7b62884a3cd7670a6f5ebba712c417936bb0f9a782003de53c85516e85f95202

Analysis

max time kernel
141s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eac9954d2428c333ac4b0483344b993b_JaffaCakes118.exe
Size

1.2MB
MD5

eac9954d2428c333ac4b0483344b993b
SHA1

7ce14ae6abbf63276d7bd5bf4679d30dd23b1789
SHA256

7b62884a3cd7670a6f5ebba712c417936bb0f9a782003de53c85516e85f95202
SHA512

cf323b79fa5becc2e71af3ff8875383ba8cce18b8d9578537e43cc2b44bcfb1fb4f6c1d20acb72a772a2b0916dd8793c878fc04863e311e673f305508c6f168b
SSDEEP

24576:vn2Cdf/6N6Kl+OG1ogqKISkqZV9vyAFUHLSMyzDJ1kAbArlbBa1FWETk:+OfSAmvGoge4P9vyAFUczokaGg

Score

8^/10

discovery evasion persistence upx

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4624	attrib.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	eac9954d2428c333ac4b0483344b993b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	pwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	GoogleUpdate.exe

Executes dropped EXE 4 IoCs

pid	Process
4360	GoogleUpdate.exe
676	pwd.exe
4300	MPR.exe
4208	realip.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1384-0-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral2/files/0x00070000000234e5-44.dat	upx
behavioral2/files/0x00070000000234e3-47.dat	upx
behavioral2/memory/4360-52-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/676-56-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1384-61-0x0000000000400000-0x000000000080C000-memory.dmp	upx
behavioral2/memory/4360-76-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/676-77-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate.exe = "C:\\Windows\\System32\\Google\\GoogleUpdate.exe"	reg.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Google\realip.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Google\GoogleUpdate.exe	cmd.exe
File created	C:\Windows\SysWOW64\Google\localip.txt	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Google	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Google\blat.dll	cmd.exe
File created	C:\Windows\SysWOW64\Google\realip.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Google\realip.exe	realip.exe
File created	C:\Windows\SysWOW64\Google\block_reader.sys	cmd.exe
File created	C:\Windows\SysWOW64\Google\MPR.exe	cmd.exe
File created	C:\Windows\SysWOW64\Google\pwd.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Google\block_reader.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Google\MPR.exe	cmd.exe
File created	C:\Windows\SysWOW64\Google\blat.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Google\blat.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Google\blat.lib	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Google\HookLib.dll	cmd.exe
File created	C:\Windows\SysWOW64\Google\GoogleUpdate.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Google\pwd.exe	cmd.exe
File created	C:\Windows\SysWOW64\Google\realip.txt	cmd.exe
File created	C:\Windows\SysWOW64\Google\blat.exe	cmd.exe
File created	C:\Windows\SysWOW64\Google\blat.lib	cmd.exe
File created	C:\Windows\SysWOW64\Google\HookLib.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eac9954d2428c333ac4b0483344b993b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	realip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MPR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoogleUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1980	ipconfig.exe

Modifies registry class 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MPR.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "MPR.DocHostUIHandler"	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\DefaultIcon\ = "C:\\Windows\\SysWOW64\\Google\\MPR.exe,0"	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open\command	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open\command\ = "C:\\Windows\\SysWOW64\\Google\\MPR.exe \"%1\""	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPR.DocHostUIHandler\Clsid	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\DefaultIcon	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Windows\\SysWOW64\\Google\\MPR.exe"	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MPR.DocHostUIHandler\ = "Implements DocHostUIHandler"	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf\ = "mprf"	MPR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\BrowserFlags = "8"	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPR.DocHostUIHandler	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf	MPR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\EditFlags = "0"	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell	MPR.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4896	reg.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4300	MPR.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4300	MPR.exe
4300	MPR.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 836	1384	eac9954d2428c333ac4b0483344b993b_JaffaCakes118.exe	81
PID 1384 wrote to memory of 836	1384	eac9954d2428c333ac4b0483344b993b_JaffaCakes118.exe	81
PID 1384 wrote to memory of 836	1384	eac9954d2428c333ac4b0483344b993b_JaffaCakes118.exe	81
PID 836 wrote to memory of 4624	836	cmd.exe	84
PID 836 wrote to memory of 4624	836	cmd.exe	84
PID 836 wrote to memory of 4624	836	cmd.exe	84
PID 836 wrote to memory of 4896	836	cmd.exe	85
PID 836 wrote to memory of 4896	836	cmd.exe	85
PID 836 wrote to memory of 4896	836	cmd.exe	85
PID 836 wrote to memory of 4360	836	cmd.exe	86
PID 836 wrote to memory of 4360	836	cmd.exe	86
PID 836 wrote to memory of 4360	836	cmd.exe	86
PID 836 wrote to memory of 676	836	cmd.exe	87
PID 836 wrote to memory of 676	836	cmd.exe	87
PID 836 wrote to memory of 676	836	cmd.exe	87
PID 676 wrote to memory of 1276	676	pwd.exe	88
PID 676 wrote to memory of 1276	676	pwd.exe	88
PID 676 wrote to memory of 1276	676	pwd.exe	88
PID 4360 wrote to memory of 3664	4360	GoogleUpdate.exe	89
PID 4360 wrote to memory of 3664	4360	GoogleUpdate.exe	89
PID 4360 wrote to memory of 3664	4360	GoogleUpdate.exe	89
PID 3664 wrote to memory of 1980	3664	cmd.exe	92
PID 3664 wrote to memory of 1980	3664	cmd.exe	92
PID 3664 wrote to memory of 1980	3664	cmd.exe	92
PID 1276 wrote to memory of 4300	1276	cmd.exe	93
PID 1276 wrote to memory of 4300	1276	cmd.exe	93
PID 1276 wrote to memory of 4300	1276	cmd.exe	93
PID 3664 wrote to memory of 4208	3664	cmd.exe	94
PID 3664 wrote to memory of 4208	3664	cmd.exe	94
PID 3664 wrote to memory of 4208	3664	cmd.exe	94

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4624	attrib.exe

C:\Users\Admin\AppData\Local\Temp\eac9954d2428c333ac4b0483344b993b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eac9954d2428c333ac4b0483344b993b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A335.tmp\1.bat" "
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h "C:\Windows\System32\Google"
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4624
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "GoogleUpdate.exe" /t REG_SZ /d "C:\Windows\System32\Google\GoogleUpdate.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4896
- - C:\Windows\SysWOW64\Google\GoogleUpdate.exe
    GoogleUpdate.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A5C5.tmp\GoogleUpdate.bat" "
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3664
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:1980
    - - C:\Windows\SysWOW64\Google\realip.exe
        
        realip.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4208
- - C:\Windows\SysWOW64\Google\pwd.exe
    pwd.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A604.tmp\pwd.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1276
    - - C:\Windows\SysWOW64\Google\MPR.exe
        
        mpr.exe /export
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A335.tmp\1.bat

Filesize
1KB

MD5
061a650773713d32f3f00d9d6e42a443

SHA1
be58547350f42f0846e642226f3416aacd1bf9fa

SHA256
d33bd0cadad2d76c7c3711e7063a3e498325bd731538b8173228e1c46027e790

SHA512
4ebaf0f241ad2fb974e46317fda9ec6f9bee1118b97222119017c30adaec9a9953a85283eb68147f097093c531d5c11b2c6710060c4be7014f5289f48933ed45

Download Submit
C:\Users\Admin\AppData\Local\Temp\A335.tmp\GoogleUpdate.exe

Filesize
383KB

MD5
4c68ee627f3c1678b582c6358f9321e7

SHA1
b8df8c9f4ff374b7e98f6690770606b65776604e

SHA256
1fe5f183e0c523be58ccecd3211596f82b481cc0337a504f55855eb0e1d33123

SHA512
d7c0aa802880ed6580b592bb99d67168188f8eb7833372c7839c700fc7fd92170744ece6e32c21afde9c5bd034f4b7103f4d73f27a3ffacc36e2adbdee7a734e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A335.tmp\HookLib.dll

Filesize
42KB

MD5
27f3b6699c6243d8089056135cef4147

SHA1
767f70d5b79bf8d308318aa0da9ef0e0adfcd5d2

SHA256
e5ad5d5b8a8ef2e686af0fd68dc70bab60508fe42f81dfa5d8e4cfade7ac2437

SHA512
0e44ae83e9a3165725a3a65d1f248141e679cc9b9911e9e60e5977154f58c50ceb3bd1eae6b0d2c4c13a1570500b32f92ee6d50934535ec54be2d1806cbee139

Download Submit
C:\Users\Admin\AppData\Local\Temp\A335.tmp\MPR.exe

Filesize
3.3MB

MD5
bc1d63148cfc6d96736c2a3b5f675e67

SHA1
f36e48980caace5e7cc7b996110ea8912ca18528

SHA256
444ca87b043e3723ccf99d96aad2310dc2faf690939c4a123a05b97d4935a7a3

SHA512
631e0948f27ab80b3cf543a4096bbd600fb457d9a5c15825beecffd46ba6b6bf74af42e42c89029f9757a76a387d084ccbca93f6fe40efe56864c69c9df25217

Download Submit
C:\Users\Admin\AppData\Local\Temp\A335.tmp\blat.dll

Filesize
126KB

MD5
6a3e5393a84513e457ed18e0913a2176

SHA1
1ecb0f51a02b6ccce8d2a58e9f28a8ae60aea12d

SHA256
14944a809d98abe7b22bf86a0a4204221991e26f00dfeafbe2b7ccc7a1dd5c5f

SHA512
10943f63b67bf0f826a6a0efbe1a99b0445170390df4db9b45ca25f352a48f8d1f066e9d6be3d567d26bcde746ce41631d9ade48959403963a279e7b23f41a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\A335.tmp\blat.exe

Filesize
119KB

MD5
3f23b78126a01245cb3dac4602d4e3f7

SHA1
15af783721bbee0480d4702f9aa35f03da3c52b8

SHA256
0d2f026dee2c8b288a469afd5274d35029e54674b0f355b91cb4461dc6d491b1

SHA512
78d204abb47c1d7fc3564cf54e41414764c81bb272ee2cb686f2d2bafadeb8ce1470c822f4d0904ced460a240f300ca545b1f8eaa2f6f21f124a0c20aa262c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\A335.tmp\blat.lib

Filesize
2KB

MD5
2e2bf0cb321e717dd2caa9228aef1e59

SHA1
b42b69f46949534c818ee9c369bae0e99b4dc36a

SHA256
042d1e40f789cb1fa43a49cb1ff20516be3370cadf1dc272adafddf4489a961e

SHA512
33b9a80706c1ec26e0fa5ca6bb2e921c57d25ba8413f2feb0d74beebc9fa50de114a0cf704948fc1cebd2c4aa6b3299cf835b719c9215eee78c8a8d83acda920

Download Submit
C:\Users\Admin\AppData\Local\Temp\A335.tmp\block_reader.sys

Filesize
1KB

MD5
f9aca461359daf992d72177f7559fa44

SHA1
242968e0c96fd9b15e8e2d40b406da80ee5d1c9e

SHA256
f6018aae2edbf28bbbc7378ea349b6cb54b553d28336cb83f3a1810d27294530

SHA512
2cf504f12e1b6cc7883e3521fa989ab06caed8810bf63bde4fcc929821e9d2776384e6370e3bbe13577f152738188eb15e9e2541a2b0cc4143b46117c18bb2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\A335.tmp\pwd.exe

Filesize
21KB

MD5
bbf7e15ba24d5eb1016a082bfe68cb84

SHA1
55d22402f00988c07fc765ab2e9e4c9b58bc5f21

SHA256
3df7e952ac598b943609abbddcebc4027608ff6fd6034edb5e89a71a4d74f2ff

SHA512
b6dc328ece1d63429fcee414b79c199bf6b2448009a35021183a4604fc3fd9798f7419b297cebc307fd36b8a6aabfb2e47d1ca18b58a0403e6946de62c783368

Download Submit
C:\Users\Admin\AppData\Local\Temp\A335.tmp\realip.exe

Filesize
40KB

MD5
effa4a5a70423867665d2a46348ecb26

SHA1
8596bef191ed40ade5980abf0158dfd3d193c352

SHA256
03b86eeff30d769e062a3228a0fb3ce6f0f8911093cd2a4a70cade34896f568d

SHA512
d94e48e1722d4814862d78f35800b4d8eff8f17be4902cbe0d2f0355fd3279faa9a403f3e4bb7ed70b44ace8dbb76b65b7c9f6e9ccf17c69e4d17e0895b8dfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5C5.tmp\GoogleUpdate.bat

Filesize
417B

MD5
083aeba786185b0354a94378e5c15688

SHA1
0fd9e68257eaa1490d26a52e267c898376e71455

SHA256
fb47b3107b69f2384fb7940e8640f63fc77676c14d449fff68e1d260d24fd6fb

SHA512
9ab625eacf6e27029738ed9476ad6abb8f370784988dd553504262e09f9c625a7a201506ba7cd0d55d6c5bd67aa0e86639fd1579b7fae2f50379ddc9dfe709e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\A604.tmp\pwd.bat

Filesize
244B

MD5
0f9bfdc68b6f7912ea080953bade0a0d

SHA1
be395363283e3618961292f1f94be2fff39fb69c

SHA256
c2adf9854ebd4ecd0eed9168828f85b005e5fce29cdd8652661d8e411d619256

SHA512
ecbb8eef497bf879f5411cae2a0c8b98979d705dfac761151837d2a6cd51dee2e5ab1c17f7f8b50a8ceda5d5ae301597e506bca0b9a4c833befa648702705e22

Download Submit
memory/676-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/676-77-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1384-0-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/1384-61-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/4208-74-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4208-82-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4300-80-0x0000000000500000-0x000000000084B000-memory.dmp

Filesize
3.3MB

Download
memory/4360-52-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4360-76-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads