2571e10d7f8b6003ef89004e3c190ca98b1c34471c9ab5fe7d96d9a182dfc182

Analysis

max time kernel
134s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe
Size

1.1MB
MD5

ec126822dd8310d7e84dccf132ae6d29
SHA1

da3f61262fb6cf209add4f23f7ee668b852413ea
SHA256

2571e10d7f8b6003ef89004e3c190ca98b1c34471c9ab5fe7d96d9a182dfc182
SHA512

9e0eb9bf78aa8832324ced4b73520e98a38cbcb48e5ca7cddb157eb0bc04fb02a61af23bc37eb61bf72883be8e0eceddfe8cb1da38954e55e149ee183e03429a
SSDEEP

12288:WsM+aTA3c+FK1vrlVYBVignBtZnfVq4cz1i5pP9kPQ7w:tV4W8hqBYgnBLfVqx1Wjk2w

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2368	cmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2672	PING.EXE
2368	cmd.exe

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\hyourfreeonlineformspop.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\	ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B4F9F2DE-5292-44F0-ABB4-8F9C146B08AD}\URL = "http://search.hyourfreeonlineformspop.com/s?source=b47e0b3c-d27e-4b33-a4ea-aeb9897bdfd1_1787875_v1-bb9&uid=bcc58c48-34ca-4338-91e0-7180ea7849e5&uc=20180414&ap=appfocus65&i_id=forms__1.30&query={searchTerms}"	ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd30000000002000000000010660000000100002000000031f564b9e31d4567b85b7c094376a91f9ee1638a9063dac2cefddaf53b7f6de4000000000e80000000020000200000000082f5e931769a3764edf0b5a41c53afc1392caca037deccb29b4033d2e74ccb2000000090963cbcd5bc43b6e35ff558c2c53617a983e833c0835651e374e81bde2ab4ff400000004ecbf23f31a42eecd9881353403b2435633bf1535d455231df254124fb10acdafd90852c67d25588ae4ab6761b32cf479949026945ee1c7cefde89ab4cad72eb	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 500aa10ecd0adb01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{36DC3BC1-76C0-11EF-94CC-EE9D5ADBD8E3} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B4F9F2DE-5292-44F0-ABB4-8F9C146B08AD}\DisplayName = "Search"	ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B4F9F2DE-5292-44F0-ABB4-8F9C146B08AD}	ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B4F9F2DE-5292-44F0-ABB4-8F9C146B08AD}\SuggestionsURL = "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}"	ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000006c61413deb65605c05730189fa299aab15b93ffa5eb412b8f334f2e7da97bbfb000000000e8000000002000020000000263b2a7b86175b17857cde426eff283fe41a8894e19616eaf9bec85e2a8edc2f90000000a83cd5ed98502231713cf89c587dfee3316f363540c231413ae91ac158f0e710337cc0159eb32767a5a5ed8d2aabf31f74f4d4e3d588eb30a5b3116ed37230474c42e2425161384215015948de91d4d99b569a311f55103c48fdd17311d4e497b9925e3f530b38c4a68f67ac52b21a724f463696e0d49f709524382cf6d03aeb4bb23825635938e485d54efb3743d59e4000000039c852a318b3ad16c42ed045ad5644925b24fb4e1029899a11a9076fce8f7a068f00027eb7f2d0faf516cf9f08e565f271d9e65cd1b3f8679a306b7fde315b1a	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage\hyourfreeonlineformspop.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432937207"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.hyourfreeonlineformspop.com/?source=b47e0b3c-d27e-4b33-a4ea-aeb9897bdfd1_1787875_v1-bb9&uid=bcc58c48-34ca-4338-91e0-7180ea7849e5&uc=20180414&ap=appfocus65&i_id=forms__1.30"	ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2672	PING.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2820	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2820	1628	ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe	30
PID 1628 wrote to memory of 2820	1628	ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe	30
PID 1628 wrote to memory of 2820	1628	ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe	30
PID 1628 wrote to memory of 2820	1628	ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe	30
PID 2820 wrote to memory of 3040	2820	IEXPLORE.EXE	31
PID 2820 wrote to memory of 3040	2820	IEXPLORE.EXE	31
PID 2820 wrote to memory of 3040	2820	IEXPLORE.EXE	31
PID 2820 wrote to memory of 3040	2820	IEXPLORE.EXE	31
PID 1628 wrote to memory of 2368	1628	ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe	34
PID 1628 wrote to memory of 2368	1628	ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe	34
PID 1628 wrote to memory of 2368	1628	ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe	34
PID 1628 wrote to memory of 2368	1628	ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe	34
PID 2368 wrote to memory of 2672	2368	cmd.exe	36
PID 2368 wrote to memory of 2672	2368	cmd.exe	36
PID 2368 wrote to memory of 2672	2368	cmd.exe	36
PID 2368 wrote to memory of 2672	2368	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://search.hyourfreeonlineformspop.com/?source=b47e0b3c-d27e-4b33-a4ea-aeb9897bdfd1_1787875_v1-bb9&uid=bcc58c48-34ca-4338-91e0-7180ea7849e5&uc=20180414&ap=appfocus65&i_id=forms__1.30
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c FOR /L %V IN (1,1,10) DO del /F "C:\Users\Admin\AppData\Local\Temp\ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe" >> NUL & PING 1.1.1.1 -n 1 -w 1000 > NUL & IF NOT EXIST "C:\Users\Admin\AppData\Local\Temp\ec126822dd8310d7e84dccf132ae6d29_JaffaCakes118.exe" EXIT
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\PING.EXE
    PING 1.1.1.1 -n 1 -w 1000
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
cbfe7a45d7c3c7587f6c4b9ef4ecf74f

SHA1
d9d0f61c10e6b1dc62e33e2c015754b34e2e4886

SHA256
348d1340368309f555c14def2cb480c8cc24f9c4600194b039bb5cd22b7782a5

SHA512
ee6a6d1e5b1438dabc80f4f50015cc67a86d0b7411d36c29b43403ff54607a321209b891b33c0b4fb016e7c402ab93b3b5cb66296fae072d0029308c3b307088

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66e2fbd544492b52c3c8945174915a19

SHA1
769273c71a76894f2321fdc36ddbdc60cfed47ba

SHA256
450a34604e1f0d3b2c369d9e88a7e9a86a24638c7001ab5a79daa087cbd518d2

SHA512
38ae0be53c5b7dc7292bd226cf2209e04a740218c15648caf37b6061c764f6b1542bb5da2c5185e9e059408f7647fbcb36fd58c6c1ab0e4b5c37e944f747743c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf8e186cdd4d2f66f6028522514f870a

SHA1
70aaf2651c568cf8d3cb06c7abcff4e78098dce9

SHA256
c1476cf60415185242f39f7cbf9f5172533bd533b480b2f340c068d281c189f6

SHA512
c6bccc61a98c3e4b6dcb1adc9554de12380201a04e5a630df264d1fcca4bb3113a23e718b1a057635a363a32189b215f11912f56d5dccb4cfb953d3f3e08746c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac148d7dd0ba75804fa3778cb5be671e

SHA1
0d60e6e4ee6139b5fe8b3894df22895a901ef885

SHA256
d6fa391ad2c2cf6375f846d6e63a2ebda1b72fb1a2e4222db1cf73a681d4a4ca

SHA512
4129a748fca34ad3d4960d1c8846baa424b16b75c1c6db34a0032df7a0ccf20c6c8d36facd9aa1fcd4bae619ffe14ff98962b8f342394e330ecd92f07d86797a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
106da4fe18dbc76a53651062be31989b

SHA1
618024a4c52433adb83597c3d34945f464246589

SHA256
25bc8bf0187e6be7efbf25aa216dd7ae6c14b0c25ae9c8c67e987c3ff4ff0745

SHA512
4faae282102b254d424fcb6f17cc575ee55e5fe3c4db90c05d6779d28e0095bd0f1cd3feaba07e5551e7f568a60a8db1161182fbca85226a5c34824d771812fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43f50bd9b2717f33be955387a4940ff0

SHA1
c772c17263857097f4d6479e7e3cac3a13884681

SHA256
134109991aec66d2d28093805e4da5a486859211f9e14ed77c1baa0ad0f094c5

SHA512
525ef119d75ffa01b1b5f7a2fe92af69384b70350313cc088dbe188439037c1f94b4f94118bf0cd1f98317a197afcccaa5a4cd9fa0074db7e03114d7275b87b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e56cdc5112d4d2bb28abd15ef9061474

SHA1
341d42cc03cb835329dc170d63b198bd1b31be6e

SHA256
177cf6c1dc71d3647f618c29f9a0ae7cfb7dd64f326fb0b7cd3e6a1254305f80

SHA512
c58ae21b82e9763320aa7d6ab0e4e15c86a91a186806b71a8ed348e396b8a33ac16563c66dba95a822d7676f374371bc2282a42edd49160cf13a536c49543a75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d3f6a08eb134aa1de02fbdeea509cfe

SHA1
88c6d936109f9055e69151e5d10cbdeeb5bd6453

SHA256
d25fd50ac7ca473087a19a356ae1263de3b7c723932f760aba7ae10d9f211822

SHA512
f1a783cf0f1d190a7f6d5f8bfc936270f6a67e5e7121e916fa9cb26ad1cc8395d89e8dd880ac93853e50f46388f997f41a21fa8c9dd1b44e3651d8b079d5967e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b8b9b63a4a45a1a4eef398bd69f3cc9

SHA1
d7caa080462eca31484be804214ce6851b960102

SHA256
311fc8ea6ea255e122108c341139da67943b6ad12b780fe44dd7281651702f09

SHA512
6028677f1c9d7f586f9921ec880978caf7e0bf10945096ebc94d2b9d0c6bde808028c352502f5f8581f220bc95deb712a459dcde88a7a634a39d66a3a5daa9e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcba04834b25c803dee2f7e6982b9e78

SHA1
53a117dda3158ce940f50d77e6592cafa5225615

SHA256
bb0bc486cd63e398e75209c7028456c4c92c7a80c49ffc700b284a13bc52b5c1

SHA512
53f4c07981bee2c62c78efc4931dd29107a5968d09fb0b0ea7f922853666392d0c8bc8157666da8f5b341d31c5415644654829b089a9a0bcb3be6f17489f3f6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcc1a94c568f1e7ff297b7cc16ceb0a4

SHA1
59d5a64b7f636ea82564cf3d3949b5093ce542df

SHA256
c0fa61df2e075c5713e6a71038618f4c9cba6ecefa23cb6e8bc70fa86543e0d7

SHA512
b1f897c7ea8c6e2c6aff301f02bee78d259f30a66dc5e257269bbfdcc15b05a3db7ca53b72d4dcf2713dc6aea058c4dd48b413e50a346699566bed061021188a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
926d3c73891fc3782773365eef953e2d

SHA1
8c672755412e7ed4d1e0dd4c14fdebebe8c031f9

SHA256
6281a761cf5ae6ba18a6beebcfacd8701555eeb811c61eba35ef28a5efa6417f

SHA512
6bd887d86720db02ee1f32ab6200cba86287431379778b898f784c6f635ba2378a6a1cd6b2e8060c4dee1b14451a53812ac8c1f660745f5d2e3235a62c01f0ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0214959d8859d8840e05e358ffd91e0

SHA1
dd6079803c65c47e1b83443d2e065dd460eb7bef

SHA256
3c12cb55468890b7aa9111d65d0ace444c81ad18d6efe1e3ff67106a8fc25efb

SHA512
f3aca0fa892e0486547df84947c8fba2181ba23cdde196cd756c9e7e4be70fb4c61ecfcc423e679a226761c5f6ca5dfa8dcd5ed852b06ccd191b106db792a935

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
485f3056a03b9413dbed99fe853aa711

SHA1
1d7e60c9e0f4937cc11ff6978b494f4f6a64579b

SHA256
958079facfc824a64f1e0b9474916c63198a6d6de72ae2ba2d6289869f2ea061

SHA512
cc48313161b1eb856b3d3e46541cac30bf88e518f6b7f226ba037d925fa6ab047fb4ff2a57f94aef667c7b95a53434ab1e94eb174aad7b8cecbdd7f2a262798a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f63e8e72560c2daf5dee926a9a3e320

SHA1
ca31d6ab19a85590ef9efcd1fd94783f7112971a

SHA256
a92b8081d09650a09cb01fe88f0492ac3350659ff2231e46be957f2df446cf4d

SHA512
525d7843e3ad21ce3245b31f2b8b75ad454ce71fdb32531f1d9bfc27205ae0cdcd016f29df70e4e1185caa04dc7403cf50f1d11f197898e667de2d89be896440

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db95b4a8118d78a5d48c12094fe8eb9e

SHA1
a122c7f5c142124687ce2d0caccfabb895752663

SHA256
b103bb646513f60b38d507101c7c5351e8b689975f5037140cdffca875840b64

SHA512
917d98290e441cfa4ca0c5c402d643f29757261afb182bec01314cde92cbd38a999b908c58c5d1b8bf0ab4b6727fde1b70b6cac3fc59197736540b29d4e831f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57fe6a3f7d088692a416514831bfd063

SHA1
5eb7a96cdd0d12be5b48af318172c5446fbe8274

SHA256
3bcf10c06124bb7824cc9537e91d663b52557a3e40ed4ed603b511e2cd293196

SHA512
e723d8a58cd5718d5d4648b04f2f7df1f2e87dff62f971205fa31427b52a6c5c9230b907eb6e67c0ef9a4a2aff2dcb4e63657e7458b5a190d1a8138340bbd3e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03692f64fbf505744f078e043120dd20

SHA1
40657a1a44abf3606a8e75d33301c027b7c8a269

SHA256
7f6161cc93effc14c20cac0bcb1c34f39ae93f538ec4e8d1ef416f544eede61e

SHA512
e4f7ff32940daab803ab246095bdc0da82d368d73b2dcd84a21c6383ef80efab7e99817ce928474d847c31c269756d2b6bcfe27de04001141778d1cb6cabd501

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd18191b6ce201a8a3555f4f7c56fbda

SHA1
0bb75f0dcd7dac0b19172f4dc72ad94324159f36

SHA256
bf3f94098cd59ccfdd638f6c17a722a74bf71cf2212aac75989eef37b0351df8

SHA512
49da4fef71d78c7cb92fbd0b49c8892ebaee0989caf2e3213cc7a053d426974005371b12888dc7a47381422b11093a2b85c7cfb48e832488756c48914cf338a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3390ed3503b83dc15df6243148d0cf22

SHA1
7b7fcf950c68eb010171cb2455883ccf8e1f5116

SHA256
8d55ef5d9a9ef9af29153de3f5d96da008ff9e49230b663d545c34c14e5faa42

SHA512
dfdc4266ab66689d5cef3296e92b129771b7266ec67e69ada4eba67498948dc62e984be016e1458680e5b3154edda23f54502466b47d721bfffa021b17220fa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b142ded6d2fb29fe9f3ae675c76f88e

SHA1
107c5fb173878319875b84977a4af2db89599afc

SHA256
83e505f95ca4d4dc66a97798add83d9a3e730281c3d38a3302e87b451a8fd625

SHA512
32db3e1b6fc86630ca9a3d71f9ad27eddcf9644766f705c87650428d905d0c59f653e79f96692fde09b9af8e6c58b0de8bad43ac7635e4279b5f6952c057cc35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfbf09e8e3df4e35b28a8a2ea6864fde

SHA1
6993efe459396e1ca580233c5adf1be9a53e9405

SHA256
055bf911d3fb3065b2ed9767c7d2483cf942fd566a6c79e9df49795f18da5e07

SHA512
4dd73573648b2824dab130323ba4789212f08e1127da17af08e6e77a00aaf7d66a12c8c621698245ab8a8d6eb7f4d6ae262fa726861db46a6e49da4d2cd61a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfc0bcc839e09d963366f2b876e04036

SHA1
0a3b0aa18ddae07c4a5b637502d3b312a9bc67fc

SHA256
9cbe25225de6074d56dbbae23ffacc6844f5f53baaa545fe545b48f211e4f3c7

SHA512
aa002dc2af96950c1d7498a99d31b54d6f29e12007829945aa755d037b8e0a9c43e76f60c733107d6865af0073b9e6e1677d07529767eb4bc3460449de14508f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
551126828f8c5e957bcdaee3653db095

SHA1
d9ac83aa4c0aa6848f91f943601b92b69ff37acd

SHA256
19797f06675f09ccc990e08a45b6eae3501e54a2b5783b3a5330cca22e5d7f30

SHA512
63060c05523385da8d7c2a115f427175257a54c6b575919d0351b3ffc06a6bcf6aac400bf994b4f870e1d7d3a30a8d9dbeabb5ba5ea264d77409103be02d6d43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e65185cfb1fb6ea3fd6f60db52b92e26

SHA1
eb2bdac09aec07196a7e8eefbee4f5d4d4dd6f8e

SHA256
789e1b0b8d80ee178a0fdd535613747b2892d71a74c9be06ea3b3a408e1fa897

SHA512
a9994a53bf4861537c02f296cee51c81bbc42c14b24f9b20ed640ea1827c167e21b75a4eea620b766b3252792fdd59076dd60c8980ea813ea61908ede2f1a11b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ef29025c6a01a1924626ae2a1649b83

SHA1
9fd2b8901bd9a150a17163c520255744ae1efceb

SHA256
f66a420ada25b109764bd8ab9d13664740c17cf3f5764e995f1ff2a3c098bfee

SHA512
c7cc76e8efff1745767efdd1d6b761eb20b74985a7a64ce2770c8b204fe0c2aa50647bd4b5a7b4793a74cd67b9163143600133a1ae8e580a2cd3d37871ae5a49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2b582cf6934bcbbac3575180b9c7d37

SHA1
3fcbd1420d00ce29529da48b0918ac285f231747

SHA256
2b4b21ac2f6bfc0377d915d9245076a7d614fb09deebe056377913eea50fb63b

SHA512
e14f6ac41c8cd400e81fc9cf79a77c1fd443c428b042d8a9363a24af09c70c6cfd0e33bb0aed631380e10701e0416b5db8cc7bb29aab833d1bf85d44a29dcb94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b01c458ae71602b947db30ca1fb2a83a

SHA1
0ddcfbd4334f766b26e501f78e55bff32aa301bd

SHA256
861cb8b3c8d44c918bbb5452d90a8679a6e68ca3ff898ee01e2725309b13dd1b

SHA512
4c27d5e4bf0245b36911c025dab9c88f6e3bf0040cc92ee1dca0684a59e5ede42dfc46f04b7ebae205b4490902f5b96e2cd5a082887f8f1932f679c4d21a3b0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0866765136d8897485dab1e98bef651

SHA1
9b7d19230f2ec0e40f0f9af353ba4b6cad5d1742

SHA256
1dd4de1b8bde846a0ffd9d633db1c72bd20377b3dfc18d0dfd7c000432375ae8

SHA512
e73d4ecb35b66d26c7070cf794b09f577fba61a8eff3ba64d40ec832fa0b3bf10d34009fd9e4ad3c1b8027722041bdafeefe02282e1bbbb8fcd6644ac7c58149

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d5ec20202aebd3e7da0ddfec9c3b565

SHA1
9c7e49f2cfbfd8e8910d1aa28428ca0accbe4357

SHA256
4bd8b55c49431291dd6b2f8067c817e226ea77a8dd736e6fab38495111563eca

SHA512
2da44f28b49292984fc360241189228a895622f13fd15df62521bbc2a654b6799b8b35b603efbc1584d8a3712de9b0bab45c84333f2848c8a63070666b306c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c099de7690f6cac06701d3674548076

SHA1
5d17f5b36fd2cceaca93fa88cdbd962ecbf8d0ba

SHA256
ce40a7095956032bd3953803ae34052ca4fbf1dfc52ef6b72ad9d9c316660619

SHA512
3690b64fa5a5287c40e86ae6b58d738cf1a0b95e36e5d8667126f4fc9e57b44769952fb180b5cf29af967ee11b0d02c75609c563ca85f381a894fc391378d31c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df467a0a525b4092bf9f8cc173c52eb6

SHA1
332821568ccd711deb20964660cc6e3e76946509

SHA256
8e3b715fdf61bf1c13f31001ba2fade14e8b8373d98094de7b9292f732f10b8d

SHA512
15f70e951db879f1808f33bb1f3b4c8f033fff7c36fb31e8a80fbb09ba8035e63f634ee7876392674d10eea1bc08a7a45a359a46c1cbc6911d69cd78717dc4fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\guoemn1\imagestore.dat

Filesize
110KB

MD5
21dad233a6e1236b3013a10e8fcf5635

SHA1
7b5cd0536d9b57140ceae9a1643a0c5fdd89d1b8

SHA256
9e5790d540b38544e3b20df40148fd76ed8f6aff873d4e31427bd315db3514c8

SHA512
8e386d721427c22f379676aa166d39478e0f43ffed741e4bbf7ceeb70f6fb30a85357cc06b191a40d5981ba205ba64e0e57d9ea411bd15c6dfdc19ec18977026

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\favicon[1].ico

Filesize
109KB

MD5
504432c83a7a355782213f5aa620b13f

SHA1
faba34469d9f116310c066caf098ecf9441147f1

SHA256
df4276e18285a076a1a8060047fbb08e1066db2b9180863ec14a055a0c8e33f1

SHA512
314bb976aea202324fcb2769fdd12711501423170d4c19cd9e45a1d12ccb20e5d288bb19e2d9e8fd876916e799839d0bd51df9955d40a0ca07a2b47c2dbefa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD0B9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD0FA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M984TR3E.txt

Filesize
120B

MD5
58ea8ea552557edd715ed80e6ce7bfb8

SHA1
849d53150691f4e93deb9621b7ee7a53ecd40015

SHA256
d00537d7d6c297799d9e4394f1ed014e01bd6e25222b69df2ecd5e00256fac56

SHA512
46c95d5ed589c66898b74c849e29fd45cc300335cbff52162733f0cc5ebabfc9dc450eec6f4ce30ef74bc7c8437852080685c6acc1c568f5bd51d687e9351f6a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads