e420a32939b9e741526f3096611cc1280f76f505125ac8f0d23da7b25435e80e

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
Size

190KB
MD5

82777e650da1a7176dee2635c1f30179
SHA1

7dc7357f7b2c0457f1e3d259fcb4c3cba8c75224
SHA256

e420a32939b9e741526f3096611cc1280f76f505125ac8f0d23da7b25435e80e
SHA512

db9f5fdd66e219e4b997f5267e51de36ce58bafe4113103e2daaeb31db7085f3f6248b30d076559650310b754c82a94bdc6c7ea53c72c892f46028bc19713d5d
SSDEEP

3072:nCSjGoLpWM6slmjxNu4JB6vgmJAIlwPxX/ZWOFrb:9XdmHu4JDvI+PxBWOFn

Score

9^/10

discovery persistence ransomware spyware stealer

Malware Config

Signatures

Renames multiple (215) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
2044	Logo1_.exe
1964	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javap.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE.Exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.Exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.Exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCX2085.tmp	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\bin\kinit.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe.Exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javah.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCX2022.tmp	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\RCX1FAF.tmp	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX2924.tmp	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\RCX1D12.tmp	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe.Exe	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\RCX1C71.tmp	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCX1FE1.tmp	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe.Exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\uninstall\rundl132.exe	Logo1_.exe
File created	C:\Windows\RichDll.dll	Logo1_.exe
File created	C:\Windows\uninstall\rundl132.exe	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
File created	C:\Windows\Logo1_.exe	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe
2044	Logo1_.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1964	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
1964	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 708	2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe	84
PID 2236 wrote to memory of 708	2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe	84
PID 2236 wrote to memory of 708	2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe	84
PID 708 wrote to memory of 3464	708	net.exe	86
PID 708 wrote to memory of 3464	708	net.exe	86
PID 708 wrote to memory of 3464	708	net.exe	86
PID 2236 wrote to memory of 988	2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe	90
PID 2236 wrote to memory of 988	2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe	90
PID 2236 wrote to memory of 988	2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe	90
PID 2236 wrote to memory of 2044	2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe	91
PID 2236 wrote to memory of 2044	2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe	91
PID 2236 wrote to memory of 2044	2236	82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe	91
PID 2044 wrote to memory of 844	2044	Logo1_.exe	93
PID 2044 wrote to memory of 844	2044	Logo1_.exe	93
PID 2044 wrote to memory of 844	2044	Logo1_.exe	93
PID 988 wrote to memory of 1964	988	cmd.exe	95
PID 988 wrote to memory of 1964	988	cmd.exe	95
PID 988 wrote to memory of 1964	988	cmd.exe	95
PID 844 wrote to memory of 4560	844	net.exe	96
PID 844 wrote to memory of 4560	844	net.exe	96
PID 844 wrote to memory of 4560	844	net.exe	96
PID 2044 wrote to memory of 1216	2044	Logo1_.exe	98
PID 2044 wrote to memory of 1216	2044	Logo1_.exe	98
PID 2044 wrote to memory of 1216	2044	Logo1_.exe	98
PID 1216 wrote to memory of 4848	1216	net.exe	100
PID 1216 wrote to memory of 4848	1216	net.exe	100
PID 1216 wrote to memory of 4848	1216	net.exe	100
PID 2044 wrote to memory of 3456	2044	Logo1_.exe	56
PID 2044 wrote to memory of 3456	2044	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3456
- C:\Users\Admin\AppData\Local\Temp\82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:708
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8DF8.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Users\Admin\AppData\Local\Temp\82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1964
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:844
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1216
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCX2973.tmp

Filesize
159KB

MD5
4800993226c4eed58d81a2ce68c4ba15

SHA1
e5c7f9b6c6215c52d7583cbc9194555fd8a964df

SHA256
e9f99a9cbb8bd6cae2d0f081ad57ae29a0bb7d0fecefc861f6d0584fc000d190

SHA512
372ebfb37f258fc5d36bacfc4ab03043a34c75e051cf06aaf195a65714b6aa5ce54627cf15d5ccd20198a22572cba5163873b52205b7b2ff6a0e3ea1a534a0f2

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe.Exe

Filesize
1.2MB

MD5
643ed1d72cbca5921a16cdc15a9f1dac

SHA1
3ef4590b5e98abf9347ffeca0ad0d746ca5f6b54

SHA256
0d7b7bf9c1ded0fa167ecd01f9ddaa0192d38eb735f77951f64ed74f94e19d0a

SHA512
cebeadb8a0f1fe91632f285e0af673b2a93f3062f75e346d9fb6d8c15714d2ff1239318762cda110513da0d9f3b3571a39a03f983d320965b1f123c21ef08926

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.371\RCX2CE8.tmp

Filesize
93KB

MD5
0efcbaadb9630199df461d2f07b10ae0

SHA1
5acc7686fd82521bf84ab2c365b233d0cd5f3e79

SHA256
7640cf6435724a1c1e0dbe36aedf63dafba3a7246df4fca2d3f528281e61f000

SHA512
2b97fb234a094ae9f4371dd18ccf655f3361ab7c710878b366ea0fa7515c29f54ceb5899e2a7137f2c1e256299c526f903b3342bfe5dd51867b6ccfb9e190a45

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\RCX2DBB.tmp

Filesize
121KB

MD5
48eb18a0395aa3a7a5dba2803fa6985d

SHA1
6ffc6f95260a95bd11aa6db0780dfe4319822b92

SHA256
c7456f9dadf4d744e7317a5316c53881a588a0209527dedd0314246c27aa2477

SHA512
0b4308a736e4496863a88fee3bd644eabbe1b44677311bc8041a383ce891cdc5190e5d7f9b7e6fc9b409f2acf6b4038ec8fabbf04fe25e9885dbb4a21580f4fa

Download Submit
C:\Program Files\7-Zip\7z.exe.Exe

Filesize
637KB

MD5
21ac1a4346c39e0037c83c046851fe27

SHA1
e986a75a77e8c8a2b4a8ace4a4a77d204b937e16

SHA256
76ada016139634d3f4aeec0ec3952436a2fa3afee1e049e6800a9ef38688cbdf

SHA512
268a15851bf48db79c4cf953ae8f0c07b6c88818fd7d2dfc6e012f69f0e2b5c24d7827343f8b38e9446872044917917e723dd3d49959a9c95b82e528577d97e9

Download Submit
C:\Program Files\7-Zip\RCX1BA3.tmp

Filesize
93KB

MD5
a6ef1d248daed9c3f6b44e9df1f0c0db

SHA1
b3d07fb3c746292d82d2cc6b7a8532733d5633a5

SHA256
fc3f381666c661b42807d88d69e45752b18e3300a5ace275ee9649b8ee9e399f

SHA512
244ea7b6c44ca112c7ee937a666de326f36af49d152aa9b05a95a0b6941ff277cd4433086e3bdc18556c5b10b33aec03a8c2db5a87cf91fa5f417bf7ecf6b1c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe.Exe

Filesize
379KB

MD5
5474f230fc4502ffcdd60638e5d63ae5

SHA1
05ba1a2663c73b7a8ff24dc4dfd088ab8000a5bc

SHA256
a2cfddb9911d6208241f3265cc1c08f2d2587ca76c94108dcd1fcccd87023fef

SHA512
e33039b45317dd0f4dbc0070f61ef849d861ffc91ddc114d6b8a50fc8762312eccee6ac4a855ca8a733db36cfddaeaa1fd7b410a4f81a7599459dcb4894e4523

Download Submit
C:\Program Files\Mozilla Firefox\RCX2043.tmp

Filesize
94KB

MD5
dfe18a9f9860ae3df41f9dcb6ed510ee

SHA1
f2109061bd900f2d8506a3e258e552adbb12007e

SHA256
246358e2e8470842b14e61a458b5a9164971894c39cef651728cdc7d9f45f5fa

SHA512
42cc516b527972cbea91c6bbec018c9bc458f0a36dd28efd84fd0fe66eaf39fa24a496828247d15d3855c7b78f7e998a5a59f06b28d1c6444b66c6deea37148d

Download Submit
C:\Program Files\Mozilla Firefox\uninstall\RCX2065.tmp

Filesize
102KB

MD5
848ef0bfaafa8e6daa7a88588e4f5d03

SHA1
b8529d620a55a7dc32ae915304fc3fae398f7cad

SHA256
d92872b46ba6cfe28b570d23b1ab565b16f949d218c04641d0c9c176f37d0077

SHA512
4e7af7b7680c5571d6cb4c5e38d19a4d168901ca92b526d5642b8a6b0f47a100d1825c8f5be54df8899a5e01f0dcc2f1b569df69ca8d963bed79bbb64d0e7205

Download Submit
C:\Program Files\VideoLAN\VLC\RCX20A6.tmp

Filesize
95KB

MD5
32d4fe4bf2c87dbbf09d974ead4aaf87

SHA1
65bdc129c80e4ab26ae9c818bc79b5492ff9f046

SHA256
6c42d0b77a02526a3a8bd541b12fe8391f3bbc236d5c53b958c1f7a1d6b0ff30

SHA512
e48e3266734ab3590c7013d172e8f28424cfe59691f8799d16dfb1eb842aed96cda2dc794ae24a8bcbe3418aef1f68f5331b8391dd1cfa09932c2515e8f9c9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a8DF8.bat

Filesize
614B

MD5
253272c41c17cbc748051bfe3c3cf044

SHA1
1b7bdc921e864ca7a22675411fa9bb720a320e38

SHA256
2372bb637753239caec306f69932d83624d83ebb87e146ccd50f77dd0a5634ba

SHA512
264c029a11ff6e6704bc62f598bb627936bca1d87339c5ce66cabbe409676d50869bd44e4ac3294453f4cb07abc2d04dedaa66407903b68ca13f49ee29a3b11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\82777e650da1a7176dee2635c1f30179_JaffaCakes118.exe.exe

Filesize
97KB

MD5
713a30695b671b6e3b19b7d09f9d8409

SHA1
83916537c86d7dc1043c752f195f04fa42813afe

SHA256
6b42e2e9822b99f5f13a6d1f639fa64cc93001266ceb7a7d342da1bce84d5c08

SHA512
a450c691e0c8d16519b418b366a260360a57e8511c6975f2e3029c41f30a68d83448126c3d57c9fb36b3a44e839d4bbcaa73e0adfe305a71e04def2fd990cbf7

Download Submit
C:\Windows\Logo1_.exe

Filesize
93KB

MD5
4812c27e497de8c92c4a81863796caae

SHA1
392223229195aff1c13383d87e2650288091cda9

SHA256
b34edb82a325d51d912bdc6fe03bbc17fe7c3bf6a5bf830882197c81ca61b41f

SHA512
949016e5a7fb80df83876cc7d31d71b70cd1c1c7e576eb33de8922c4f724e52f93886f3fdb54538fdb94aafa387203917f4f78590f0e8d14e8b1a3ce24a7787a

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
842B

MD5
6f4adf207ef402d9ef40c6aa52ffd245

SHA1
4b05b495619c643f02e278dede8f5b1392555a57

SHA256
d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

SHA512
a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

Download Submit
memory/1964-19-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1964-14-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2044-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2044-817-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2044-1122-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2236-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download