6a46b2d397c4e896402a23d59eaff7120b8443bc11187519276da8c8f4f7518d

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
16-08-2024 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe
Size

78KB
MD5

a00b3b460cd7c37b8690daa779a29373
SHA1

de5d375adbcce6952e7b083efc3a0d076209afe0
SHA256

6a46b2d397c4e896402a23d59eaff7120b8443bc11187519276da8c8f4f7518d
SHA512

0cc6c0bfb9e50584b2655694b415817cd9721430266c74711f4fc62e3a0b088caab8941f85587a8b5796d26536f3ead396f1923b911eab82e6255668f62f8d67
SSDEEP

768:i0hOR598fJGo7AgBHgyTrRZpHWdxV/4Q/p2iLPFVR4NJ+xblRXlG//hOp3b6S0RF:isLfJb8OflHWdLwQ/phLlBlOhOlYFSd

Score

10^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe:*:Enabled:Java developer Script Browse"	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe = "C:\\Windows\\jusched.exe:*:Enabled:Java developer Script Browse"	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2568	netsh.exe
2876	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2788	jusched.exe
2212	jusched.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java developer Script Browse = "C:\\Windows\\jusched.exe"	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java developer Script Browse = "C:\\Windows\\jusched.exe"	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1400 set thread context of 2384	1400	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	32
PID 2788 set thread context of 2212	2788	jusched.exe	42

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\jusched.exb	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe
File opened for modification	C:\Windows\jusched.exb	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe
File opened for modification	C:\Windows\jusched.exe	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe
File created	C:\Windows\jusched.exe	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe
File opened for modification	C:\Windows\mdll.dl	jusched.exe
File opened for modification	C:\Windows\mtdll.dl	jusched.exe
File opened for modification	C:\Windows\jusched.exe	jusched.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1896	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jusched.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jusched.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20eb813a25f0da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{63600B81-5C18-11EF-B066-DEBA79BDEBEA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecca440099c424d92937bb9b1db2c9200000000020000000000106600000001000020000000621e7c83a2203235568e3e55aafce78eca335db67c7a176e00f47f53e09ca890000000000e8000000002000020000000f71bc4a9cc3fde8ab873632c6f86f5fc65b9e51dcd326c0c2a725b3043b56b139000000017f8952f82e152b7c3e0d3854fa309e73c343fe825b45a52c60a11e95dfea5fcac38d3612fd7c3f709315fd6aa1949ec8de5d49392c57160810f697f4c65de6dfbc05cbb7c784b52dc8471ffbee4405ff093b19d0689c87c631c6199f205dfe2d2d4f3487a2f2a09d4b06c1625bc93c7de6364031dfaffcdaec54733efc0e5d35d50f4804e306cd98475958989bb60e940000000124f2574dd815c2baf42a50337182651bdd4d400d8279c8d9ccea48b12b40ebaae81ae95e016755a671b5003b4c79813985bb5e2323c845f6d974512469907ee	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecca440099c424d92937bb9b1db2c920000000002000000000010660000000100002000000032cd4ca71e7e349931d4e02003f35bcbfe96cc733c8c490a3fcb85ff515117fa000000000e8000000002000020000000feb2acc4a7aa1af6304b953ba30eb41d4c88472206a18b6c509784096f03ff3220000000d85f32e11db5f18d38f69c3ec9b04a2f3de0e977f13b291bacfc71b8e4c39a9a40000000ffd949d17fba8b31621bce8ff0406d8e6611c80a35e2fc7e1c3cc4e784f1a83d7f800ee70cc3e1e0a2ed9623c431b9974d5a342b76ef90400d93aabcb650f490	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430006396"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2684	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2684	iexplore.exe
2684	iexplore.exe
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2068	1400	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	29
PID 1400 wrote to memory of 2068	1400	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	29
PID 1400 wrote to memory of 2068	1400	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	29
PID 1400 wrote to memory of 2068	1400	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	29
PID 2068 wrote to memory of 2932	2068	net.exe	31
PID 2068 wrote to memory of 2932	2068	net.exe	31
PID 2068 wrote to memory of 2932	2068	net.exe	31
PID 2068 wrote to memory of 2932	2068	net.exe	31
PID 1400 wrote to memory of 2384	1400	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	32
PID 1400 wrote to memory of 2384	1400	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	32
PID 1400 wrote to memory of 2384	1400	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	32
PID 1400 wrote to memory of 2384	1400	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	32
PID 1400 wrote to memory of 2384	1400	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	32
PID 1400 wrote to memory of 2384	1400	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	32
PID 1400 wrote to memory of 2384	1400	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	32
PID 1400 wrote to memory of 2384	1400	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	32
PID 1400 wrote to memory of 2384	1400	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2876	2384	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	33
PID 2384 wrote to memory of 2876	2384	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	33
PID 2384 wrote to memory of 2876	2384	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	33
PID 2384 wrote to memory of 2876	2384	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	33
PID 2384 wrote to memory of 2788	2384	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2788	2384	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2788	2384	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2788	2384	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	34
PID 2384 wrote to memory of 2908	2384	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	35
PID 2384 wrote to memory of 2908	2384	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	35
PID 2384 wrote to memory of 2908	2384	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	35
PID 2384 wrote to memory of 2908	2384	a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe	35
PID 2788 wrote to memory of 2864	2788	jusched.exe	37
PID 2788 wrote to memory of 2864	2788	jusched.exe	37
PID 2788 wrote to memory of 2864	2788	jusched.exe	37
PID 2788 wrote to memory of 2864	2788	jusched.exe	37
PID 2804 wrote to memory of 2684	2804	explorer.exe	39
PID 2804 wrote to memory of 2684	2804	explorer.exe	39
PID 2804 wrote to memory of 2684	2804	explorer.exe	39
PID 2684 wrote to memory of 2664	2684	iexplore.exe	40
PID 2684 wrote to memory of 2664	2684	iexplore.exe	40
PID 2684 wrote to memory of 2664	2684	iexplore.exe	40
PID 2684 wrote to memory of 2664	2684	iexplore.exe	40
PID 2864 wrote to memory of 2348	2864	net.exe	41
PID 2864 wrote to memory of 2348	2864	net.exe	41
PID 2864 wrote to memory of 2348	2864	net.exe	41
PID 2864 wrote to memory of 2348	2864	net.exe	41
PID 2788 wrote to memory of 2212	2788	jusched.exe	42
PID 2788 wrote to memory of 2212	2788	jusched.exe	42
PID 2788 wrote to memory of 2212	2788	jusched.exe	42
PID 2788 wrote to memory of 2212	2788	jusched.exe	42
PID 2788 wrote to memory of 2212	2788	jusched.exe	42
PID 2788 wrote to memory of 2212	2788	jusched.exe	42
PID 2788 wrote to memory of 2212	2788	jusched.exe	42
PID 2788 wrote to memory of 2212	2788	jusched.exe	42
PID 2788 wrote to memory of 2212	2788	jusched.exe	42
PID 2212 wrote to memory of 2568	2212	jusched.exe	43
PID 2212 wrote to memory of 2568	2212	jusched.exe	43
PID 2212 wrote to memory of 2568	2212	jusched.exe	43
PID 2212 wrote to memory of 2568	2212	jusched.exe	43
PID 2212 wrote to memory of 1600	2212	jusched.exe	44
PID 2212 wrote to memory of 1600	2212	jusched.exe	44
PID 2212 wrote to memory of 1600	2212	jusched.exe	44
PID 2212 wrote to memory of 1600	2212	jusched.exe	44
PID 2212 wrote to memory of 1896	2212	jusched.exe	45
PID 2212 wrote to memory of 1896	2212	jusched.exe	45
PID 2212 wrote to memory of 1896	2212	jusched.exe	45

C:\Users\Admin\AppData\Local\Temp\a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\SysWOW64\net.exe
  net stop MsMpSvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MsMpSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2932
- C:\Users\Admin\AppData\Local\Temp\a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\a00b3b460cd7c37b8690daa779a29373_JaffaCakes118.exe
  2⤵
  - Modifies firewall policy service
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram 1.exe 1 ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2876
- - C:\Windows\jusched.exe
    "C:\Windows\jusched.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\net.exe
      net stop MsMpSvc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MsMpSvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
  - - C:\Windows\jusched.exe
      C:\Windows\jusched.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram 1.exe 1 ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2568
    - - C:\Windows\SysWOW64\net.exe
        
        net stop wuauserv
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wuauserv
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config wuauserv start= disabled
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1896
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe http://browseusers.myspace.com/Browse/Browse.aspx
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2908

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://browseusers.myspace.com/Browse/Browse.aspx
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2684 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9636870cef592af74d846f9e3782080

SHA1
e014584e1d981c76af9db51e5cbc7d8064c12ebe

SHA256
599de420caa6077c9b1a0ed693f498f81d8499dd5aae38ee01a968dc964f0337

SHA512
8f936c5f94f782eda69154225893b5218a981301c2847e12b4224d8d57b60017a73fa0a2581eee75a328eb3be0784967d69b212619e94ebc8e9a5ea1fe94ba7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
014af5f3be5c0395866d87c3743d4f9a

SHA1
97a194e238b7da7c3b32b10999c4037d9c944c30

SHA256
fd6ec9db7afdc865ac7b095db06fe7f71325148b6b90e032d3d08870cc1b7418

SHA512
97f9204bc8b406e447cc98e62f4591c7e942eb8079dd63b34b82cf0e95a65b6fe7c96336a14dc8b6010722cfaa305f80e0cdcf4007bdb129b1ec3a2f578d597a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec7a5f306d4f68f2e4f55f8942f168cc

SHA1
c5f436caf7b9510c7067bfafd37e03c079d47d10

SHA256
a557f6029f6075319a08c2fe3828f1402e548f458b4ad94750c0d08fcba8d18d

SHA512
5e41128dae24377670b1fa1b75cab9ff2d5c76d39f0c45b39ed88c90bdc42835491ee738d0c228637a0acc9bbea5b81b7672d912fa99696827181bb8816166db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2ae42d04a449ffef65286960ff48f14

SHA1
885dfee3bc09a05ae75e4b13f079820132dcb2f7

SHA256
e7440553825a540f2d8de8c124c3fba16d06c73ac0d3e17f5a7d40a68be038aa

SHA512
61fb5e498e36594f34fed68098ae4a852229b7f576d91c14908034418751de1decd2e89cd8675f6363e67ebe27cb93e2a6723a7e6c9d6f970c09b5805a764873

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c722a5f5ca4e8f6180346b6e2ce00447

SHA1
159fbf4cb277981d9fea5abb60272a75b89def55

SHA256
f4419e8ce7c99e8e81abfd0f7bed5a6a9b37639fc9e9f7f637fb8d2a96cff232

SHA512
45a46392eb4c82b01f9e2cf44f419a3b3f61e9efc4954ca19f26907c66d6f9478845489ee8abde407360416b44368d974bc5ba05926db5179dd7f48233f395e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a359b39e891b8abdcbe962036f0270e0

SHA1
8122dc640fa22f337166a26b2e7f75e33e9c9ec6

SHA256
d863495b9e4561100182f5a7f25d73ffc1f61df669d0538fe4c125a3066b683e

SHA512
aeed68870ef1eb6e22ea40d6c816081d4ef9827c41fa08f90c5dff9134f13602810193b4fb6f01f855939d1a9c036c890386b8896fa588f93516b961c27798be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
887a13d9a51f2c18cdda1f2fa61e545c

SHA1
49c0b5c071334a2408219d80a21b14b96b13e419

SHA256
05b3a68db797cb8174c11c6169ae3fa74f5212ec3c8456f1232c4bea41817341

SHA512
f3b711af8b74405a11734f78cb3148545e400b99b474a4eb4b9454de5bc3dce21d9926cfe0e2a6908c1c6fb4c2fbee1060e132ad6ca54850eaf07caa7c2ea26c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f58c61a93cf78f432ebcf102fbdbac8

SHA1
d1a50ba6f9801f751cd76954373302fcc9b0f89a

SHA256
0ba0f7b18b8cc55a8c5630990212b7bd6a3ee7ddf8eb806d400cf5ef416e6102

SHA512
9a41e2efbf97d30b18c23be47453bd58387ca8b9b2180c25b5731932d6447faadfad9a3caaa5d717a8775e4717695a088c3b0968cb9064625a4905e2fe30be99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e1f0e33421df9c337633ac546d806c0

SHA1
7738b794974ca5409ef3fafc39b57b1d52d94c93

SHA256
bb5b45eac575a003d84d7c03cdfe65535c87e9d6d04e56401030406842b5be48

SHA512
e965f10010a42aca2ca921121a9438dc0c15ed43bf76dc19ce3eeeb87d26114801d33d40394f17e41a075462e9cb6278dabdfa7e81c08fd6da5a220bbaa41661

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5382a9089b17a291b58e567d519ead30

SHA1
1bc380c829c22c2371c4c69239e35b33da6ecb19

SHA256
c80f8fb38532efb7b272816668b02027f461c444550032765455b4f32efa573c

SHA512
10a3a2dcbf1181de16e7eae5f1f47237c06614f44707ac5c16d7a3867865b597b56f77b530ebf5acc2210bf324ba811dcd70bc393f55735456c12453de568aea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
039d5d4df8654a776e61e706ba31896c

SHA1
9aa2a8acca2e06fd2bc26ef3595ef59f606f73de

SHA256
12f21f2d09195507a3b0238b9dc4310a8004412ac514cf1d9321cec402b9149a

SHA512
eac7d6b909d7d2fb2d5735be659fca5f0bfc518870d7963d2a04dff0cc8405591f5edcbd3380fa2c01804f629c7d0d73aeedab6afe61915c0e67a157cae2e743

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01d1a2d90c3059c36107038920464f46

SHA1
d90c1646b4256f761050f16962536fcf92dd31fa

SHA256
f52d612064906fbc8c28510df7fb379e67785dd490953a23102ea1c007f06da1

SHA512
3dcb02ee359aeea1e27099d00142fe94b88a449de0f8724de768aa3923a8aaebbf0bf1fde5acaf41f12557795eeddd23a01a86e96c96df9d866421404f4200f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bad82cd64b0391a4028a10780992604a

SHA1
8de103677383b775470041baa0d9084f4b65e308

SHA256
589062c09e0fc398d9482462c1648fe3500ac5d0892bf215721d8b9be4ce892a

SHA512
79991ced403138816b793d61e3ac9a1b55e866ac40ef0684e0c8e593e695c4f344875e4d19eebfcbf65d0869b09dde97d1a5beca7b27e4769ddaf62fc8c74225

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c14f17b4eb081d546e2bc16a5942a825

SHA1
e153bfaff8c6191c4a08c656263ebd7b90e5d4ce

SHA256
1c323b568f81dd5a114354bc28e09817f300a2893dcc2f7b64e4203cf509472a

SHA512
8f9e46a6af73c9481404fcb7470531000cd644eb104f2e1b569a53e0beb185f6ea641fbde93dc7dc71cc8dd0ff23d210a45dd26969249c623abe24980e965612

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
168ca8a0aa52eda2a8d5aa1887d078de

SHA1
d95082c2a2c48b6c62c0fcae433b2d0e013c34ff

SHA256
b9a5b04f0e8c14442a521cff2f38ff5221b085498cc467888ece78f3fc55731e

SHA512
e25c52d7b63664b8588cab172a9f0f65ef2f4bc613ad94faefefd824a9508219a08b680d679c512b364f377b93ca86cd7efa0a52c80ff0b866941f794c78d439

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc32c2144adb174c8b7c4d9f57b95de4

SHA1
76bc5e77f89249768800cbc36a64283e1453a678

SHA256
c1ae50bb794ed8257f8d7d4bca5c22b6aebf100f8acdc9d713df504f00cab70d

SHA512
b76b0d17688c1cccaccbf8878b53d726d295cdf6f5f77a77ca9c782f3af463bd75f2da7db7ed7ed12fb77c38f35b1c57643723c812cf6ca82acd6350cf48f525

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c6ea0e47744ee1bb9ad1b85868039b2

SHA1
03f6982dd8d7b0cd921472eaf7c92b4d37a78e63

SHA256
38327f43252fad875f44f92e89eba2e91c12a102f1466c7beef0f3780a1f823a

SHA512
0f97d4798f1c69fa03efba8c35b27f4d2d0010b6a01065d5bf53a39389a36b270823f23b18e38a83f72607dc1016d37055533594cd255fc5955e2f1cacf68715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cdeadeb7a221f44b28c1f89c4c82a8a6

SHA1
152992a1570fb5a8c0783fe58b3972c187cac737

SHA256
1a7172c5a6663bf643912b1eb0d14a5fe87b82650a09b617bff2f1d2930560c5

SHA512
cfcc5b6298feabd337cb8b7a424726a8e2416bbe86cc3c97138101139193d0189d025e9b15bcd54f3a27c13f696c5d79652cad2e0341c71f5612a96a08b07c2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3a50cf2d546cacd908e503f3b85bee3

SHA1
eac212d123aba952253979fe207e661c8c946f25

SHA256
3bd0075f7e304988b0cbef64a5fe64eb98c7875a190e895131977d183307bf4f

SHA512
c6b783596a4a76226b8fe356eaa838973e2ca70b3d645c07ba36d6b64f4b071ca9f6050b2a1e2287798c3341a8cbbb5e102461ce34a280939364eda7937617b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21300c5a05fb4cbba81099ec189e4d3a

SHA1
f3c09bc7932fdfb91eb2ff957fefce2382b86799

SHA256
8c3c2ab1e203566cb51d4feb95f70ce6a89c513056d949080e9c401bc0ac68f6

SHA512
e7ad35523f63c5b7baea1e21b3f30b517088511c1788aab7e1de0189ce12d726956700cd751ba6aff9970e73e73253f33038d5aebc8c0279beb95e8347a7734f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdfe8c8a6ec8bb4d1db312044e57506d

SHA1
f733e66f980e21d93d0c658b8b8e0c39e81a98c4

SHA256
58667bca4eb5a2440c9e30ccac7188873acc0c51d6a6d64df5a3d00e1f8936e0

SHA512
a7ce922fb9523036158bf05b550fd825a42e88b1df23d13c5784abad97da1980edf3caa5ac94b6b9b4d838fa61e82aace862167f37fc445a4d9b940d609bfe0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
295b340cedc1b9b49fdddf39d4f29e47

SHA1
5f905dbc7217c333e36a3ab4d6a61d8ac9f88673

SHA256
531ec8b7d7efcf8d8dc7332d57219f2e3de168d78981fa315d761ee1b8b17c74

SHA512
f23e075ebe7ca95a9d255cfe9038e3db941da6be0904392e92c8dc9bdafcc3d83e900d3d1a3b1a1dcfe0e94e1fd2514758964d29bf0d4344502b6e3f49929174

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d536e626ff5c04c6f828d7927e9ccdb7

SHA1
0d8c7c94ff3065e74fce4faac710d6c872353be7

SHA256
6692e1bf46d641615ca1470c188ee6f745deb45f585d443a19ae7bcad81429ac

SHA512
8067424a718de7df9c31782056566b96c3e423c3b37b4c093ee696f7d04da2ff9e3c5d9e018ac71f6900c9a0336999549347bd1caccfa5fec17086be29724d8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
005c25428ab89fe0ab6c9997c6ad56f4

SHA1
d08f1d1cef27f33e6818542692e83ab7e0099888

SHA256
375e0f31dc2198b078c2e23775c6c0565e3b5e2b0dc9dfd4fa4e36ddc37ad7a6

SHA512
b4d6859b945439c38e8e3a70daee1996af70c1655c1c6ed1e7e69853a0496e53b3f3461c4b0cd4293f8aac5a74a8c199c23ca5bb25ac06116229c62f140b8140

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98b7ca183ad314ded376e224e10c36d3

SHA1
03427ba7e42712b0397714ef5ef4ebc8eab2f08d

SHA256
1fa1b1c9c32eeb71cc35cc431f53502669f2c32c60eece7e0b0f9bf9918370dc

SHA512
a4ff443a6e6d097576505a7d62215972c67a0f6099c943fa56ac2728bc27d2dd6c99b7027dbc40dad87278964db6aea496840d9a065c91df6b9bb7bacf197fb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb6f767ad16bb1417cd82950eae70361

SHA1
fe6dba399fb02769818cd32c8052c2533e5df407

SHA256
67766432765183be1a8f60784fe2ff37fb45eac3db210defc86bfd3681dcf656

SHA512
fd5c9f4c97b8149761be1d828a9e2462d94f426436080f2fe0490030d48559227c20acc74fd10ff92ca49a5751a2d03c3f7a450afdd422d705058b2549b411d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f432401b61e54c6d3339638ffe34759

SHA1
91ac79076f736724c9784e15e7045f5cc3ef2b2a

SHA256
0ecf90835eac98ff261089aadf36ab9ab25dde53fb3e464a887419b3d5b038cd

SHA512
94660baf2c3fe631ed990639e83eb3f9031cc5eef6dd8132c391d175629129ceb8468a15002a5bfd01e793d03bf44c5c1e1634cc94d23684c7fb3cbff4c153e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4db22fc581501e7cf658d1c2cf65bfa1

SHA1
41889538ef3b06e49c87247fdc89f7914fd7fd76

SHA256
39effc7007277461423a4e211392b29fd98db37b0c012cdfacc1eb129ec50229

SHA512
3f21507bc63754c5d47ae8b6ad91d255e7d979b9f0e5c33abcbc947a8b6bef45093d17a9513f7afaf7f34e738a18b5ae27f1a142ea897530f8fd788900646e75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cefcabd2fb4b1fcc1e1053fbda4d622b

SHA1
72d84cbefb5939a539ca8357fb1b281c19a5ed06

SHA256
79a948483794e6f128d08f3e93476f0333e07cdcdfb1691e9b9ee907125979f7

SHA512
f0bf54f9e10c733b57b105d3ad3fa8933a45b0e45913cb26eab2d63f34957f3d8706d9e49c76d9e184bc37a8f3634785f5920dadd9e5f0b6bd3d4c636f015ba3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a192fdcd90a3cc81b0241683dfc383a

SHA1
7348d01ed612614225546d90ab52f5617511d0f5

SHA256
611a7a0fdfef57df7795a0068376139d14b4d0bf482d5cfb020db77ffb22c52e

SHA512
55eda8d26a914c307c14f1467890c30e1b2b0dc2fe5a234efd00d3beec4629b8dfbf37527b7890c13d7784f346cc2f11b2e8618aa128043e7df7b4f5ddf0c7ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f70e9f23be13557956f0ac3a536996a

SHA1
d99f23c6954a64679a850caf347ef6463f27f5ab

SHA256
e2e6fe54784d2bd575b4f0d48e09a65e27b3d2e605c93a845d18aab46bf7f6a1

SHA512
acebf687428db7d99c3a9681a29c8c05363305d4bfb57396357974c71353ab8eea33f2a8eec14df9693715f51742a7bf1a4fa69035091bd9bb6d9a4f15031e02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e383f3a59d4c3456312295832ec5383

SHA1
bcfadbc076e8b277372ed1ce7307e93c24ef876e

SHA256
c45d61a8df8d5886952e5c2519f7803fc45fcbcc0c08de9dd45d1d4e8bd88797

SHA512
fd3551a621af5633aa11955597e460be46042e612dc39adb5c36aafe3fbbd2575ed7a7c0eb6924c385a9a51d97222ad91cca4c4ea7c7fcdc559773e904feeddb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a423338fa7168207f545c6d84294528

SHA1
a643012bec682838bc54e2595aba42a8fac52fae

SHA256
1723efcb2d3d084009d71ea80326bdd8c0efb2a0f31143dda932c04d86484dd7

SHA512
9417d6a3601c4a5d8d83f98e19090a245cb1d0d6732f9359b6a3b31c4b3ff670138b8a2bd941920f60a5b34bf2dce91014ff9b2ed8c4132952b4999b8037995d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be6c0706d42570630425dbc47f1f942c

SHA1
f5ba47eee907d5fffade744d5a25b48eb6413ffa

SHA256
b0a28901d1944c4418277f3aefb2ad107b6eddb2b16bcf584ce5c0f8bc3738f1

SHA512
fc7843ad0e2a1688655a235b1c0f4afea552a921d12bfc97bad5c83b453097fa3cc66142d2bec8b5162a1b5ca7ccfa1f6ebd59415e16d250cea2c0305abd4f5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f690889d77cf4f73327b2cc30192c95f

SHA1
42d3553dc25bd24bd08c9b3d8d56d4ee2667fbb2

SHA256
55c2555956dacc7e4dcfd1ebfc67fbde71721acdf98c8d6e6f4e8971fb3f8781

SHA512
39cc0ce8c07a5eccf72eadcc9801c7deb04c4441ffce42e4c9715a58b97a888f7ef409b836a621a3ae7018e9843f57083014e262694d0e0483291577ba60ff40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47215014fc819e17b5d1d4b30f9bc7d2

SHA1
b22887a0e91fb6201c226a0d0732464fe902eac7

SHA256
f0e4e8aee907bd4095af3cb199f64aa995fb31142449032464581cfe665de4f0

SHA512
bf9462b4f78ae69fbdea7155e95863b1067e3d72997f38c616697a1c800623f96a5e7f05fc22f4655c60b1f041411aa5d94d0337838d079c61c0e8edb7bd8d2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9505b2e02b31610ea273d1f9fa56d579

SHA1
07a6f6a3c33de08514d2581c171db655cf7a36f5

SHA256
f7e4c2310082b672627ec621157b271622fde1f190d0e52e1dd80b940a711774

SHA512
00188fb71ec9152d246bb0a7d29bc3d6ce9ecd83df0b1d9954415ec9e68fc9cb22fb3381b4dc2d1162a4dfeb6ac8524b434cdedc32d619678259ef37aeb0a333

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43355f9f6cf6e0caee77ddd26068f4b1

SHA1
5965136cc9e85f025f105ae3755e4fae07e4b954

SHA256
c2a3dcbd04e85518aac9d23cbe5ef594c365d02ce791a36dd3ccaf6570a482c4

SHA512
8510bce233b8b991e64272037dca99bedae34ee1184061916f1feebd65346ac8064eab87bd37b6ce4a1dcc35f6cdf9c5597a1204a25b8d8bbfd520c9e82e83bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d905517ef744e9e2e772150a2ce9a8a8

SHA1
828cb912d4a6e63655eb0aef5250481a77bcac0e

SHA256
4677b5e134c90e48f27072842da9a6cbc83f8912a4edcdf3e34291e96663f3c6

SHA512
dabd6376f27dc2032e5ee60e335d2b64273515eab3ffa5ce6c0c26d8e4bf028814c25cf4f5e4380d510456c232d613e14c57fcd186416c166becaa68bbac570c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b94a63439ceb27e3b370d7066bb3b2fd

SHA1
e623944a04423af7dab5a782f6238101fc0db3f0

SHA256
875c4f85ae657bb227763848f35aff698a7a9444cd9c87304f64023e9f635060

SHA512
01ffcff3462eca7d4b4b19272ed21a65c048ca031e7d408112a07237ebecb4b5598f841d77a62bc1c7a8f239ab6751b8b2dca48682c15be38a483890b0009b33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32a7d957678d514095fdc43eb728fad9

SHA1
63f63f95482c3bd0e5e5932d96932ea1cb8e5295

SHA256
eebd1b70b4c56e51a90c137b78503f8d8ddcdf83af49e66ecc8b9297c5507638

SHA512
e05e6f0cb189c397493e61e17d92ca32371750bf8cbba3c68fe7301b60bc2c152d2186dd97eac16e1a37b0a3d769181000bbccf280735adf75547caffe0f9a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF5E5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF720.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\jusched.exb

Filesize
78KB

MD5
a00b3b460cd7c37b8690daa779a29373

SHA1
de5d375adbcce6952e7b083efc3a0d076209afe0

SHA256
6a46b2d397c4e896402a23d59eaff7120b8443bc11187519276da8c8f4f7518d

SHA512
0cc6c0bfb9e50584b2655694b415817cd9721430266c74711f4fc62e3a0b088caab8941f85587a8b5796d26536f3ead396f1923b911eab82e6255668f62f8d67

Download Submit
memory/1400-14-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2212-43-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2212-3192-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2212-2755-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2212-3198-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2212-2480-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2212-3196-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2384-15-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2384-0-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2384-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2384-8-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2384-28-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2384-4-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2384-2-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2384-10-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2788-42-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads