad3e66
SHA256

0f6cd4e8159b243b7de4a18711fc39624491759beccb01386438f52175aad4b1
SHA512

7858a9577ac4ce24d974914a2b25a7c2920c137bcc3dd2af91846bf618c85c6cff57d84a8e26a2840e48b23412ad5c41482a133c22d1958f7ccd674eadd5bd84
SSDEEP

6144:CO+v5qbv5qPyMmQpPmzs0dsa+Ql4oe4351qaey0YICpmpod:EqdqPRHPmzs0ebFi35befepmpI

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5052	ydizvelyxui.exe
2628	ydizvelyxui.exe

Loads dropped DLL 4 IoCs

pid	Process
3280	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe
3280	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qiaxqi = "C:\\Users\\Admin\\AppData\\Roaming\\Teopugfuosu\\ydizvelyxui.exe"	ydizvelyxui.exe

Drops autorun.inf file 1 TTPs 12 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Autorun.inf	ydizvelyxui.exe
File opened for modification	C:\Autorun.inf	ydizvelyxui.exe
File created	F:\Autorun.inf	ydizvelyxui.exe
File opened for modification	F:\Autorun.inf	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe
File opened for modification	C:\Autorun.inf	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe
File created	D:\Autorun.inf	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe
File opened for modification	D:\Autorun.inf	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe
File created	F:\Autorun.inf	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe
File created	D:\Autorun.inf	ydizvelyxui.exe
File opened for modification	D:\Autorun.inf	ydizvelyxui.exe
File opened for modification	F:\Autorun.inf	ydizvelyxui.exe
File created	C:\Autorun.inf	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4680 set thread context of 3280	4680	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe	87
PID 5052 set thread context of 2628	5052	ydizvelyxui.exe	93

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ydizvelyxui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ydizvelyxui.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3280	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe
3280	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe
2628	ydizvelyxui.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3280	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe
Token: SeSecurityPrivilege	3280	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe
Token: SeSecurityPrivilege	3280	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe
Token: SeSecurityPrivilege	3280	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe
Token: SeSecurityPrivilege	2628	ydizvelyxui.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 3280	4680	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe	87
PID 4680 wrote to memory of 3280	4680	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe	87
PID 4680 wrote to memory of 3280	4680	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe	87
PID 4680 wrote to memory of 3280	4680	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe	87
PID 4680 wrote to memory of 3280	4680	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe	87
PID 4680 wrote to memory of 3280	4680	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe	87
PID 4680 wrote to memory of 3280	4680	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe	87
PID 4680 wrote to memory of 3280	4680	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe	87
PID 3280 wrote to memory of 5052	3280	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe	88
PID 3280 wrote to memory of 5052	3280	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe	88
PID 3280 wrote to memory of 5052	3280	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe	88
PID 5052 wrote to memory of 2628	5052	ydizvelyxui.exe	93
PID 5052 wrote to memory of 2628	5052	ydizvelyxui.exe	93
PID 5052 wrote to memory of 2628	5052	ydizvelyxui.exe	93
PID 5052 wrote to memory of 2628	5052	ydizvelyxui.exe	93
PID 5052 wrote to memory of 2628	5052	ydizvelyxui.exe	93
PID 5052 wrote to memory of 2628	5052	ydizvelyxui.exe	93
PID 5052 wrote to memory of 2628	5052	ydizvelyxui.exe	93
PID 5052 wrote to memory of 2628	5052	ydizvelyxui.exe	93
PID 3280 wrote to memory of 5116	3280	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe	94
PID 3280 wrote to memory of 5116	3280	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe	94
PID 3280 wrote to memory of 5116	3280	86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe	94
PID 2628 wrote to memory of 2564	2628	ydizvelyxui.exe	44
PID 2628 wrote to memory of 2564	2628	ydizvelyxui.exe	44
PID 2628 wrote to memory of 2564	2628	ydizvelyxui.exe	44
PID 2628 wrote to memory of 2564	2628	ydizvelyxui.exe	44
PID 2628 wrote to memory of 2564	2628	ydizvelyxui.exe	44
PID 2628 wrote to memory of 2580	2628	ydizvelyxui.exe	45
PID 2628 wrote to memory of 2580	2628	ydizvelyxui.exe	45
PID 2628 wrote to memory of 2580	2628	ydizvelyxui.exe	45
PID 2628 wrote to memory of 2580	2628	ydizvelyxui.exe	45
PID 2628 wrote to memory of 2580	2628	ydizvelyxui.exe	45
PID 2628 wrote to memory of 2904	2628	ydizvelyxui.exe	52
PID 2628 wrote to memory of 2904	2628	ydizvelyxui.exe	52
PID 2628 wrote to memory of 2904	2628	ydizvelyxui.exe	52
PID 2628 wrote to memory of 2904	2628	ydizvelyxui.exe	52
PID 2628 wrote to memory of 2904	2628	ydizvelyxui.exe	52
PID 2628 wrote to memory of 3456	2628	ydizvelyxui.exe	56
PID 2628 wrote to memory of 3456	2628	ydizvelyxui.exe	56
PID 2628 wrote to memory of 3456	2628	ydizvelyxui.exe	56
PID 2628 wrote to memory of 3456	2628	ydizvelyxui.exe	56
PID 2628 wrote to memory of 3456	2628	ydizvelyxui.exe	56
PID 2628 wrote to memory of 3644	2628	ydizvelyxui.exe	57
PID 2628 wrote to memory of 3644	2628	ydizvelyxui.exe	57
PID 2628 wrote to memory of 3644	2628	ydizvelyxui.exe	57
PID 2628 wrote to memory of 3644	2628	ydizvelyxui.exe	57
PID 2628 wrote to memory of 3644	2628	ydizvelyxui.exe	57
PID 2628 wrote to memory of 3848	2628	ydizvelyxui.exe	58
PID 2628 wrote to memory of 3848	2628	ydizvelyxui.exe	58
PID 2628 wrote to memory of 3848	2628	ydizvelyxui.exe	58
PID 2628 wrote to memory of 3848	2628	ydizvelyxui.exe	58
PID 2628 wrote to memory of 3848	2628	ydizvelyxui.exe	58
PID 2628 wrote to memory of 4020	2628	ydizvelyxui.exe	59
PID 2628 wrote to memory of 4020	2628	ydizvelyxui.exe	59
PID 2628 wrote to memory of 4020	2628	ydizvelyxui.exe	59
PID 2628 wrote to memory of 4020	2628	ydizvelyxui.exe	59
PID 2628 wrote to memory of 4020	2628	ydizvelyxui.exe	59
PID 2628 wrote to memory of 2900	2628	ydizvelyxui.exe	60
PID 2628 wrote to memory of 2900	2628	ydizvelyxui.exe	60
PID 2628 wrote to memory of 2900	2628	ydizvelyxui.exe	60
PID 2628 wrote to memory of 2900	2628	ydizvelyxui.exe	60
PID 2628 wrote to memory of 2900	2628	ydizvelyxui.exe	60
PID 2628 wrote to memory of 3368	2628	ydizvelyxui.exe	61
PID 2628 wrote to memory of 3368	2628	ydizvelyxui.exe	61

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2580

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2904

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe"
  2⤵
  - Drops autorun.inf file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\86c4c35439fd5cfe3aff15e8765e2050_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Users\Admin\AppData\Roaming\Teopugfuosu\ydizvelyxui.exe
      "C:\Users\Admin\AppData\Roaming\Teopugfuosu\ydizvelyxui.exe"
      4⤵
      Executes dropped EXE
      Drops autorun.inf file
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5052
    - - C:\Users\Admin\AppData\Roaming\Teopugfuosu\ydizvelyxui.exe
        
        "C:\Users\Admin\AppData\Roaming\Teopugfuosu\ydizvelyxui.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9afd3461.bat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3644

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3848

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4020

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2900

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3368

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4008

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4296

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:540

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1880

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4812

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4688

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4468

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Autorun.inf

Filesize
36B

MD5
8c3b6960085cd51d537e090d887c34b2

SHA1
a03f1685cb413f52c1cea6551cebf52a98b874c2

SHA256
a863f0112a6898ee05fa8af4a319a12694d2e182eebba3df891f6b911bb00587

SHA512
d2c79fac2cae7dda058da7eed5f1c35790074f024ea93f56c27e31d607549d0a1b1541b10380323c08d5ac9112ab6786f7b6f63ac9e0cfcdcbfdeab7eb90ec19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9afd3461.bat

Filesize
271B

MD5
feb4f4fbcdc1e8740758063e0b6e4f55

SHA1
cfe85620eb30934c43880aae79846cffb21433c0

SHA256
3db423608a1235786180b41bbeb279523cedef99bc887fdba20c7e15ca5a6044

SHA512
7e857a88aaa993dd0b662b17cde2522ae577375bb1b96b5299a0084da28b9b6feadf5aeb0586f6cfecaeeb15b69cc065b76efc6beedad27fb70caff88d1bc8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB517.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB518.tmp

Filesize
625KB

MD5
eccf28d7e5ccec24119b88edd160f8f4

SHA1
98509587a3d37a20b56b50fd57f823a1691a034c

SHA256
820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

SHA512
c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

Download Submit
C:\Users\Admin\AppData\Roaming\Teopugfuosu\ydizvelyxui.exe

Filesize
345KB

MD5
087ba3e929c9a367d01f45ccf3ba889f

SHA1
08b158f115b7daeff46f66027ac1393d536437e3

SHA256
c27e327a74f015cfbcf9d14ed9c4708adee8a2b45c44b59c586936a77490e40d

SHA512
1b3284eb3628102a6699143b712b4ca2acf8eb495c9a34344d6e7e3888e573c4a0700654e6eae038abd4b9554488a36ca08e02442dd8534f48740a637f4c1227

Download Submit
F:\Diskrun2.exe

Filesize
345KB

MD5
86c4c35439fd5cfe3aff15e8765e2050

SHA1
e12e37c922d5b97c055f5d82f1a6fa7db9ad3e66

SHA256
0f6cd4e8159b243b7de4a18711fc39624491759beccb01386438f52175aad4b1

SHA512
7858a9577ac4ce24d974914a2b25a7c2920c137bcc3dd2af91846bf618c85c6cff57d84a8e26a2840e48b23412ad5c41482a133c22d1958f7ccd674eadd5bd84

Download Submit
memory/2628-55-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-73-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-108-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-104-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-100-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-96-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-92-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-88-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-84-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-69-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-70-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-72-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-74-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-75-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-76-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-81-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-82-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-60-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-71-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-79-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-80-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-78-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2628-77-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3280-15-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3280-16-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3280-51-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3280-2-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3280-20-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3280-19-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3280-21-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3280-17-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3280-12-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3280-30-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3280-31-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3280-32-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4680-1-0x0000000002150000-0x0000000002158000-memory.dmp

Filesize
32KB

Download
memory/4680-0-0x0000000002150000-0x0000000002158000-memory.dmp

Filesize
32KB

Download
memory/5052-39-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/5052-38-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download