Analysis
-
max time kernel
135s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
14-05-2024 17:07
Static task
static1
Behavioral task
behavioral1
Sample
4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exe
-
Size
736KB
-
MD5
4245f76471e5837dd3323e07bf7e6bda
-
SHA1
2ec34da792c51acc16efb2e618e13e361a8866ed
-
SHA256
ed1bc0cf788dac18aeaf4cc9fb125b9721931e4f0b7fde56ef08993ad975fb1a
-
SHA512
83eac9a8e46257d7432a8c5df3befcabded63f9061879e8bd76efe497c48f7453124b6c6495afebb7f93784cbdfc283053a7a815ba8957f04ba486b35d7d9de6
-
SSDEEP
12288:UfHjv8bKWzon9/eltgjq77hrkY8PJgRfLuQrXhspyPn3zaJV:UYzz+St0q77hrIJErXhsADa
Malware Config
Extracted
Protocol: smtp- Host:
smtp.zoho.com - Port:
587 - Username:
[email protected] - Password:
tonyelo000
Extracted
hawkeye_reborn
- fields
- name
Signatures
-
Detect ZGRat V1 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3780-3-0x0000000005210000-0x0000000005238000-memory.dmp family_zgrat_v1 -
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
Processes:
resource yara_rule behavioral2/memory/1616-14-0x0000000000400000-0x0000000000490000-memory.dmp m00nd3v_logger -
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/1616-17-0x0000000002C90000-0x0000000002D06000-memory.dmp MailPassView behavioral2/memory/448-29-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral2/memory/448-30-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView behavioral2/memory/448-32-0x0000000000400000-0x000000000041C000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/1616-17-0x0000000002C90000-0x0000000002D06000-memory.dmp WebBrowserPassView behavioral2/memory/4028-20-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral2/memory/4028-21-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView behavioral2/memory/4028-27-0x0000000000400000-0x000000000045B000-memory.dmp WebBrowserPassView -
Nirsoft 7 IoCs
Processes:
resource yara_rule behavioral2/memory/1616-17-0x0000000002C90000-0x0000000002D06000-memory.dmp Nirsoft behavioral2/memory/4028-20-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/4028-21-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/4028-27-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral2/memory/448-29-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral2/memory/448-30-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft behavioral2/memory/448-32-0x0000000000400000-0x000000000041C000-memory.dmp Nirsoft -
Sets file execution options in registry 2 TTPs 64 IoCs
Processes:
installed.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe\Debugger = "rundll32.exe" installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "rundll32.exe" installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = "rundll32.exe" installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "rundll32.exe" installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe\Debugger = "rundll32.exe" installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe\Debugger = "rundll32.exe" installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe\Debugger = "rundll32.exe" installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe\Debugger = "rundll32.exe" installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "rundll32.exe" installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "rundll32.exe" installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "rundll32.exe" installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe" installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\Debugger = "rundll32.exe" installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe\Debugger = "rundll32.exe" installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe\Debugger = "rundll32.exe" installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\Debugger = "rundll32.exe" installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = "rundll32.exe" installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "rundll32.exe" installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger = "rundll32.exe" installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe\Debugger = "rundll32.exe" installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe\Debugger = "rundll32.exe" installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "rundll32.exe" installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "rundll32.exe" installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe\Debugger = "rundll32.exe" installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "rundll32.exe" installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "rundll32.exe" installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe\Debugger = "rundll32.exe" installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe\Debugger = "rundll32.exe" installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe\Debugger = "rundll32.exe" installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe\Debugger = "rundll32.exe" installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe installed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe\Debugger = "rundll32.exe" installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe installed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe installed.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation 4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
Processes:
installed.exeinstalled.exepid process 4772 installed.exe 1616 installed.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule behavioral2/memory/3780-3-0x0000000005210000-0x0000000005238000-memory.dmp agile_net -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
installed.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Local\\installed.exe -boot" installed.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
installed.exeinstalled.exedescription pid process target process PID 4772 set thread context of 1616 4772 installed.exe installed.exe PID 1616 set thread context of 4028 1616 installed.exe vbc.exe PID 1616 set thread context of 448 1616 installed.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exeinstalled.exevbc.exeinstalled.exepid process 3780 4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exe 4772 installed.exe 4028 vbc.exe 4028 vbc.exe 4028 vbc.exe 4028 vbc.exe 4028 vbc.exe 4028 vbc.exe 4028 vbc.exe 4028 vbc.exe 4028 vbc.exe 4028 vbc.exe 4028 vbc.exe 4028 vbc.exe 1616 installed.exe 1616 installed.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exeinstalled.exeinstalled.exedescription pid process Token: SeDebugPrivilege 3780 4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exe Token: SeDebugPrivilege 4772 installed.exe Token: SeDebugPrivilege 1616 installed.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
installed.exepid process 1616 installed.exe -
Suspicious use of WriteProcessMemory 35 IoCs
Processes:
4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exeexplorer.exeinstalled.exeinstalled.exedescription pid process target process PID 3780 wrote to memory of 1760 3780 4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exe cmd.exe PID 3780 wrote to memory of 1760 3780 4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exe cmd.exe PID 3780 wrote to memory of 1760 3780 4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exe cmd.exe PID 3780 wrote to memory of 4080 3780 4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exe explorer.exe PID 3780 wrote to memory of 4080 3780 4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exe explorer.exe PID 3780 wrote to memory of 4080 3780 4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exe explorer.exe PID 3956 wrote to memory of 4772 3956 explorer.exe installed.exe PID 3956 wrote to memory of 4772 3956 explorer.exe installed.exe PID 3956 wrote to memory of 4772 3956 explorer.exe installed.exe PID 4772 wrote to memory of 1616 4772 installed.exe installed.exe PID 4772 wrote to memory of 1616 4772 installed.exe installed.exe PID 4772 wrote to memory of 1616 4772 installed.exe installed.exe PID 4772 wrote to memory of 1616 4772 installed.exe installed.exe PID 4772 wrote to memory of 1616 4772 installed.exe installed.exe PID 4772 wrote to memory of 1616 4772 installed.exe installed.exe PID 4772 wrote to memory of 1616 4772 installed.exe installed.exe PID 4772 wrote to memory of 1616 4772 installed.exe installed.exe PID 1616 wrote to memory of 4028 1616 installed.exe vbc.exe PID 1616 wrote to memory of 4028 1616 installed.exe vbc.exe PID 1616 wrote to memory of 4028 1616 installed.exe vbc.exe PID 1616 wrote to memory of 4028 1616 installed.exe vbc.exe PID 1616 wrote to memory of 4028 1616 installed.exe vbc.exe PID 1616 wrote to memory of 4028 1616 installed.exe vbc.exe PID 1616 wrote to memory of 4028 1616 installed.exe vbc.exe PID 1616 wrote to memory of 4028 1616 installed.exe vbc.exe PID 1616 wrote to memory of 4028 1616 installed.exe vbc.exe PID 1616 wrote to memory of 448 1616 installed.exe vbc.exe PID 1616 wrote to memory of 448 1616 installed.exe vbc.exe PID 1616 wrote to memory of 448 1616 installed.exe vbc.exe PID 1616 wrote to memory of 448 1616 installed.exe vbc.exe PID 1616 wrote to memory of 448 1616 installed.exe vbc.exe PID 1616 wrote to memory of 448 1616 installed.exe vbc.exe PID 1616 wrote to memory of 448 1616 installed.exe vbc.exe PID 1616 wrote to memory of 448 1616 installed.exe vbc.exe PID 1616 wrote to memory of 448 1616 installed.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\4245f76471e5837dd3323e07bf7e6bda_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\installed.exe"2⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\installed.exe"2⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\installed.exe"C:\Users\Admin\AppData\Local\installed.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\installed.exe"C:\Users\Admin\AppData\Local\installed.exe"3⤵
- Sets file execution options in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFADB.tmp"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpFEF2.tmp"4⤵
- Accesses Microsoft Outlook accounts
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpFADB.tmpFilesize
4KB
MD50c71400795defb1ddf2816dcb2440470
SHA1a9f25ddc014a44b58a890ac42ea47d98a3f754a3
SHA256eef6222f63aae44aec7addd2cdf1d348af92b32e0be1d4c857c48d9a941d9dac
SHA5124d5fd766afe850d8282b85ca0ff3ef36e225e754254f43e1e3e0147675d40f901096199e666310e7f70b6cfbe9f33f3dbe4a063fbd4df7267190bad5121efabf
-
C:\Users\Admin\AppData\Local\installed.exeFilesize
736KB
MD54245f76471e5837dd3323e07bf7e6bda
SHA12ec34da792c51acc16efb2e618e13e361a8866ed
SHA256ed1bc0cf788dac18aeaf4cc9fb125b9721931e4f0b7fde56ef08993ad975fb1a
SHA51283eac9a8e46257d7432a8c5df3befcabded63f9061879e8bd76efe497c48f7453124b6c6495afebb7f93784cbdfc283053a7a815ba8957f04ba486b35d7d9de6
-
memory/448-31-0x0000000000420000-0x00000000004E9000-memory.dmpFilesize
804KB
-
memory/448-32-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/448-30-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/448-29-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1616-14-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/1616-33-0x0000000006090000-0x000000000609A000-memory.dmpFilesize
40KB
-
memory/1616-18-0x0000000005360000-0x00000000053C6000-memory.dmpFilesize
408KB
-
memory/1616-17-0x0000000002C90000-0x0000000002D06000-memory.dmpFilesize
472KB
-
memory/3780-5-0x0000000074740000-0x0000000074EF0000-memory.dmpFilesize
7.7MB
-
memory/3780-10-0x0000000074740000-0x0000000074EF0000-memory.dmpFilesize
7.7MB
-
memory/3780-6-0x00000000078C0000-0x0000000007952000-memory.dmpFilesize
584KB
-
memory/3780-0-0x000000007474E000-0x000000007474F000-memory.dmpFilesize
4KB
-
memory/3780-4-0x0000000007DD0000-0x0000000008374000-memory.dmpFilesize
5.6MB
-
memory/3780-3-0x0000000005210000-0x0000000005238000-memory.dmpFilesize
160KB
-
memory/3780-2-0x0000000007720000-0x0000000007816000-memory.dmpFilesize
984KB
-
memory/3780-1-0x00000000007B0000-0x0000000000870000-memory.dmpFilesize
768KB
-
memory/4028-20-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/4028-21-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/4028-27-0x0000000000400000-0x000000000045B000-memory.dmpFilesize
364KB
-
memory/4772-13-0x0000000008180000-0x000000000821C000-memory.dmpFilesize
624KB