dc527cfb204a2aab3e1890ff4fb500abee4aaeac7c2523cdfa7a6f87d89e1f18

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 07:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

16c5692a3c8544ce5c053d412cdbc52b_JaffaCakes118.exe
Size

347KB
MD5

16c5692a3c8544ce5c053d412cdbc52b
SHA1

8bcab9ed90d9e0834bdf54d7a5add7714e055407
SHA256

dc527cfb204a2aab3e1890ff4fb500abee4aaeac7c2523cdfa7a6f87d89e1f18
SHA512

322619f28e7c657738184e57c4f25ae20c1899722ab5390e33dba2911d32f6d3329f5819c2dbaba7b69ae8b5b40af9e346d28ef792537f12479e585455add9ca
SSDEEP

6144:/nym5fUcYhP2Mq7CTNhJEfI3IyveXWG50WybIOi5po+tHj/FcX39nLBh:/ym9Y9fq2pLIyveX4W2i8+5j/2pLBh

Score

8^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
2060	Xj9UkYYXFVU2rlt.exe
2524	CTS.exe
2472	setup-stub.exe
2860	pStucUEbocczZLo.exe
2880	CTS.exe
2200	download.exe
592	setup.exe

Loads dropped DLL 22 IoCs

pid	Process
2396	16c5692a3c8544ce5c053d412cdbc52b_JaffaCakes118.exe
2060	Xj9UkYYXFVU2rlt.exe
2472	setup-stub.exe
2472	setup-stub.exe
2472	setup-stub.exe
2472	setup-stub.exe
2860	pStucUEbocczZLo.exe
2860	pStucUEbocczZLo.exe
2860	pStucUEbocczZLo.exe
2860	pStucUEbocczZLo.exe
2860	pStucUEbocczZLo.exe
2860	pStucUEbocczZLo.exe
2860	pStucUEbocczZLo.exe
2860	pStucUEbocczZLo.exe
2860	pStucUEbocczZLo.exe
2860	pStucUEbocczZLo.exe
2860	pStucUEbocczZLo.exe
2200	download.exe
2200	download.exe
2200	download.exe
592	setup.exe
592	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	16c5692a3c8544ce5c053d412cdbc52b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	setup-stub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2396-1-0x0000000000DE0000-0x0000000000DF7000-memory.dmp	upx
behavioral1/files/0x00090000000162e4-16.dat	upx
behavioral1/files/0x000c000000012280-15.dat	upx
behavioral1/memory/2060-18-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2524-17-0x0000000000C50000-0x0000000000C67000-memory.dmp	upx
behavioral1/memory/2396-13-0x0000000000DE0000-0x0000000000DF7000-memory.dmp	upx
behavioral1/files/0x00070000000164de-22.dat	upx
behavioral1/memory/2060-27-0x0000000000330000-0x0000000000347000-memory.dmp	upx
behavioral1/memory/2472-29-0x0000000001110000-0x0000000001127000-memory.dmp	upx
behavioral1/memory/2880-50-0x0000000000C50000-0x0000000000C67000-memory.dmp	upx
behavioral1/memory/2060-49-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2472-43-0x0000000001110000-0x0000000001127000-memory.dmp	upx
behavioral1/memory/2880-52-0x0000000000C50000-0x0000000000C67000-memory.dmp	upx
behavioral1/memory/2860-155-0x0000000002A80000-0x0000000002AC6000-memory.dmp	upx
behavioral1/memory/2200-362-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\nsyEBB2.tmp	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozglue.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\removed-files	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaultagent.ini	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\IA2Marshal.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\libEGL.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaultagent_localized.ini	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\ucrtbase.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\vcruntime140.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\qipcap64.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsoB3AB.tmp	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\omni.ja	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nssckbi.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\xul.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\osclientcerts.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe.sig	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozavcodec.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleHandler.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\ipcclientcerts.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.ini	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsoB3AA.tmp	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\notificationserver.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\msvcp140.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\freebl3.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe.sig	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozwer.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\libGLESv2.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	pStucUEbocczZLo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	pStucUEbocczZLo.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	CTS.exe
File created	C:\Windows\CTS.exe	setup-stub.exe
File created	C:\Windows\CTS.exe	CTS.exe
File created	C:\Windows\CTS.exe	16c5692a3c8544ce5c053d412cdbc52b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16c5692a3c8544ce5c053d412cdbc52b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xj9UkYYXFVU2rlt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup-stub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pStucUEbocczZLo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	download.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000bc751f37171cb2ac49216b65ec689a3974ba85c8e2dbb57c7432891b7e3f5f0e000000000e8000000002000020000000136e1c4daa43ff6f958932ed334a9ed453fe1d84091e32eec9be74fea4bf45ae90000000d16aa365b131c0724df76b7a7303933ac920d569071e032ce58c40125cfc191bb8814d7fbc6f80fcc4f01bad8ef7e65a2f1b14b00987353eecc95b630bd47e6b468dcbf7ad0ed3a83233b7150130dd168cf9faf1e6f20e963edb2c7cf8fc4a7fad0abb6d8ca470b06d3644b53e4c63083be153fa710006690e6cae2a19fbebf334fff144503e693b87680854c79c65d040000000c67edc360cfed1ec73c88228bb7e010e413d9ae8a73d4ff1de89522c8843c54683c95867ff5fe5c9fe70731911796479285f596adef83a1ed128edcea7319963	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{11D21781-82ED-11EF-8C85-523A95B0E536} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf60000000002000000000010660000000100002000000020b1c052da700703ede8a6bf33b3b519cab5c669ba9987c7cf4cc7d91d988c46000000000e8000000002000020000000a15eabf1814211ca4b7c8d20d5df955bb157dbe5dc149716255c8b83a3a5ab6f20000000bc5c7d65f482c82cd2ea26bfbac534a3b3f302d74176ed59998c6fc5eb884f7d400000007b415de09ab7e551dc493bd220df7009f959fa3a11158637ce6b234a71ace0f49c02444ef26e15363ed98781b488cb9152c0c50d306ca90cd806ede00a49f847	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 806829e7f916db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434275886"	iexplore.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	pStucUEbocczZLo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	pStucUEbocczZLo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	pStucUEbocczZLo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	pStucUEbocczZLo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	pStucUEbocczZLo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	pStucUEbocczZLo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	pStucUEbocczZLo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	pStucUEbocczZLo.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	16c5692a3c8544ce5c053d412cdbc52b_JaffaCakes118.exe
Token: SeDebugPrivilege	2524	CTS.exe
Token: SeDebugPrivilege	2472	setup-stub.exe
Token: SeDebugPrivilege	2880	CTS.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2860	pStucUEbocczZLo.exe
1068	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1068	iexplore.exe
1068	iexplore.exe
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2060	2396	16c5692a3c8544ce5c053d412cdbc52b_JaffaCakes118.exe	30
PID 2396 wrote to memory of 2060	2396	16c5692a3c8544ce5c053d412cdbc52b_JaffaCakes118.exe	30
PID 2396 wrote to memory of 2060	2396	16c5692a3c8544ce5c053d412cdbc52b_JaffaCakes118.exe	30
PID 2396 wrote to memory of 2060	2396	16c5692a3c8544ce5c053d412cdbc52b_JaffaCakes118.exe	30
PID 2396 wrote to memory of 2524	2396	16c5692a3c8544ce5c053d412cdbc52b_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2524	2396	16c5692a3c8544ce5c053d412cdbc52b_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2524	2396	16c5692a3c8544ce5c053d412cdbc52b_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2524	2396	16c5692a3c8544ce5c053d412cdbc52b_JaffaCakes118.exe	31
PID 2060 wrote to memory of 2472	2060	Xj9UkYYXFVU2rlt.exe	32
PID 2060 wrote to memory of 2472	2060	Xj9UkYYXFVU2rlt.exe	32
PID 2060 wrote to memory of 2472	2060	Xj9UkYYXFVU2rlt.exe	32
PID 2060 wrote to memory of 2472	2060	Xj9UkYYXFVU2rlt.exe	32
PID 2060 wrote to memory of 2472	2060	Xj9UkYYXFVU2rlt.exe	32
PID 2060 wrote to memory of 2472	2060	Xj9UkYYXFVU2rlt.exe	32
PID 2060 wrote to memory of 2472	2060	Xj9UkYYXFVU2rlt.exe	32
PID 2472 wrote to memory of 2860	2472	setup-stub.exe	33
PID 2472 wrote to memory of 2860	2472	setup-stub.exe	33
PID 2472 wrote to memory of 2860	2472	setup-stub.exe	33
PID 2472 wrote to memory of 2860	2472	setup-stub.exe	33
PID 2472 wrote to memory of 2860	2472	setup-stub.exe	33
PID 2472 wrote to memory of 2860	2472	setup-stub.exe	33
PID 2472 wrote to memory of 2860	2472	setup-stub.exe	33
PID 2472 wrote to memory of 2880	2472	setup-stub.exe	34
PID 2472 wrote to memory of 2880	2472	setup-stub.exe	34
PID 2472 wrote to memory of 2880	2472	setup-stub.exe	34
PID 2472 wrote to memory of 2880	2472	setup-stub.exe	34
PID 2472 wrote to memory of 2880	2472	setup-stub.exe	34
PID 2472 wrote to memory of 2880	2472	setup-stub.exe	34
PID 2472 wrote to memory of 2880	2472	setup-stub.exe	34
PID 2860 wrote to memory of 2200	2860	pStucUEbocczZLo.exe	37
PID 2860 wrote to memory of 2200	2860	pStucUEbocczZLo.exe	37
PID 2860 wrote to memory of 2200	2860	pStucUEbocczZLo.exe	37
PID 2860 wrote to memory of 2200	2860	pStucUEbocczZLo.exe	37
PID 2860 wrote to memory of 2200	2860	pStucUEbocczZLo.exe	37
PID 2860 wrote to memory of 2200	2860	pStucUEbocczZLo.exe	37
PID 2860 wrote to memory of 2200	2860	pStucUEbocczZLo.exe	37
PID 2200 wrote to memory of 592	2200	download.exe	38
PID 2200 wrote to memory of 592	2200	download.exe	38
PID 2200 wrote to memory of 592	2200	download.exe	38
PID 2200 wrote to memory of 592	2200	download.exe	38
PID 2200 wrote to memory of 592	2200	download.exe	38
PID 2200 wrote to memory of 592	2200	download.exe	38
PID 2200 wrote to memory of 592	2200	download.exe	38
PID 592 wrote to memory of 1068	592	setup.exe	39
PID 592 wrote to memory of 1068	592	setup.exe	39
PID 592 wrote to memory of 1068	592	setup.exe	39
PID 592 wrote to memory of 1068	592	setup.exe	39
PID 1068 wrote to memory of 1948	1068	iexplore.exe	40
PID 1068 wrote to memory of 1948	1068	iexplore.exe	40
PID 1068 wrote to memory of 1948	1068	iexplore.exe	40
PID 1068 wrote to memory of 1948	1068	iexplore.exe	40
PID 1068 wrote to memory of 1948	1068	iexplore.exe	40
PID 1068 wrote to memory of 1948	1068	iexplore.exe	40
PID 1068 wrote to memory of 1948	1068	iexplore.exe	40

C:\Users\Admin\AppData\Local\Temp\16c5692a3c8544ce5c053d412cdbc52b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\16c5692a3c8544ce5c053d412cdbc52b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\Xj9UkYYXFVU2rlt.exe
  C:\Users\Admin\AppData\Local\Temp\Xj9UkYYXFVU2rlt.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Local\Temp\7zSC0831EA6\setup-stub.exe
    .\setup-stub.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\pStucUEbocczZLo.exe
      C:\Users\Admin\AppData\Local\Temp\pStucUEbocczZLo.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Users\Admin\AppData\Local\Temp\nsjB388.tmp\download.exe
        
        "C:\Users\Admin\AppData\Local\Temp\nsjB388.tmp\download.exe" /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nsjB388.tmp\config.ini
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Users\Admin\AppData\Local\Temp\7zS89818EC6\setup.exe
        
        .\setup.exe /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nsjB388.tmp\config.ini
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.mozilla.org/firefox/system-requirements/
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1068 CREDAT:275457 /prefetch:2
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1948
  - - C:\Windows\CTS.exe
      "C:\Windows\CTS.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      PID:2880
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
738ff765b1c73ed17af893de6e7a6088

SHA1
33dfd8bea44c2aec874e0e89999d23a2da6546ef

SHA256
fb05a691e815dced3100d8cb80476f0bdbb9941ec9f3baa0fe98310df42f884e

SHA512
78448a34c19f7906dee712572d83dd60a1d2d246d0e8efd81de181a8ba994a2a32ade8eac41e7fa73c06b5d1bfab6e02dc023f1a1d0a52318231d09cd5b40bb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad052c47fc047593ff89d8c153bae9cc

SHA1
fc1e1472f03feb7f7e29e678d2c9c9510d2e4069

SHA256
5c0a5d8f32bf6ba2aa31d50598ceb150f33c2758b56b1432529d8bbe694fe10f

SHA512
c0e17a03e3181fc5226042b78b02274db2bc00b1d7aae44c19b502e14fb88a05799aea48a5dd55660b40082a8f0a457b8759c35fe4f6ac3e7fffc792865fdda3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48aed32cbf6c4d3bdda3d5be27c4d90b

SHA1
bd440d86148593e04d5288f210a70d106a949d35

SHA256
6130a4851f840b65717fb29e942a935290b8fe8aba080270f1ec650b78abf93f

SHA512
8a0c4307017f6b6dfaa5e78ad99e2a5a845f9ea5d37bed4e813968dafd06f983dc3fc6128df0e44e8cfaee35dfe3d156985e59eba91d7a41be5632c4c3badffa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3c3e4f97fca50f94050949dbf3c971c

SHA1
df63b162aea25cb0ad6ff132a20bf32234de4f40

SHA256
dc1542dadc52f7bb7510c67f8fa320c83b3a858cd5901864e570814ce3f7f9cc

SHA512
62005a2dbdddea88fbc17a6cdb593e1f2448728eb746045e496ffc154a0cb8d49d2d1b79a180947ea35e75e4b76001ff11dc61192af4c6d922502347a06856b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9da4383bb6700cf4d074bb3defc4545e

SHA1
dbea0e153163f2d71092ed09df1e5fbbbb8b1e5e

SHA256
17e0d4f468da20c1d7d66da63093a952519acd3c7529d820815bfa14cff59442

SHA512
b1d3c2c39a69f8ebd106339ddaaad7f4ed6132938efb2ad191f7e06cc7731eb11b9edcbc97241b6d7ee298b04df5db8b417ada988d1fbd3c6bbc1de5751927da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2cb8a4adf9bb4984fb57b771439eeea

SHA1
4109918c14a8b508291b635d4560c381941d0626

SHA256
5ea9ebc664eb2f456c248cbc662c55badefde4cacf0dfd25f29d2a676eaade1b

SHA512
457650816740efc77c106e3bc207262ca5409debc61c65826d1a8056813702507a01e0e0d14a606707ad9697f4b95f35c99488011de7e41392694aa6488449b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfa7b1543239baab0f6b223af5d873e5

SHA1
11fc43ffe94cdde041fb0ef082d2ac1af0460323

SHA256
4d7d9d90050a4c1a85db31cadc3830420c1a85ea71412bcbcbcb801c92b1b71a

SHA512
25a6390b84cc0a244ef911cd500c7e936980643a3dc39f8f6b9523166da141abc2ae9ffe554dc329f55364b8165cc137ecf0ef3c3e116cb363f14d3a79be1c34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8387334fa6be41f7f4c91fe8ea29bfaa

SHA1
35a641d35ca754627364e56813f08bff0e834231

SHA256
8c3fcee480d3c52e62426716d594393cfa22006f7a4c4c8583e0144971e388ad

SHA512
e25e99846b3863329bb1a11d04050908af0e587830c7fcf7ad04d2a7de7ccd9a533366a1b79ce90d23441a06681c17185ae9a40aa5e333ff2c18c8c2df8562bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f941db4eb0704c762e9e3024af131e6

SHA1
7cdf819bd97f11e879ef1a6b9b822408c1e642bc

SHA256
963f88732a5ce3c00c78acc3295ea02f502d02e2914c01a38f14cadea6be7108

SHA512
69ee9a0a72097faf9f033a33f7992ba3481a5471640f16a204d7e4bcbab0c646f836c0e2cfbb7ade5798f9d10c98a114af70471c31cf0b889bfb972e2b5a329c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51aee77eed6e17233c38df7c3dbb964e

SHA1
f573a5a9404c4abca1c8e5e964757c0b4d44f568

SHA256
6f0c4c7ad4e06abacc65c426be21ed72c7f5558463429fc411acfa47ee686433

SHA512
15d9a3304e40f04a4fe3b55c905ad53e3b1674e07dbcc18fb82f1a66d11414655d7ecf0d74bb4f541de24514394d6dad652fe8c10ee57d17b9e42340ea651b47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9089ce95718981700af931102788bc53

SHA1
afa77c5cdb04a622c64d39dd4398a7612f29fabe

SHA256
d6a946836d2179bc0c696782bbe10695ea849dd95671726b0079face6ed793a9

SHA512
fc2fc5c771876c2c9e9561bd536e3f691e6ba17787e90b30de58634102d40a7d0dff90f507b19d7a2aa89a82c213ae5a2bee898ae867676e08958a89138b7eb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
772b462e201aef5003cb241f066e0b59

SHA1
f56964367b25f37e78591d2ffa481f8f2a16c5d4

SHA256
05e87991c71bf9de28838b4e04c4c625e017e8d70c2707a0e7b0a42c897f9823

SHA512
8dc9fe528cfe1b9f39e2683a566bc3e1fa664669181637c26947d8a6f116ea98a0b29400dcf4cf6a77150bb8ec7a23eedae2e8252b986ea1d41db476761fa5f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
042f7582e1f648cebb3ac919ea1d7f3f

SHA1
d1d664b49056aa6a26c72b2125d9428e0107034f

SHA256
242361c92a3d0eb36affb5caef2cda062c24f1f0c88b36cdc20102181dcd5ab0

SHA512
821c6f1736e124c8fbe56edbbd16e13cb412288a7c6b75cc3e91a357300eb0055d742397c3f6334c6a411c0565ac0822640e11b3177214f25cad97ba890d3687

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4865a6169603ae3cb4dc38aa8b144e9e

SHA1
2de709e5f1160cfa066d774c4c17f6e74d4fdb61

SHA256
75205f0e68a5e025807ca796f26ea67f541ded0c1144a017a1b878218515c821

SHA512
6ce2fd6950f55b38ad7ae66f2e90713af9568cb72f8fa27c2c1faf19ceff97001328986fc731c7e99ef74b954ff10f19c8df34f103704ce50408cace3797660a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb2b15433b04e9c7f16bfeca7a3609c4

SHA1
8c5a9c2289f64b9738471bfd2d2e963adeb3c1e3

SHA256
4960689cb8a9a3eff16f890c7e985770fa707aa30636b80eb2c780601ec7cf59

SHA512
1ba532e1112c91b090d3945ac3a43d56ef30d1d4af8a19d165d334062985a35cb166abf40899b75bf0e13a3b04ae17604013b4002c2e5b656b9d7f8c09de3788

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
355ba941bd0ed5f4682169ade7e97b20

SHA1
d66af1f8964c56e4454d5acc1044b2b26039f617

SHA256
14930932782bf5f62efd9c0f4e21a7c658de9d256ab06a4a1094250b3e530325

SHA512
5bd1f599ab879041867d66d3bcca4bfdaa372482813bc176d203b217546977473bc6ca8ce92e8db730de99b7481e511ee478461c4e2ae48094aed182f011c695

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55468c5060bab354e270e5f943c690b2

SHA1
e0983762ac6cc82aba12c2c4a93b4107864d9fe0

SHA256
e5b41fd94a1e079033e4e431300e3218c258dfcfe00b345b3cac334aec47bc0d

SHA512
48988ab3dd302f19c8ad22aac359c222520ec4f8265eff797a8602dec368b252a3161b10cbb1be92f06fb905d7e31fcf4b70af0860f67dc6da4d4292209d7792

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04989ac96ccad6e68809fda6e0af3d93

SHA1
df396c4ec5b27183d1a51422311d6b5e26e7d631

SHA256
16da7c49c770cde4c4f17f19f2deeb71a16a06d8a8b4e054a418147605f5d36d

SHA512
68a2d90f27f1da90162baff3b014547c9ea49abf01f73ef0fda2d18c67376db8cdc055405319cef7280d68eb10a880e92d887d26e3c2f606cd5f5aedbdfe8336

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df5922743e4ced76af359fd655961b2d

SHA1
07d538743795bacca74b0c87fe266d4bc3c2d201

SHA256
607f7559368ed6ad9a1e2871f4f99e67a220396afeabd9134173269b786c5bfd

SHA512
90aa8a4c42819bbea9078d96752fa7ecc3706404df017dd7da19182d08943e427ed964521a8aab88d5731218a921b949fb29d618d4cc05e8a9be04b81f598578

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac809473ecb6c4fbe9bc59b300318858

SHA1
9971c101db9b5cc5b5d9370321b8e3f050fc27b6

SHA256
9599760deee252c3c306f05dcce6262dbc395aedebcd850671c9b40a7a2501fa

SHA512
05fd09a096ea3e15832d3bb2756434ee220f4436f4fd8411da7063d998aae7fb5f304062f7aeb4eba65b395b1337e69a9a787d7c076101480bbd583c86745db3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9c121bb53e9ae38a6c931a95c549052

SHA1
ecc67d5c43132deb70e739007325efb779d7559d

SHA256
ef1289ddc9999e8ddf02decb9c08e4b04749427fd35e7f388565666bba957480

SHA512
fe0a5590a9ca45a91c09344aa2671813d6073e2f7a53337767d3b0bfa7ca57f700dca4b4f3ace211705be6e57ec746f78785653411c71b0a9fdf34c7a8c484eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcd9202e69d98bf3544ea80d00d288eb

SHA1
1cf1ff99a52bccd92c5877fed9287615efeaa7ac

SHA256
183eb078848ebce8075e57e8c0ce970a93ac30b536142bea97d3069f30282b52

SHA512
9de0b49c61028ae355a22a6ee3966e06ee59c7c0842284813a42f47e70e5f44fead8b7c23746128d1cf26f96ba62b58a6cec9d19bbb66699f6cf3ab47ecaf080

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4c67bba046c55bc7554498f62f21b03

SHA1
6fe2219efe79592a7d32c7641da57832abf90474

SHA256
6105a3703d3f7ed27e1974b4d493aeb5468478e80a54871283035fd21cfbb1f7

SHA512
07c491f925b91789e1b9c95babf784b32dd1b4778a0ef0e5e85c8719cb9d839f46a5e0bd4abc69a69f070f6f3e8d26df52ff3f5225730ef6aaf906bd676e8847

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e6de890b838f019e7e2323395ee3bc9

SHA1
612e1f61b69fb4dcd10ef14a3f073c2ead8ac24f

SHA256
91425ad33ee607fb821db7351042ca93f61ad2668f960fa93b569e72d3ac54ae

SHA512
362f178af0d2473402bd6372f59f8ca516131b496cc6827db753a0c2d94a585b4ab1b63f24e49be15fcca66fc30afa76dffd3e36157f8f514220b68f022450be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f092662aaea9f89f379e4dd598d011a7

SHA1
4213b86358b02a90a4a775199a035c77c3bcf11b

SHA256
0635e346138851656e71c8ea9898cf4712d70b1958440c39141a8c3e3f3c72cc

SHA512
7ff02e9cc63340f30989927bfed047b6ea9105aa3ba991c2e5080ba44bf51a65626e83d84b9da50b2dba78cf51a4f193a7cbecb200cf11d79e3a110691549e2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b012f895b80d3df87c2a98112a0a605b

SHA1
ba4cf9017d1abb2f181c8d6b7ee3dd36dc9316b1

SHA256
3f63838627627c049bb3c990abc2d9a8c40a06885fb457ef4f610bc482e6ad1a

SHA512
92749a030ea49694baf96075f3e49047ffee473f2ba57fc13b6195e12c8757c2c9ddcaa1236a4cb84beef2a32469a20558fc7fc905c5270500a9d09f569e3b7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
644c4c51aeb5f657c423737e5ba9c494

SHA1
3019bf8feb52bf36eaabaff8cd6bd3fc467fa41c

SHA256
dd4ed18882e0dd343babf593bb5caf5bf3102ead07c257444786db67a74ec8ba

SHA512
540145dd29824a37b2a35e70aedbab46f6c891113619051900f9ad1d621ce043b90bf3cfecbde363b83c55de8aa7c980c1374169428c0ca6143a0824a4db347d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f48b0cb01ec4d8b1a3c28cf6e72eb30b

SHA1
a3fdbac64ba2fb195fea9f73687d1c9d5acd6380

SHA256
cec37daa86690effb78a3ff0ccfbb4367cfa3c289063817efcfbb31ec78d06a0

SHA512
288735a8e9df544aefef01ab66769b96e0e933089bdd0ef6cd790fea79b457894873db1b5f166c7faf09c9d220e464a109c1a961ea678d3445e56814900b3e7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
0dcba74ff93e1ab6d92daaaa6dccb34a

SHA1
09c30f70cffc0339ae0e16ffa12c69ce571b7984

SHA256
21f45d2d43fbf92fa37941430da4d4053f67f88c65551a734f24b578329813c5

SHA512
4e9d16ea9e7597128effe9318e8d25adcaca8f7ef19e2e61fc30c57e86cfed6c5322b32ddaf87ac851051b74ceb7e3a7f8118af01d1b06ebe92592ea870c9c23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\gsz3hkd\imagestore.dat

Filesize
8KB

MD5
d45741a11358e7e6b36cb99295cb6fb1

SHA1
77f73ed1b5f115daf1f31fedb7acb7a7f85e5169

SHA256
20d61f094cf37287b824401c7063525cc594300487c4ca414031f04750db3d36

SHA512
fcda5dc83840792c451d30b19c1cbd243fe7557d09e609aec0e42f96be36da8cae155b0829dff097268474d14aa96bdbadabf60d38d17757baa260bcede1af2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\favicon-196x196.59e3822720be[1].png

Filesize
7KB

MD5
59e3822720bedcc45ca5e6e6d3220ea9

SHA1
8daf0eb5833154557561c419b5e44bbc6dcc70ee

SHA256
1d58e7af9c848ae3ae30c795a16732d6ebc72d216a8e63078cf4efde4beb3805

SHA512
5bacb3be51244e724295e58314392a8111e9cab064c59f477b37b50d9b2a2ea5f4277700d493e031e60311ef0157bbd1eb2008d88ea22d880e5612cfd085da6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC0831EA6\setup-stub.exe

Filesize
478KB

MD5
c7a46bc5be90833c9b9778aca6109f9b

SHA1
9dc6b2717e53a72b8c019033ef8595adfb39c0e1

SHA256
8cd419444deed88322add2b48f74709abda078df6dcda0799459c2cd91fd0eba

SHA512
92ec266429af24f3fe96977b45412523c7dc303376dddc94c7213dc22173c8e3f21f74000396265f1fa78f0c5a7b12bd89a697924772bc1c758757fe1be87f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEA57.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEAB8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xj9UkYYXFVU2rlt.exe

Filesize
312KB

MD5
78275c405670e0d9dd16481f26f5355c

SHA1
8581c6e6e7f239dbbba5083c65a76b3893515e3b

SHA256
0d5d6ea5c85bce2ae1e9dd5a777a35cfe21e9f9526630d13cf1795c4fb32eeda

SHA512
7cf9c4aa805cc0f161200e1e71f09eeb525d03d57f550062c880d63c13f7fd616613ab3630c7ba28cc84141390e55eb45bdde8e757c9fd29bbe8ddbcfe3a2d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB388.tmp\CertCheck.dll

Filesize
5KB

MD5
2979f933cbbac19cfe35b1fa02cc95a4

SHA1
4f208c9c12199491d7ba3c1ee640fca615e11e92

SHA256
bcb6572fcb846d5b4459459a2ef9bde97628782b983eb23fadacbaec76528e6f

SHA512
61f07c54e0aaa59e23e244f3a7fd5e6a6c6a00730d55add8af338e33431ed166d156a66455a4f9321cafbce297e770abc1cb65f7410923cb2b5e5067d1768096

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB388.tmp\InetBgDL.dll

Filesize
7KB

MD5
d4f7b4f9c296308e03a55cb0896a92fc

SHA1
63065bed300926a5b39eabf6efdf9296ed46e0cc

SHA256
6b553f94ac133d8e70fac0fcaa01217fae24f85d134d3964c1beea278191cf83

SHA512
d4acc719ae29c53845ccf4778e1d7ed67f30358af30545fc744facdb9f4e3b05d8cb7dc5e72c93895259e9882471c056395ab2e6f238310841b767d6acbcd6c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjB388.tmp\config.ini

Filesize
187B

MD5
ed23468cb20f1f37a967eb26f639faef

SHA1
5707e3d394b6a3e36e8b1e23317ec115bafa1e9c

SHA256
812217f840657b7d310c406d7224eb1c339079ad48541d922e3f15f1b2e3d913

SHA512
9a7d3073b2d7d234eee56464df7b58be4466171c3cad47ebf0d4742c0ed05555ac890a18991ef59bf8b0751a207ea04f86a728fe3b0cb19607b9f6e4f45e76f9

Download Submit
C:\Windows\CTS.exe

Filesize
35KB

MD5
93e5f18caebd8d4a2c893e40e5f38232

SHA1
fd55c4e6bcd108bce60ea719c06dc9c4d0adafa6

SHA256
a66c4b98becac2f69cb107cd087d7a2ca9ef511bc3b83367b1f440f11dd159a8

SHA512
986583610d27caae2080834301d072557c5d2c85e33f0d19ab1245d7eae8db146397461572ddb3d491be16f3af210720d54267dac838fdad8fe34afa3d6b7f54

Download Submit
\Users\Admin\AppData\Local\Temp\7zS89818EC6\setup.exe

Filesize
940KB

MD5
5300331dea94f4ef257245d145d30df2

SHA1
2ece1eb3155f8aef8db5121ff6b495bcf0fd740c

SHA256
b4f6c6b3d3f464b9747dc4ff4ab2555dcbf38f284980b2f54422d7d260f281d0

SHA512
c9d2978ee7ccefcfc03b135fa40f278085c8f58488781bc0129cb4677e0a3b06e974b4056d009b842a8bcf1691774ff0f34ca6939bde8a0c833bff816fc7a7e5

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB388.tmp\CityHash.dll

Filesize
43KB

MD5
737379945745bb94f8a0dadcc18cad8d

SHA1
6a1f497b4dc007f5935b66ec83b00e5a394332c6

SHA256
d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

SHA512
c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB388.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB388.tmp\UAC.dll

Filesize
18KB

MD5
113c5f02686d865bc9e8332350274fd1

SHA1
4fa4414666f8091e327adb4d81a98a0d6e2e254a

SHA256
0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

SHA512
e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB388.tmp\UserInfo.dll

Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB388.tmp\nsDialogs.dll

Filesize
9KB

MD5
42b064366f780c1f298fa3cb3aeae260

SHA1
5b0349db73c43f35227b252b9aa6555f5ede9015

SHA256
c13104552b8b553159f50f6e2ca45114493397a6fa4bf2cbb960c4a2bbd349ab

SHA512
50d8f4f7a3ff45d5854741e7c4153fa13ee1093bafbe9c2adc60712ed2fb505c9688dd420d75aaea1b696da46b6beccc232e41388bc2a16b1f9eea1832df1cd7

Download Submit
\Users\Admin\AppData\Local\Temp\nstF9DA.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
\Users\Admin\AppData\Local\Temp\pStucUEbocczZLo.exe

Filesize
442KB

MD5
5e8603920f9fd39ecede163aab0c53c7

SHA1
1f686ce223269087e4b036e8fdfd9214d9b8911f

SHA256
f3a9cdd9ff511cd504bc5ca96e280bbc166fa1d87e749a86a5d73d05cdd1f879

SHA512
935b7e57fa7f2798f0ba1b9a0481a43ae60339886462c9010328335e833207755046449dd97885df86ac8d4d46f471d557ea4585223765120b9401b57bf04705

Download Submit
memory/2060-49-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2060-18-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2060-27-0x0000000000330000-0x0000000000347000-memory.dmp

Filesize
92KB

Download
memory/2200-161-0x0000000000240000-0x0000000000286000-memory.dmp

Filesize
280KB

Download
memory/2200-362-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2396-6-0x0000000000290000-0x00000000002D6000-memory.dmp

Filesize
280KB

Download
memory/2396-1-0x0000000000DE0000-0x0000000000DF7000-memory.dmp

Filesize
92KB

Download
memory/2396-13-0x0000000000DE0000-0x0000000000DF7000-memory.dmp

Filesize
92KB

Download
memory/2472-43-0x0000000001110000-0x0000000001127000-memory.dmp

Filesize
92KB

Download
memory/2472-33-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/2472-35-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/2472-29-0x0000000001110000-0x0000000001127000-memory.dmp

Filesize
92KB

Download
memory/2472-32-0x0000000000080000-0x0000000000097000-memory.dmp

Filesize
92KB

Download
memory/2524-17-0x0000000000C50000-0x0000000000C67000-memory.dmp

Filesize
92KB

Download
memory/2860-671-0x0000000002A80000-0x0000000002AC6000-memory.dmp

Filesize
280KB

Download
memory/2860-78-0x0000000000390000-0x000000000039F000-memory.dmp

Filesize
60KB

Download
memory/2860-155-0x0000000002A80000-0x0000000002AC6000-memory.dmp

Filesize
280KB

Download
memory/2880-52-0x0000000000C50000-0x0000000000C67000-memory.dmp

Filesize
92KB

Download
memory/2880-50-0x0000000000C50000-0x0000000000C67000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads