6c1b60655c1025dc0098cc979fe73a2e9db9af1906090643de5a985bf2a23861

Analysis

max time kernel
149s
max time network
131s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 18:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

06fc36f1267f604b356f2f25f80d3f70_JaffaCakes118.dll
Size

152KB
MD5

06fc36f1267f604b356f2f25f80d3f70
SHA1

7764cb9fc3f65cac90e07b65ed8acd75402d1042
SHA256

6c1b60655c1025dc0098cc979fe73a2e9db9af1906090643de5a985bf2a23861
SHA512

1d363aaab8bcdbb757fc3926b161905829404656e89167e74a7fd7c102c638c11c81d82724b93cd1dc709544ab1647d66ed023c611a3cd92d2f602477e69c618
SSDEEP

1536:xszmzUP7+QouBhaBRkWmZUyJdfF3Whbp7OBymRaF/i4sKse61+wo2Hy60ngkg8q4:xszmgP7+Qv0BQfFGphGk/iLJo2SWRP

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2200	rundll32.exe
2900	rundll32.exe
2176	rundll32.exe
596	rundll32.exe
1208	rundll32.exe
2736	rundll32.exe

Loads dropped DLL 13 IoCs

pid	Process
1896	rundll32.exe
1896	rundll32.exe
2200	rundll32.exe
2200	rundll32.exe
2200	rundll32.exe
2200	rundll32.exe
2200	rundll32.exe
2200	rundll32.exe
2900	rundll32.exe
2176	rundll32.exe
596	rundll32.exe
1208	rundll32.exe
2736	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\PROGRA~3\\rundll32.exe C:\\PROGRA~3\\8wige.dat,FG00"	rundll32.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1896-1-0x000000007DD00000-0x000000007DD2B000-memory.dmp	upx
behavioral1/memory/1896-6-0x000000007DD00000-0x000000007DD3F000-memory.dmp	upx
behavioral1/memory/2200-16-0x000000007DD00000-0x000000007DD3F000-memory.dmp	upx
behavioral1/memory/2200-17-0x000000007DD00000-0x000000007DD3F000-memory.dmp	upx
behavioral1/memory/1896-41-0x000000007DD00000-0x000000007DD2B000-memory.dmp	upx
behavioral1/memory/1896-43-0x0000000000180000-0x00000000001BF000-memory.dmp	upx
behavioral1/memory/2200-44-0x000000007DD00000-0x000000007DD3F000-memory.dmp	upx
behavioral1/memory/1208-46-0x000000007DD00000-0x000000007DD3F000-memory.dmp	upx
behavioral1/memory/2736-47-0x000000007DD00000-0x000000007DD3F000-memory.dmp	upx
behavioral1/memory/1208-491-0x000000007DD00000-0x000000007DD3F000-memory.dmp	upx
behavioral1/memory/2736-502-0x000000007DD00000-0x000000007DD3F000-memory.dmp	upx
behavioral1/memory/2736-944-0x000000007DD00000-0x000000007DD3F000-memory.dmp	upx
behavioral1/memory/2736-954-0x000000007DD00000-0x000000007DD3F000-memory.dmp	upx
behavioral1/memory/2736-964-0x000000007DD00000-0x000000007DD3F000-memory.dmp	upx

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\PROGRA~3\egiw8.js	rundll32.exe
File created	C:\PROGRA~3\egiw8.bat	rundll32.exe
File opened for modification	C:\PROGRA~3\egiw8.pad	rundll32.exe
File created	C:\PROGRA~3\as98213.txt	rundll32.exe
File created	C:\PROGRA~3\egiw8.pad	rundll32.exe
File opened for modification	C:\PROGRA~3\egiw8.pad	rundll32.exe
File created	C:\PROGRA~3\egiw8.reg	rundll32.exe
File created	C:\PROGRA~3\rundll32.exe	rundll32.exe
File created	C:\PROGRA~3\8wige.dat	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	rundll32.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7C9A99D1-8026-11EF-8BEB-4E219E925542} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433970693"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2884	iexplore.exe
2884	iexplore.exe
2884	iexplore.exe
2884	iexplore.exe
2884	iexplore.exe
2884	iexplore.exe
2884	iexplore.exe
2884	iexplore.exe
2884	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2884	iexplore.exe
2884	iexplore.exe
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1896	2172	rundll32.exe	30
PID 2172 wrote to memory of 1896	2172	rundll32.exe	30
PID 2172 wrote to memory of 1896	2172	rundll32.exe	30
PID 2172 wrote to memory of 1896	2172	rundll32.exe	30
PID 2172 wrote to memory of 1896	2172	rundll32.exe	30
PID 2172 wrote to memory of 1896	2172	rundll32.exe	30
PID 2172 wrote to memory of 1896	2172	rundll32.exe	30
PID 1896 wrote to memory of 2200	1896	rundll32.exe	31
PID 1896 wrote to memory of 2200	1896	rundll32.exe	31
PID 1896 wrote to memory of 2200	1896	rundll32.exe	31
PID 1896 wrote to memory of 2200	1896	rundll32.exe	31
PID 1896 wrote to memory of 2200	1896	rundll32.exe	31
PID 1896 wrote to memory of 2200	1896	rundll32.exe	31
PID 1896 wrote to memory of 2200	1896	rundll32.exe	31
PID 2200 wrote to memory of 2176	2200	rundll32.exe	32
PID 2200 wrote to memory of 2176	2200	rundll32.exe	32
PID 2200 wrote to memory of 2176	2200	rundll32.exe	32
PID 2200 wrote to memory of 2176	2200	rundll32.exe	32
PID 2200 wrote to memory of 2176	2200	rundll32.exe	32
PID 2200 wrote to memory of 2176	2200	rundll32.exe	32
PID 2200 wrote to memory of 2176	2200	rundll32.exe	32
PID 2200 wrote to memory of 2900	2200	rundll32.exe	33
PID 2200 wrote to memory of 2900	2200	rundll32.exe	33
PID 2200 wrote to memory of 2900	2200	rundll32.exe	33
PID 2200 wrote to memory of 2900	2200	rundll32.exe	33
PID 2200 wrote to memory of 2900	2200	rundll32.exe	33
PID 2200 wrote to memory of 2900	2200	rundll32.exe	33
PID 2200 wrote to memory of 2900	2200	rundll32.exe	33
PID 2200 wrote to memory of 596	2200	rundll32.exe	34
PID 2200 wrote to memory of 596	2200	rundll32.exe	34
PID 2200 wrote to memory of 596	2200	rundll32.exe	34
PID 2200 wrote to memory of 596	2200	rundll32.exe	34
PID 2200 wrote to memory of 596	2200	rundll32.exe	34
PID 2200 wrote to memory of 596	2200	rundll32.exe	34
PID 2200 wrote to memory of 596	2200	rundll32.exe	34
PID 2200 wrote to memory of 1208	2200	rundll32.exe	35
PID 2200 wrote to memory of 1208	2200	rundll32.exe	35
PID 2200 wrote to memory of 1208	2200	rundll32.exe	35
PID 2200 wrote to memory of 1208	2200	rundll32.exe	35
PID 2200 wrote to memory of 1208	2200	rundll32.exe	35
PID 2200 wrote to memory of 1208	2200	rundll32.exe	35
PID 2200 wrote to memory of 1208	2200	rundll32.exe	35
PID 2200 wrote to memory of 2736	2200	rundll32.exe	36
PID 2200 wrote to memory of 2736	2200	rundll32.exe	36
PID 2200 wrote to memory of 2736	2200	rundll32.exe	36
PID 2200 wrote to memory of 2736	2200	rundll32.exe	36
PID 2200 wrote to memory of 2736	2200	rundll32.exe	36
PID 2200 wrote to memory of 2736	2200	rundll32.exe	36
PID 2200 wrote to memory of 2736	2200	rundll32.exe	36
PID 596 wrote to memory of 2884	596	rundll32.exe	37
PID 596 wrote to memory of 2884	596	rundll32.exe	37
PID 596 wrote to memory of 2884	596	rundll32.exe	37
PID 596 wrote to memory of 2884	596	rundll32.exe	37
PID 2884 wrote to memory of 2756	2884	iexplore.exe	38
PID 2884 wrote to memory of 2756	2884	iexplore.exe	38
PID 2884 wrote to memory of 2756	2884	iexplore.exe	38
PID 2884 wrote to memory of 2756	2884	iexplore.exe	38
PID 2884 wrote to memory of 2612	2884	iexplore.exe	39
PID 2884 wrote to memory of 2612	2884	iexplore.exe	39
PID 2884 wrote to memory of 2612	2884	iexplore.exe	39
PID 596 wrote to memory of 2884	596	rundll32.exe	37
PID 596 wrote to memory of 2884	596	rundll32.exe	37

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\06fc36f1267f604b356f2f25f80d3f70_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\06fc36f1267f604b356f2f25f80d3f70_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\PROGRA~3\rundll32.exe
    C:\PROGRA~3\rundll32.exe C:\PROGRA~3\8wige.dat,FG00
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\PROGRA~3\rundll32.exe
      C:\PROGRA~3\rundll32.exe C:\PROGRA~3\8wige.dat,FG01
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2176
  - - C:\PROGRA~3\rundll32.exe
      C:\PROGRA~3\rundll32.exe C:\PROGRA~3\8wige.dat,FG02
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2900
  - - C:\PROGRA~3\rundll32.exe
      C:\PROGRA~3\rundll32.exe C:\PROGRA~3\8wige.dat,FG03
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer Protected Mode
      Modifies Internet Explorer Protected Mode Banner
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:596
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2884 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2756
      - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        6⤵
        
        PID:2612
  - - C:\PROGRA~3\rundll32.exe
      C:\PROGRA~3\rundll32.exe C:\PROGRA~3\8wige.dat,FG04
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1208
  - - C:\PROGRA~3\rundll32.exe
      C:\PROGRA~3\rundll32.exe C:\PROGRA~3\8wige.dat,FG06
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8471c22498a65267090fc64366d6301c

SHA1
193cc42093b1cd80f16de657af64cb1444d501db

SHA256
0d3e955b0b6353c59eaaa1d0391e43e4a71b7e5e87253d1454783a54c8fedb4b

SHA512
086a0bab77fea5da201380e12113c187724f1e0c1713e391f9b8fa49c00e5220263ed003702ce6aa6f007594093dd95841db83640c8076b6e1de7288843196f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93aa4e65a95933024d74f249cc4b7a3a

SHA1
abbac9da75563410ff5b3a2c673ba343d4c37ef7

SHA256
3b73bf88875357ff7239b2f46cea706dde4ee7059aae7b801486eff7066059cf

SHA512
c1e5e7ce040a4b95e684dbae6bf751a246d3b1344b6bf583d9bc21f48b559bff4f77f96f7d0ab3ebd5605649269cbb8ce21d646b4c42aa10b83f9fd420f78f13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
faa7d72e359aedc43071c7276d301599

SHA1
7e305d6958b9cbd38a697d3b7f3cbfda7b68af86

SHA256
0143a01ac6386d325837036dd8fcd6b2a19273badadcde9a5ee3e301b393998c

SHA512
e7ecdc850ffcde5f811bff8ee9f8b30ca4a2799d8aca71af97a1f418e6483881f895bbb6971ea4342da01f5246ca8668f62c253b836bcf8e79bac344d2ae69d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42159a3860d5b567b5365492cb00c286

SHA1
348fc342a9018dbdd4308ce6bc54842afed0c81b

SHA256
99e9037919dffa8785435f90605bdb7ffab49d51ffcb3e0983a8d7b2abbb2a78

SHA512
a067cd8c52184fb93b151e686173e1ba1e148eeac1102f4b25e2449420976552377a0ddc9c922d18a158522b3d9d6cc370221674d658af9da0e1b16e9d0bfba1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04a217dd4b96e782a3fc5842494c0dd5

SHA1
208cd19099a56ba777bd99695116165e61330422

SHA256
73b7da7c86ce8bf42c8419f4b629dbe210ace6c7c927cdea21eee8c8397b8fc4

SHA512
77e2cae3d44bc9a381acdbe8c8f6ae49e7737e43f4910fb8c502eb8551ad2dabf7e648a3595c625011703616aa398f693f024e95afb1d568fb3deceb7404a69d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86eb53771893f822bab730c53941b6d3

SHA1
c97f0a7e510a3ba08f8b467a8baea875e4fa72d7

SHA256
6a03790aff0235d1d6152458b6e617c51f3b1ff0b9e225f4aa6d7fb44ec0ec46

SHA512
22ed1df53991c06505bba814c64461d48109dcc21d3b2e344d5840c95fb5f9efa79a59d1095f8a1307bfa6835d292d657e72e8ae61ff2de1a5ae2d0bcf9d32c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6ba85e412901509fa717fe2036113f5

SHA1
5f55041126f9c4048f8eab9f01bb1997f97eeddb

SHA256
0e2cb13c2f7b15c3f44d4b930cce1cdf5bd73ef4a84d972b564a727954b75889

SHA512
0cd52ac04b4b04883cf091cfe500c84dd604bbc8bdc37a2db1b9ef3ea22ef2ee2bc818b79059b7ff57bd01a8d34f73ed7aa69ca7718f3f3fe020435225c8cac8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
113b6273b5556740d5f08d6f7090c563

SHA1
73ea3a75f9ba91bffbbf77eda9db9ad2c532a3dc

SHA256
5d0e069785f5870e88d41c2e78a01b053bded819b957ed1883032736f309360d

SHA512
eef16619de838ed19534d053d763477422ab4c4c17f15526f704b822aeea32b02427709b036a8efad5c409df43208f167aa60e3b59090c0aca26a5e36cb8bd0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a182e12a7f87e86407d04050d109a2a2

SHA1
85a614465f0089f62e21dd795af2e4aea42f7177

SHA256
754f273113781679002477f1dea6ea899d4c2c73586cb4c645b30a5cd0a5ce6a

SHA512
dc62c9c7b4290eb5719196edac75ee8f08557b6d7db25815bd62736dcc7e3210bb3afd133beb87e93e480074769006a2d872e2f105542f0273626f1e7fb193cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
782745c4e24833d2fdca89eddd6c9f28

SHA1
98e22cb841fe4fbd7b4445ec2b29af3d6212d0cd

SHA256
42f251add4ccd8d5f935eb299780816498d99143d2c8c7bed07f6b3895d4dee9

SHA512
ec6f68b6b685775069cd8ebeae967f6a1f178c31c31bd499eb94cffea3dae0acefc779a1c12471f323df45ea2d04fd431b92dc157167f5457c427e2895e28f0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b45579dcbfa85a11b8b51885d4d49ffd

SHA1
5213dff1d9edbb7bf52ad281ece4bbcbc3ac025f

SHA256
ca442842eb0b4bac8704bb8c200577318bf9d65d5cb549287428a321f7be1886

SHA512
dd4c3295b05743b9e114bb33ab8ae1de7228340943f3ac42ae9d2eec31c84079fddb10f48fdb1d0aec73d26bd4ca01b6846c4cefad2510c4ccc250b301a2b7bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
922d0e964a5395fa0c5e4dc0361d99a4

SHA1
7714b88b6ac6bdb14bce1871b7e1f3f6814d027c

SHA256
4aa147928c1e94ca5c61b50c6f492145d76667b1b4cdf537d818070f42fc5105

SHA512
40083b798ee6bc865bc41323ff635998af2c9204d51971f70b05273a4b9284273a01ad6b9578d6fa319c549eeccfbcf29421a4511f2ff9707369cd4f1e4080be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a33548fc35f4b67c785a95bc4c7493b3

SHA1
1435cb678fb927c61f9576e983a678789bfba724

SHA256
3e81890ba293b6b6123cc6f966d14e77935d04f9789080ff7ef1c047532bcec5

SHA512
c6e2057231fd1b36fb17b32736ee5486a5550c519ab72369f65c4e6e90752dfc9a709f19ed2f0fb14918ad849167e109f0ee82cbbc98128b25da1d2a996c3bca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
728985a67a923803a220939e9849034d

SHA1
f87c579956c6099722af7f1164f5951b0c345a93

SHA256
6fd1fca1dcb281c7b10983e18717ded0000c02705a6a31c1003ce9fc9f5abb08

SHA512
7ca572cc38582bd3d131ac15d62210fcd15df780dc983595722e20e86389153ef8ce27bf66af68893a3fe4e183e1d21f172a82a22c120150e4d3f50fa0e239fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a08c4ec867685b8ab8b8b5fce2d3742

SHA1
47e21647eedc4ea627ec360a5cc8d3a233c2d060

SHA256
a5f643c273be7ef1afbea4e5b272b57da51b71aded9e7c50798744acaf6f704c

SHA512
23a766ce470640fff5d3b98aa3ec9fae53b05a34640cd7e1ab1fd62f3fdef82ff35a3fd2044d1ebc93f988cc513c63298e8d3b67745ec3a5aa472ddde612d88c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23617c2faa529bd64f7983f486828783

SHA1
025ec6a2b2e61f25c0e6751493f7947bbff29da9

SHA256
660947e859cd08dbcf840d661f35dc2b9d7360db66f750be311dc5054ff62f8a

SHA512
d38a5866b4a884aacd2c06b9f60d8daab7a2e9dbff7cd8492e8492e0a961a83167730cc6f99eca1f3845bbf1b1b0455c36b4f23856c8799c5514f08bc956f9ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8882414bffb1995419c2136eab70aab7

SHA1
dc404bbd0d2d9d49f9cbc3e2bd1225dc551bce93

SHA256
fcd87729b7e1b1a5a9c2b7e9d6ff52c518dc465186b4ddc064359c5c92cbf61e

SHA512
be9a516cdb57a8547084490e3ff5286c25455b7b071042ba7b0ce3cd6173d374bb7384adab7cea1b0ddfa961b0175ecdec616a57e255325558f04b0365bbda85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f161d75569875ccb865ad0ffcd66a4d1

SHA1
4b6a7e7aeef8fcc12184b1b83cbc75564e1ab074

SHA256
c2f01aa6e354bcb77a06c1ed1e745e2ece066b9f73a325fbd45e7fc55fe6def7

SHA512
d58be00892cdc632a467574cc19ba7a2280563280550df51c56dcac0391d157fa9336ab4341546b767c61cc9aa9f66226d86c86427b273c74df10c4648c6b4e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf93ef11710624f8e2b41c1c9f0076fd

SHA1
1a9be68b3c1bb64369049623674d84615ff421c1

SHA256
b261cfb362261b0254e3ca99197a2d2990f2ac68bdf5878ece13324c22be8989

SHA512
ed1daaec84848fa1a72fcc3d78bb3d89a6b7fa23ef54a1a4a88ece1e631e1c95ae5233957ed37955f19ca4b545925543a90a9698cf8a67b0c1dadd2d008a23c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab173B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar175E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\PROGRA~3\8wige.dat

Filesize
152KB

MD5
06fc36f1267f604b356f2f25f80d3f70

SHA1
7764cb9fc3f65cac90e07b65ed8acd75402d1042

SHA256
6c1b60655c1025dc0098cc979fe73a2e9db9af1906090643de5a985bf2a23861

SHA512
1d363aaab8bcdbb757fc3926b161905829404656e89167e74a7fd7c102c638c11c81d82724b93cd1dc709544ab1647d66ed023c611a3cd92d2f602477e69c618

Download Submit
\PROGRA~3\rundll32.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/1208-46-0x000000007DD00000-0x000000007DD3F000-memory.dmp

Filesize
252KB

Download
memory/1208-491-0x000000007DD00000-0x000000007DD3F000-memory.dmp

Filesize
252KB

Download
memory/1896-43-0x0000000000180000-0x00000000001BF000-memory.dmp

Filesize
252KB

Download
memory/1896-6-0x000000007DD00000-0x000000007DD3F000-memory.dmp

Filesize
252KB

Download
memory/1896-0-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1896-40-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1896-41-0x000000007DD00000-0x000000007DD2B000-memory.dmp

Filesize
172KB

Download
memory/1896-1-0x000000007DD00000-0x000000007DD2B000-memory.dmp

Filesize
172KB

Download
memory/2200-16-0x000000007DD00000-0x000000007DD3F000-memory.dmp

Filesize
252KB

Download
memory/2200-17-0x000000007DD00000-0x000000007DD3F000-memory.dmp

Filesize
252KB

Download
memory/2200-44-0x000000007DD00000-0x000000007DD3F000-memory.dmp

Filesize
252KB

Download
memory/2736-502-0x000000007DD00000-0x000000007DD3F000-memory.dmp

Filesize
252KB

Download
memory/2736-47-0x000000007DD00000-0x000000007DD3F000-memory.dmp

Filesize
252KB

Download
memory/2736-944-0x000000007DD00000-0x000000007DD3F000-memory.dmp

Filesize
252KB

Download
memory/2736-954-0x000000007DD00000-0x000000007DD3F000-memory.dmp

Filesize
252KB

Download
memory/2736-964-0x000000007DD00000-0x000000007DD3F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads