3a4080a4b00f9b2faa006e0d60f49aaee67b77036048996f7ec8f4b1873f60ad

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-09-2024 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe
Size

102KB
MD5

f30906ddfdb153c1d0a2c3240cc71fe3
SHA1

435d20715f52f73ec180652e9e1fc626b2f606af
SHA256

3a4080a4b00f9b2faa006e0d60f49aaee67b77036048996f7ec8f4b1873f60ad
SHA512

c9bfba0f976144e66f5190c9f8e9c2dfe4a67003688364ae3618faa18c55a0e316c1b9260298051e6f80c0f445583d606c28b0744922f803b3b1803a9d655643
SSDEEP

3072:BlCmP9RRQ1XgVEuX8t1qeAcNquECM7UDcdl:nC4Q1QVHXXaPMp

Score

10^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe = "C:\\Windows\\jusched.exe:*:Enabled:Java developer Script Browse"	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe:*:Enabled:Java developer Script Browse"	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2748	netsh.exe
2636	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
3052	jusched.exe
2200	jusched.exe
2776	jusched.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Java developer Script Browse = "C:\\Windows\\jusched.exe"	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java developer Script Browse = "C:\\Windows\\jusched.exe"	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2384 set thread context of 2324	2384	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	30
PID 2324 set thread context of 3032	2324	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	31
PID 3052 set thread context of 2200	3052	jusched.exe	35
PID 2200 set thread context of 2776	2200	jusched.exe	36

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\jusched.exe	jusched.exe
File created	C:\Windows\jusched.exb	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe
File opened for modification	C:\Windows\jusched.exb	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe
File opened for modification	C:\Windows\jusched.exe	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe
File created	C:\Windows\jusched.exe	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe
File opened for modification	C:\Windows\mdll.dl	jusched.exe
File opened for modification	C:\Windows\mtdll.dl	jusched.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1908	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jusched.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jusched.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jusched.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433321738"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea220000000002000000000010660000000100002000000086c7e466ef337e31245e6f3f009a0997ee2511e4721980433224bfde8356faee000000000e8000000002000020000000efe57383b6f7dc4a74664c7df3a8fb2889662c57349c7e448ee5696ab387f48e900000002a8dda517a9a5363eaccdefd3233c6f4e101e50f616ce5d6f8fe54bcfecac878d56dc78336e632a61d0bc8b06e4532474e3db547a96cbccbc933e827522217bad764bea574fd24b1171bac1c27d5021c2eb28f9ae45e1562d43ae77471b66c081086b526ea9eab639460883eb2488a1cccb47a52a803fb99d5218e3c095f3de4d7ee6d442c60bed8428a36b7a051534040000000cebb362722b9a2ae5206ae4bd7e2fd656a884e1521d9744de9ceea5f7334952ad9e54a940e0dd7fad47fb49150a4f3cca5a4d910bbc4e704da8ef5b7710af1f8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000cce2d5dc3768626c4cf999082cf2b3e9c481872d10ffbd37ba8614b682912483000000000e8000000002000020000000b907491a870dcabcbb56944129fd2df2209c94f50eb8d5f6e68f16b4c6cc8fd5200000003144c8a30b3b9eee56ee53ec8933347277da220ff75355694fbd69d7dd5358e940000000c47fa714a281ca19821fa62be8777e5ff4dab41856a72e433c7b241aaafa71cc1bd27b71c25dd426a9672cb40ae2ac41ab2611142992d2ba0f6a44f57b90768c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10d1065e4c0edb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8538DF81-7A3F-11EF-A641-FE6EB537C9A6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2992	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2992	iexplore.exe
2992	iexplore.exe
864	IEXPLORE.EXE
864	IEXPLORE.EXE
864	IEXPLORE.EXE
864	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2324	2384	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2324	2384	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2324	2384	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2324	2384	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2324	2384	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2324	2384	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2324	2384	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2324	2384	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	30
PID 2324 wrote to memory of 3032	2324	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	31
PID 2324 wrote to memory of 3032	2324	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	31
PID 2324 wrote to memory of 3032	2324	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	31
PID 2324 wrote to memory of 3032	2324	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	31
PID 2324 wrote to memory of 3032	2324	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	31
PID 2324 wrote to memory of 3032	2324	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	31
PID 3032 wrote to memory of 2748	3032	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	32
PID 3032 wrote to memory of 2748	3032	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	32
PID 3032 wrote to memory of 2748	3032	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	32
PID 3032 wrote to memory of 2748	3032	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	32
PID 3032 wrote to memory of 3052	3032	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	33
PID 3032 wrote to memory of 3052	3032	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	33
PID 3032 wrote to memory of 3052	3032	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	33
PID 3032 wrote to memory of 3052	3032	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	33
PID 3032 wrote to memory of 2708	3032	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	34
PID 3032 wrote to memory of 2708	3032	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	34
PID 3032 wrote to memory of 2708	3032	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	34
PID 3032 wrote to memory of 2708	3032	f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe	34
PID 3052 wrote to memory of 2200	3052	jusched.exe	35
PID 3052 wrote to memory of 2200	3052	jusched.exe	35
PID 3052 wrote to memory of 2200	3052	jusched.exe	35
PID 3052 wrote to memory of 2200	3052	jusched.exe	35
PID 3052 wrote to memory of 2200	3052	jusched.exe	35
PID 3052 wrote to memory of 2200	3052	jusched.exe	35
PID 3052 wrote to memory of 2200	3052	jusched.exe	35
PID 3052 wrote to memory of 2200	3052	jusched.exe	35
PID 2200 wrote to memory of 2776	2200	jusched.exe	36
PID 2200 wrote to memory of 2776	2200	jusched.exe	36
PID 2200 wrote to memory of 2776	2200	jusched.exe	36
PID 2200 wrote to memory of 2776	2200	jusched.exe	36
PID 2200 wrote to memory of 2776	2200	jusched.exe	36
PID 2200 wrote to memory of 2776	2200	jusched.exe	36
PID 2776 wrote to memory of 2636	2776	jusched.exe	37
PID 2776 wrote to memory of 2636	2776	jusched.exe	37
PID 2776 wrote to memory of 2636	2776	jusched.exe	37
PID 2776 wrote to memory of 2636	2776	jusched.exe	37
PID 2776 wrote to memory of 2680	2776	jusched.exe	38
PID 2776 wrote to memory of 2680	2776	jusched.exe	38
PID 2776 wrote to memory of 2680	2776	jusched.exe	38
PID 2776 wrote to memory of 2680	2776	jusched.exe	38
PID 2776 wrote to memory of 1908	2776	jusched.exe	40
PID 2776 wrote to memory of 1908	2776	jusched.exe	40
PID 2776 wrote to memory of 1908	2776	jusched.exe	40
PID 2776 wrote to memory of 1908	2776	jusched.exe	40
PID 2680 wrote to memory of 2664	2680	net.exe	42
PID 2680 wrote to memory of 2664	2680	net.exe	42
PID 2680 wrote to memory of 2664	2680	net.exe	42
PID 2680 wrote to memory of 2664	2680	net.exe	42
PID 1136 wrote to memory of 2992	1136	explorer.exe	44
PID 1136 wrote to memory of 2992	1136	explorer.exe	44
PID 1136 wrote to memory of 2992	1136	explorer.exe	44
PID 2992 wrote to memory of 864	2992	iexplore.exe	45
PID 2992 wrote to memory of 864	2992	iexplore.exe	45
PID 2992 wrote to memory of 864	2992	iexplore.exe	45
PID 2992 wrote to memory of 864	2992	iexplore.exe	45

C:\Users\Admin\AppData\Local\Temp\f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\f30906ddfdb153c1d0a2c3240cc71fe3_JaffaCakes118.exe
    3⤵
    - Modifies firewall policy service
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram 1.exe 1 ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2748
  - - C:\Windows\jusched.exe
      "C:\Windows\jusched.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\jusched.exe
        
        C:\Windows\jusched.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Windows\jusched.exe
        
        C:\Windows\jusched.exe
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram 1.exe 1 ENABLE
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\net.exe
        
        net stop wuauserv
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wuauserv
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config wuauserv start= disabled
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1908
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe http://browseusers.myspace.com/Browse/Browse.aspx
      4⤵
      System Location Discovery: System Language Discovery
      PID:2708

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://browseusers.myspace.com/Browse/Browse.aspx
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14767c671bb5c1d4bc805ce93d8da35d

SHA1
a57935cc9851173723f481dac09f78385f2420b5

SHA256
cc88b1d17a15f188af341cc776ecc104566aa05ceed274fa4a82537f10e6ffb1

SHA512
808b82eba16be55048acd396f4c47b8912ac14742d594e087b9f4cf680f24c45906dfa7a08d6a66ea0332c672b0112db007e9743a702bd8d00f99da7b08849a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e51b5bd49f60a285404a804ede4a895

SHA1
e66f6940b7b87d34b2da2e73731d2e1134b271ef

SHA256
70a60670308b850bea0639b67daad1fc1317e2226f03ae479261fb2bfc7f2b53

SHA512
05bc0a5a0eb14bfc4f8a4581ff8319770e4a61b4e73aa5dadd03280ed41566a2ccb5bbdb1533f73a635a459163e2e97aa7e53e376b405e69387b2003c7581cf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a5cafc4a0940996349309271adfbd91

SHA1
904f69a08eb6c5f08341f787d8128defe5369dcf

SHA256
347acffc592b064837db318261cbabd3279820f1057f348a343f20acca261bc2

SHA512
309913d1c814a4d47523960f796988a307216cdbf520b25543d074aef73ae1dc5544c87a146f7db9a7bf5e78d0fe368e9598d099d05016540f6317a94037170a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc3ab5b595eaaad94397576cb3737981

SHA1
5b7bb7c8700cc9f77c36508fbf3b052b39323792

SHA256
7c0e1c6ac0faf963477f98df97aae2a054ee66caf49ed6c2bb7e7d1efabd700c

SHA512
a9c5ccdead02d4ad9b8f4624bf9fbf21e5c009e9060210cc5928971f016d9fd294ace372a090431910b492a2017572de228768b875a37e76beafcb622551cb21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff2f9aa57d6e52b6a67f52bb9a64c8d2

SHA1
a5eb175ad34dda942fb1f7990b8cc5ea6cafe4c4

SHA256
03da75a261ee208275c7388958217c060748fa895ebcbad9c6800b76cd58a651

SHA512
3fec656afa25841828ccea5cff8dcd5d7b55accd3e5bd0bef64cb2bc98690a9e48ecfa70f5eb41c05966b714b8ab73d1b1a6742314658828e5fbc378041135fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01eafe186cfc393037612e90d9ecaf15

SHA1
2df2e9e8ae84596b313010670d76238baaba3a77

SHA256
608957ce563b87c1160be984a7334a365676dd687a1c82865afa1fe627a79e5c

SHA512
6ec59e45b77cb3c6213fffae70bcfa9cd967c8528a3ed0c4e6fa366c19cc87e835bb4751037008d5272aefb9cf8999fe9e0ff8d0d6a7363705f4df97b9e6903b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62cc28c438b1910b1a25448230555056

SHA1
b6a6e7c44de573549b93afbf7e8a28562da30246

SHA256
ef41a07e1d211b34ccf896c25c59763d335d692941734a37aa37f4e5096b32c6

SHA512
a098ee3da8ae5383787c9cc14fa0887c74ba74a1b39fa4196e0d0830fb2b07422b936dc708541734e3768b5e004c05dd0db40d6ec9b06341f8c8d4652188e482

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc482c5464b289bdab34c9803f23e9a0

SHA1
4174187c1403b5159e057a399e5249cb13d64983

SHA256
ab056f0ef1d9f06ae5cb219ccf48c49fd3270c888af52bfce3636983693654c8

SHA512
ce8dcf98102c354ebf06ce8ff1383b7b71800e3c6d5be27f6f40f4bf81f1b5ed15d739916ccb115a209d7c81938c5d663e7d0599b1ff4c69018fe1c21e2df829

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
854c257eeb045838c7a7bbcfcc45beb5

SHA1
78b5ad98332b6450b6d1fe368c2ccb92ce70ac89

SHA256
22ce0b8bb607dbca14e6b57a9a645f414dfb72699bd7305b4c44408f63cdd4f0

SHA512
be924098d137eee70d90dc6989a00e42880aee778f385aef6f05d1eb4bde5b0f78a68499191ca80d4c32f1d2b4774410857ec253db9943e5be29006b7c8a39e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d80183e857e9baca7e598c8541e739cf

SHA1
680885b7d5875f7180d1743cda18cddeb2a3880a

SHA256
6703b0142b44a6a9555dcbc864096c9d60baad93e646ebce61322371f1668dd5

SHA512
333f7231e8f9b78c800e9cef8c1db1ddcae87e1ef4a4f60486cc32aad600c636116a87d7e086fbac012e4e17eab73e6d14b7c5d164165eb87c2a89adcffce598

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0473636b8e5df66a0baf039131bce11

SHA1
5577aff5ccb140a4366b67b98fb973e10913fe58

SHA256
736eb25274503e45b89d15209043bf5152871d0cbd58c5d7500389bdb64e6d71

SHA512
9e270573c70bbcc847d1eb600ce3ebbbb092c3dbbec5f2f09f779dbd44b589c2fab4f92091f30155af9e9c460cd37052dd2ee070ad233178154543fd1bc8d249

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01d70e6ba19c7b90c902ef9f10942717

SHA1
663e54bbe793efcc81367fe32569cec0382d403b

SHA256
00ac9c4f33b08bf6185e9a280bd414310874093ec1ba3f126e608eed13280400

SHA512
390c33c9737b38db8c45fe7a53da4514e454cf54c76f63833144f4443b997ba4871b0fe76d4710cb6b874a21b599508e4c396302e6b2bc324bb21f7c3e2dd8f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
292f6cfa631c009680880cce1ef142ad

SHA1
8c280e6e4c67dab3da05ea5f84618b0392fc942f

SHA256
89f3fadf5098497f06e88f022f09548bc258f595eee62a07d656bd8947bbe749

SHA512
97a6fe77e134dafb08b208a19e5094687bb8fc45c21ecb19794c1077f8fb67aa930cc71410e6ea83c78e2e638165c7bb1ec3fc716ad27720edcbc5b72d8e8eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0de0df15f1e4ed8a685d54943f6691bb

SHA1
69fdaf4671a62667d576699b0c175d642b2542a2

SHA256
aeedfa7ce3eb503cc4dd381defe2de29c321d5f42b2e10f540bc465b570e3878

SHA512
de6beaecfb3a99c0620ea75369be36f099c4aec0c8a787c026f9e844296b86c13f2f5f29dacd6096f63d05f74d61f8bab4cefc78989b51f240be9f0b333ab120

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2452fa0c55f8e1a9f6f54cd23038bb7c

SHA1
9020eb2f82a9bdc4da94fa95c0dadd6c42e6053e

SHA256
a2d7934f14091af1acda135c541fb102855eaff15c6a72cccc07dfa99eb76b35

SHA512
a2d865a55d130049815dbe6b9545a0cba0221c44b6fdb5ce988bdf5112678e9fea44960afb451a43a9eca9aad100159bb4c4c8b41a7e75b314fe426bca234514

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ca97158b0c91739aa9b47ea68316dd7

SHA1
ab618f0907c230db3a0528b65a9b4920964ef480

SHA256
e685ba07fc6d8f13b54362953a54d90c2ae6b3edbcc778ccb7a21825ad2fd698

SHA512
372ea066c0a1e9c740e6292b714fc5ee3ad1a1805db1773130499ccae0e44dba127f792a61f32c1f22473b054e2581461c9d18afc6d67c1adb2206ea0474a569

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1d57c49d2eb32c579079f5babf3e512

SHA1
ccd5c9589a422cf982e762f38d9a5dcad81c0cd4

SHA256
213f8d6aa9d60a0ad5cd1340f17a172393592bb0f158b1cb7c736669119c84f2

SHA512
cde7fb95ebf818b9bdf06122747738f98ace029aeb6ad23048037c5e7c61d368b1aa7f58b0e6d711a38032b755a8432e75ebe34f9a5a624a4954ee432ab44f1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22e0a5ebd2f691d561f488f8ab5b6009

SHA1
1f5b5f171115396bce9dd9a2d7ee05f30c2957b7

SHA256
cdef3696567b720db904ae3f625d1ed86e0dee4bef88fa7fad38a7185bda21f7

SHA512
a0d7e289f2135026c9b32e65ee0afac24afa1b4bd938d6a83d99bd4ea70e30f373d848c8558ae4ae6e086937ba75694c19f6a0ce2ecef158a5c1a3a1576f8db8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e428ee503067ac5d201eab3451e2b8a1

SHA1
228f03635afad7a9137745f090a620275b57016e

SHA256
a317d45181b9f16ff99605b235f7a3e2d37db5a511661d78fe25b1c3fc7e91d6

SHA512
9bca74c720f1c4699e5c5e383b1f6a7e7771c941ffcf4c29628c969d7fef04e5963b1e32ff3fc163e099a794f3f3d59d94fa86d33df2f486d8aae36e57d6cee6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb262bdab5ca8fa343915602afeeb2bf

SHA1
9ad3b50c58896dfd1d3507045d49377f3c47f997

SHA256
4c625c6fa44baa60a981060c85773188029a2237fa4cb6f2ff4af30e0e3db548

SHA512
53fbfea897145ea7cc88216954e8442b75286870032320ee9ed1abe209bd4dda43e08bb16561f11538e707e0c0523f52fa5074efb662c3582f69a8e16ef97771

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b259e8252754e094317d0a8819dae6fd

SHA1
d89be5c36fc02bacba97aff0a557894a3713e6c1

SHA256
4c2478c99af45ab191226c3314cfb930ddc242a461185e7b23de7dfd8961d916

SHA512
42d79ecbd708c2813038b587dd0100c527b42021d8b386671267a4523367824d3c405344b97374d41a49f9c47833d69f3b4694cf79ba1851b5c772cb8d3de95f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8724ecabc44188b885f9ea9e3108ac9

SHA1
85a65bf12b9c58cdce15de0f42e764bbaac0f56c

SHA256
155168bd6abf0197db08c262f14b7a347f20531a8e12b615ead17ba78d6b65c3

SHA512
4cb31118e2cc7cb0f84c7d8e4d56e43f187a4942ac8792afc4c4f3f8a571b398a544518cd0a254657d1a486c2930010a5f67b4cd64ba9418247f542d7be4df72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
311c449584d60a9f70f1a5e9b0755b20

SHA1
397a41c570de82f1b4b91ed3cf7414dc6e2c4900

SHA256
b9ccaf6f8f6b504d5344f73e7ad994299eda76d93df1d036b2754f8942e2fbaa

SHA512
e109cf333631cfd21be517bfb91f01443dcbb75a4776108f92de7ecaeffc230e984c97245ac5d64d33bb2d5a7310478d6c018c8064f4459606b4354ae53c5ce4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
788e5a2013004746f6f4e060292365cc

SHA1
bb45dd474acc04dae0c7f50368f82e8a3d9ea31d

SHA256
a4d60fc52bf87767c535b24fa34b0fa2534e927173229377230869a8129300cd

SHA512
74ceaac992448bf2953f08380f49b6ae0071e2f3a5727f6a6829d3dbc153dcea032b98bade56ebd8e7267fffb5b9a41f39299153c456f884ddda481426ca2a19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be11fd7198436fca1b7efa604ee4109f

SHA1
242bddcba0b863a666280d19c2c1f6190a38b0aa

SHA256
eb5137774115a5b9a988c7474e46aeacd23ee3227d8184a9e4de0f0368cf3c24

SHA512
da281488fbe04b14101cc6edf16613972d16263e3096777e6a3e5f3f55288f4d28190f5f2d26a42fe357ac8b3cc365a9055f88fb546338302674ea99ea3e11be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8574ddabef30da5ecf9f83cb0b929c2

SHA1
8899527b4acf3ab6587956a6a6a7b34e6b168d99

SHA256
23f3bea87fd1e759b6379cd4811d366192af367e00fee588c6983ffb14d904f6

SHA512
dbc63757099082430e3c7a2c00e4a208872110584dcc403dc91c490b4344468c926f0a1298d4d27f2940129e14d2ec126cba99300036636d95ab75783329bac0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7dfc403de298a52c95624179a1d36743

SHA1
f21e868c33f743283823af616bf142479425c754

SHA256
a56d0b953b807622d997af06c0c971a6a5c7aa618447110e8e2e386e11798dfc

SHA512
c6559151d240d6af03053848c27e551c30a2add3f9b050a952da436c605b84a368b04adcab8330a6d7f6852ec5d8720e1b2aff7941930eba9947b6ac8aa076a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
400805d8eb36319e33b5a7eb5dbee5bb

SHA1
c62fbd497d49aa06326b55c3d6429bddd23ec4ed

SHA256
b7f3813f5ad5ecb4865d5630bc581d988cb61ceb3e60ff5121151f4f7b8079fb

SHA512
6a5ce4e33c463b62811ce66fe48379e4902416f89b6b2cb1a916cea5fb92d0e73956c5eb0923122d69c004928f6457eed273b25730e1109dd49dae4ef1e1ff7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8d92aa5cb2e7dd3459c9fb9f26de93d

SHA1
541e31ae35c969cff45af3c79ac4149cb9f07221

SHA256
aaa10654446192e4ac1ffa2adbcbb04f51d0dd270a20e73be942b14836023cbc

SHA512
16f0225e4d0e1721f7f84fca99570af83bf74dae9c4e0e3bfbfd1161d12e8c438d4178d4a49e0d1e2fee8b5ab504fed5617b82d4dbdeee01c733ca9d277a20fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
681848a8695b6997800acb79b24073bb

SHA1
7af14a2912f745132464e9fe82393a089810a90a

SHA256
a13ca8061a32321e4c0715e5bfab00c00ddf3c34509b68aaa2adfeb7bc045e2d

SHA512
78c2d40181164be1542a94edaabb78607c39729ea6f72f97b81f52a874957a1562098c53fca488bbba4dc14f88ce62700e1e9c676ffcf2340fa137218010e162

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e804e6a0269a5eeea02d5fee6329db56

SHA1
719133c968eea41c4679eeb6cccec7d46fc12bef

SHA256
00baea77da70e25d9b2faf1fe0c0c48c52dbb8af64405876786500964592b3df

SHA512
6c50bac5e2b86fd7108b8d6e771bde6aaef84f8cd8d1d5f4869b6fcb6c9f768cc20dfe09cc1b9452a726edb7cc36a0e89284e8b679307322357b49aea9d54c98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5393dffb4dcba5a7146957b67d0ff3ee

SHA1
95e3dd657215f4569da4982cc99af9f70fc66746

SHA256
5d841af1a82798a5d3163cfdc72e8ed6ba3def047c189b1cefe49de597e57685

SHA512
4ad2a4871f772cc5c7c546de92ecd6788b2545d7dae0830dc78608abcf6dd64c9b1e2bdbe38a23df620b077fe9c22069b8ef56a20a420714f47407266460e504

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eaffb3fccc219cac8f714ea61471ed09

SHA1
877a5d4257d6c806788e7d39b087379b2e4ddecb

SHA256
45dd9db4bbf6360f641d1a5cd43d1722c0d11400951ccb668de8e0cb5797b59b

SHA512
0d526bc4d3cadd9c4eeaab0d5a2f5b480800926d62888ae386d1c357bb73941be6141709ecdcb05b41257aac84aec047f9399e0523e927f0b8170b2fc668be62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce72b787a58e21bdd0df9f9e41485830

SHA1
29f22d107c78af9bb12dc91e6ac2c2cc0a08d20a

SHA256
67413772de5462b0355cb288c3b1d1e70a20a5e6ad99cbe348dc3b1ae610a7fb

SHA512
2bbc585a95b9124bd48efd2cf96ff497310965a90fa51349f86a9734e9f4006b0ee8dbd46ccfc42c857376f9a7e6d10521adc491b00373351c54c996270be3c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c214b61cd1c4f2a6f31a5f41b60fc4b

SHA1
2bae6c9a88d2eeee11716b24e89444fceb9782f0

SHA256
594faa3d56fd2e86e7343d4dc4cb879bbf71e6a10231f20389c4d00567681c13

SHA512
1fc4324e5b7dade2a65025644d27c70c40a189d4739486fb59c7433442e9d72de87d09d9a78d207b607e11bb7932ee5a0c14fc993bfc8402ad92a0707415bc0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d51bf8d36b25cf5e8697dc926250b8e8

SHA1
645dde83756f75a09e45056e30309b0acfa1b962

SHA256
7ed2b55ae1681ec86d1077d8a4e4ea45507eaf8a5616f78ebe241eee90fb64ab

SHA512
5273c1dac9599a8e6746cba969f45f71524dbdafbdafef07f72a3e95bb2e48a687f3164c8e7bb1c4a09c2b85812f4f4681d7283dfb160b8aec400569661fca9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aaa4c52e0020a9abb4aa7cd1959b5df0

SHA1
43cd588a499a675519f18fc98ddbc4df5946203c

SHA256
5fd62f47740e6a37c0d6f39cd12246164daa229a59535e85d40434ac8252a199

SHA512
ab469101eecb89bc77871728e93bf153404929abfbee14ab445f32ceb0169a40562c93eda9791df887b6d352e985517d82e36546fb9c26ac931aa48e8f345365

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db87d037a4e39c730d4577c9965ea0cf

SHA1
dfbe25868153c015b8fe993d30700af4fddf13a4

SHA256
c80264dc65e0d5358c857bc7eefd204b32007f17dc026fca47d2f8fd53f3993d

SHA512
b0d02272c229efe674c0d62660fdc14d4c4458407c0ea4192b93e31eb4f11c4d015f33edb3ed943d68c6014d9ca922e4e513af710a7d544adb643646f1b949a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6464ce2ac5608652d30635f902ca847

SHA1
60a3a419e94af5134739eef7397da671888400c7

SHA256
b2ab016db6e406c1f4f8a6add9c161503bc527f44ddd4592589cb926fa59805c

SHA512
1990283370020c4b386259b16518ff9a6e7bd799f864c300d992376f96356d1273e8809341a5b32c534450ee760ca21729fb0736744a40aa39b6c0fb250848c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
311db1c9b572d6baa898125bdf6031ae

SHA1
5ad59227183999140bcafd45cd00bad4e2fb3eab

SHA256
ed4a96348344c93c7b94715425d42b605ae9c1a9b6e918975c28c55423459826

SHA512
c5e214b5615758e61ddea80aec80ee530403c31fce0db50a1613defc68cf7c1350de3cd4e34ec2fde78cc5755d8e5a29f238fa37cdfe6f28e5d3c1c7e9c7b7a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ef1126855011e35ace0c90c34616c89

SHA1
e6985b120547e1134485ff59f8ff4185a2563fab

SHA256
709655fe6e59c656ec9a7c1297ab0458223473ceb84af7040e04f5a4b94d4d02

SHA512
f68d509a6650199a1314842fcce1e665db9fda32bde0776921b4d8899a8f752f330916ebe8c375ea93f35fe743ff9465ab6b4a84cd990eb0e82e817d65ac4d35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
140ff331c776034494a0d6abb0e32e61

SHA1
f642e676155a24125cdd9051f1782aad552ae3bf

SHA256
e1d9e7f1eb25e9f181fa835f7c5cd0031b5c62bd778b90d49cb335b855976652

SHA512
10c184ab51061a3a08296a36caeec68bb2edc74ba5bff0349c93dd938a5b8fc10c54f888d5df4c3024722d15abbf546a880261af1dbf9251bdf972c4bd8c489c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed158b47aa47ffc24ce78a2ca8efcfce

SHA1
de64d8d9d02bcdb6b69c2b21c0a81f21dfdcda5b

SHA256
06626a9c457a84bd9d149b72e6c85eec2ae76f181750782cb667414483b3dac1

SHA512
03305966fe8b3c5f54b65c0d363ed0df04e144ba5c4e2fae84f9ac0b8c8538bdad01d18ae0ab558e4dbfd149e60d8f91174fdf3da5d6d22ca15f14fe898c1957

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC332.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC47C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\jusched.exb

Filesize
102KB

MD5
f30906ddfdb153c1d0a2c3240cc71fe3

SHA1
435d20715f52f73ec180652e9e1fc626b2f606af

SHA256
3a4080a4b00f9b2faa006e0d60f49aaee67b77036048996f7ec8f4b1873f60ad

SHA512
c9bfba0f976144e66f5190c9f8e9c2dfe4a67003688364ae3618faa18c55a0e316c1b9260298051e6f80c0f445583d606c28b0744922f803b3b1803a9d655643

Download Submit
memory/2200-83-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2200-76-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2324-19-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2324-25-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2324-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2324-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2324-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2324-13-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2324-35-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2384-10-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2384-22-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2384-8-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2384-9-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2384-21-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2384-11-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2776-2780-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2776-86-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/2776-3220-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2776-3218-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2776-3214-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2776-2777-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2776-2345-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/2776-2781-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/3032-34-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/3032-38-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/3032-89-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/3032-91-0x0000000000400000-0x00000000006FF000-memory.dmp

Filesize
3.0MB

Download
memory/3032-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3032-30-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download
memory/3032-33-0x0000000000400000-0x0000000000700000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads