737ba07e36e4c3eeb668b5425b332178c504194abe72000e2605a53555087b90

Reason

Machine shutdown

General

Target

11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
Size

282KB
MD5

11a13418d08527a1df11a91aa6560863
SHA1

ff4fb55fe1aa7ffbb79775b16ade23afd395d39b
SHA256

737ba07e36e4c3eeb668b5425b332178c504194abe72000e2605a53555087b90
SHA512

74af708b092a83bdeb8d7c0b0e72ecb7e2508241360d8d8861b333180c9823ae3cd19feb9436d8fc8239791d63970622daa8fde1276b39c7cd33e9aafda50536
SSDEEP

6144:Izf/4vdu9hHaZBynO1qQZq2kwJD7DOZa6emP/CvL:Izf/X9hHXQY2kqD7DOw6eeaT

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\D5B.exe = "C:\\Program Files (x86)\\LP\\D115\\D5B.exe"	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4376-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4376-11-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4376-13-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral2/memory/4256-14-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4256-15-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/4376-116-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral2/memory/3480-118-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\D115\D5B.exe	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\LP\D115\D5B.exe	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 27 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2412658365-3084825385-3340777666-1000\{9A39C7FC-8AF0-48F2-A892-37E78F4EC352}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3052	msiexec.exe
Token: SeShutdownPrivilege	636	explorer.exe
Token: SeCreatePagefilePrivilege	636	explorer.exe
Token: SeShutdownPrivilege	636	explorer.exe
Token: SeCreatePagefilePrivilege	636	explorer.exe
Token: SeShutdownPrivilege	636	explorer.exe
Token: SeCreatePagefilePrivilege	636	explorer.exe
Token: SeShutdownPrivilege	636	explorer.exe
Token: SeCreatePagefilePrivilege	636	explorer.exe
Token: SeShutdownPrivilege	636	explorer.exe
Token: SeCreatePagefilePrivilege	636	explorer.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe
636	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 4256	4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe	85
PID 4376 wrote to memory of 4256	4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe	85
PID 4376 wrote to memory of 4256	4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe	85
PID 4376 wrote to memory of 3480	4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe	91
PID 4376 wrote to memory of 3480	4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe	91
PID 4376 wrote to memory of 3480	4376	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe	91

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe"
1⤵
- Modifies security service
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4376
- C:\Users\Admin\AppData\Local\Temp\11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\56321\E5AD1.exe%C:\Users\Admin\AppData\Roaming\56321
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4256
- C:\Users\Admin\AppData\Local\Temp\11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\11a13418d08527a1df11a91aa6560863_JaffaCakes118.exe startC:\Program Files (x86)\21DCB\lvvm.exe%C:\Program Files (x86)\21DCB
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3480

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:636

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2508

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4064

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2140

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4372

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4164

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
6a406ad96e5b0fb95b19fd5c525659e8

SHA1
89c48a17daeb402c78a406ed31980ce381c1e66a

SHA256
fff6d4beb65672c459a492cf64ebdcc3ae0b5e635533fd761876300e1f4da6a5

SHA512
c336db63c06d794ea67bd2d779db15777d1caf244119e76bd640e58e0168afc52dd744be20dfa4bdeb45dfb9435e3cc187099c1ac745d8a7e19ed9a343d886de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
b3e1373f7de40116f803aaff016b74bd

SHA1
41f0df17f271b896d4f82fd6d83cbddffdc8ed64

SHA256
b583caa78c719c82870b6ae330a683002a439bfcf93ada6efb5882e651a7eda6

SHA512
ce11f581dd3fd221915f63f8d93186de38a7f959705d843c667e05d1d53eb2fa0c026dd4be1a9edfe2e6c22bcdc79c3edb1d8af288fc5d3bc29f000fbac22122

Download Submit
C:\Users\Admin\AppData\Roaming\56321\1DCB.632

Filesize
996B

MD5
a221aef49058dd083cf55ccee16a3925

SHA1
2ef3577a539c99a446a9a3e2b534f7d9aeb05720

SHA256
6ed85758acea29a69e969ce96b4321f262743969ecf6a29b70169897b4bb2a4c

SHA512
4deb59ae9a000a98726966e1173d41887ef1f75116e730904fb783235c903edaec050c6a6271d04f9b2b507b35ca0cfc8be54989a973dd7857e75a627d08c11c

Download Submit
C:\Users\Admin\AppData\Roaming\56321\1DCB.632

Filesize
600B

MD5
1672c197f8a69919103d99bb4e332129

SHA1
1f4e9ba8c93d4710003080660b942368c33cf4e2

SHA256
ea1004d2dbd2276fd74a53c81b2dc095588fcacaa13c8869ec41744fbe2c9614

SHA512
e0a4914061281d41344a996d5520781ee36d87001ade83806b883553bd5c75269c96d355c895b5155d8954c755e30c071d9b8f1cfd05ffed1e0e1a3622d060cf

Download Submit
C:\Users\Admin\AppData\Roaming\56321\1DCB.632

Filesize
1KB

MD5
f287354d540c831528ec25ade43bbf98

SHA1
c8cf3dfd8228a75b85df6798e3f2634b256626b0

SHA256
cb363ab200ba6a04090b13cff1821213aae89976003c2048054a8a6d02895245

SHA512
95fefd2c22a01f72ac30a2916d3775da9faee405d005c007ca121a0ceaec03584b2f20c0f0a1c4bdfec6f138597d5209418499a076b20870aef0eecb811bdba7

Download Submit
C:\Users\Admin\AppData\Roaming\56321\1DCB.632

Filesize
300B

MD5
28396d5db9ec67731c558c7a9ee624b8

SHA1
e8e9856383b7250f552edca9f641e1d9cc459755

SHA256
7f1dd112a970d0a843dd1d81ba35bdf710544f4dd7eaeb448f37ba4aa3bf015f

SHA512
9b5db57c0ab244a7e4d954294fe31babdc1c17c5f93ae34a7b97f261b482c62dcbcf4b4e28e3a9b813590ffc390f0f1b8617ec00131980ee3d1fa5a68fb78f56

Download Submit
memory/3480-118-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4256-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4256-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4372-317-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/4376-13-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4376-116-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4376-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4376-11-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4376-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4872-324-0x0000027AD3CE0000-0x0000027AD3D00000-memory.dmp

Filesize
128KB

Download
memory/4872-336-0x0000027AD3CA0000-0x0000027AD3CC0000-memory.dmp

Filesize
128KB

Download
memory/4872-355-0x0000027AD42C0000-0x0000027AD42E0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads