02b11daa65ab8b8fe8dd68d4cecc0f49f5360c05894ffe827a9a79c5331472cd

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 20:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

24ef9c53fe9463effb8f45104742961a_JaffaCakes118.exe
Size

1.5MB
MD5

24ef9c53fe9463effb8f45104742961a
SHA1

1fa4dc4b76966d10414ec0a337804ca5b2dc2560
SHA256

02b11daa65ab8b8fe8dd68d4cecc0f49f5360c05894ffe827a9a79c5331472cd
SHA512

a76a36b91b4afe6b6d338de59e752cf59809872db53bef9812cde7550d0f9f12f823eac224080f4efa03f827c74679d979a44093a053871408b2b074f0229afe
SSDEEP

24576:T7yryGw6Thq1kWn9+5eUMmz001Q0y7hr1SF9ONsclyrO:vyrtlq1/M5ed01der1SF9OpyrO

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	3.exe

Executes dropped EXE 3 IoCs

pid	Process
2552	3.exe
816	1.exe
2320	hfs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	24ef9c53fe9463effb8f45104742961a_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deleteme.bat	1.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 816 set thread context of 4272	816	1.exe	89

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b62-24.dat	upx
behavioral2/memory/2320-25-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/2320-36-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/2320-37-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/2320-38-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/2320-39-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/2320-44-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/2320-45-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/2320-46-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/2320-54-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/2320-58-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/2320-59-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/2320-60-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/2320-61-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/2320-62-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/2320-63-0x0000000000400000-0x00000000005F9000-memory.dmp	upx
behavioral2/memory/2320-66-0x0000000000400000-0x00000000005F9000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\program files\common files\microsoft shared\msinfo\1.jpg	3.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Rundll.exe	1.exe
File opened for modification	C:\Windows\Rundll.exe	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24ef9c53fe9463effb8f45104742961a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hfs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31136239"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "18083914"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31136239"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31136239"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435204168"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "21989909"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2CAA642E-85E2-11EF-BDBF-D6A59BC41F9D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "18083914"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Add to HFS\command	hfs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder	hfs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vfs	hfs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vfs\shell\Open\command	hfs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vfs\shell\Open	hfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vfs\shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\hfs.exe\" \"%1\""	hfs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Add to HFS\command	hfs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*	hfs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell	hfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vfs\ = "HFS file system"	hfs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell	hfs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vfs\shell	hfs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Add to HFS	hfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\Add to HFS\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\hfs.exe\" \"%1\""	hfs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Add to HFS	hfs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\Add to HFS\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\hfs.exe\" \"%1\""	hfs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4272	iexplore.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe
2320	hfs.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4272	iexplore.exe
4272	iexplore.exe
744	IEXPLORE.EXE
744	IEXPLORE.EXE
744	IEXPLORE.EXE
744	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 2552	4728	24ef9c53fe9463effb8f45104742961a_JaffaCakes118.exe	84
PID 4728 wrote to memory of 2552	4728	24ef9c53fe9463effb8f45104742961a_JaffaCakes118.exe	84
PID 4728 wrote to memory of 2552	4728	24ef9c53fe9463effb8f45104742961a_JaffaCakes118.exe	84
PID 2552 wrote to memory of 816	2552	3.exe	87
PID 2552 wrote to memory of 816	2552	3.exe	87
PID 2552 wrote to memory of 816	2552	3.exe	87
PID 4728 wrote to memory of 2320	4728	24ef9c53fe9463effb8f45104742961a_JaffaCakes118.exe	88
PID 4728 wrote to memory of 2320	4728	24ef9c53fe9463effb8f45104742961a_JaffaCakes118.exe	88
PID 4728 wrote to memory of 2320	4728	24ef9c53fe9463effb8f45104742961a_JaffaCakes118.exe	88
PID 816 wrote to memory of 4272	816	1.exe	89
PID 816 wrote to memory of 4272	816	1.exe	89
PID 816 wrote to memory of 4272	816	1.exe	89
PID 4272 wrote to memory of 744	4272	iexplore.exe	90
PID 4272 wrote to memory of 744	4272	iexplore.exe	90
PID 4272 wrote to memory of 744	4272	iexplore.exe	90
PID 816 wrote to memory of 1236	816	1.exe	91
PID 816 wrote to memory of 1236	816	1.exe	91
PID 816 wrote to memory of 1236	816	1.exe	91

C:\Users\Admin\AppData\Local\Temp\24ef9c53fe9463effb8f45104742961a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24ef9c53fe9463effb8f45104742961a_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\program files\common files\microsoft shared\msinfo\1.exe
    "C:\program files\common files\microsoft shared\msinfo\1.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" ¨Á
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4272
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4272 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1236
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hfs.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hfs.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\MSInfo\1.exe

Filesize
483KB

MD5
cf0d357cbe0b3580090164e2cd76d082

SHA1
3fd7b26d52ecd67cebfa44023c47f3263ba3cecc

SHA256
6651d89804adcbc06664dbfa3c431b126c7efcbf5a9d0685750a3af5e18d6e5e

SHA512
f4516f19d4440d0db02b5c8e2b16f9a774e675b49b0703c4c439fdfd1b85ff0643dcf9dfa5630554267e868ca23838e9b0ece995879c12adc836ffbae95cb12c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
815KB

MD5
78ca7430b94a29c579c5e077f20fe601

SHA1
b8820d0b3e73ced8b2e05e093a78363583ac0c8c

SHA256
a9e6f6791ff509437ecf2c0d7e869aad1e40a7407385fa150e2613266d90b81e

SHA512
0e52515a112405edc6985e068b633b982741027ec706e75780e7ac18d2280dd291a8d2267f4b167241fbd8f4edb2bb59e22319ad371b715530052972e2745fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hfs.exe

Filesize
652KB

MD5
b72db6bc26d5dd238635e5c438d3a673

SHA1
e7739c4c5179ab354eacb90bc60d7c337850b3df

SHA256
f11b8cbb68023da2ab8dc7f8d55bd247cddf595a4f4d04d17159983a8d6794c1

SHA512
29ba9c0410af1fd4ad7044fca7876b99dd12f29a879c84fa46084719755bb456d7b6c02f651bb839dc59764856e103ec4073b6f5ff9544e4ac34217f0df74df1

Download Submit
C:\Windows\SysWOW64\Deleteme.bat

Filesize
168B

MD5
0416b7bbd78248df1b9694d98e31f16d

SHA1
4a4401adfb1eb8ad34bd7349c379cf3f323476c7

SHA256
229fe9059eebe3da2bfc2950b484d80685d4e7454ec7139d65d7061bc3dc6691

SHA512
13028f2a66ff10199a69d191bbbbbdf8797b7e97ecf32625db9e076ba00473e139b83a2e1c818e9a7e584533b9bc0f329f9e07c6721e4d16715421683b62d055

Download Submit
memory/816-19-0x0000000000400000-0x000000000065F000-memory.dmp

Filesize
2.4MB

Download
memory/816-34-0x0000000000400000-0x000000000065F000-memory.dmp

Filesize
2.4MB

Download
memory/2320-58-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/2320-46-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/2320-66-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/2320-25-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/2320-63-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/2320-36-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/2320-37-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/2320-38-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/2320-39-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/2320-44-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/2320-45-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/2320-62-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/2320-61-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/2320-54-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/2320-60-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/2320-59-0x0000000000400000-0x00000000005F9000-memory.dmp

Filesize
2.0MB

Download
memory/2552-7-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2552-8-0x0000000000630000-0x0000000000684000-memory.dmp

Filesize
336KB

Download
memory/2552-20-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2552-21-0x0000000000630000-0x0000000000684000-memory.dmp

Filesize
336KB

Download
memory/4272-29-0x0000000000330000-0x000000000058F000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads