6b910c57f9c39db8f4d49e8e1826f4b1c7c41b1c90ae7624354a023a742730f4

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Size

289KB
MD5

444e57036688988056cbe2bcd5d1c2dd
SHA1

ecf6ccbaebc5fde8458bc9911b1ca1b0d7a4c0d4
SHA256

6b910c57f9c39db8f4d49e8e1826f4b1c7c41b1c90ae7624354a023a742730f4
SHA512

6f6aa67fc82ce7135ee3a53df732f053cf684df44e6dfed58fc2ce16023d8fe5773f13f4805f62c3ac5383592d8a4b21780bc930bcf23c7976831330da5f3730
SSDEEP

6144:9QqPftf8zXkU0mciu1QxSS9GfqDHEENAcixN8P/x:xf8zXz0mcNydTEENS83x

Score

7^/10

adware discovery persistence stealer

Malware Config

Signatures

Loads dropped DLL 9 IoCs

pid	Process
2556	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
2556	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
2556	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
1860	rundll32.exe
1860	rundll32.exe
1860	rundll32.exe
1860	rundll32.exe
1936	WerFault.exe
1936	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bipro = "rundll32 \"C:\\Windows\\$NtUninstallMTF197$\\jcdyr.dll\",,Run"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gchk = "C:\\Windows\\$NtUninstallMTF197$\\upg.exe"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 7 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C895FFC0-22B8-48A7-87CC-A09F2A7D35F9}\NoExplorer = "1"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C664BE3A-9A5A-40DF-9CDB-28B8DC6002BE}	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C664BE3A-9A5A-40DF-9CDB-28B8DC6002BE}\ = "Sky-Banners Browser Enhancer jcdyr"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C664BE3A-9A5A-40DF-9CDB-28B8DC6002BE}\NoExplorer = "1"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C895FFC0-22B8-48A7-87CC-A09F2A7D35F9}	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C895FFC0-22B8-48A7-87CC-A09F2A7D35F9}\ = "Street-Ads Browser Enhancer vscpi"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\$NtUninstallMTF197$\vscpi.dll	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
File created	C:\Windows\$NtUninstallMTF197$\jcdyr.dll	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
File created	C:\Windows\$NtUninstallMTF197$\irjtf.exe	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
File created	C:\Windows\$NtUninstallMTF197$\apUninstall.exe	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
File created	C:\Windows\$NtUninstallMTF197$\zrpt.xml	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1936	1860	WerFault.exe	30

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20188a76a6d5da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000930ed985b08cdd4cb38e38023150682b00000000020000000000106600000001000020000000fd6bd37a77bd834ed44898755bf5e930e155fa202cadb4e407281132fba91168000000000e8000000002000020000000722e0414c1b8e4355facf6b57a1fef3c65740baa928fbd3f4d62504b38283115900000004ebacaca70a2ed255c23ed44ed85e13b55e46a50dd89b0c074c9434d62ebf1eafa272b5627ef80cf3d9377920994a918a47017cce6d3634e2ad2c7b27f240ed4acfd920882d929abaae76db8ea26ec3c257b06c6c9ab6b393bf7b8e3cb7995e1a4504fbba0b586323a50804e29ec89c43e00839ce1dc0f55c219fe6c4b848f039b816b2e625d035d20c16eaa271d5efb40000000031bf545a5ca8acf18fcbf7b879d403183676b1d79c3009c3717d767ef1bba09c86d6910b3af6d0309ba54a79f6dd69da7e9d607ec65dbe1275f6ceed06e72d7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{901BA7E1-4199-11EF-9AA1-FE3EAF6E2A14} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000930ed985b08cdd4cb38e38023150682b00000000020000000000106600000001000020000000f6772e3d21a6a843ffc807e7916d50eb8b83d3f54ad42d3d22824ee7e7815f62000000000e8000000002000020000000e7d0d8f8056e8f688ffa1ae1d984f1be2f12256db215be5c4c1640b57e1835aa20000000ce9ee0cabeaee7152e3d52ebd6b26bc3c030a99db719255fc790b976be18be7240000000bc9e9a1b11f677c65bb2b2598fdfc63018f90e8b2548b71d82da5b3761f3365965f4da950116672cdd5adb39aa0d45711cd1c81844dbe5809db8fd37dcfa1a70	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427093195"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F438590B-7D4F-4DF7-80B7-AF29D82B2B19}\InprocServer32\ = "C:\\Windows\\$NtUninstallMTF197$\\jcdyr.dll"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\brumazcicgrm.brumazcicgrm.1.0\CLSID	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21E63E5B-E84F-4F49-9167-03E431ABF7BE}\ProgID\ = "brumazcicgrm.brumazcicgrm.1.0"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21E63E5B-E84F-4F49-9167-03E431ABF7BE}\VersionIndependentProgID\ = "brumazcicgrm.brumazcicgrm"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21E63E5B-E84F-4F49-9167-03E431ABF7BE}\VersionIndependentProgID	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{252EA345-5F90-44BD-BE1A-6F8FAD0A96B3}\instl\data\SFTID = "50f6584b7adf46c48fe5a448eedaaab4"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\adfazcicpr.adfazcicpr.1.0\CLSID\ = "{F438590B-7D4F-4DF7-80B7-AF29D82B2B19}"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CD48497-A88A-4647-8169-71CB056CC0A9}\ProgID	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C664BE3A-9A5A-40DF-9CDB-28B8DC6002BE}\InprocServer32\ = "C:\\Windows\\$NtUninstallMTF197$\\jcdyr.dll"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\brumazcicgrm.brumazcicgrm.1.0\ = "brumazcicgrm Object"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\brumazcicgrm.brumazcicgrm\CurVer\ = "brumazcicgrm.brumazcicgrm.1.0"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F438590B-7D4F-4DF7-80B7-AF29D82B2B19}\VersionIndependentProgID	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C664BE3A-9A5A-40DF-9CDB-28B8DC6002BE}\ProgID	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C664BE3A-9A5A-40DF-9CDB-28B8DC6002BE}\VersionIndependentProgID\ = "adfazcicpr.adfazcicpr"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21E63E5B-E84F-4F49-9167-03E431ABF7BE}\AppID	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F438590B-7D4F-4DF7-80B7-AF29D82B2B19}\TypeLib	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{252EA345-5F90-44BD-BE1A-6F8FAD0A96B3}\instl\data\afltId = "zd1206"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21E63E5B-E84F-4F49-9167-03E431ABF7BE}\VersionIndependentProgID	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chkazcichst.chkazcichst.1.0\CLSID	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21E63E5B-E84F-4F49-9167-03E431ABF7BE}\InprocServer32\ = "C:\\Windows\\$NtUninstallMTF197$\\vscpi.dll"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chkazcichst.chkazcichst.1.0	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21E63E5B-E84F-4F49-9167-03E431ABF7BE}	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{252EA345-5F90-44BD-BE1A-6F8FAD0A96B3}\instl\data\PRDCTID = "adPro"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F438590B-7D4F-4DF7-80B7-AF29D82B2B19}\ProgID	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chkazcichst.chkazcichst	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chkazcichst.chkazcichst\CLSID	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CD48497-A88A-4647-8169-71CB056CC0A9}\VersionIndependentProgID\ = "chkazcichst.chkazcichst"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{81AD6EA6-E257-4960-944E-554FF8C8BCCB}\instl\data	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21E63E5B-E84F-4F49-9167-03E431ABF7BE}\InprocServer32	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F438590B-7D4F-4DF7-80B7-AF29D82B2B19}\InprocServer32	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F438590B-7D4F-4DF7-80B7-AF29D82B2B19}\TypeLib\ = "{18B5BB0D-DC38-4611-B16C-2A6A82FECAE5}"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\chkazcichst.chkazcichst\CLSID\ = "{6CD48497-A88A-4647-8169-71CB056CC0A9}"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CD48497-A88A-4647-8169-71CB056CC0A9}\ProgID\ = "chkazcichst.chkazcichst.1.0"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{81AD6EA6-E257-4960-944E-554FF8C8BCCB}\instl\data\SFTID = "5c99801024414eeb9449a411fbc92267"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{252EA345-5F90-44BD-BE1A-6F8FAD0A96B3}\instl	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{81AD6EA6-E257-4960-944E-554FF8C8BCCB}\instl	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21E63E5B-E84F-4F49-9167-03E431ABF7BE}\ProgID	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21E63E5B-E84F-4F49-9167-03E431ABF7BE}\Programmable	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\adfazcicpr.adfazcicpr\CurVer	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CD48497-A88A-4647-8169-71CB056CC0A9}\Programmable	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C664BE3A-9A5A-40DF-9CDB-28B8DC6002BE}\TypeLib\ = "{18B5BB0D-DC38-4611-B16C-2A6A82FECAE5}"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F438590B-7D4F-4DF7-80B7-AF29D82B2B19}\Programmable	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{81AD6EA6-E257-4960-944E-554FF8C8BCCB}\instl\data\afltId = "zd1206"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\brumazcicgrm.brumazcicgrm\CLSID	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C895FFC0-22B8-48A7-87CC-A09F2A7D35F9}\AppID	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CD48497-A88A-4647-8169-71CB056CC0A9}\ = "chkazcichst Object"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{9D427022-285D-4C82-888B-FC59A02B7CD2}\apps\{252EA345-5F90-44BD-BE1A-6F8FAD0A96B3}\ = "C:\\Windows\\$NtUninstallMTF197$\\vscpi.dll"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chkazcichst.chkazcichst\CurVer	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21E63E5B-E84F-4F49-9167-03E431ABF7BE}	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\adfazcicpr.adfazcicpr.1.0\CLSID	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\chkazcichst.chkazcichst.1.0\ = "chkazcichst Object"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\chkazcichst.chkazcichst\ = "chkazcichst Object"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C664BE3A-9A5A-40DF-9CDB-28B8DC6002BE}\TypeLib	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{81AD6EA6-E257-4960-944E-554FF8C8BCCB}\instl\data\instlDay = "19918"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{252EA345-5F90-44BD-BE1A-6F8FAD0A96B3}	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\brumazcicgrm.brumazcicgrm\ = "brumazcicgrm Object"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{252EA345-5F90-44BD-BE1A-6F8FAD0A96B3}\instl\Data	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{9D427022-285D-4C82-888B-FC59A02B7CD2}	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F438590B-7D4F-4DF7-80B7-AF29D82B2B19}\VersionIndependentProgID\ = "adfazcicpr.adfazcicpr"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\chkazcichst.chkazcichst.1.0\CLSID\ = "{6CD48497-A88A-4647-8169-71CB056CC0A9}"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6CD48497-A88A-4647-8169-71CB056CC0A9}\TypeLib\ = "{18B5BB0D-DC38-4611-B16C-2A6A82FECAE5}"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21E63E5B-E84F-4F49-9167-03E431ABF7BE}\ = "brumazcicgrm Object"	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{252EA345-5F90-44BD-BE1A-6F8FAD0A96B3}\Instl	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2720	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2720	iexplore.exe
2720	iexplore.exe
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 1860	2556	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe	30
PID 2556 wrote to memory of 1860	2556	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe	30
PID 2556 wrote to memory of 1860	2556	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe	30
PID 2556 wrote to memory of 1860	2556	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe	30
PID 2556 wrote to memory of 1860	2556	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe	30
PID 2556 wrote to memory of 1860	2556	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe	30
PID 2556 wrote to memory of 1860	2556	444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2652	2720	iexplore.exe	34
PID 2720 wrote to memory of 2652	2720	iexplore.exe	34
PID 2720 wrote to memory of 2652	2720	iexplore.exe	34
PID 2720 wrote to memory of 2652	2720	iexplore.exe	34
PID 2720 wrote to memory of 2652	2720	iexplore.exe	34
PID 2720 wrote to memory of 2652	2720	iexplore.exe	34
PID 2720 wrote to memory of 2652	2720	iexplore.exe	34
PID 1860 wrote to memory of 1936	1860	rundll32.exe	35
PID 1860 wrote to memory of 1936	1860	rundll32.exe	35
PID 1860 wrote to memory of 1936	1860	rundll32.exe	35
PID 1860 wrote to memory of 1936	1860	rundll32.exe	35
PID 1860 wrote to memory of 1936	1860	rundll32.exe	35
PID 1860 wrote to memory of 1936	1860	rundll32.exe	35
PID 1860 wrote to memory of 1936	1860	rundll32.exe	35

C:\Users\Admin\AppData\Local\Temp\444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\444e57036688988056cbe2bcd5d1c2dd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Windows\$NtUninstallMTF197$\jcdyr.dll",,Run
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 296
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2720 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c1c099f5f46c2f71e8acb9a7b58db92

SHA1
f659d2996ba992e00b48d64af102511f46550ac1

SHA256
c6701af431bc30fcf4c2d0b129e7bdc310cf05bf8e3342d9be68b78fa8abf176

SHA512
e78e2b185d1a39cf23435f94a1e968f3db26732887a83af0ac05bf2ccce0219e32585d92fec073d92b11b54212d279771c04a0566aa72d3b16362596b756eea4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe337c12c24eed3b71694830324ed66e

SHA1
0e3fe87ff785970677f29f4d501c69911b669a51

SHA256
b90d710731c4e577ac3ba34a28a1cb5c63fc48d35038c07de1634611fef1df7b

SHA512
c491bcb7a98e95ace1bdcdc8ae5d9a014bcecf9709442117c7188c2fb1e493fa373f655104bf744205bc046c08c2555077ca56f3eebbdc8a6ff673f92dd5a8eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e16b413792c581add92647c93f4fece4

SHA1
c6df8423330ee9b5b6007d9ea60f3c3beefa6c42

SHA256
093afd512f97321c5ee4642c277dd6d73b2302442bcb2289d71a9d4275f8d5f4

SHA512
73b50d0d97280839b5ace3987bbdfbc2055bb3ff9aea33bcc169cf9d68b96fa82cbc31b85b84b2dc5d4750546753a1bb91f9945c5ffed0b54eeda03e48332eee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78f26f23221ae3f07e7d3ddab1d89f20

SHA1
32ce647c32f62ca2e70fefe4fd3a047dbc36c895

SHA256
a4dca3365a456c076f8fbc419aa134926a00781b5edcb840785e2f82fea055e8

SHA512
1574af722c73367d073d1fd35509305b74874153e690d02706b3e511f9a21508315719ae51aaef5f4014310266ebc539f9e955b4901fdae7c302bf9d14cac2ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fb6de3f38d375b57ed0d7b5c4ce4db6

SHA1
8cf8599dd2bc87f12d5852e83e1c9619917ead34

SHA256
da3dd60609a08b2e6975801377db10af3f8a54fb411de28cb71a5f60e9d5ef7f

SHA512
f40d65a554f616816d9ee0afe9f8638683dbdd7c419d99025bf74ab154cf35dc1b96f09b4404e7f86eb680596102b21715ea03daa86986deed2b0342e950923b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
887bd70c65b9811e3584cb494cc5ac6e

SHA1
66a12c61e4eed6d30aae6ef26599684ccbbcddd0

SHA256
a2f724421e72529af784e27012cbc02770e2fafb195a982bff12268f40c139ff

SHA512
b795a795d5f49f32094ddc9ab2ccaeb26d93764b2b01044afd27255f662bb3ab2d61f73451b288dcbb773f8b7193ca49dcefeb8c31f74f4aa703691cbabac6c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74e87bc37a26d7108cdf1defe5a334fd

SHA1
3237da15469a5ffa40ee572a2f55fe09cafd466a

SHA256
2d13d3e762c46011fe7c31e4e9da4fe9cd9d576e6c719dfdb35900afbc531dc7

SHA512
2b7ccf36908e69acf56624b2cb85d672c08523ca83fd24ce4f0f9c2d7c5a95306ab9742c8e3808e4249dc351e6c5a50b8a5894198e8deed1a5a0f07c9be5fcb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d4bfae2d2b8d82ca7f297d9bff9d3e0

SHA1
370a55b215e05cdf4fd6c5ae215873703a394ef2

SHA256
5e807699b32ea9271fcfe5373aff65edb9dcd594a7ec99f0b29514be815ae4a3

SHA512
077d6c4c418834a379c8529e54778f33048bb5490b0e17b0e2d52d7aa2d4c4678eee487534183d15265b6af7c043093e666327aebf53782bb25fc9baf90c5ed0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fce371e07f68fa10d002c30878db8450

SHA1
fccf14ab3ec3286160372bda9782385a620f707a

SHA256
01441560caaa39987fc0ac1400924bc10fadaba9f65f111a81e7a9fa3a311848

SHA512
8e064af3b2f8b1e7bc59586546fedaf0fcd830236132610f36a4de0cd8c356edc61b6b80bf90a371f9418ac116c3ece1faff6680e7a7818be06ff1db47bb7e74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebc2d3d19bc0cf81d1a27c53ab1b61b3

SHA1
39e8aa680acef602f5505cdccfd1f8ad5ee766e3

SHA256
692adfe21250edad8a6a695abe01759aefeb80f8676f98432ff421165aaa227e

SHA512
56897b587fd446a727bc41ad4b053296ebc2c60589c446dc7eef04a0287b961750e6296ffdf8ba698a015c2de4c8892cbd44a43379ab43b706a2640c32e899e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
519666d798b1caa96ee51e31ac22e5fc

SHA1
207dd2e36aa5188658e07cee9715336a243f36bf

SHA256
b7ae36ddcc264b2a5adee2eb098f611c5d27f418ccab97aa5597aa1f687af1e9

SHA512
5703bd5651f64789375adc02325d625141bc31c06770fddc033cd23e317a2091c17734bd547d4286c401a4167be387c7e376c6d0d2034dfbbe15d2464648d48c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79f25bd9df42d0febd5016914df3eceb

SHA1
4c3c7941d496b58a6cf48c36771b13e9d6511a0c

SHA256
578c31378c9500ed57925a95a86f4ac2160656b47dd16224c78b67a8100cff83

SHA512
08cabcbcb7b29dff58d672c7c3490bfcd7afbebb6fe6e9f920a75d2f7772ee7c84466630ee6ef0f235f390089e9631b134e71e550e6d77eeca489a1bd8e34447

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6575c44bbf6c73f6ea1506572eb7c47d

SHA1
ca2a7eebd3b74e041889b7a17b9a59e327330892

SHA256
dcaf834312cdeb33483d3a0f8f257b160bc162ce4f5db85c4fb3a4f39492bc28

SHA512
baa72d7f26bf0b05c3df0a69f73a5b63af82059cb8afd37893b2c347e983c934f9084c8ded91f31b83b806b0d1db0d7fae97f380ac30af4648e08dfa1d9e7b15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
634e176a4a20aaebb914eb6274235f90

SHA1
a53dddaacc898b7f9c241106637e287a603f85aa

SHA256
dd3b6ac63e898d37ed957e0c732b91866426e2c04332292903ac35e7d6544edc

SHA512
0290cc298ada54d5751e7a7111a461511c103287782e46acbd0a72ce40bec7d3e519cf27f0b60acd004d43c4ae709e2d4ca66a6962f579b34c8008559d9e1887

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7ded81d65fe0c675de25d8dd6f134f2

SHA1
7ad5348979ed0d91fd258852229a7b69595b776f

SHA256
363b6088989145114f4410d8a0083f1477e555f7ff808a10b528993c37a6abf5

SHA512
309056d177d51ea7e78981f64b0e5d4e9382f4e804658b4af5e0ecb3799a195b2aec3a4b1b881506665de16618383079504701be7c1a8c04269ecd214ab65814

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0885df94816702dcbdb904f36ab51e53

SHA1
4c16dd835f5a0a7dc06ddbeef18f4224d1f7f0a1

SHA256
466838d4e95eefd93eb870c28011e3545a412ec9c832afda29e90abf195b3329

SHA512
2d44d2de800669aa6622d8d1105d85058245add9c0eed94ee5d607207bdb10929ff588ecf3baccf102b046a017c3678d733317ee42adece0b82436cef3a22f46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf97e563888f074047fa3151b1cf119e

SHA1
8ca42788570ba6c069ee82048d3f631553e236f8

SHA256
fe4982d97b06dc9ef2a29f6bd63475bdac4071915c471957e4ca40b247761be3

SHA512
f3f4f2ae3a9cf6e0c63190f953d4b522e4faae91023239524f9dac7a2949fbd407ebbb46c617aa09012b7fbeea25baaf6119a8cb182130f98754cbb60b527dda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7545516585456efa9a8368467be98bc1

SHA1
d369d22ab3d5b8e7ed6adb7b5782a527b8a9dc48

SHA256
07003228ab5800939c5e14a5f0d97af45d75c152e993132e51e387f73531abfe

SHA512
4947734ce8bf4db3f13bd187651d9c11939a1f06b4d0551d09205dc43a1c0689d81dc7c460be3cba37ca9580660fe02b4c9c77612d3b7ce4f7e0fea8d0acb281

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab933E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar939E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\nso9271.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
\Windows\$NtUninstallMTF197$\jcdyr.dll

Filesize
292KB

MD5
4df98b634a9a17430e04e949262f7a45

SHA1
0f9763656214c22b82a75f090bcbee3427b8f922

SHA256
ec201540451668bb6de79eb91a34a35c1d14ee4ff3a6b8f0288915c21990985d

SHA512
ed4628c479b0b28f0e573995843c5a039eb69bc23f11e312e003806ed01f949d6c88d0327757a774ddbd919c9af542048af4728cc27d14c68e754d25a2e6305c

Download Submit
\Windows\$NtUninstallMTF197$\vscpi.dll

Filesize
234KB

MD5
4554afba3f6a61cc970039db2c5fd3fd

SHA1
f2a6ca7cc9b9200d6f57fef031d174e1f69cb5f0

SHA256
df10b119c61be950cb0f41d097a1b4f10c4f4f72780ae458f8c3067fef3cf7f7

SHA512
34ccc6882e9e02ee44e45a0008c7494daa9b222dc9c0558eb8f762b2f18dbc4321af04319c92ab09b7f7dc97b246c0a23969ec33d250c99aa07b8b0f4ac00691

Download Submit
memory/1860-20-0x00000000002B0000-0x00000000002B2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads