6de51a11a13757cf2de4632ce4b147f8c52bc1c5cafea27074284dc633e92fc5

Analysis

max time kernel
142s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 20:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dd099364e35f41af09fb6a52c2438349_JaffaCakes118.exe
Size

639KB
MD5

dd099364e35f41af09fb6a52c2438349
SHA1

64fbb3696c22db55a03f05a65604d93789330624
SHA256

6de51a11a13757cf2de4632ce4b147f8c52bc1c5cafea27074284dc633e92fc5
SHA512

476992fbb9c27d055a92fe55b19a54e7432cdf19c6fb0ee357e39f4589b34d314a8b744b974dd0687989d5030d3f5c91dafe5e852456951f69fdf24300272040
SSDEEP

12288:TKu6znn5kncK7hZu3z8qyBF3Z4mxxCC2vnea6s8:TKu6T5kN7hZuDkBQmXCCOT6R

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2552	44.exe
2852	Utility.exe

Loads dropped DLL 2 IoCs

pid	Process
2480	dd099364e35f41af09fb6a52c2438349_JaffaCakes118.exe
2480	dd099364e35f41af09fb6a52c2438349_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dd099364e35f41af09fb6a52c2438349_JaffaCakes118.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{991A4E2C-7149-11EF-8C8D-7E918DD97D05}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{991A4E21-7149-11EF-8C8D-7E918DD97D05}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{991A4E21-7149-11EF-8C8D-7E918DD97D05}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{991A4E23-7149-11EF-8C8D-7E918DD97D05}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Utility.exe	44.exe
File opened for modification	C:\Windows\Utility.exe	44.exe
File created	C:\Windows\Mangerr.DLL	Utility.exe
File created	C:\Windows\RAV2007.BAT	44.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Utility.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd099364e35f41af09fb6a52c2438349_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Version = "*"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 009c985b5605db01	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Feeds\SyncTask = "User_Feed_Synchronization-{197F4A51-C269-43E4-97E6-37E727A41310}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = 40e4a65b5605db01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\OperationalData = "4"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{64B8E726-E5EC-4D6D-A2BD-62BB48ACBA14}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Type = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAO Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{64B8E726-E5EC-4D6D-A2BD-62BB48ACBA14}\WpadDecisionReason = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\Flags = "1024"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "jm2az78"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de9d10a2f404f140af6aec138629f47e00000000020000000000106600000001000020000000a99777f54f72c87a945eb17823c63273151071e08e8b15897252b3dea50c5b9a000000000e8000000002000020000000b7d0356e75cd7ca092e25db38247962ff5f32c8b25b0bcf362f8a7f17aed96ff50000000d6084e11e3fc49e8915844a799fec894e1b6407c4dc37507b7c924eaca0d4b8c50914c4d52f6a19b90bb72af308370bcf22d4e0889aed886aeac86906999bf5b28f7faee910d15b484077f86d1ef1ba940000000f4214e49a2c8a7eab1c9fb6be6bb28c43831a12ade5fa1188c0105c1c08c16d83562ccbbd149782c99f345705b0e88a88d759a4339bb3e1f8cdb5770fe08a016	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@ieframe.dll,-12512 = "Bing"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	Utility.exe
Token: SeDebugPrivilege	2616	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2852	Utility.exe
2852	Utility.exe
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2552	2480	dd099364e35f41af09fb6a52c2438349_JaffaCakes118.exe	31
PID 2480 wrote to memory of 2552	2480	dd099364e35f41af09fb6a52c2438349_JaffaCakes118.exe	31
PID 2480 wrote to memory of 2552	2480	dd099364e35f41af09fb6a52c2438349_JaffaCakes118.exe	31
PID 2480 wrote to memory of 2552	2480	dd099364e35f41af09fb6a52c2438349_JaffaCakes118.exe	31
PID 2852 wrote to memory of 2660	2852	Utility.exe	33
PID 2852 wrote to memory of 2660	2852	Utility.exe	33
PID 2852 wrote to memory of 2660	2852	Utility.exe	33
PID 2852 wrote to memory of 2660	2852	Utility.exe	33
PID 2552 wrote to memory of 2828	2552	44.exe	34
PID 2552 wrote to memory of 2828	2552	44.exe	34
PID 2552 wrote to memory of 2828	2552	44.exe	34
PID 2552 wrote to memory of 2828	2552	44.exe	34
PID 2660 wrote to memory of 2556	2660	IEXPLORE.EXE	35
PID 2660 wrote to memory of 2556	2660	IEXPLORE.EXE	35
PID 2660 wrote to memory of 2556	2660	IEXPLORE.EXE	35
PID 2660 wrote to memory of 2616	2660	IEXPLORE.EXE	37
PID 2660 wrote to memory of 2616	2660	IEXPLORE.EXE	37
PID 2660 wrote to memory of 2616	2660	IEXPLORE.EXE	37
PID 2660 wrote to memory of 2616	2660	IEXPLORE.EXE	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\dd099364e35f41af09fb6a52c2438349_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd099364e35f41af09fb6a52c2438349_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\44.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\44.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\RAV2007.BAT
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828

C:\Windows\Utility.exe
C:\Windows\Utility.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2556
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2660 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Mangerr.DLL

Filesize
577KB

MD5
541148965ed725ec3bed3cb20ff72c74

SHA1
34bfed3e65eb7743af12b8a75c294a6a0ca645bd

SHA256
b8f4ce65f855a764fb5776d8641794ec0dd44d9124e639496a442e82b1cf71db

SHA512
220bd2e71835c146bb32c9e58e12aa9f36fda7008f5afafc0111165723033a564a31867a2a8979fe72353371b7c1dfb2c7f6813372dec668fea629adda5d5074

Download Submit
C:\Windows\RAV2007.BAT

Filesize
152B

MD5
b2fbe1c5abd9904e00b56da777ddc182

SHA1
49d8e96089724a7f9386fa9857dece3975f0f312

SHA256
a7fc223dfe327fc5c317487b5b054ae1c75dc0192e841489a78282a4ddcccd62

SHA512
3864b5f32049bf2fff6241016393e261e0660c9e5eabe7c9ea6619e8326790ec28bde409c2f063bfd0cfe9ab577c6a587802cfc7f8287b6e134a76ca02428fbe

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
465a4de4a8a2bda5d747b8da7a1d874c

SHA1
eeecf7017b0b14e6fbe47e96576cb924c95a4827

SHA256
de25e54f22c95502ed48bf80c7f16027255e597740549a21ac9370ba07c96106

SHA512
e3dfb7a5f8c23aa64f4614fddb4332be04cbfad70ee7d6eedf599bff0d9063a420d071d9043901c8033ce64822fceacc162f99934843fdbdd83853668ad911a8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82af10370c021bc00fbf2de2f46c67b3

SHA1
8bf829d835b7ac8f642db326f72da7ca629896de

SHA256
90e8810f8d46767e6ff5fae62faadc00cf6bb58ac9e504585bc232e8b573591a

SHA512
774e766285f18a41e8d21061fcab075de03451735798b68e540d9bc54439c882ca6ae2d73956ec8d82820277177b105baa2d7a511cdf6a812af5c1abf66f5b6b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1150d9f0aa9c3b1b409de378a8c76a4c

SHA1
15298a2c9fc6eb661abdfc092a583342eff7d2bf

SHA256
dc4136b5d1fe2b3597b6fbe465e88e1f6fadf4f195b6e7de3e6783157b7078ca

SHA512
f7e1e1c37d449ad07b5812ef96f68020e919aa3cd29b12ead73107f5fe471aefb4ee6c9677a2ce81e6bff4ced71aca91a7b62f3b619441899be5c9b2b907071d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20645898744c49b631bc2323ddc81538

SHA1
1aca060a35072f2b939534b72b60ee0fb06e36c2

SHA256
1fd73ccf6ca4018cd01c257c99e6870b77102b03c781a17db8f92d7a258262cc

SHA512
b71bcac6f8c11cc4bcc2a7e9ea237c8c3d09811b0f81a8cbe644c85e401572d0b7b61f7474cc8a15ad678552b1bdf9c6809b54983f4a70f1b2d19e22dcf64d91

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe4bb074c5c7c034a3174e3b2d2c5b06

SHA1
838c6a511d1b389b64502efd202fecc5b006d880

SHA256
ec3244060696d20fc43f20f68ddc63eb5ee5fe7402d406d77d068c7edd87969c

SHA512
4c6b2357fcdb2f093eb0967769d53cbd0267740a2ad2c4422f91337093c54a091754cef1d8bc366b6c25653f1fa11e708a7abc600fe8859632aa007ee9a56908

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3ad9fa0df9ce337f8864f7908917d6f

SHA1
815783b43886924040cf8bdd729be55bd6a4f1ed

SHA256
57658d0a3f7335e84554d065cda4d94ea3c34a284b775c179492e2bdae505ef3

SHA512
bfc2b078534fd0181384d5186a85dfb107c8695bcc3b0476829dc2fa51cad7fc5e6dbf08fc6c01c150dda41d50be0eb274b8cfbe27d97923f7dba6e39981830a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce350cf7fe91afb1b004e4e4b79b1b25

SHA1
ab456fafece054751234953c58db26e30d16ffea

SHA256
715f43f3d92597bd834cd7e85f21887b263978a784808e7c5acc17729f6d661b

SHA512
714d3f0db2e02a6ce33d1f337c30f7409110a3dfa83aa2b56acb0e45a53d716113901d7f69d8ba521b056b18d57d71aa977ca1510e067ba6be4112673cce0ae2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a72736ad6bab8da16159759c2e06bb7a

SHA1
151a9e85b5c4f39a7777a3461083e946fcae3ad7

SHA256
638e4ee0e9ce5f5a9cf8f22b9f941a53a9a62cd402cb7f463ebc999fa4f6eec6

SHA512
e46396eb838ffe376c4c9ca2f02e2ae98d7724437581bc44f34c0c1afba34d6d9c2b546f3d6f16ee975d0666e8dce521345dbe44a23a87f7b7e2b06d9ada0889

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba0c34e4a53761d2fc7458572423c69a

SHA1
cc7701ea6cb21695a98de07c566081f73fdf8ed6

SHA256
23e6916661865f94b380b0eb27abe75992551748916aaffbe5bf3ea06ec0c31f

SHA512
65b8299a52fc0da1dc27f27744077fd3096e9aac8e06a81e07d7feea172e53ffdd92219f586da8c08f998a34052598948842ccad68bf1ab19efd78b8fc5dde6b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
484339914b90f5d13ab551330db4fec0

SHA1
88f5f313162b18a49b7cd57978ce031661932694

SHA256
1f6c719a5f55d39c3792968b041ca56186fd4a12ae755e47c7aef49f99c9a8dd

SHA512
af58df0e3c9806a774fd0ac6e99d1e181dc2ef26ebb47e37ce5683e03ae9684b0d40185e98992ff8ff5babcc2bbd03001936d4472fe413738fa52fd70c89bfb4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
195e4fd2dff1c796ab33cad60f503a75

SHA1
25bb16ad559e1d12eea22ddda24a04d677541736

SHA256
cc7e3de33797450cd0f7be995f83096390de39258d3dc2785dc0c662113606c1

SHA512
e40484b68cef3a8967fd6ecb9b62ff0d6a3d07bc598ccbe337d649d528a70b0b98600df76f9f3a77e717fd65df7dba8e14cf3a8aba9e0f2dca88483e84bd1cfc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e5a65cedcaac8f395f05a213d73b9155

SHA1
331dd02c73d24be9d458f1c7fd903e0697ea77a8

SHA256
88b1dbf2a85b9aeb768e660556fb72e348b0aff1bc149633a8bc03b1bb2edac5

SHA512
34bba34963bf4818173a3b5481e3e989688944bd1613318258c4c66da4c0a3bd523591f628277de069b334267b96d1b407ffba8387544418890a0a3308189658

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabF913.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarF916.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarFB40.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwECDE.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwECDF.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\44.exe

Filesize
655KB

MD5
3d09d023b932722124fe1eae2268d709

SHA1
8a358e14af19e3a08b29342070e80373c167c5cf

SHA256
3a1d0121028781866b016e8282264334224d4ab9bb111d68d27a5b3d2e529fa5

SHA512
5a7738cd4a2123ec0aa7c3bdd1d53148a1cc89acd4e0c02451f3ae18f6ba249b2dc1b69743afe1fe5c01889b18750873a0ecaa77400f05e0bc3b106714cd8044

Download Submit
memory/2480-39-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-82-0x00000000001D0000-0x0000000000224000-memory.dmp

Filesize
336KB

Download
memory/2480-32-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-31-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-30-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-29-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-28-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-27-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-26-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-25-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-24-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-34-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-23-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-22-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-21-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-20-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-19-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2480-18-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2480-17-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2480-16-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2480-15-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2480-14-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2480-13-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2480-12-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2480-11-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/2480-10-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2480-9-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2480-8-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2480-7-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/2480-6-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2480-5-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2480-4-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/2480-35-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-1-0x00000000001D0000-0x0000000000224000-memory.dmp

Filesize
336KB

Download
memory/2480-33-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-81-0x0000000001000000-0x00000000010FA000-memory.dmp

Filesize
1000KB

Download
memory/2480-36-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-37-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-38-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-0-0x0000000001000000-0x00000000010FA000-memory.dmp

Filesize
1000KB

Download
memory/2480-40-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-41-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-42-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-43-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-44-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-45-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-46-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-47-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-48-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-49-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-60-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-50-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-51-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-52-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-59-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-58-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-53-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-54-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-55-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-56-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2480-57-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2552-79-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2852-741-0x0000000002200000-0x0000000002297000-memory.dmp

Filesize
604KB

Download
memory/2852-740-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2852-319-0x0000000002200000-0x0000000002297000-memory.dmp

Filesize
604KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads