148c1c94ec622ade72d4b8f8c248ce3b27c39b5cd9f02c079c9c9860345ac8ba

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12/08/2024, 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe
Size

229KB
MD5

8ea62755d4e84d11a74d5d935d51c919
SHA1

09241eb73c594a5e7da9824ac46de7b5e97e2f45
SHA256

148c1c94ec622ade72d4b8f8c248ce3b27c39b5cd9f02c079c9c9860345ac8ba
SHA512

79a97742ceb3f6cf71abd4c79f6c2f36809d4d1a43b3daa5484b1eee50d2b1cf08c8ba918a3da32d8179be0a9e3f7830f2549cb1202a31352efc7b28408537d5
SSDEEP

3072:42cX0J6zhizgq1r6BXUmMn8oJv7DW3q7JjZdwR7enKJ7/Hqt:bJ6zO1GBXfa7JER7e27/Hy

Score

10^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe:*:Enabled:NVIDIA driver monitor"	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe = "C:\\Windows\\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2672	netsh.exe
2956	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2512	nvsvc32.exe
2212	nvsvc32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NVIDIA driver monitor = "C:\\Windows\\nvsvc32.exe"	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA driver monitor = "C:\\Windows\\nvsvc32.exe"	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1496 set thread context of 2860	1496	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	33
PID 2512 set thread context of 2212	2512	nvsvc32.exe	40

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\nvsvc32.exb	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe
File opened for modification	C:\Windows\nvsvc32.exb	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe
File opened for modification	C:\Windows\nvsvc32.exe	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe
File created	C:\Windows\nvsvc32.exe	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe
File opened for modification	C:\Windows\mdll.dl	nvsvc32.exe
File opened for modification	C:\Windows\mtdll.dl	nvsvc32.exe
File opened for modification	C:\Windows\nvsvc32.exe	nvsvc32.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2716	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvsvc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvsvc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003125cc29be9a0e41b44a3d73dc8faf710000000002000000000010660000000100002000000088810b1eebae94ac0f84bd99ea2421c4ed4c0d9382de46a1be02682234bbf588000000000e80000000020000200000005b02efcdfc88c3b598f4e9e33deea14293c4bf5bc6e18bc29167552c1d7bdd1c200000002023e880c8965131146386de1686a8f0a6071a4b4842844c03d9987db263544f40000000891af8b47c6b23593ebcbe26a61eb6e6ae90e48ea3c3381a53d6a55f13ff546a70a7a73eea378d769cbdfae110deb35bc4afe7d82ea5f86e1a69dab0d283913c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{01CD03B1-58A2-11EF-9A20-C2007F0630F3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 807672ecaeecda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429625703"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003125cc29be9a0e41b44a3d73dc8faf7100000000020000000000106600000001000020000000be05bc68d95142c2c4da39d221f1a79d03d42f1a3ce58b0801e5f95cb6701104000000000e800000000200002000000033a92be7c2f7ba64e24ad4ac43fcf46354ad14ed5b32dab715bd75dbdd713d86900000006c8888784c8ef75f9bc9f8313fc1482c39832f748103760597c781c332ae56b47d4e022d569267a7b56d94b02945ecc5d0771a8d4a621eaa1ac74dd0a08fde0ff6947bc679bb1e3d0153148d4f8401488e9e42758445de2dc9dcef12feaa739bb2f5feffbf8deca01832dce528b431a93f08935649c6832f1a6e3a1dbec0b547c5045c627cffe760e7be366ccfe03f7f40000000b7b68861645eced18800d42c699dea94e2f56d9169cb5dce349177094a55d020ee4f9880d22cfd85b58f1745c586c2beec6484bc9d832191c5d7e84e1b8c45fd	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1384	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1384	iexplore.exe
1384	iexplore.exe
772	IEXPLORE.EXE
772	IEXPLORE.EXE
772	IEXPLORE.EXE
772	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 380	1496	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	30
PID 1496 wrote to memory of 380	1496	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	30
PID 1496 wrote to memory of 380	1496	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	30
PID 1496 wrote to memory of 380	1496	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	30
PID 380 wrote to memory of 2916	380	net.exe	32
PID 380 wrote to memory of 2916	380	net.exe	32
PID 380 wrote to memory of 2916	380	net.exe	32
PID 380 wrote to memory of 2916	380	net.exe	32
PID 1496 wrote to memory of 2860	1496	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	33
PID 1496 wrote to memory of 2860	1496	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	33
PID 1496 wrote to memory of 2860	1496	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	33
PID 1496 wrote to memory of 2860	1496	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	33
PID 1496 wrote to memory of 2860	1496	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	33
PID 1496 wrote to memory of 2860	1496	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	33
PID 1496 wrote to memory of 2860	1496	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	33
PID 1496 wrote to memory of 2860	1496	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	33
PID 1496 wrote to memory of 2860	1496	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	33
PID 2860 wrote to memory of 2956	2860	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	34
PID 2860 wrote to memory of 2956	2860	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	34
PID 2860 wrote to memory of 2956	2860	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	34
PID 2860 wrote to memory of 2956	2860	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	34
PID 2860 wrote to memory of 2512	2860	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	35
PID 2860 wrote to memory of 2512	2860	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	35
PID 2860 wrote to memory of 2512	2860	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	35
PID 2860 wrote to memory of 2512	2860	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	35
PID 2860 wrote to memory of 2680	2860	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	36
PID 2860 wrote to memory of 2680	2860	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	36
PID 2860 wrote to memory of 2680	2860	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	36
PID 2860 wrote to memory of 2680	2860	8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe	36
PID 2512 wrote to memory of 2996	2512	nvsvc32.exe	37
PID 2512 wrote to memory of 2996	2512	nvsvc32.exe	37
PID 2512 wrote to memory of 2996	2512	nvsvc32.exe	37
PID 2512 wrote to memory of 2996	2512	nvsvc32.exe	37
PID 2996 wrote to memory of 1872	2996	net.exe	39
PID 2996 wrote to memory of 1872	2996	net.exe	39
PID 2996 wrote to memory of 1872	2996	net.exe	39
PID 2996 wrote to memory of 1872	2996	net.exe	39
PID 2512 wrote to memory of 2212	2512	nvsvc32.exe	40
PID 2512 wrote to memory of 2212	2512	nvsvc32.exe	40
PID 2512 wrote to memory of 2212	2512	nvsvc32.exe	40
PID 2512 wrote to memory of 2212	2512	nvsvc32.exe	40
PID 2512 wrote to memory of 2212	2512	nvsvc32.exe	40
PID 2512 wrote to memory of 2212	2512	nvsvc32.exe	40
PID 2512 wrote to memory of 2212	2512	nvsvc32.exe	40
PID 2512 wrote to memory of 2212	2512	nvsvc32.exe	40
PID 2512 wrote to memory of 2212	2512	nvsvc32.exe	40
PID 2212 wrote to memory of 2672	2212	nvsvc32.exe	41
PID 2212 wrote to memory of 2672	2212	nvsvc32.exe	41
PID 2212 wrote to memory of 2672	2212	nvsvc32.exe	41
PID 2212 wrote to memory of 2672	2212	nvsvc32.exe	41
PID 2212 wrote to memory of 2668	2212	nvsvc32.exe	42
PID 2212 wrote to memory of 2668	2212	nvsvc32.exe	42
PID 2212 wrote to memory of 2668	2212	nvsvc32.exe	42
PID 2212 wrote to memory of 2668	2212	nvsvc32.exe	42
PID 2212 wrote to memory of 2716	2212	nvsvc32.exe	43
PID 2212 wrote to memory of 2716	2212	nvsvc32.exe	43
PID 2212 wrote to memory of 2716	2212	nvsvc32.exe	43
PID 2212 wrote to memory of 2716	2212	nvsvc32.exe	43
PID 2668 wrote to memory of 2844	2668	net.exe	47
PID 2668 wrote to memory of 2844	2668	net.exe	47
PID 2668 wrote to memory of 2844	2668	net.exe	47
PID 2668 wrote to memory of 2844	2668	net.exe	47
PID 2012 wrote to memory of 1384	2012	explorer.exe	48
PID 2012 wrote to memory of 1384	2012	explorer.exe	48

C:\Users\Admin\AppData\Local\Temp\8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\net.exe
  net stop MsMpSvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MsMpSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- C:\Users\Admin\AppData\Local\Temp\8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\8ea62755d4e84d11a74d5d935d51c919_JaffaCakes118.exe
  2⤵
  - Modifies firewall policy service
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram 1.exe 1 ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2956
- - C:\Windows\nvsvc32.exe
    "C:\Windows\nvsvc32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\net.exe
      net stop MsMpSvc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MsMpSvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
  - - C:\Windows\nvsvc32.exe
      C:\Windows\nvsvc32.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram 1.exe 1 ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2672
    - - C:\Windows\SysWOW64\net.exe
        
        net stop wuauserv
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wuauserv
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config wuauserv start= disabled
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2716
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe http://browseusers.myspace.com/Browse/Browse.aspx
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://browseusers.myspace.com/Browse/Browse.aspx
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1384
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1384 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
b77f09397ee1a874efc73a0624c27f0e

SHA1
c336ca136b87d382d325d0b6b39a030b165eb372

SHA256
49c2d240f3422468e6871ae7979dcd3b0ed6d19654588cbf2d688218939f66a0

SHA512
e7a5348b51e6174ba5731e79d227c7a9edc03b3eff764625ff71897da307d28eba5634ba641d3b04d12ac4262605ccc62c69e0703c6cc9365a1d124bb6ec5f01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9208cedc0cff9e2d5ee92aa5bc48d20

SHA1
bf2c1853c6e5edc85ad2ed8169b8ccd8dc127bbb

SHA256
40fd57df4dc9ae623835749c5e91914cf8c43d49a3679be4fd245826848cf349

SHA512
3709b4c8f8f48b83c6765e7f8c104b5c2d0821099b85cca3530a23b40c74a94405b28e93a26779e06928b10d178a4173a7ba8f4c84b114ca79f6b1732d21cf9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2068bd28f878274d324cd500503a2255

SHA1
606374d5cbf3ca0c1894183f0203b8df578871b4

SHA256
698243623c237a738b1e2fb67248ca35d9a273c5297dc0084e8803fc890c6dfc

SHA512
fac13dc110e0c69b28534bec017f5ef3ab9bd52ce0b683fbbf2d18318d55f61fac7b64c2675928940c7d28960fb846be62fe47bd7e76e62f38a17660b95ddd91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8be7d39e91c490f152d590c063573df

SHA1
b63670a8063c8e362ec97e4f5fd13ca07b15b286

SHA256
e9ca1c650facdd0e36587005c3b3acdc8ff677991fa7bfc5814119c1e7ea5774

SHA512
bda75827c613cd0bfe72b3c1bdda519e460ca8df107da1b2ceed21ad69643de698898e7f82c39ef6e11a14a3e15f3a11431cf7b5884807ed78ceb4b668319b35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eafb1e982b10952e72464cc5c76d6667

SHA1
480212cfdf2547ade308b5c32bc9127e7321b298

SHA256
8dd7525cdbe7fbdbdd55c2e03b6e6861af8c739fc8132adb9e36c6a45a16d48e

SHA512
254dc9d90eac3dea8a28badd028d920b4c8b384fe52cee9591da1272cab70c859ed311cc14cfae8ac459f8b86cd6f130ea6051ddc4860b5229ab0df5f9ca5f3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eeddeaaebc2a614a0b9d1b28feffaf70

SHA1
9546d4f8138f2a7f7b778c455f253bdf7e94a5e6

SHA256
da0be7c7e3f5e19a47141371aeca8ad43b429d77523afe5ab2f0c87bb792ebf3

SHA512
d143afd11ac32f059a4c854d957dc33d304f62c1e62d59602c16b8f421fa504d377bcde26b154145951967768f677b5a5b3183529b0ec0cce5d65e2262f978dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e90a9f77d15b3d89a2f29941a3344ebd

SHA1
4abea3916f8013dbf8e4787e2d68c67074ed5186

SHA256
3c474f6304f574182e23141f8bd2485a929e1f291559305a28619821b66dd654

SHA512
d003af5c3e3f923e54c9cb3d431628e97b5d7d2be25007ee06941fd42c7784bc7f9db12ad9ecf264a21018f6362fa0cc2b2a76bfac1cbdc62e33c204fed922c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
749181cecf00bbe87e50d7e986a9a54d

SHA1
d1bbfc4c3cf6b3415e47665290b7886f100891f1

SHA256
6eb5892192990dc9dcf4d47b0b841a5b53de188f95e2a5e4b45b2895a02713f6

SHA512
c7e18557dd7aa6925aa9eebba2ee55261b5d2b5f7d743376b94d77751180ff99d0d4d746f8f29550eb11bf8f962d22c4ffd22e3984c448ac179fba484396e9cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f6d2d7861e187e0616bd45aaff4d73c

SHA1
457e778a2efc10a4ab2ab5eb1d6b9acdb6b55cc5

SHA256
7e4eea8da1e23f043e038047c5e6835ec0261e81e336633000831e488394779b

SHA512
db3a3e1669f9652c55fd5ee348403bdc2359ab9d1018d36ace915e6f745accae2337d51d954f372d148d3ebae3fbb11e01f444d9e49b753f700594ebc469c1e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebc8d4696bd6dc94eb8369a874115f3a

SHA1
0ce38135a275969af000add16d98c67ce3afa793

SHA256
426b08b13656bbe7ef20c41acac16feb1b20784c72e0c6c55916787983ef2f3a

SHA512
6c232ce9a6d0c96c797079e8f3a479ab6955f45af9204d7bc79f03579a489a7867dcfc20d1f14023c4abbf5cfd8d55b5ceca479463572fda8c42ca655d8c6404

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f348aaa7981beac1d8f8adf509d00b9

SHA1
ef58c44b113c6946f24dd43fb543bee45d9695e0

SHA256
648c3f0d7b1e8ff767a8bcd8fe16ba2ec730af01829c7144cbdccf1f6fae0197

SHA512
7ea98eff65a02cd1dc88788b242d9963d234711405b1a3d5088838a8e356f978a149b3e5c179680d90df28d227bd162e632633dcd513ca27ac05c396fc2546ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bbb4a02567d4002941ea26bfefffc21

SHA1
49bfec3ec094aa89f33c9ca566e949338cef13ce

SHA256
f895ac740b48c33b976ab17f6bb92941dadd5b5825007edf35e4592dc01dc10d

SHA512
51e339599e74e14d0ae1a8ad5fec052fb281f8be3391a2489f8940c1c33918c6233f303679a7a10670babc541a74a31f089d7e38f6fa5e51a4690a6746006134

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a7987e84cbded6783f3bf70b4221fba

SHA1
621e383c4b4d7f542468653e114f86c95b867851

SHA256
bf9c1e2b633518ea1c55557e88bf9abf581ba743f79615dd0849d8cbf2aae399

SHA512
6dc160d7e849602a96619f10e86f315c63acb6a97c56de04e7fa5bf724696c11971349ffea949c9e3cc17d0d92c589fbb05533fa5348b7238d0ab671adfd7df2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8345229cb6ba8de39c63072254a21b05

SHA1
b506a238e7c50dbd5bf74810ec25ce21cb1c0492

SHA256
12f9560bd417c8fe0812d139e7f7dbc51afc0c2ea7bf8090c06f797638b2a2bc

SHA512
7f77f4d772f381da2ab252867c9822bba1f22b871424add7c1f6c6516d8ad84fce060f5a4d8ef729d816823fbfb4f803eb7fa9c8a03786e23c0772cea0999cd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1b233085bf1641017875763e36cdd0a

SHA1
35f3ad010c11a4c1b615fff023c8205b30423650

SHA256
e479a79e3ef505f3c78a3e063daf6c56532d5ee9b3ff8be9ea269e841a98dca7

SHA512
7ba8571992ae1f43ccb0104de932d7a6d63b91d641a3a6cc84dab9d1aea8b30ce8698c66b8b3f6742a7f4fbc60b272f59e5d86c1c0fd9d081d8561c6e12876df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96ad5c3643b3ee8da016135718cb6121

SHA1
b609deb10041cf7b4bffaac717579943b0dafd33

SHA256
c2ac9473297183c4eb9fdf39e097a53b2e02c9b38e64d6e023626cde740803d2

SHA512
728211b5adf947337b25fda8447f666364f71b42ea835e451e5b648eeb641469d5248ea25c648c2efdba7f7cc588ac7fba7afc93724fdef90538d201b8148136

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c82b410b114dfb6d09114302785fb85

SHA1
06c6d3292e299819bd63de08dd98508b6e4f9df2

SHA256
32fb50f2fced390d0f6a39b8816283820ae28b37c27bcd360e8dd014fec738aa

SHA512
c9ebbbf6640ebdf285ff6343923b951d6e9d16c8eefc056c1f5495f606ce7dc41995d54a4e3848c280972057533f7ac03d9da0c2c91ca465d613cef516dfa679

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e693dc912309d82e4fa53164de83ef16

SHA1
e6553ed09421600adb9d3ec878235e198a7ab02b

SHA256
c211779612530bee2a86c491e519064f20653e5842b2597cf602571e7ba7e624

SHA512
8b0acad0dc6c5f79c9dbe4360e7061d7d9734bea488f8aa85330c7c8e574ab80bafa50b66a6852314a56546d7cd7a4c548be9ce33a43bddde49c7cdc81dce7cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bb9c350bdda8982140668ed76d36042

SHA1
ec7ef79caf9bf2bb91b084b040a29cd1558bc24b

SHA256
37ee5347c020fd10350450b42e2bb5e8fbf06bcaf8a46a3a1c6ea9a470a46d9f

SHA512
662c6d267f2df8bca22a4265e050a83b5480ec142595942289098a41d2d5d06ed094d09ce73a9fc87a3ca5cca8bbea6b42bdf457e53e88f49539202bae349397

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4273993e76156bc9ea8595c77df056df

SHA1
c2b64b1adc7fcb77c8df1db8cf702c50489cd5b8

SHA256
90a14c7bb6918d0ac5e0d58987eeaff81e2f3056eb9cefb6a7a5627a238b0584

SHA512
688b1c77ef3ef581851e69ca5da774fb98828260ab9599f90c0e9c2480d940740a79d21a830371eb47c6c531022edce959d0a57814cfe54abe091eaf9acf70cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
183e2ea700354a1636135db0604f6a73

SHA1
c956e1b3aa8e929c901b702e86cf2211af1c0d96

SHA256
b9b831bf60db3e9ca9b428ef6b094c093978e67f100bc2793092121dd338fd5e

SHA512
f150ebf9fd301921b425fa3ebf205399af329408020f97a7812ee9d0fec4b305535e5ca087237a8c4d6a2749ba3e3fe4bab1c120d6b718a9fa8dae322b202efb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36e0fd357e434e7256737e69adc219be

SHA1
0b6d36d2f05c618b020858493311b7f1a93c8f78

SHA256
5e23c0e53a4cb61bfd6600bde8f63df4ff64f9db790e233403eae684bcd28e5e

SHA512
068134d9a0e806aa8eefd1a5cbeb51834d1bda2927cb583ad838264f55f53f56a7ecd472794d4c0502fb242d01d4ee53dc7679777cde25a8afb534a063dacb6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc24d37be439a06c9c0409a5d26b4fe2

SHA1
8428e5c0d10acc3d54821771e8be36fb723bc5f9

SHA256
96078cd51c70b9555624afd063ee1bed66833b8cdf7b8bcce69b4b646e5c9794

SHA512
b0f02a499a9832b0157d8c962b51c3c9259c96a4f182e14cb577ca0930db4f494df632a43dbb8577bcb6303102aa5c20c1cc3307a308ddd4b6663aa35c13958c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
799877dc6bdc4e73e5643b05dcf791c7

SHA1
808674826747c7e88ccc42e5ce1a3a5f3c8ba564

SHA256
a8bbf9ae78509c204645ef3d6f41b6a65a69bf90047c0ed9d50e932264b0e252

SHA512
a3e69ed07b70f7ee9d43c3479ae0b990c2dbe30e4bedd04dac8d626fba3ec5d8e97fe14e1c306e5acfdc0a435d22b83e6b94114585166ff223145ff972c79dae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee7c11acb180a62d4d4c8132264a29d4

SHA1
63b11a0348d222fa380fbd63f1ce5eeb4092b9b9

SHA256
e218b18cca9b3dfc86e94189562ae6b9113a7f67e12608d17049c70fd6445e73

SHA512
b56996555b5e76d363b86a4279791cc6eb09918aa7b3cbe57a9e360354b03703f97d4ba61b60a476f3476a0f48af610be8da1cba80d7bf49fdbaf6f2793d1913

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4d1866b93c4acc937e7b50bf5fabec4

SHA1
69192102f393698c53913961ecb3db2662e0f1ec

SHA256
fdb8bda22ab853166bb4be94b2970e0021c2a5ca0e86ea61a0f8d670e28ba943

SHA512
e8192df2a809d44420a6afa77e945fb1cbe33245ce782e38b9079c473b32efe678aa69ae1bc988f15f3944ab04af4be77dad537fe682c4ab64da61fae83f793d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
095ea4b5b1ef9eb4c1d5eda071816ac2

SHA1
477fa82297f5e363bf9c4ccd27fcb67dcc321a8e

SHA256
256c00bb14ae184b7278fbde0d4d4d8528c96e21129e33ec1b288b2ebf4c6e16

SHA512
ff51c758b4db3c4895f15452b3e5626424282562644e4a0bbd11b47381088a8831740f0e4deed9517e9b1a0f5702fc2be06f7f868093bbcc4e9b6e9c4edb0183

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfb377b6f0333e8dbcaa33d8d1b5bef3

SHA1
a58962923305c3065daf81e0764f27a4ef827944

SHA256
47efa07525a231d764a35938530c76f3bc7c04b2d60fc56f6b3dace3daf32081

SHA512
746ced583cc401e53cf2aea3cbf2fc472ad7a18c07f7e33d32a9ef64cccc19210306fbd9c0545e394f9f6989f7df77c1702fcdeb9f2cad3cd130bb1fd997aa67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19e2f7552e1afad46e92a6fc0a465c79

SHA1
e18783beb64c07e15243a83b8ab812afe0107b95

SHA256
5b7b4c695475c5abacb47915e355a12fa7d4cea991d4c65914a13d61ca713a63

SHA512
bcf29d7daf19f8d34eb36044de68b000f82bd005aba0310af61cf34bf956fc696fa2501ce8ffeecf1656fdd72ed44f1ff5d63a98b5b95e9bb07b79484b3343ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49e3ee5b6ee52527acc36278862659b0

SHA1
2662301254c25f58fc7e8a2640bcaffefdbf98b1

SHA256
6914b92f4cb1d29de8f10bca30a3a647f6bf4a1fc510e0118cc12457349cecba

SHA512
087b79ba3fa9bd83b6045651a20ce99a27a7cd45dcfa7e696e3afad7bb5c07ddec4cd074f5ded94c4b586887eaa5be26918a7abb22e4723e0de82881dcbd385e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02e403462fc81c78e01097b72b8a396c

SHA1
fdf623853d5f8e9d979fa38a50bac9d906041b02

SHA256
13380f5e528b22cd9b71d64fcd0c65f48940a4e4f717d664b86d31bbb6be912d

SHA512
6b07616a32727fa2e32cc62f75bbe071eddc2abd2abb132f06a94003b52ba12dd4c5a54cc09edd81cb5ca0e8361278121904909e62e610dd57d114f799258e49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be1bc4707ebee46ca8754c789512e24d

SHA1
e92630909a4014aa2ebe252d65cf800257c67976

SHA256
e84383fc8d62d3564dca1fb1d4a49c380cdbbd19583a27e0141e469429be6538

SHA512
3d33972f5baefc8924bd5830e829ca8529cbec11d41a2925ea463bf4347bd17d2f04f6540177365018ccfecb10d2837b838670f122aaffe1190a6683d65c6866

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11a9d564af7c03dfa7938e1b441e624c

SHA1
8d8ff4764def8a8879ff5764622753253e8c4a02

SHA256
b22103a07cb8018f6580a14143280c753bb8f4dfc3286dda5059869fb4454c2b

SHA512
5e7037063882eefb78941c5aaf1385aa1a1e76a27819a1249ff0b59930535d5594064594b03b015deab8a8b9f87b126036bda2b39730390ffd40ab02cc5c40ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ea14987136d0b46bad3497430db5a29

SHA1
dfc55a5dc33b2ae99f95095abd00c2d905c5ea56

SHA256
125b6e71405d3600aa55654d3d2739cbfeb537e48001d275add4c81c966a98b6

SHA512
497912586fe138fcb84cca530f8ed9e4a8012a04a85c356b4b9306847296d10ea8970a90b337ef8ccd4bcca93ab5df6f4e5f0562d0348628646cfab355f10c64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
222ff1e6bafc738a4711d179cfa27fa6

SHA1
1c87e455ba66be43a9a1c18f19d04ae3696b005c

SHA256
651d86337be66f75366cf61d29a9221664befa9a7765089f3f9c7070dd9fcf1a

SHA512
a538b2950ca039c53d72acbb997c816f6904d1bf96db9a6c3a3faa4f1c579dc6f42a263831143c4652ffd60ff64d309c9ab92e21b4911753d657d0d7d1f89efd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa1d85125404b1637ac5f84653931fcb

SHA1
5d113d63379fec3ee26b8729f5b742d56e577134

SHA256
91525378c0b71a7f6fe18cdb7c608ef5eb8f7e418cec640cec29ba7b99289c2a

SHA512
0b7c7a6396506b36b62f00ce1498f28056880060c00c512676bdf8289ef2f6cd5b3630da37d92607d34b8c4cf2f6d3322941c495f98a679b8c0135f1c88412c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e167be6295b0f9230acd15d3ff1cd0b1

SHA1
e0f1078d5c9e849d2e8b85f4564c7b289faaeb9d

SHA256
0187d188c3198f7a35c637093942caee849c47bb5e7f3835399dd8e4e324508e

SHA512
b70c3c8b0a9f2a7cf123e0facb096dd462b0a5c6e0fff33716c56872fbb325c776a7d83fa7a7aef31666d9ac1a19dc931a523748d1645bbda8cc002fa657316b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d66bb76d78b4894b9ee3f24da4db9769

SHA1
e049c59824d6cbebef8dffa3a3c780dac6f481ae

SHA256
54e24ba9b070cff97d081ce53569a4ac75367d7465f928a84cea01da6442b52c

SHA512
2fcd019ddfbdb5a799a699ef90f9a1732f99b93203b21f04e5d9889e9b6beefe72f0409c082fb9fa1e5a28a296d40445bc5b830abe997ef15b570c3f71e8cc2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e779a1478979d9c2153cbf174ea1173

SHA1
8467dabd8e369ff1cc74fcb52308dc5bdcfb200f

SHA256
8be9d372918bc1ab56245a2a6d339eea86ff6771ee588caa1d8bb01b4cd3ea66

SHA512
20919fe6d0b991c59b1a7d31200f1b5f9462893e38f727a7c1765d9faea84871f3574ea28300566cb143998c143d28ca23cd3544b2f1bee54bb779d159304aee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce3050e9f919cc0ea8344e086fe073c2

SHA1
c677e288e54c9fd2640fba9082583484739255a1

SHA256
acb313188db13d4bd3f4bd5a397daa48508aad977fd5b85788a01ec4d40b9073

SHA512
d23ce714f2bd81132396ac2193a23e545890c5a2f65ce70df7cc221bbd84e9a345e6abe2a24c15c135726c4f79f7ab11ee119fd56ec572d285e40dd52ab16066

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b42b637496beafeff67e0a895832313c

SHA1
2690b1921da6c6546ef34512009519f71388e119

SHA256
f1e156f90e677d117d2293c65959f6a5d886f056273b868d462c385a89ec5cc8

SHA512
5e973b8572920230602033932683e8846a8d959fac33bb9a81a84a84fa17c02a0ca1eff3648ffe8a84cfccd6d45cea8252583ac51c65dd8671f7dfd09f7ef730

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8fa76b352c1f2a863abb1b84028bd35

SHA1
a51d3a65693c49536a188f6dbb71e7de76f69b86

SHA256
b451b4b65d16c74d6aba077698575f16827300c506a7d469a5349d365b612202

SHA512
9b563cc07cf106bec9ee908202ec42d592e17cbad662f8b91e96e6cb6b7ca75783b253368acb9b94263322065af3bc357695ddb5aca2720e723e4358bb70bab1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bbeddd18eb526d50b81234a9c42d14c

SHA1
5d67524b7c9872e8b7cdc4cbcd78b6a00b580069

SHA256
2ecaf6fb7c4ea9468d2c0acded3ab95ff38d5e1f330be8a0d6048c02e5abe84a

SHA512
9d63fdfaa5aa7a2701e5f44a1822bd8f3ef86f4a0283128adaf6f370fae42890ca9766fd4d9a645a935f9695d3e91364d7434dd6852c03d41b16e9d9e66da051

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b0d70ff365d73acc7124e92010a96f33

SHA1
70bf1e63771269cc31629641e31a59ed2707deb1

SHA256
2c3dd99ba3c10fd7d95a25d209f2ec38397a3ec1733a411e8eb825597d81d9d2

SHA512
a38dd7d94fafc9a32bf9cd139d89b67356820053be5ab5c5181f89deb4d957b3e9db86fd91be78c33d51cd364e5145a7106b39eb7e6723fe258676edb387ed55

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFECB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2E3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\nvsvc32.exb

Filesize
229KB

MD5
8ea62755d4e84d11a74d5d935d51c919

SHA1
09241eb73c594a5e7da9824ac46de7b5e97e2f45

SHA256
148c1c94ec622ade72d4b8f8c248ce3b27c39b5cd9f02c079c9c9860345ac8ba

SHA512
79a97742ceb3f6cf71abd4c79f6c2f36809d4d1a43b3daa5484b1eee50d2b1cf08c8ba918a3da32d8179be0a9e3f7830f2549cb1202a31352efc7b28408537d5

Download Submit
memory/2212-3526-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2212-39-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2212-3826-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2212-3277-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2212-44-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2212-3823-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2860-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2860-7-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2860-4-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2860-14-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2860-0-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2860-2-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2860-42-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2860-10-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads