86c311f7a2e56d5deedad7dfafab3eb0a16f10444934968ed658636ae39d4694

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
Size

757KB
MD5

f7222343e109d46c692332fb621102c7
SHA1

b00f5c095bd426e6b9134a050bacc682ab155191
SHA256

86c311f7a2e56d5deedad7dfafab3eb0a16f10444934968ed658636ae39d4694
SHA512

e06157baca323dffeeded40ce7b225012cc973947656dc962e9c364aaba1167d61f65080b129db2921ff1163b01c17e16780ff36455823c3d00d13604716cc9c
SSDEEP

12288:gWDLGQnzIaLBuuzmhP4N/r9KRpGj3aBqpKWmsZIqKKR+v3z3ykZcjEZbce4K0037:pLGQncaLYmmZ4Nj9KRpRoUWmmKKR+Pzp

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	msnmsgr.exe

Executes dropped EXE 1 IoCs

pid	Process
3972	msnmsgr.exe

Loads dropped DLL 64 IoCs

pid	Process
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe
3972	msnmsgr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WMsnMsgr = "msnmsgr.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WMsnMsgr = "msnmsgr.exe"	regedit.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\msnmsgr.exe	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\fucker.jpg	msnmsgr.exe
File created	C:\WINDOWS\SysWOW64\demo.xt	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\Sfwwin32.dll	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\70.reg	msnmsgr.exe
File created	C:\WINDOWS\SysWOW64\Chans.dll	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\mIRC.ini	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\server.dll	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\33.reg	msnmsgr.exe
File opened for modification	C:\WINDOWS\SysWOW64\demo.xt	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\nHTMLn_2.95.dll	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\sysingB32.dll	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\sysingB32.dll	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\control.ini	msnmsgr.exe
File opened for modification	C:\WINDOWS\SysWOW64\sysingB32.dll	msnmsgr.exe
File opened for modification	C:\WINDOWS\SysWOW64\1395.reg	msnmsgr.exe
File opened for modification	C:\WINDOWS\SysWOW64\Chans.dll	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\email.txt	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\win.ini	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\win.ini	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\33.reg	msnmsgr.exe
File opened for modification	C:\WINDOWS\SysWOW64\70.reg	msnmsgr.exe
File created	C:\WINDOWS\SysWOW64\fn.xt	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\nHTMLn_2.95.dll	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\mIRC.ini	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\Sfwwin32.dll	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\msnmsgr.exe	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\1395.reg	msnmsgr.exe
File created	C:\WINDOWS\SysWOW64\control.ini	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\fucker.jpg	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\fn.xt	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\control.ini	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\email.txt	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\mirc.ini	msnmsgr.exe
File opened for modification	C:\WINDOWS\SysWOW64\fucker.jpg	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\server.dll	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "Http://www.startravestiler.com"	regedit.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	msnmsgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	msnmsgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	msnmsgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	msnmsgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"C:\\WINDOWS\\SysWOW64\\msnmsgr.exe\" -noconnect"	msnmsgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	msnmsgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	msnmsgr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	msnmsgr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	msnmsgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	msnmsgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"C:\\WINDOWS\\SysWOW64\\msnmsgr.exe\" -noconnect"	msnmsgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "ms32"	msnmsgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	msnmsgr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	msnmsgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	msnmsgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	msnmsgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	msnmsgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	msnmsgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	msnmsgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	msnmsgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	msnmsgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"C:\\WINDOWS\\SysWOW64\\msnmsgr.exe\""	msnmsgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	msnmsgr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	msnmsgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"C:\\WINDOWS\\SysWOW64\\msnmsgr.exe\""	msnmsgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	msnmsgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	msnmsgr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	msnmsgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	msnmsgr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	msnmsgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	msnmsgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "ms32"	msnmsgr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	msnmsgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	msnmsgr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	msnmsgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	msnmsgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	msnmsgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	msnmsgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	msnmsgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	msnmsgr.exe

Runs .reg file with regedit 3 IoCs

pid	Process
1128	regedit.exe
4832	regedit.exe
3844	regedit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3972	msnmsgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3972	msnmsgr.exe
3972	msnmsgr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 3972	3648	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe	85
PID 3648 wrote to memory of 3972	3648	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe	85
PID 3648 wrote to memory of 3972	3648	f7222343e109d46c692332fb621102c7_JaffaCakes118.exe	85
PID 3972 wrote to memory of 1128	3972	msnmsgr.exe	86
PID 3972 wrote to memory of 1128	3972	msnmsgr.exe	86
PID 3972 wrote to memory of 1128	3972	msnmsgr.exe	86
PID 3972 wrote to memory of 4832	3972	msnmsgr.exe	87
PID 3972 wrote to memory of 4832	3972	msnmsgr.exe	87
PID 3972 wrote to memory of 4832	3972	msnmsgr.exe	87
PID 3972 wrote to memory of 3844	3972	msnmsgr.exe	88
PID 3972 wrote to memory of 3844	3972	msnmsgr.exe	88
PID 3972 wrote to memory of 3844	3972	msnmsgr.exe	88

C:\Users\Admin\AppData\Local\Temp\f7222343e109d46c692332fb621102c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7222343e109d46c692332fb621102c7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3648
- C:\WINDOWS\SysWOW64\msnmsgr.exe
  "C:\WINDOWS\system32\msnmsgr.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\SysWOW64\regedit.exe" /s 33.reg
    3⤵
    - Adds Run key to start application
    - Runs .reg file with regedit
    PID:1128
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\SysWOW64\regedit.exe" /s 70.reg
    3⤵
    - Adds Run key to start application
    - Runs .reg file with regedit
    PID:4832
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\SysWOW64\regedit.exe" /s 1395.reg
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Runs .reg file with regedit
    PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SysWOW64\Sfwwin32.dll

Filesize
40KB

MD5
a85a6f809b5500adf9f163f60cbd9b25

SHA1
9b81d20e5ffbf9bae4bb95595579b29a282dab0f

SHA256
c67eaf1e75d7ba92ed2031010601774e02b0b2823042d7ea43d8ea582b46dd59

SHA512
032ea5e84b4690ad00c68fe85994496c149caab822ffc3cd00391a64e7e68d17df897010a1065db7dd804fc97a24058382345a15aea90941921ac035b2c1ce0d

Download Submit
C:\WINDOWS\SysWOW64\control.ini

Filesize
182B

MD5
41021fe4f3e28ddfe38a745665013fb8

SHA1
db53f6959b2211accde83a83e078219fa9c634bd

SHA256
cf306028f30ccee400a626850641755d565aba499caf0c2259c214fdcaf1770d

SHA512
e6a4b5ce390788011f8c8ec32ee455e2a979f125c460354c94c106a68ce1a10e165914914ed5280d2dfd2df57c0a7d9949227d4fe2b2fd33837d2b9529e724fc

Download Submit
C:\WINDOWS\SysWOW64\fn.xt

Filesize
16KB

MD5
d97951c75b1bdc6b4e9c934b5f3ab633

SHA1
ef07e34cf657f61e4ff97990c1f81c847c917c93

SHA256
42a21fc014d1abed68d0a9f3f303c7eea7a8029a2265245fb63f95d0e4d4e6bc

SHA512
dbe5bb142fedd61821cb21b72084a34cd49b5a2aa4f4a052e343c56271d1b7b240c1d203b605a0727708c62ad8b7c48c4d571f29d1414d9b8bd1ee1976649e9c

Download Submit
C:\WINDOWS\SysWOW64\fucker.jpg

Filesize
30KB

MD5
8133d21f449e680e9c621fbd30f61d4a

SHA1
a38b710d6548992c430f3275f024c7b507ad00cc

SHA256
2bc5fc82ce55988324739040b5904e54deddd71c7775a10412e296f554739565

SHA512
6391eb26edc00b38ab0745a3ee40f5ae2cacad7d2712dfca90aebf73ad719c875a450d841ee0be5dbe0eaec48851cfa1b328a2491c894f34d33278f24b86bc8b

Download Submit
C:\WINDOWS\SysWOW64\mirc.ini

Filesize
4KB

MD5
3dd94250b0d0a7958d698a662c584a99

SHA1
0124afbd708fa0bc8db364d28393bf0e8e690f60

SHA256
99ffff0ec3356893fbca7d655ab6b14174e7e12b1e32cfd811cc71894abee3d1

SHA512
ba91b499fb20547aad4f2f5a461f60fe1eebce5d6640b27d2a87c6b9fa3a5b394037032b648ff754f2d32936a3c561faa0c0c698f86489aa48bade151dbe2c69

Download Submit
C:\WINDOWS\SysWOW64\sysingB32.dll

Filesize
252B

MD5
8482d4e78fe1fe10bc0b223e50c13e35

SHA1
fc23e2ed0096492d97a44bb7dd73f4890f089473

SHA256
e237af5308217e9c7ffd26aee3b1e6c7eb318f1420480be7e22bed1df680c235

SHA512
b46c33bb9444b0a8217340e9b660554fc6b794807f852f29d239da96f5e04c583923eb8ba1b4d3883e169c87bf50957159f0b1dcbfd926404b48b7d2a4b374a8

Download Submit
C:\Windows\SysWOW64\1395.reg

Filesize
120B

MD5
af72950ed6eba3c502add78de989740d

SHA1
1c7a67a84ee1f04fa4d72fa971e9872c0506bbaa

SHA256
e919574075ab1d1cc4548d81daebed59f13c94054ba822baad9fd837f0abd7f7

SHA512
976ef8a6271eae3db3c55d27c352f9554eb1ed41bcc1ec0b9f4a672b7be59e86570ef4f1c19bc182860019ae43087c4bfb3e5cc3856e30deaa5eec0d71b4cda8

Download Submit
C:\Windows\SysWOW64\70.reg

Filesize
104B

MD5
ecfb3df6517a6c72e7c69a20c078aa23

SHA1
c58d4e6985972a54415fa020da99ef6dd5f906fd

SHA256
4bf0534c951000e6523f65f62d4b22fd82b3ccdfe2e6c96712981c48d2c05b87

SHA512
24dd795705756e3a0f1ceb60b76a3dd5bf59df7a3c7c57d23debbec3096b47403146d1b90e8f37f0a977e17b1107c2f610802d2a8d3befc12a4a96b28f019d86

Download Submit
C:\Windows\SysWOW64\mIRC.ini

Filesize
4KB

MD5
8f508cad6398da81139e5f4dd2e23829

SHA1
161a2a2fe2121c145a3d788252d71943af602db1

SHA256
32ff5cd4ab32aaaf651de05255ce56e89cf178009722943379066d83c563aad2

SHA512
d500d1e638ef51758206e6e4bb74ba8a3d4e8738187a1fa642742650a81c08e25f6e6312b79876c336179dc2767ca7507e5abdecca5b3f6ba4204628ebc11282

Download Submit
C:\Windows\SysWOW64\mIRC.ini

Filesize
4KB

MD5
9eaf142f6a3f422f901c8e6eaa01acb8

SHA1
e0216ab9e8f3011c28b6706d43c2eaf58a4f615f

SHA256
9444ae44e9e4c5170d04e44d66e8b05bb46df4a1a0d55d32ed9039075ed31066

SHA512
1afb848d54aa2fbd31945436b1a870297789cf342cceff89caf480cfb08c7343f7d2033c0ad9f1398e4869c776193d1725fba7674c3b47105cbe720ff01923ac

Download Submit
C:\Windows\SysWOW64\msnmsgr.exe

Filesize
1.7MB

MD5
a35434c25fb2ed3ba36a016c03cb636c

SHA1
b4e8103b52abcc8dcd9d2b058e9ef105efe508cc

SHA256
ab82804245f39b3e57674c48cc0cbb2ef2dac657fc60b258e63a46193eb66312

SHA512
8173a914186f36067a7eeeaabba2f6311889b945cae13fac70e0151abcd141b47e3d74bf6f2b653efa93b1cb208018a22d239ca7452fe5b848a666a5c30c69d8

Download Submit
memory/3648-36-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3972-293-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/3972-301-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/3972-256-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/3972-264-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/3972-275-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/3972-284-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/3972-238-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/3972-247-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/3972-310-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/3972-321-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/3972-326-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/3972-330-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/3972-334-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/3972-339-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads