d9fb00c77b80178d3077879bcf40c9d6c09545c21b07aaae6055f614e7c6295c

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe
Size

348KB
MD5

00fd7f4445b89c9d040da092fac61212
SHA1

668575e74cb5346fb0424d383682dbd98bd1eb92
SHA256

d9fb00c77b80178d3077879bcf40c9d6c09545c21b07aaae6055f614e7c6295c
SHA512

bfa014aaa87ce178cead649c89b93f2fea7614ae6c541b0554da0d89f577259dd0310b81f05e48b85cedd810993293fa839c6c61150ccbb940e1a37b1bd0dc1d
SSDEEP

6144:Zlw9O3WW38XcEbXt32pUsx/zfiqlw9J2arXPie54BT/XHmNU7TBFg:oOAsEztGp/bfEpr8DX1

Score

7^/10

adware discovery persistence stealer

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000017079-4.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2820	mdsn.exe

Loads dropped DLL 3 IoCs

pid	Process
2700	regsvr32.exe
2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe
2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost1 = "C:\\Sierra\\mdsn.exe"	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04C1DDB5-5839-4D80-8BC9-7D74BE9E321C}	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mdsn.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA0BB8E1-0C86-49DD-B44C-2A1978A254BB}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA9E4FAB-1683-4EBE-8330-5CF738C6565C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04C1DDB5-5839-4D80-8BC9-7D74BE9E321C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA9E4FAB-1683-4EBE-8330-5CF738C6565C}\ = "CBrowserHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA0BB8E1-0C86-49DD-B44C-2A1978A254BB}\1.0\ = "BrowserHelper"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA0BB8E1-0C86-49DD-B44C-2A1978A254BB}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04C1DDB5-5839-4D80-8BC9-7D74BE9E321C}\ProgID\ = "BrowserHelper.CBrowserHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04C1DDB5-5839-4D80-8BC9-7D74BE9E321C}\TypeLib\ = "{CA0BB8E1-0C86-49DD-B44C-2A1978A254BB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04C1DDB5-5839-4D80-8BC9-7D74BE9E321C}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA0BB8E1-0C86-49DD-B44C-2A1978A254BB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA9E4FAB-1683-4EBE-8330-5CF738C6565C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA9E4FAB-1683-4EBE-8330-5CF738C6565C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04C1DDB5-5839-4D80-8BC9-7D74BE9E321C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA0BB8E1-0C86-49DD-B44C-2A1978A254BB}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA0BB8E1-0C86-49DD-B44C-2A1978A254BB}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA9E4FAB-1683-4EBE-8330-5CF738C6565C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04C1DDB5-5839-4D80-8BC9-7D74BE9E321C}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04C1DDB5-5839-4D80-8BC9-7D74BE9E321C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04C1DDB5-5839-4D80-8BC9-7D74BE9E321C}\VERSION\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA0BB8E1-0C86-49DD-B44C-2A1978A254BB}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA9E4FAB-1683-4EBE-8330-5CF738C6565C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA9E4FAB-1683-4EBE-8330-5CF738C6565C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA9E4FAB-1683-4EBE-8330-5CF738C6565C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04C1DDB5-5839-4D80-8BC9-7D74BE9E321C}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA0BB8E1-0C86-49DD-B44C-2A1978A254BB}\1.0\0\win32\ = "C:\\Sierra\\BrowserHelper.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA9E4FAB-1683-4EBE-8330-5CF738C6565C}\TypeLib\ = "{CA0BB8E1-0C86-49DD-B44C-2A1978A254BB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04C1DDB5-5839-4D80-8BC9-7D74BE9E321C}\InprocServer32\ = "C:\\Sierra\\BrowserHelper.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04C1DDB5-5839-4D80-8BC9-7D74BE9E321C}\VERSION	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BrowserHelper.CBrowserHelper	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BrowserHelper.CBrowserHelper\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA0BB8E1-0C86-49DD-B44C-2A1978A254BB}\1.0\HELPDIR\ = "C:\\Sierra"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA9E4FAB-1683-4EBE-8330-5CF738C6565C}\ = "_CBrowserHelper"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA9E4FAB-1683-4EBE-8330-5CF738C6565C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA9E4FAB-1683-4EBE-8330-5CF738C6565C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BrowserHelper.CBrowserHelper\Clsid\ = "{04C1DDB5-5839-4D80-8BC9-7D74BE9E321C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA9E4FAB-1683-4EBE-8330-5CF738C6565C}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04C1DDB5-5839-4D80-8BC9-7D74BE9E321C}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA9E4FAB-1683-4EBE-8330-5CF738C6565C}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CA0BB8E1-0C86-49DD-B44C-2A1978A254BB}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA9E4FAB-1683-4EBE-8330-5CF738C6565C}\TypeLib\ = "{CA0BB8E1-0C86-49DD-B44C-2A1978A254BB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA9E4FAB-1683-4EBE-8330-5CF738C6565C}\ = "_CBrowserHelper"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA9E4FAB-1683-4EBE-8330-5CF738C6565C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04C1DDB5-5839-4D80-8BC9-7D74BE9E321C}\ = "BrowserHelper.CBrowserHelper"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04C1DDB5-5839-4D80-8BC9-7D74BE9E321C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BrowserHelper.CBrowserHelper\ = "BrowserHelper.CBrowserHelper"	regsvr32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	mdsn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	mdsn.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe
2820	mdsn.exe
2820	mdsn.exe
2820	mdsn.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2700	2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2700	2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2700	2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2700	2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2700	2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2700	2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2700	2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2820	2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2820	2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2820	2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2820	2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe	31
PID 2644 wrote to memory of 3012	2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe	32
PID 2644 wrote to memory of 3012	2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe	32
PID 2644 wrote to memory of 3012	2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe	32
PID 2644 wrote to memory of 3012	2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe	32
PID 2644 wrote to memory of 3012	2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe	32
PID 2644 wrote to memory of 3012	2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe	32
PID 2644 wrote to memory of 3012	2644	00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00fd7f4445b89c9d040da092fac61212_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 -s C:\Sierra\BrowserHelper.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2700
- C:\Sierra\mdsn.exe
  "C:\Sierra\mdsn.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:2820
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 -s C:\SIERRA\rEvents.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SIERRA\rEvents.dll

Filesize
87KB

MD5
ed60f6da2a73090851837703f97590a7

SHA1
6d4b09800c63f2230215cf8ebf5dcad65aa0bf92

SHA256
6b28be1a102dbd63b3a7a187e22c2dde10bc8a796ec2d9fce95bc3e5571e4650

SHA512
bf790b6aa5f5c7e6ffcb6b1ec1025cdf0fab05e6f68b0017bc099d3b60aba44511dc63b41a1d0672509b9c37e531b1a2935e27ff41a065bfad49529d49e48398

Download Submit
C:\Sierra\BrowserHelper.dll

Filesize
49KB

MD5
e1c7061b24dfd3326ecc5705617cbd3f

SHA1
a4ebeb4ec2616c0d7c07041bed1616926df75448

SHA256
dd9682f31da2c4bf1a462760c6e6badf59ea041bbb80576d987d16e77f014f82

SHA512
1ca64be44afc3fe554b541275d50356f1637113069b2ac4a837d6ff48a71d25d1000f3a38e50feca2ca9e8262195558e3c1b3f9d314812375a5cf2c93286bd63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb2a772ed92698d2d2a86e9c7a9bd17c

SHA1
6a500c89d20a16ee6ae1b75f5286155073a6c72b

SHA256
3a34114e9cc4d01c8d1e8633d586d8681ee410ffb6f8249859fdb5c16988b5a1

SHA512
6df2da215326596ab41277804f1f9add4854f8207445a4d655b5d7471b8b3a11d7f58e8a08f711e5f6ee6712bd08af6f4e5d057b1ca8a935dced00bc9b7b0e45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45cbd467de2d7a004423b2af36ed6c18

SHA1
2afdfb16e0329d47282a622042eeeb4724a1628f

SHA256
b52cbbcb6e03cdfd03b9b4b9ad205f37c23c60f9e52470be024d97492241bc21

SHA512
a9ef48459b384cdc373532fa157b211b96855f492e5e742ef15e524b38d22950055ce875275a060aea69fb4655be1903b5b4564458d55aa54f94fd6a84eb654e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
199087868b2d379eb33fe46a55222750

SHA1
2054e83d726723b2d934de3603f687750192011e

SHA256
2cf69da5015fe589fe68038fea0b8a9811c9a8ec860cde4fc34b3b21f4763ff8

SHA512
7c7b1521f5e8d46b21cd3b599dd854c6ecaf5ff53166d6d283d400d92f04560b1d2b760974e4d3e7486037003aba9537b58958b002f6521edf28b65597e50093

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea64c2061dd6740996fdff1560deaae5

SHA1
9b1da19075765bb2e299fe02cba1cc9626850e98

SHA256
674c2b80ba16f1d038d56a5b8c86294689392ca06d72fb85c25b17497a3d3d32

SHA512
0ea30d842954fe96c0bb0dda13debaf5760974f97e976dd2b57d147b783bbed3437972e721af37eb5f7fa944a14157e9571b0ff9d32cc67c0bc168088ab1e6b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
728f3a840314a566f66b43942bb0721b

SHA1
4c594dd5f19b3810e5e155828a9213141b8b96d4

SHA256
e4a11dd0c71e415c6c24e54302e084fe05f4f94460544b0085d34462c1a024de

SHA512
e18beaf3f808e0885bde48b7375f33abf7faa5a5a3929bbb9ad851008647299a33633b36a52068fb6690e8e27bc6f1f4131594ad4959d061f8a790f597409b67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00e505baed2cb899e284a57a82f0afd2

SHA1
19244110600e5c8bf91dd43471315cbeabcd7810

SHA256
116acd096a12241e891a29352f887c15d70b8dddc5f0bdab3878571b9b234190

SHA512
7c21fd16db8b868dffdaa030111d625e44ee2b3c6b069a3be860dcc392da9d1aa7a6db6609006bdc93c54cae3d7bf23a0a7dcff58fd50757d84e6ca4d5d17ec0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6942048c683e37aec1d83c5642a99e34

SHA1
26c9b78aed8d8c83cf467815b0011b39f8cc8043

SHA256
701eebbeb4fa90e965bc675bb81c0724f15697c823575d9ba5ac96bc5a13119b

SHA512
aa267dff52a74f8f3e5bfb5a37442fec790c1d81282af9ec35c2175d51f4dde6747fe1e19c703ea3e0f163a623d4ecc73174b8f2dd492f2e5606f1f2a0874ce2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26e12a2845325a0fc6155143ef3949f5

SHA1
66820061975b2fee1064ed9df13de5554814e75a

SHA256
50149dc5985b8a297ea558992f1b60d39ee2139a6fdd36f0b39ab533ad63d2cf

SHA512
b5667b79a30c9c692e3896c172128cc7d3ec4539627ea5fd7032f4701b5d90429ed3ec3ce285bd9e03ffb9369bc63b5f9ae5a2efb9dcae44e8e3e2a9f9b340e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef6ea15d6dfd649ca2c0cd757a7da39f

SHA1
e1ce5e3e1f842dfecca08c4d683f2bb0fa43d779

SHA256
bee92a979b7dceb863641094868f72489b1b8ef65a9291aba7e9b5eb817fe0d1

SHA512
6db3af6232d959c3abf14c89e6c9ca6d3983d701119ad7a934226d94d4cec33680c01a3d7fbcfa61d594630b48eb8c9895666c097c9726a25d63ecb3e399f03e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab3edd5cccfdddf65e21fc05b32ba8b6

SHA1
957a4b190073c33bcf00ffc464cf02eb5a3d1c7e

SHA256
650a5b3d510e1215cfcc35696e88b7d4877dc3ffba61905a4fcce391e8d62b89

SHA512
d5e8bd8eb6cc0ddc9bdcfb5f13f609c3e8914094d71eb36fabca8bf46778fc03a97be04af4c7948965cb92457762242ff1db38abe9fce5db08e5510e09e0280d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a77988880a5442ab942ba86ecc7afc3

SHA1
c350d4c5d31d50ab6db61c9974609de01737c0ac

SHA256
0d54bcd27d66813a3ff421ffa9644b12474d912d21389c2bf211cc5ab10cfd7b

SHA512
264cb9cf4a4b5a71ed4e3174a31ca0b74dbdcb078987a1f00f11194f1b079aec9377641112b95d6ca51f1d22e8dea128c313bd478e85946ce6b0c512d2d6d403

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f02482ee4340d65752802af0f90534a0

SHA1
975717b1c0142c2ac830454f0dc098473283fc4f

SHA256
4159a1b273fc94205e3d1b8f8c5fff88da2f5c12eced8a106228efe4472789b5

SHA512
7b7af49ac71bc334403491a676b258305a5cb83259d963f82206b79f608c86bd534eca24ebe177ff0a800b49b0a3e4fcb03864d4851135299392846335164fc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf14dca48f47b088c91ae8fcede1310a

SHA1
b544b0cac8f16b92ff0c3371b4b36b1bac9fe9fc

SHA256
2e2efdb25e3f7f00b8cc93ca8e5fab783160e6199bcbce07d79dcd38e50ec3f8

SHA512
aae58d68269b115d560458a770b823616da583f770c9a4f93a5850679046fa6f625532fd99f1e87b50e83bc8e4d752b18755a55785ceb78c6059955e961c2a5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ac8b17064f0c63e8651b21b0aeedb47

SHA1
2a115b9046fe8203312ba7c8f712b9e79d3fff40

SHA256
6a5c587d03078c396476a40135ba891cb6f5d7308169d7bcced2ac41a30ad84a

SHA512
f062681ea6389151e3a45b57b9e76f98c65a2f1e33d3abc5d33305305af537e0591332fc1ecfc8204449442b2572927af6599e2afb713a3af311ed8f1049d636

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45312f7c5cb39b19fce300d79396d026

SHA1
11a88858ac4164b33ed696af215023c1a6898d88

SHA256
5d36ad0412eceac1ed391b8b9b87d45b50769902fd5f160cde18641a7f4ea4a8

SHA512
b1d5433901c8145c82c0fe178093303abf3f930f27e054e5b025c76cf21080677e7e3864b54ff7483b9a960accbc692d50ebb34c1f9217735e31027818bd1072

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a22e57a15aedc4669e72c5ffb4f45d1

SHA1
a8efc918ac2c6b4d119dbcf153058dab7f50f091

SHA256
9f9525cf417efc561008fb0310ab1f96c4affaedc3460a4488d07ebfdb9bd6b7

SHA512
e2f134e0e8dd2b1737578782311d0b51128f29506154fe79d8f9e967cd736a26d44df0a4178e73e089908eff081c650dade82c0e0d5d6404062906ec098ae1c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6902e57f414fb6c77bd9254a16ae3635

SHA1
d0dad1a1d85a59e0a57a85ad93c74389ea01597c

SHA256
99da9a6860848664329c6c6624b2e0ce0fecd2be1ec2e0885b9a03a6b31df8aa

SHA512
638978f18214e362273945c48a05380e1542efe4576e9fa0144c85d62b3a05a64fb82f6a5558c2e5c23f67e7c69095846e8f0213d1a516eb0908d89b545f1ece

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57e51292b265eb684d73529bd327268f

SHA1
345f39f9d1e4ac5f3a8b35e79f2bc4a399c4c33b

SHA256
b6279338eda1838a3f8f9e08b2f3f7f708424e3f03815bc064a3af078fb86705

SHA512
a221ccd1ee6a16f8f7b6353c5187d200e00602e96c15e401cb0dcc5dfc2baaf5309e54d83e89487816b22f71344cf44bf7a010544ff0c955c68b33866dc60f77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c60a98ffaeb370bbc4bc3a12309e01ca

SHA1
f837983027be907ea41b954f4c230f1ddffe3e99

SHA256
4ddcd0937c980cd3072adf1a1d684539d67c10827a2f6aeac97079fb7aff1d4c

SHA512
ad25c2b10a8500d633171862528f88188f15a012c3c52624f258e85507d92c93832934feaf58f0a367e7b99173b1b6c9c3d18f79eeea60ec6e69a20da02db55d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ed2c406b5db7ed1f7a4a18ae3e23bee

SHA1
b784076b25f8f1d0a2f48ed52ebd8e8feadea426

SHA256
41d053f1a5208c6286f426897e78a92a5e2f0057bd94708abb6e5657dfe8b5ec

SHA512
2ef233532aafd7041708f4fa63edb8f70892ce5ebb49c3a92c7457ebddd68c3d321801a681730a548c6351cb8e23f31571b9095ba3fbe44abc8e9af98f89083d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e33555834d259a6b6036bf0668aaf11

SHA1
8dfd61f3395769b904d1da40c946b04e8b6a5cb5

SHA256
a7cc6e4dd60532d9fe70cf10fe634ce3396073026eec7db151f2370fc76d0839

SHA512
02be2ef61e0d765c3f702ec07866cb9880a41bcc89774313301e9fc6e96739dcef95d1beed4ac250ec7af9653490cb9c88ca16661e169889a6ec98eb392d4ed2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf4a67e589cf2da61f1a9c1b943cd8fb

SHA1
80fcf884bd522eedf90c9a635a6cc03446092887

SHA256
72ba30668d87ef233a9e3890902b06245114ae3faf2b6a89dc89fdc2a7017a66

SHA512
e97c8abdfd21c88ba114cc579f40109b1076297e97b3796ff104a8151885c19df8925770e5ede4a8428ff7db330f1c2d302e86fb0bff7e50bbf23e55158ee638

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8616585e6467714cee8ef03cdf382200

SHA1
e294da496df51548009ef7a99b6adb4be4708f1a

SHA256
8de006e1f072b696221e0ff120759d6b141d843b1bab0c713e64f7fdf2bddd44

SHA512
a7b95fd1fac94a3aac59542afbec28c6264855551c00d708dc57a994bb097806c8293ca9ecf1a226e1fba90efe8b0c3b1fbf88fa679446a349d730f7354d8f29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17ec84e48f46cdeb29a5e5e4c9474678

SHA1
df6a392b5bfec97f419d7775739c872486bf63b1

SHA256
3cc9d121250adcd6d1c9d7ed9cbdb52bc5cef55ef4894251d30181ac9d4eb30c

SHA512
03a71bd6393f9c0fe645a6720c80fc51d238e2ab1d6ea2ebaa54030695b861253f86e30fdc56f5f847d2e691a4716fbf38771c435e2e88118f3e30c859ba5afd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
456ee278e6e9e45227f70d8d144a5281

SHA1
208840a6858e0907904059d5e836ba8e7a17b547

SHA256
0b91f62ac7496db4318bb4a1af44070e7a7f2a5947943f971b82842a2bb3ac32

SHA512
d8150f7a126951f80c83bf83dfb3634297d23013cd2f13fb11d72dea633e265c1e56128ccfc8616f94fd56e65729edf0dcded602e8b6636b2f77faed8caea364

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6954b9445d806cdd3cf35aa8c2f195dc

SHA1
78074ec30abaf2f4acba73d1de5563ab525d957b

SHA256
266b0136938b5a924826259a747509428044a05781866bde2f0f36ec40327fd5

SHA512
8ef3f9edad673672f4dc5d168db646f5b44bd744d9583049f354c0f02f48b62e7a60e08114e7d96425ac23a4f70c089e5429e9270ad81096c710e7f0d4acfeca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1ae1a7e04c20a70e963686d913fb7db

SHA1
b2a5c0c1d6b490ac853cb2c3446caec6b678a8df

SHA256
f743e55693a2d45f6e340718d9580d6d4265e18d346300d492775a33cac5a8ab

SHA512
10f041da1d7ed15836cd5f8a2d896f3aa144cf6cf9ebcd61089033779abe9d94d27bebbfe753fd1e6644d92a59fbf77e173af5e9d5626d0e24588fc8a55f399f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfa6ba0685ed1f2e122b1a2df274036b

SHA1
8af65db8269768c7de1619e3ce2b0f2c5b4dddc0

SHA256
b8d34fe9504ff8a6bfb46f3c6a54f0b8c82bfa4d08cdbbf69942a05b4d0557a1

SHA512
1917ce064ed11ab89e4350efecfafc5871e402a35ed3330054c0038e3be811af8a1cae186a2477e862d46be782be97cf35eecd2a9cba3873387384778245ea99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47b646e9351ca3f16cbd0c4e6b3decb4

SHA1
8c4b32bd914787d749bf71038771a8ea7d9d8dd4

SHA256
42183c4fd4d020c2c730d2eedc75a0563ef20431fe37efef538af909a4513e30

SHA512
8544157fb0682bf69d5a9aab3256c84e0c7934fa906bea8edbceeadf2533807b86a73e1332cde6d0481b2e93ddf2710419d18897bceb10d76cdb0444bba22b00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30e23ae5dda33b0a343d5b53cbca350a

SHA1
863f6125c40bd46eef14f38eb80c04a37f0654d6

SHA256
92754173f36733996c26920faf251c0ff1b0f622e7af30362a71e414ba552277

SHA512
976d59fbcbc8e5b4e7b9d755491756015ab32c0a36488d239dd3bad85e74660f2eb3e2096989576e1bb9362bb87bbf062731b94caafce87a20297e2fb620a6be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc4c1c02b8fc97f56763d535a6691a4c

SHA1
7729e3e0263a20bd8bb092a1306707bb0d61ca7e

SHA256
99a7657f636e4e0eea29ff790db2ab4b5afaf2858427896b8da444d4b14740f2

SHA512
64cd13a1fb5ba04abeb84ca8e4a79f66ad782b3a859798553b8ac8187b8836366345efbe0a2f847cbd154e30a69ccb99931122eae575fb43fc3625eee24614a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab84A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar966.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Sierra\mdsn.exe

Filesize
43KB

MD5
171eb5b65ee10d6bcf8ae444662ce3dd

SHA1
3b6bfa088c6b6a32c80155edb9daa436878f4f46

SHA256
63073a8e18be5c5d7efe0c433a08567967ec913c628260fd79733f0de8471456

SHA512
86aaf99a337347864e8ae35e7a12306fd02bb8314b771a9af7c828a11ab6d2b5307b93b5eecc0b52c94c6ba3a59fd6ffe7349a381b22e85cf57c3d5caccc070b

Download Submit
memory/2644-50-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2644-16-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/2644-17-0x0000000000480000-0x00000000004BC000-memory.dmp

Filesize
240KB

Download
memory/2644-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2700-6-0x0000000011000000-0x0000000011043000-memory.dmp

Filesize
268KB

Download
memory/2700-7-0x0000000011001000-0x0000000011036000-memory.dmp

Filesize
212KB

Download
memory/2820-26-0x0000000004C80000-0x0000000004FC7000-memory.dmp

Filesize
3.3MB

Download
memory/2820-27-0x0000000004FD0000-0x0000000005105000-memory.dmp

Filesize
1.2MB

Download
memory/2820-19-0x0000000000400000-0x000000000043BDDD-memory.dmp

Filesize
239KB

Download
memory/2820-18-0x0000000000400000-0x000000000043BDDD-memory.dmp

Filesize
239KB

Download
memory/2820-1375-0x0000000000400000-0x000000000043BDDD-memory.dmp

Filesize
239KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads