3716b919a585fa4902c432b81235b850d36d2d07079498b958927804ff947c22

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Size

298KB
MD5

03ca8f4558571b27bef876d0005663bd
SHA1

08e6dbadc0e38517565127514f66a6d5794bb88d
SHA256

3716b919a585fa4902c432b81235b850d36d2d07079498b958927804ff947c22
SHA512

4391181cc2ca0acf4c94d076d614f1c2a770706c710ede7e355bcdd7e07bfc41ad8ae47eb909a2d5ce21bb3698f4bc728413eb3650f79abee7bb25fae4c29716
SSDEEP

6144:CzSY0RcrnbIFMzEOjh64JDZs6z7/WKtuujadWphpVsznR1bYhmbM:uKcrnbIA7dTYKsujaqpkRChmbM

Score

7^/10

aspackv2 discovery

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000700000002342d-34.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pp111.exe	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\pp111.exe	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Pnkx.exe	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Version Vector	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.1188.com/?JaffaCakes118"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\ShellFolder	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\InprocServer32	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\open	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open\command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.1188.com/?JaffaCakes118"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\ÊôÐÔ(&R)	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\ÊôÐÔ(&R)\Command	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\DefaultIcon	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\ÊôÐÔ(&R)	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shell\open\command	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\lnkfile	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\ = "Internet Explorer"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open\command	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\ÊôÐÔ(&R)\ = "ÊôÐÔ(&R)"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\shellex	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\InprocServer32\InprocServer32 = "Apartment"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\Shell\open\ = "´ò¿ªÖ÷Ò³(&H)"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E188F7A3-A04E-413E-99D1-D79A45F78506}\ShellFolder\Attributes = "0"	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 2664	220	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	86
PID 220 wrote to memory of 2664	220	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	86
PID 220 wrote to memory of 2664	220	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	86
PID 220 wrote to memory of 700	220	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	88
PID 220 wrote to memory of 700	220	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	88
PID 220 wrote to memory of 700	220	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	88
PID 220 wrote to memory of 4028	220	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	89
PID 220 wrote to memory of 4028	220	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	89
PID 220 wrote to memory of 4028	220	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	89
PID 220 wrote to memory of 2424	220	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	92
PID 220 wrote to memory of 2424	220	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	92
PID 220 wrote to memory of 2424	220	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	92
PID 220 wrote to memory of 2580	220	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	93
PID 220 wrote to memory of 2580	220	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	93
PID 220 wrote to memory of 2580	220	03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe	93
PID 2664 wrote to memory of 3232	2664	cmd.exe	94
PID 2664 wrote to memory of 3232	2664	cmd.exe	94
PID 2664 wrote to memory of 3232	2664	cmd.exe	94
PID 2664 wrote to memory of 4468	2664	cmd.exe	95
PID 2664 wrote to memory of 4468	2664	cmd.exe	95
PID 2664 wrote to memory of 4468	2664	cmd.exe	95
PID 4028 wrote to memory of 2288	4028	cmd.exe	98
PID 4028 wrote to memory of 2288	4028	cmd.exe	98
PID 4028 wrote to memory of 2288	4028	cmd.exe	98
PID 4028 wrote to memory of 2920	4028	cmd.exe	99
PID 4028 wrote to memory of 2920	4028	cmd.exe	99
PID 4028 wrote to memory of 2920	4028	cmd.exe	99
PID 700 wrote to memory of 908	700	cmd.exe	100
PID 700 wrote to memory of 908	700	cmd.exe	100
PID 700 wrote to memory of 908	700	cmd.exe	100
PID 700 wrote to memory of 2564	700	cmd.exe	101
PID 700 wrote to memory of 2564	700	cmd.exe	101
PID 700 wrote to memory of 2564	700	cmd.exe	101
PID 2580 wrote to memory of 2252	2580	cmd.exe	102
PID 2580 wrote to memory of 2252	2580	cmd.exe	102
PID 2580 wrote to memory of 2252	2580	cmd.exe	102
PID 2580 wrote to memory of 8	2580	cmd.exe	103
PID 2580 wrote to memory of 8	2580	cmd.exe	103
PID 2580 wrote to memory of 8	2580	cmd.exe	103
PID 2424 wrote to memory of 4776	2424	cmd.exe	105
PID 2424 wrote to memory of 4776	2424	cmd.exe	105
PID 2424 wrote to memory of 4776	2424	cmd.exe	105
PID 2424 wrote to memory of 4016	2424	cmd.exe	106
PID 2424 wrote to memory of 4016	2424	cmd.exe	106
PID 2424 wrote to memory of 4016	2424	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03ca8f4558571b27bef876d0005663bd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun12.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3232
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun61.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:908
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe" /G Everyone:R /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun73.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2288
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun43.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4776
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\Desktop\Internet Explorer.lnk" /G Everyone:R /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srun19.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2252
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\╞⌠╢» Internet Explorer Σ»└└╞≈.lnk" /G Everyone:R /C
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\ie\iexplore.exe

Filesize
814KB

MD5
5e5f63cd0ca3ee94c61a2db20ce33fc9

SHA1
c90ea9645c7cc1ad7553675a7ecdf880b1fb4621

SHA256
219280ffebd3d771102fc3a7f26529e5e9161366e3a5de2f8943d81dda7756bf

SHA512
b36df698f1cbe52df754db9fcfba7e6811b6fc74f44a89378ce29356630f66a10d526402e9d133f8ab608bb614e2214945c0b732b4db3d0cad3d3665e062edcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun12.bat

Filesize
130B

MD5
af197ab4ce4325a4d9404424e380d026

SHA1
a2d56574a4bc489be1bf25e5030e0a817ffdd2cf

SHA256
553c843afa7141da9096178c0b75805e6677d58a08833449fe24f2b7b9b61950

SHA512
5547fad3d2866429345e90aa634c5a5fe341b6af24c3e9e76dc42b4fdfee489357708ad9154851ae9e687c9ee08bfcd546d7ae9c60f8403548fec81a150722ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun19.bat

Filesize
191B

MD5
83a6d9f519941c0c7150da1d3b06f077

SHA1
b26fdddaa23010f07853dcc269bc4327160fcf47

SHA256
92015fe71ca302fa0a74d7d56b1f84409e2a6a25ac2e40ac6b85309a9be4008e

SHA512
b41fa1c48525cf130344dad5137f4f847e52834700c191b10e4f0d738a43fa8d6398cd8c803ee6fad1be2947ae2b48a47bf985b828ba946df98f83bfaed9b019

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun43.bat

Filesize
130B

MD5
cd56ccdaf1d7638c0af8c306696faa2d

SHA1
0247a2ec40277a4971c3299054467fb51113c8cd

SHA256
bc251a0ddd4dfb39f72e1613936530bc06a9466dc451b785e90905ca7d2a20f5

SHA512
7b0db034a3ce38d8d780dff9aac1ba40d75d417841851bda1e96acef98f5096d0478ae351a69995839eaa37458dadcd7d13a7bfc9383c10d5a9fe271e004d51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun61.bat

Filesize
142B

MD5
e86a459370957b4f3539a3e123e7b3db

SHA1
ffc678861a18ff07ca4a7e6470011a51b58e2759

SHA256
e955f4eb7a7978d0f4d6cbe29db39503164ca3eac4fa89677311e4e951393747

SHA512
d28b933df8723a61663bd4a18d9ef1c3b4fef1502263587a410496f29266762591d06c9846b346849b64bb381062aa3be3950221275361e4fe6d672090eb7bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\srun73.bat

Filesize
130B

MD5
a64dba561aef05132368b946ef75d1b8

SHA1
fc27ba6252030af9547514a92e58a0ea9ebe99d1

SHA256
47f97774c7bf781bac836e19deba3f62c83c5b7fa8fc884431730c4a81639e64

SHA512
b1da1c7cd754f3f3d2d471f80f76797dec5652e693de8f00a66170cbe7c8c111dca459dea114211afdff807756473fb27562b7fa77e0f83819e4e0a44b7c6023

Download Submit
C:\Users\Admin\Desktop\Internet Explorer.lnk

Filesize
1KB

MD5
c84397c8fefe5d9b4a480d520b8c75e8

SHA1
6dd0dc4250400a69d57e543ed4a147c70ac1e7ae

SHA256
91e4547b6ca3a6664cf75fb03aea845470f4b00b4863be53d931caaba3cea781

SHA512
eb8a2815d8bff51af280c6f23beaa676fdbc0c7707eda90b2e3a66204e1bbe6833348485fc03dbe45863c3d40af6862eb7e7303478eefe7fcf0af2e69372b7f6

Download Submit
C:\Windows\SysWOW64\Pnkx.exe

Filesize
298KB

MD5
4d7caeaf82ebca37a54a7f9cda40562e

SHA1
ab24ef2a3938be8080b57004ac3275299102b5fe

SHA256
3783131beaa732f5645933d36c4f47993ced754041bffb40c1c47ae957033eff

SHA512
6fe36aef486a5b96cf01ddcc353f6f0f80630bed0959cadb96e992f6b2dd88c9c0f2f2ed9924d826867fa228617cb582d2285abb3364343530a4707d2071d3e0

Download Submit
memory/220-0-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/220-1-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/220-2-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/220-38-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads