d2d5fb1d5c83cc02bfd7aee35098b50c84f64142d3399fcd6ddc5f2b91e405fd

Analysis

max time kernel
133s
max time network
129s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08-07-2024 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe
Size

250KB
MD5

2da95afc1df937edf2c441579c7e8eed
SHA1

1a5b0a5389dc64259a79353e96bff26ef1f00763
SHA256

d2d5fb1d5c83cc02bfd7aee35098b50c84f64142d3399fcd6ddc5f2b91e405fd
SHA512

8a7e4196411287ad5353a65dc10249348b13c57f091d1cbc461c08ac67dd01742023c2dafaab5da6b46a54f9aa0869965fd123717d8b61f9c89e2acf0d9ddb1d
SSDEEP

6144:WhieuJDr5T8b2ufqBLjSB/MS7irtIa6cwoD8ZroSfjGFA:TeKrJJuf86AYcwoaoSbr

Score

8^/10

execution persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2260-0-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/2260-36-0x0000000000400000-0x00000000004B1000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2260-36-0x0000000000400000-0x00000000004B1000-memory.dmp	autoit_exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\winrar.jse	2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe
File opened for modification	C:\Program Files\WinRAR\winrar.jse	2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6D248951-3DA2-11EF-98E7-76B5B9884319} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c700000000020000000000106600000001000020000000a62d7440f094e9941e495f80549284fad461c1c177808dcd754b8b8540b306c5000000000e800000000200002000000019882405e95907250e3c57705789292d40139305211cd92ab76eb0cc8d6fdd03200000006b9b9112236b112a569f4f99c7cb4bf73c04bfa868055cb3a713d9c5ea7756d64000000078f535a0b99778ce825207e889a6b7b03c1b11683da745da1c6861f8bc2fccc4c0b6b19f2276f417810e976b5dd43b8c64c93d716bf30583700f1352d618d390	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 604d7c32afd1da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c7000000000200000000001066000000010000200000008759c8371d01d089a466d56679b8b72114f937f89ad7898f535cf5ba80cf8bc5000000000e80000000020000200000005f90eb1d05dd6ecd8a7d47778ee29c3bcaff24df08f3f36bcd2682739c60f8ed90000000306d3f843ff46ccd394c9381e8ed01d1df53fbd7183cec0d61910602463bcac901a753214f4d93d8150433e495bc408af4bc8f308a4e65d3479e46ec18c6dcb521da1e2268342ff3f3ce2fca77828a943aee1b9d10f5250367d7bc08f89ba74099a43b2d0fc15166dd035843363f917508df936dafff5073d00ccc788baf981a27ed5cd40ef957e232bbc92a3e743907400000009c7daff1938fd7e9fecdebe47e44bf5581574b6be10e0416cc55367911e27c5998a7a369e48b3d8f5c76c1b7774cd3ee3ebd31cc163b856e22b0362fea24d857	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426657197"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mmc	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\ = "open"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\ContextMenuHandlers	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\IconHandler	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\ContextMenuHandlers\	WScript.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\IsShortcut	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open\command	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\ = "¿ì½Ý·½Ê½"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\NeverShowExt	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\CLSID	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mmc\ = "mmcfile"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\DefaultIcon	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open\command\ = "WScript.exe \"C:\\Program Files (x86)\\Winrar\\winrar.jse\" \"%1\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2636	PING.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2100	explorer.exe
Token: SeShutdownPrivilege	2100	explorer.exe
Token: SeShutdownPrivilege	2100	explorer.exe
Token: SeShutdownPrivilege	2100	explorer.exe
Token: SeShutdownPrivilege	2100	explorer.exe
Token: SeShutdownPrivilege	2100	explorer.exe
Token: SeShutdownPrivilege	2100	explorer.exe
Token: SeShutdownPrivilege	2100	explorer.exe
Token: SeShutdownPrivilege	2100	explorer.exe
Token: SeShutdownPrivilege	2100	explorer.exe
Token: SeShutdownPrivilege	2100	explorer.exe
Token: SeShutdownPrivilege	2100	explorer.exe
Token: SeShutdownPrivilege	2100	explorer.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
2260	2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe
2260	2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe
2260	2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe
2260	2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe
2416	iexplore.exe
2416	iexplore.exe
2416	iexplore.exe
2416	iexplore.exe
2416	iexplore.exe
2416	iexplore.exe
2416	iexplore.exe
2416	iexplore.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2260	2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe
2260	2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2416	iexplore.exe
2416	iexplore.exe
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 1652	2260	2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe	28
PID 2260 wrote to memory of 1652	2260	2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe	28
PID 2260 wrote to memory of 1652	2260	2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe	28
PID 2260 wrote to memory of 1652	2260	2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe	28
PID 1652 wrote to memory of 2416	1652	WScript.exe	31
PID 1652 wrote to memory of 2416	1652	WScript.exe	31
PID 1652 wrote to memory of 2416	1652	WScript.exe	31
PID 1652 wrote to memory of 2416	1652	WScript.exe	31
PID 2260 wrote to memory of 2704	2260	2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe	32
PID 2260 wrote to memory of 2704	2260	2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe	32
PID 2260 wrote to memory of 2704	2260	2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe	32
PID 2260 wrote to memory of 2704	2260	2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe	32
PID 2704 wrote to memory of 2636	2704	cmd.exe	34
PID 2704 wrote to memory of 2636	2704	cmd.exe	34
PID 2704 wrote to memory of 2636	2704	cmd.exe	34
PID 2704 wrote to memory of 2636	2704	cmd.exe	34
PID 2416 wrote to memory of 2624	2416	iexplore.exe	35
PID 2416 wrote to memory of 2624	2416	iexplore.exe	35
PID 2416 wrote to memory of 2624	2416	iexplore.exe	35
PID 2416 wrote to memory of 2624	2416	iexplore.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\WinRAR\winrar.jse"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.go2000.com/?g8
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 4 127.1>nul &del /q "C:\Users\Admin\AppData\Local\Temp\2da95afc1df937edf2c441579c7e8eed_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 4 127.1
    3⤵
    - Runs ping.exe
    PID:2636

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\winrar.jse

Filesize
11KB

MD5
9208c38b58c7c7114f3149591580b980

SHA1
8154bdee622a386894636b7db046744724c3fc2b

SHA256
cb1b908e509020904b05dc6e4ec17d877d394eb60f6ec0d993ceba5839913a0c

SHA512
a421c6afa6d25185ec52a8218bddf84537407fd2f6cabe38c1be814d97920cfff693a48b4f48eb30c98437cbbb8ad30ccd28c3b4b7c24379ef36ac361ddfdbf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52ac846724856cf60a2aafd56cf68f98

SHA1
a59e22fb5b4559bc185fb8bcf4450d352358a458

SHA256
f19880f5166c50e34affebeed00fa0ffa6c69c7e3334b370df21289c6ddb847f

SHA512
36c9aa18129b69f355fffbff5e9b635838a0dae06965a061eb720ca97c47a8e5e6c01ef4ad7835e0a35b53964b676b0cfd3a18669d7a7fea9e4fabab4027dd36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b95ce8ffc0534449467ac4fed6acfc3

SHA1
8adc6046213b89066629a3380790b07cfde0f2e6

SHA256
9ee3d5844b5c7d374e11b058440581b59bf89c4f946640ce079f71950fecca28

SHA512
705f8ea38cf7ef31b367e9ddabeb6afa8f016922de946c85ceba7fc301a2009ff271be53b8f632318ec6caccfde4a665b91b16bd1810371fa31b3334baaa304b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a944fa6e9a1b5123d9127e9a51d755d

SHA1
2a6a6875001a22b8e14d137a0009304931cc2b7e

SHA256
056b9aaf6d146a8032bc10678aa3483d9ca74f6ca6166e7480f0039eb6f4bf86

SHA512
9cd5d93e61ef93af9a6714a82904235eff7551cd00c25836977aacc12f72be0b08a61f009a50cff7aedee7292f3b414e911a8f42636ff53e8fa52845866f0e36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74f4c0acd01724d9fe24d8c72db77e17

SHA1
91cd5961170ca321b1e374fb09f7d1373fb92bb5

SHA256
bceed60d4af0fd182e8d5885b01d65ca32d119ecacbfb62dad7f97de4145281a

SHA512
0a3798b733b95533f6adf096ecc52ef2b0aac7cd408984a28be15406652ec6b3b8d0a7252d3ff1d6cf800f7be46f5eca22bb63f40d7c20ed8a86605a57360c87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
420647864a9f170a2122d611bb35dfdd

SHA1
11e706950472528ddec8a3c49f60d233b7f2cd5b

SHA256
d6b2760bbc72c8e31f2a6414aa45c8d47f4c57caa3123c74bd7cd84a73e69483

SHA512
56de0c7cb089811d9f30fef291ad8cc9fa43f5275677d45bb767f6b3943a33b79bfbccf8a1ea43bb4b84b8ee737c811747e5e3728f44ba058089169497b4b366

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3010b89fbc005ea3f811672caf27993

SHA1
e16748de0051c8cb14aa6457e3e3f39e459a4d3f

SHA256
cb72e237ce4a27e70a4f166f3b7592b23b51cc695570d9ec3f5946941d655ae4

SHA512
b7b88605a17f20bec902699a45aa67a2474348f68e28983a2b1598ae22fb41b3c1bb9f0693b676d62ba3ca03c4118c6b62fb154656a3cbdecb7900e311e142e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4706e86565e934ed9e0e9d7e9eb91596

SHA1
09d5e59aa74ee3624213382f83f1e3b3bdd1a032

SHA256
84f4a706e99d87a9a770445db1bc83b15e30366884fff9de460418aecad8a1a8

SHA512
4a81cb7c7a5ce6ed7d3be5e6c1ab06dee4bed4e3aa3f11ffe96dd72344f147a31432bc1c0fa9f711eb21ecb954f1c3399dfbfa7973337aaf73f35819748b32d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c6b3b7a76b99ed2c28d8a88502f6149

SHA1
c07d753d9e183111cc2936a659007ba43e6647ed

SHA256
f32d8581f601a4e3d42faa52766298f32c6b6714cd7cdd5c33e83de6dd17222f

SHA512
4685b3a82b7ecb0f74dded4d5f3fed53c4d8d01fc6364fda68145156c36c7e276e50e8edbe0fbe9f2c36519428932810c582dc76f4a2b4d1b4d60455ba0c8bc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd59a6a4885da5cf5b35537a19a12fe3

SHA1
299d1972ba18d11a6d35a6f3344a56e6bbafc2fc

SHA256
d38e829507fec95aecc075f62122cb01cdb38fb8fb07d86b29d3747e50eab92d

SHA512
0f2c0f45cefe3574d39886ef78e00202b4eadddb008369bdabfe900aa5d16f5b7d266af26d0a46a523ca955088f5f26563e1374008a3dbde903e12304d979cc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35da8b45419286ffeaa9661e8d2b6f5d

SHA1
8393bb32d2a61355696b02836cb5fe025102e99c

SHA256
90bdc8157d39ccd4948b76dd10907e586dac41d37b961b2c87ae2febad53c63f

SHA512
d5c0bdd848fbbefb1529273b8f166f22d3a8ac65e296b78baabd918c23d83b78184bd510271ad8b05f4a4cf43bb30f2c22211057875bf0a46cf794c9370d486b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbf36be9ef9149bbcf68486e06f26723

SHA1
f94aa85db677afca05a2200b8a9001f5a2848059

SHA256
5d49d8f7a6a9ec37e407e9b475e527fa1938bf7c730c50ad2861c3d51fbe13ef

SHA512
a9f34c5dc829bf07198a325ebbbb61628e2b5d046bfabd52bbcd5eb4dd64deb57dc2f94f2c3b9b9a49621f8f4904e8714d68e5ecb7343fbff5e27caa3be55008

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46b0755d515f4e4bd46ad88e203002ec

SHA1
1b61bfbb4e74f1ee2b7c761faebf37610b2b5890

SHA256
a4ee9108b4ee2f19e92b9ce9f88aff572e9351194015d1fbfec5d3416ae69105

SHA512
0d63793bba72e8e0642dc725cca95bd6c25111aa67b433c18a632b5dfabc6652a5e12c3e6d87ecb9d6038beec3c11c23a9b20201f9cdc21397f3be3a2e084ce5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62a83a44338cdbedc41885510719eb05

SHA1
35db65ec59c8d9f38a457605517249ef1be539da

SHA256
d78cd3452a659bc9fb17daf34a6c14b18b0b9673bdcbeb8f588a2ddd345b972d

SHA512
e5708db21e28df7f96dc05e4f2be0706d2d69571d0065a58e5c8b22acc176a18861a959fda05bc5712225e0e835928eaa6a2393cf4069ba31ae3e34a3fa9ce6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cc2522a3e58a4642d7601f915ba06f9

SHA1
a667abc8c0e7d038403db0a7ca3df11a88645f72

SHA256
2fd35aee2b6169e484badbbd2e1f8bd1361539d1ec404ef50966572f0fd0e327

SHA512
6a8472478e816e3e53874f45a0d01e6789223c250db5c42419c65606eb43b0b381fb811c01fb623815c3c641ba573500c27a9414544e7812ee6429cdcd487bee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19df8ddabfe98808990b3c0a805d87c5

SHA1
397d2b4c656799e2b54ba28c24003e6c87a2d492

SHA256
1876ff076d8b8220ecb9c50588db2845f00f7f83e291078e3dc26cf03ce74645

SHA512
e4a47b6a7062b69933a53ec44071ffd26ccf5fc2a3fd3dcf34cd338aa69145bbf41e3caba434b96744d0eb8fe0c22a5745faa53f0fed7564670e9643c4c500d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aae1bf302bca8924d0c110d293fd8bb3

SHA1
2606c7190f36354e2aa0845a4ccacd81ee8a7635

SHA256
4eb8f09450e3c1f05c04d4785ca6465b7153c382b8763ad3584d2b66fe2e3d31

SHA512
34510deec7abbfe871fbf9e9c042c14a50240a9686ce60299c958f8516af158115d0b77f6785df925c90e995e291b3fa1506227e84e15bd081433c08089a7ded

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2c27fb4475d171f703a1f0b2f1d454e

SHA1
91d4d85c40e176ad28a4f8299710dbacf6c33082

SHA256
18fef24d18c6800ba4743315dcad35cffeeb9ab1035b52555a62e455a29adee9

SHA512
0eac843b67970a09a9aaf88e7ab23d4e2ed22a561da4608f5f431e4e6786ec330b189499ee997f7e7d4dc1f05cb0271dba5d75045f43b44776b0e6b59776f514

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f04e313b95b37663c6037f329d6d72b

SHA1
bca21e514e50bd1209c662d8183dc0b2421743dd

SHA256
414c69e20642fd35ed385b143804d9737579e332c7494f51895843557ea6daed

SHA512
2b57074ac617f05f7ede59affc9736793e5ab578c5c7cd326a57c882123cc3d0afa2c3ac1855097dbd44c038e0c138c19ec14e3d331df6d7f4f7c9e22360ab84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3dd2352c131cb185d7a5893f36aa5be8

SHA1
f6dc50fbb46d21967fb51f82431f293191130618

SHA256
fda68fb55144a461541f812a6c447f4c66787639e2f3bb807453e6d45efabb01

SHA512
327bd63e5ce96fc7423858063ac6ef611e0610a92100bf61ea9da952656d71ff8de999929cc562dde921b6478a0eaecf24db4a3ece8d2ffdabf5f53a21ccd3d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfb8252d6f0f0873cd36b9d693efbcba

SHA1
09ced30f560183394c428543bdb102e51a18bdec

SHA256
39a7a81d12f6d36098dcafe06c5ca6b6d3d4cfd884783e6b71d354fbf13b2c72

SHA512
13123134864be7973cdf6f50bd937cf631e09bdf9298ee202b95a12f5a06aecac8ebcb1b963bdc808e131b8c2741979d6f05f91adb452ce5e3caf0a3f737a862

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df947ea964cd4d09d92e936d541ac126

SHA1
4877f7637e90bb14958740eee86ef345a1f121b1

SHA256
ce4091d6590fadd90a576393b6f41eb68bf941d6fe533e5422c1bcbebf534458

SHA512
03dd49372ee1b25786d519b3970376dcd3a9eb8178fd373c4da99d4e026b1b7525f3a7d488624dcc39957b2ff12277597a59a4dece5044cfc1025023c0777230

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e1972ac36d8dcfaf08c239a4bb2e0b5

SHA1
9fae9d688917ba1d0f955edb5252482c01620fdf

SHA256
02499b6ee2ca2a6f607afbd99281e40c6265581acb34fc265400840fed8b3341

SHA512
1455e0c9280d55298fc0982dd7ecde9fa4375bc7788e518d5647127ed9789353f10bf0082e8c4e84d55b65a01cfcb6cd1062fef7bc202fb85493b15b5ded8d2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43db4a937f764c7415170e0ef546d33c

SHA1
e1fa773899207f45b1791bbb9927927c3afbe799

SHA256
a21ac1f9431e7eaa20ff7d1916b1cbf91b02a9f42905eedb5a8df395a713e37f

SHA512
fd8efa024c0b4b65ca098d4eb7efe0ef5303ff3c5eb722ea795ed678b0770f74b2de64bce3c25dfd4e07dcfbac47c283a4714fec5f7380e012910c6c9bab96ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9CAF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9CD1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.mmc

Filesize
255B

MD5
a0c4d2f989198272c1e2593e65c9c6cb

SHA1
0fa5cf2c05483bb89b611e0de9db674e9d53389c

SHA256
f3170aeec265cc49ff0f5dcb7ed7897371b0f7d1321f823f53b9b0e3a30e1d23

SHA512
209798b5b153283bea29974c1433fe8b6c14f2a54e57237d021ecc1013b8dc6931dedcc2fe173d121c719901045fdf2215177ba164c05d703f2e88a196252ec4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.mmc

Filesize
149B

MD5
b0ad7e59754e8d953129437b08846b5f

SHA1
9ed0ae9bc497b3aa65aed2130d068c4c1c70d87a

SHA256
cf80455e97e3fede569ea275fa701c0f185eeba64f695286647afe56d29e2c37

SHA512
53e6ce64ad4e9f5696de92a32f65d06dbd459fd12256481706d7e6d677a14c15238e5351f97d2eb7bfb129a0d39f2603c4d14305a86821ed56e9face0bc252b6

Download Submit
memory/2100-1092-0x0000000002B30000-0x0000000002B40000-memory.dmp

Filesize
64KB

Download
memory/2260-0-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2260-36-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads