e76cc2c811e9d9a2ad685f45b8a5495bc6bb81a9ab0511f4275a81b4d5574cf9

Analysis

max time kernel
141s
max time network
142s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1b9ee92b2ee693c59536ce3ea5c0751_JaffaCakes118.exe
Size

960KB
MD5

a1b9ee92b2ee693c59536ce3ea5c0751
SHA1

4c8630d2ac6d652f7bef6e7be4cbdf852d168e01
SHA256

e76cc2c811e9d9a2ad685f45b8a5495bc6bb81a9ab0511f4275a81b4d5574cf9
SHA512

8916e12be83a8bb5a0955a5443b07eb7e418168e76a96f43540d20d2be22aa34ee13e5f868dc40b03b212d3bc23ff4c38daa6a2d3ae6f568ca6cdb7280eac568
SSDEEP

24576:zUWqistCFEnNx3VIoM+N+41tVY6VZ7GoaTTmOouhkGYhaVc:zUUinPlMA+41hxGZTTXouTYha+

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2632	daemon.exe

Loads dropped DLL 2 IoCs

pid	Process
2888	cmd.exe
2888	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sounds = "\"C:\\Windows\\Temp\\Cookies\\daemon.exe\""	regedit.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1b9ee92b2ee693c59536ce3ea5c0751_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daemon.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	daemon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	daemon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	daemon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	daemon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	daemon.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	daemon.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	daemon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"c:\\windows\\temp\\cookies\\daemon.exe\""	daemon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "Windows"	daemon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	daemon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	daemon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	daemon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"c:\\windows\\temp\\cookies\\daemon.exe\""	daemon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	daemon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	daemon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	daemon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	daemon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	daemon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	daemon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	daemon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	daemon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "Windows"	daemon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	daemon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	daemon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	daemon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"c:\\windows\\temp\\cookies\\daemon.exe\""	daemon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	daemon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	daemon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	daemon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	daemon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	daemon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	daemon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	daemon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"c:\\windows\\temp\\cookies\\daemon.exe\""	daemon.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	daemon.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	daemon.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	daemon.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	daemon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	daemon.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	daemon.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2820	regedit.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe
2632	daemon.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2632	daemon.exe
2632	daemon.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2888	1724	a1b9ee92b2ee693c59536ce3ea5c0751_JaffaCakes118.exe	30
PID 1724 wrote to memory of 2888	1724	a1b9ee92b2ee693c59536ce3ea5c0751_JaffaCakes118.exe	30
PID 1724 wrote to memory of 2888	1724	a1b9ee92b2ee693c59536ce3ea5c0751_JaffaCakes118.exe	30
PID 1724 wrote to memory of 2888	1724	a1b9ee92b2ee693c59536ce3ea5c0751_JaffaCakes118.exe	30
PID 1724 wrote to memory of 2888	1724	a1b9ee92b2ee693c59536ce3ea5c0751_JaffaCakes118.exe	30
PID 1724 wrote to memory of 2888	1724	a1b9ee92b2ee693c59536ce3ea5c0751_JaffaCakes118.exe	30
PID 1724 wrote to memory of 2888	1724	a1b9ee92b2ee693c59536ce3ea5c0751_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2820	2888	cmd.exe	32
PID 2888 wrote to memory of 2820	2888	cmd.exe	32
PID 2888 wrote to memory of 2820	2888	cmd.exe	32
PID 2888 wrote to memory of 2820	2888	cmd.exe	32
PID 2888 wrote to memory of 2820	2888	cmd.exe	32
PID 2888 wrote to memory of 2820	2888	cmd.exe	32
PID 2888 wrote to memory of 2820	2888	cmd.exe	32
PID 2888 wrote to memory of 2620	2888	cmd.exe	33
PID 2888 wrote to memory of 2620	2888	cmd.exe	33
PID 2888 wrote to memory of 2620	2888	cmd.exe	33
PID 2888 wrote to memory of 2620	2888	cmd.exe	33
PID 2888 wrote to memory of 2620	2888	cmd.exe	33
PID 2888 wrote to memory of 2620	2888	cmd.exe	33
PID 2888 wrote to memory of 2620	2888	cmd.exe	33
PID 2888 wrote to memory of 2808	2888	cmd.exe	34
PID 2888 wrote to memory of 2808	2888	cmd.exe	34
PID 2888 wrote to memory of 2808	2888	cmd.exe	34
PID 2888 wrote to memory of 2808	2888	cmd.exe	34
PID 2888 wrote to memory of 2808	2888	cmd.exe	34
PID 2888 wrote to memory of 2808	2888	cmd.exe	34
PID 2888 wrote to memory of 2808	2888	cmd.exe	34
PID 2888 wrote to memory of 2632	2888	cmd.exe	35
PID 2888 wrote to memory of 2632	2888	cmd.exe	35
PID 2888 wrote to memory of 2632	2888	cmd.exe	35
PID 2888 wrote to memory of 2632	2888	cmd.exe	35
PID 2888 wrote to memory of 2632	2888	cmd.exe	35
PID 2888 wrote to memory of 2632	2888	cmd.exe	35
PID 2888 wrote to memory of 2632	2888	cmd.exe	35

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2620	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a1b9ee92b2ee693c59536ce3ea5c0751_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1b9ee92b2ee693c59536ce3ea5c0751_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Windows\Temp\Cookies\jovial.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Windows\Temp\Cookies\humulus.reg
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:2820
- - C:\Windows\SysWOW64\attrib.exe
    attrib +H +S C:\Windows\Temp\Cookies
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2620
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\Cookies\stevar.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2808
- - C:\Windows\Temp\Cookies\daemon.exe
    C:\Windows\Temp\Cookies\daemon.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\Cookies\grup

Filesize
338B

MD5
d4cbce4da767dc3c45efde33cc2e13c1

SHA1
14b6c4a571006026b8230d41104e240cd844ea59

SHA256
16dff2d317d7666bb202f09e9cbccc73f558fee849cf3e0d4e9bf9ccc395edc3

SHA512
9eae997ceb7ae0c76888ec062e579a7e7490c00f48686b0c91d01ceace8bee59bedf7489f0f3ad8587a0ebda56842b52ddf3a1b6377ede14cd73f939cee89047

Download Submit
C:\Windows\Temp\Cookies\humulus.reg

Filesize
1KB

MD5
df6792731411e25f6ea323f1e9bcbbea

SHA1
6299865524e8c94852622b1ec8e1a25684c6fc61

SHA256
333b45dfd8af67f86c08b1fac1a11888e3d5942181fc5584d4942238bfc386d7

SHA512
3cf4c41d99a78193a9a712f6047c7515e038a17e2a5779b76f9e7e2b666da588293756ab41a25a22970099afa7e93caa4f53422fb52d51a63272b2efd02956b9

Download Submit
C:\Windows\Temp\Cookies\jovial.bat

Filesize
187B

MD5
dfa0bdf0e2a6071df48a5bffb11d75d8

SHA1
1e899fc19a2cee10dd83ae43ff4df59acee8f23e

SHA256
b0e222631c6d49405a03ff8f0ac705cbe91e06f00a6a6d562fbfa528d71b88ca

SHA512
3fad39eb2f6abbdfd54117dd4885ec1eeb6c0684a39c68a8b659ce958059b160546380fa882dbe18c08cd22903db49f041764027389fb890de9971a0cc96dfda

Download Submit
C:\Windows\Temp\Cookies\mirc.ini

Filesize
3KB

MD5
4a347057b6add2522ac7f69f93d8159a

SHA1
97f16c2e1e12fcd3881a89dcfdbda17d922dc620

SHA256
dbeec4dda081420cbddbade517d26533826ad67f2e468fe780da770729262ed7

SHA512
434c426d02eed59e45da091c15fb2bbe47cd26c9950597aa3f3b3760d381110e933c4ccf55389884ee97f7523aee889c42f3c869c58d90d81128ff5672117f1e

Download Submit
C:\Windows\Temp\Cookies\mirc.ini

Filesize
3KB

MD5
ecce04953f9382a59bfe90f817c190e9

SHA1
a9cd2bbcaea9020640761e5fe466ca98dc0fa814

SHA256
eceaf6c271119087693848a4635b88e931d06246d61f7b405d34f3a3164ba9b4

SHA512
791ec20795b9cc6913492d19dbd644b596e49da7e119923720cdcce258aa72ec72d5bfa7ca153daf45e0684686da9ecf358b0f7a2121013ed5ba17d70c46faa1

Download Submit
C:\Windows\Temp\Cookies\remote.ini

Filesize
8KB

MD5
9cfa70e2d30c0f623fa896722869e030

SHA1
50b8a4e55641cd69c118584c76b20c9de3b54cf1

SHA256
f6ff5157c29b18a586ff48829d175f007f6e5169311736829264a68ef993c482

SHA512
9e332d189cfae0dd4e584649e773fb1b2b248fd16ee48496af410b98535a24175ec923ac2b130c48e164325f2606505b716f917f1e01da4e15621b6e91afb20a

Download Submit
C:\Windows\Temp\Cookies\stevar.vbs

Filesize
72B

MD5
14034cf3d48c7ab4ba932b135ed6e0e1

SHA1
44177e49b169b276fb404588693f2a360024769c

SHA256
f3dd036dfce459cbd9bd4b32d9cec7d6d7cfcb4551a745aeaa8d8377287d6460

SHA512
eec54638d19ba4269f946bdc8afc6ca7f52402e93f15362121ebdfa310f2923796540b18477ceff5c242e1ef22115980b345cd919eb78d6b19b6a2e49f12c434

Download Submit
\??\c:\windows\temp\cookies\aliases.ini

Filesize
11B

MD5
2218df9cdffc814a3dc25c81dd8619dd

SHA1
0290f796218937f61331adc8803788e7cd4c2299

SHA256
455831b583cfa9549746bcd296a60f5191d2eff7829d469e029b68768c5e56d1

SHA512
7aa4c745dfce7b2c38c4930e8275885727a19480597f685f89ab0e536175c31a2d5ee61cfd84b483f73eb211970a1a4fefcc59d8ef97b9af7bf09b7dcf932efa

Download Submit
\??\c:\windows\temp\cookies\control.ini

Filesize
124B

MD5
0345db250410687bd9731a579f898b6a

SHA1
f0236a298cb934470c7a36fe06387f506430a20b

SHA256
ba67116218dd89f9ff616065a14dd6d6484cd9e3bbc06c7cc13f75829ecf93f8

SHA512
e7be37641b3a1969e395c542bfca2e6f44cf23639838b36dfe5740fc70f08d440a1f2753ef5d634d81e28ea273bf833feb08198458124716135dc6e7071fbaed

Download Submit
\??\c:\windows\temp\cookies\ident.txt

Filesize
5KB

MD5
452df7d04d4edf3f63caeea8f3b4fed5

SHA1
034d3e07132c5cd8501ae3f0d603aa4de809a3b3

SHA256
0d260b9de6e6203995b1dc0bb9600c2b252b7c837b94a421c7c0b9da45fe0794

SHA512
f96f4b397fdf489f57d8d31fa03685fd6f1bbc7d2fd44e088bd8ecd854d6b0540dc5bff8d8a8fcda9179b4147ef7274547d97ff6e7080c85ed0c1d4d0e37e697

Download Submit
\??\c:\windows\temp\cookies\mirc.ini

Filesize
3KB

MD5
0d40219c0c453b0efa920e293e2148a7

SHA1
89ecaf40b4458ccecd45c848b46019d1c77a8b1f

SHA256
6e5cdb7cd3d23302b41ff0ef1643d4244750a59718268af4e9c42bca9b68ba68

SHA512
103b3fd424be454e66bf27d91f6b1e51062d7468937621ce3274cd21d0eb3cf63832a3d896aba4992a2a65043326dee8ee720ff86f586193b22672acac6b6dce

Download Submit
\??\c:\windows\temp\cookies\realname.txt

Filesize
69KB

MD5
c3c54aa7e6cc8772457e7dfafd2d0dfa

SHA1
06e1a8697be7b54b184f0a55f354bcf6d64f99c0

SHA256
9f94afc4d5553ccf29a303b78fea9f0d45b11d39e4f4aacd086821639a589e0b

SHA512
627f6ff7ffc47d481cf75df7b6ec703be1ee08b25750cc8c122aee7260fd9dd3bbad28818181cb4b2ca84b4a48c27c0f1ae46901cc71691304099ce709afc398

Download Submit
\??\c:\windows\temp\cookies\remote.ini

Filesize
5KB

MD5
aada7506b4e7fa1931215acfa66c7453

SHA1
af156ceac5f9e857d2a494fdef62e1002ab75c1d

SHA256
b72b0a571e503b39dfa1198fb318f846ec5d4ac500fb87b9e92ae8ff4ca54436

SHA512
6653f3fd3bc15fd823666eaedd82eed1a0682f5aa968e8376659c3c49e01019decbb2ed15937fbe23800753e591c32b5f3c8e832b0262c5d94bfd7c5e83ddea1

Download Submit
\??\c:\windows\temp\cookies\servers.ini

Filesize
478B

MD5
a283f82bb48bd0bf34d276452ee2f844

SHA1
94e49e0c920156d9c4753e22d80580e87a8df710

SHA256
5287cfd4d3cd8d50d931b7830a56c71af786ba95d99cae64a4818d7143f9f7d7

SHA512
078ce9635e2668961fde8a30abb274920db1422c915b0e6f686b0eb1441a42a0ad4da021668e7ae128a3936e1e4c6e871cd50e72c2eaf862c6a78ca1c0a63548

Download Submit
\??\c:\windows\temp\cookies\starblind.mrc

Filesize
1KB

MD5
79ac45979e745a13d1641f82c6300dca

SHA1
b428e7ee3d443aca5cfb95e7bc0f824769078998

SHA256
b6b3110bcbcfdcab6458b607c4bedbc09dd7902c86d2136a27b24fd9006f8b01

SHA512
34e95f7e7e1d61f01976e1723bc78657b96268d805d7f4b623840d1432a7e8102680799938ee83fbe4fff218f41c4eaa15d40ecc9e960afae2bae1c62da88b31

Download Submit
\??\c:\windows\temp\cookies\stemb.ico

Filesize
5KB

MD5
e09aa9787af5cc53fd7525dd6693cf10

SHA1
57445d0779a66c61741822c0a7988573efee13d7

SHA256
c7f023fc4c85680f5c334fef09155e81861634108140a5716a1395dd7cd62266

SHA512
b71a8c0939d545afa173f107f99314848c6104928b77d6f39d6e4486ca2b65797cecff0f877160edf6ca1d21dca95b7f1be53221811c945f7c4be6e77a4d1f8c

Download Submit
\??\c:\windows\temp\cookies\trupero.mrc

Filesize
13KB

MD5
e9bc5c7f81203d21f10fa91152f7d141

SHA1
0b92a79047fd999a293d5e6fc5ef11d4e6cc11b4

SHA256
d1a8374f9e3453b8abef393f3f3a64f60d07dca81f53ab99d2060c7a32ba6242

SHA512
aee6f688ce761db346ea0ae13f0e09db1ece3ff525bc3e102df18f3b94f0f5d3fb6d1dd2f34cfb3a0d75b39b6807861f7e2034f4dff64f4e2052c12b39c9a8ad

Download Submit
\??\c:\windows\temp\cookies\users.ini

Filesize
139B

MD5
be8c8019a5f71f941adc21dcfde90d21

SHA1
8414f4039ee4b5a205387eec81aa60c6c2e16404

SHA256
5cfc46f6de7c289ff581364ad837bc2ec86695e305190c19034723c9f2f05250

SHA512
853d9bb3efcea5c89ef3b774a371d7c2ac3782141541342c000908de9744aa1a719f5ba31a600fcf295a33a6bdeba01432e936f75907cd315e312aa5edbf8722

Download Submit
\Windows\Temp\Cookies\daemon.exe

Filesize
1.6MB

MD5
fb05b68f8250b7ccbe32033318787329

SHA1
aa1734d9d657b531e855de5f9923add98674a105

SHA256
c6ffa293037bae71d4841aa107a62794d17dc3d85448c04b063cd89bf7812da1

SHA512
274294508de7640d18c5547a2d1b563b2342746f48fbf7114feec9c2fa0f6e431203f3b708755f31c7d8369c9b063cac7123b04c378843acee3ac45f2bb344ee

Download Submit
memory/2632-273-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2632-282-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2632-270-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2632-271-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2632-272-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2632-267-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2632-268-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2632-269-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2632-284-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2632-285-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2632-286-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2632-287-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2632-288-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2632-289-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads