ad14a052c2469e5886bf81e18da365ae954411a90f30b538fe33b08eef94f9a7

Analysis

max time kernel
144s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/10/2024, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

252a53eb823139352a705180bedc5a37_JaffaCakes118.exe
Size

429KB
MD5

252a53eb823139352a705180bedc5a37
SHA1

65e72461f8b718ce73bd7a635f8bea5a9bff957f
SHA256

ad14a052c2469e5886bf81e18da365ae954411a90f30b538fe33b08eef94f9a7
SHA512

0f62b3c1522d63137f5ad81b3ddea8c5e3e274fdc21863051c70d930d59e1d5d0ac9e808e63dfa24633f988ea655fc95ab6c2b173d93fd44042a03a1fff42b2d
SSDEEP

6144:QXEMSTj/tYm+zoED78n9vOg4N45R44Oel7QAA3CkKXBBeng2HgFUwrnKbZ:1Ff/6z0Oh45C4OelsQPGHgLnS

Score

8^/10

adware aspackv2 discovery persistence stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	2692	rundll32.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x002e0000000160e7-6.dat	aspack_v212_v242

Loads dropped DLL 9 IoCs

pid	Process
2160	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe
2160	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe
2160	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe
2160	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe
2160	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe
2692	rundll32.exe
2692	rundll32.exe
2692	rundll32.exe
2692	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{987126e2-5302-530f-f304-e53954e2b0ba} = "C:\\Windows\\System32\\Rundll32.exe \"C:\\Windows\\system32\\{c67925ef-f5ac-4f33-1e3a-04af80c8b75e}.dll\" DllStart"	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{987126e2-5302-530f-f304-e53954e2b0ba} = "C:\\Windows\\System32\\Rundll32.exe \"C:\\Windows\\system32\\{c67925ef-f5ac-4f33-1e3a-04af80c8b75e}.dll\" DllStart"	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{90e4ec0c-1873-c788-c698-1a8c7f88d52d}\NoExplorer = "\"\""	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{90e4ec0c-1873-c788-c698-1a8c7f88d52d}	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\{c67925ef-f5ac-4f33-1e3a-04af80c8b75e}.dll	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\{c67925ef-f5ac-4f33-1e3a-04af80c8b75e}.dll-uninst.exe	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 400fcda8f319db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D3F8A9E1-85E6-11EF-81FA-CA26F3F7E98A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000681ca1868fb9d042bf73fb092e0ffd6a000000000200000000001066000000010000200000008b5338dc407c536676d321bc099a7eb1d71b1f9741b626b52e71872d1ba938de000000000e80000000020000200000003b50cc0d99d70e4541f9a1f690a6cf96f65555495c9c620dc4d9857827c3c52390000000874641a598009ddad509a0fd40fcc1f06cc02c3ca38f0e809ad502ca8f04b85ab6986e452764e98b43ba78616655ad84bdefd265927bf669188c97087c27c4be1c027364f983cf3357b2421274d10aa1f2957ea812e2c9e507c8817b85bba7e9ef07152e2498c0bffaa5ac0602c3b5d156d12a0fa7d31cd8e6ed9935f85fb600dd6914beead29e977ad08d9d735d04c8400000002ffeb0797cb548aa60e7da74d8d12ac111c0c9e4af8a43edb9d3c7d64d9fb2b77e3175fadd16ff52db42e3f99a1e37232a2e1ac3cb44a8a09e48dceec1fcf70f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000681ca1868fb9d042bf73fb092e0ffd6a00000000020000000000106600000001000020000000347f869836d258fe866821682440c68cbbbf15d9d6810c63ee2aeb5610670078000000000e80000000020000200000008e627f28da2437b7ab83ad2a84ed0cba2e7845e95a3ccb60cc077b0164ab3856200000007953de1639d4a96dcfaad0db9117feb60706bafe10fc90f26beb7818652e62214000000036321d4f60764baf3223def350db207568f75748bb1e828e2e8489df3b17baf4cbe244474c8c5e80e86da3a12ffbd701f4edbaa1fdcee04ac3a684a00bb5dc9a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434603063"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90e4ec0c-1873-c788-c698-1a8c7f88d52d}	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90e4ec0c-1873-c788-c698-1a8c7f88d52d}\ = "gooochi browser optimizer"	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90e4ec0c-1873-c788-c698-1a8c7f88d52d}\InProcServer32	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90e4ec0c-1873-c788-c698-1a8c7f88d52d}\InProcServer32\ = "C:\\Windows\\SysWow64\\{c67925ef-f5ac-4f33-1e3a-04af80c8b75e}.dll"	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90e4ec0c-1873-c788-c698-1a8c7f88d52d}\InProcServer32\ThreadingModel = "Apartment"	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2160	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe
Token: SeBackupPrivilege	2160	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2624	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2624	iexplore.exe
2624	iexplore.exe
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2692	2160	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2692	2160	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2692	2160	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2692	2160	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2692	2160	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2692	2160	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2692	2160	252a53eb823139352a705180bedc5a37_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2620	2624	iexplore.exe	32
PID 2624 wrote to memory of 2620	2624	iexplore.exe	32
PID 2624 wrote to memory of 2620	2624	iexplore.exe	32
PID 2624 wrote to memory of 2620	2624	iexplore.exe	32
PID 2624 wrote to memory of 2620	2624	iexplore.exe	32
PID 2624 wrote to memory of 2620	2624	iexplore.exe	32
PID 2624 wrote to memory of 2620	2624	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\252a53eb823139352a705180bedc5a37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\252a53eb823139352a705180bedc5a37_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\{c67925ef-f5ac-4f33-1e3a-04af80c8b75e}.dll" DllStart
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2692

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2624 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8906c8b1869d818796b315a78c3716fa

SHA1
844fe30ed15b7516c456a7f44393ef2407eb61c5

SHA256
dba5af07d2ae5707d050c911fec724ce4dc02b2494eeefe60eabfd537d48d1d2

SHA512
bffdef5ad05e1e7270ab183ae28eee9231a23f9f5fcfcd3d63e067e005fdbb08948e90227d1ab7cc97cad2eb8e7c35ba2f49610877ea761a264123949fcb2974

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f79618a0f61a3ebfb1a2efa0d27edbf

SHA1
12e3dd7157e331d4df4ff0d667c8d2439092e3c3

SHA256
ebaa137ab8158c5b0e991b452ee7241508c31cef0dd287c3b4a8e7a2f70b5474

SHA512
6a1aaa7689792d471f4e708a5f56c1e6e4349069842ff3ca174304450c670cbdacea2636847b19b9f69518d2f7603fbbaf3f4ad8c5d7004f42ac004c6c198296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bff56fd4c1b6903fa9be7c8622e7be7c

SHA1
c8bb14b8a79a6cba64cfaca7372c44acf099491e

SHA256
6e4853a12b2e8e1c405bb0c2f81a36d5bc29edc06dc04e03f1ecce6c20a600bd

SHA512
58a6ff657e9b7d4b287a7c36cb7cef386701560555b35dbd619e80087af1b4aee6ae4dafc76333cc5960f370bad1285e37e6a7d86c110d352e80d805f7076265

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd0b584bc752766ec5a7ab0ca6486108

SHA1
77af001e974e8cdb379af3b6682f122f604eb902

SHA256
3118c047cb121cf425ec7e1eb60ce7f1504d9e379b25e28c80981b97083c1230

SHA512
4b2bed3bcde2a3c7e15935be6cea96b6c136a9c09f16f2888ad8479be6a411cdfa8aa015744a75879917a1f3e92ba58741dab67854f546d9fec6336cdd2b1975

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0ef4c1f5dde3916fc0919d256bfa6d5

SHA1
266c5cbd1d8ce86349ed3079ddf817f401ecacd8

SHA256
d15ce56faa2c5b28a663960c52299455870098aa106fe3c426a12bf7683dea21

SHA512
e6035cf069f82cbda8d35dffaadc021ad84d38e4c354deba34dc2c7d59166b5c1c2f1948c0eef1a34611cf8940875889c465828d6d9dced903ffd63c85249212

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74d453845fef548852c4a2b5d4f737fa

SHA1
a65a2ae208eecd7295396a57f2a6585c0dd9f8cd

SHA256
83106b8fabc98aef36f45d692d8699d6690749a142c46088ecb457b024359f1f

SHA512
c311b26bf0eef10a82364c2a05a9c2415dd2936add0bdfcacb6e6c91debceaf3ec1ab603b5705021a84a0278777182d2ac8352d3c35d230841027c290fe94d4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83c2231e06bc3d59571ce53020e38154

SHA1
1f7386bbd254f86389a313616bedae85b8ab4dc3

SHA256
9e5009c075aae3ca968ebe5d68291705b12dcba90fd5fcc4a846ff507c89286f

SHA512
32c3ded60055befb7c3c71b87109addbdab87d74eb05e6cd27677cdbe33e4c891f29648f2a0d2f58d0be8b96d65cf9b7d85e2d951169ab7726cf3473a27b6a7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc3023510531877b995d6cbf0d655367

SHA1
3669049bc0cd028d7deb3feafc838c96440a6aea

SHA256
7ada2ca0baa2e1850f057c2f46e95949a62a772e767e35d0bc9df768ce9cb702

SHA512
05789146a90e90e6043cdd6d99ea78c52e25c384429687137120d43029d5b95d6076691c7aee30d5784fc8d24c71a05d27a0cdd169e6e5d746b8a0168e7077d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6dacb44585ce2bf6b6199ecdf2b00a86

SHA1
41a04b3d523b501424b5915cc10d57d6cb189590

SHA256
1f3d6c82e59e568513c12ba27c7b76f40451b15f6cc31dcdd8b3bb6618f396f9

SHA512
71294dee26113265e94e77dd7df533effddeb7e2c0c72a3f9e7b84bcbb52691e64a5e7bfa82b26b26dd2493bb9cd91ddf562fe2203e55c469490d97315613417

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68cad07ad288b5aaf286842f88883f8e

SHA1
9d0f1b8dcc34a34a13152e2442f20cdae1bf4e89

SHA256
5f254463114c268080d46bd49926a7faa871ee057d4b839210681073aff5bd38

SHA512
bf3f0b85efc0477d023a1f34a9914fc59202b97a72dccfbc54550a9414d56340a13ddb2153c84a3f2c0d14655e07214e99f682da130e3d538992d5a8d1e77ac7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
703669ae61e7bac485511302f8fbd524

SHA1
002ef76f9e332d7163030f6af2510c6b6e11f47c

SHA256
5783f7fc45a24440f772888ec5996c641695eebe829bfe753b677ef2373f56fe

SHA512
3476bde5aba1f0c336aa5f1b2b09a09d6f6d58343497d18f7e554967bfdf17f1bebfd5a5989bd1dfa22965258a62b67fbd4b5c526eb65c8c6366ba90cbeedf6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad20d11b9eaa5644fbe77153a21ce723

SHA1
4062c09ee7ceaacec59f7f42cae5da75b077fb64

SHA256
e15a696b94ef8aa640013345b88554fb212a7467296cf6d064b1bdc24104fea0

SHA512
863b03ad0da07a2e88b5af227de6ebd840cf0c6f0dba38bd85253b9b871db773660e1bd42d26a39d6733ce2045c5d3817ebde4e8dad43dae95db483a61b77cc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c049d873ff06ddf70c8c7bcd5886d90c

SHA1
ac4ac8e094b0ac440a9e0cbbce2920991334f9a4

SHA256
ee653e60e91884910ec683b1d3af6cc8262f63854bb09990c93efeefa33dbab6

SHA512
06be7f57314e513aa476cb393b35125066d6d9dc6ad69214739d5db0cb871cb639920593a187cd5ecd99cc28bdc5c2a075bc007f3c17658e427514fb95b07ce3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26dbd6a071fdd0abd4b4f6ca03d7a7f0

SHA1
16b53507343034da2ee5b7aa82543a0235a5cc50

SHA256
f5e05d3841c49e71ec2123160fe4e2552565ed09ddd133342419730497ff933f

SHA512
14dcf0e3b9b2fc7902abeaca997ae91d4f0b53d98d5d5c6d3e4e1cc2f0b581a1e47805d665c0c18b99fe6d440d1046dcf7e730747056a01b85d8a3c31e8bdda0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac77a1761d429b09f51003781bc0500a

SHA1
f78c909e0c6f43d341ea24d9b05588326e6d4d16

SHA256
85e3541f17dd12b569d930edef7984f05aab4292ceb2f60ed027e082bedac3ba

SHA512
d74dc30f6381865f5b64f469cd44879ce628ca5e7612d599e6bacab88db7cc6b72a4e651e8b6b0a2e98ed1faac3802b6e6cd3001530ba9422a62d5255184f2b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b23bc004a29f2e74c628b0ece15d324d

SHA1
019784a0a7b6342641634388dc7bf8dfb3d1784a

SHA256
a5bba6aedfd069eb2f9c16c340b3f7c0e5f26ceba9d0de11ec24fbfaa587af88

SHA512
aa49c79094c839e2d438c28075cc2ed9a18eaa7dd14fe6a5b85bbe32db93adc729424166a6b6f845e8f32bf0f0072d2fa74a9d68c643e6ba35d58dd9c1efaf6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cafc24812d71dc295787f342805b59bb

SHA1
a53f4a5ff8fefc15344efdf27f83a0275ca177e9

SHA256
05ee57982e59b6cf5b0feb824cca46938a7dcefb0d904f19fba52494a8cf35a9

SHA512
fe5870be0cf4c727ebeea2390a77dd8a09daa79933cd2f13350f6f9cb537dfdca588d8c9ccd0b9aa3e6ab42455f927fd5c840d9e0a56f740398597e45d8fda16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8440.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar84CF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2TFMOVL6.txt

Filesize
117B

MD5
e688708892c78f1875114e39db631708

SHA1
91f383f9ed0b48285a9bcfd07f6ad296e1d48cd9

SHA256
cc638626e3e4cd1088960fd227b66064d5e2522b250382c4b6fff1c712df5241

SHA512
cd54098b5caf2d2952659557fc35cec0242843805c5a1a6d2baec80a8fe00fa46baacb3f562f29703e8dc9c1e4e8ac0bb43eb2211fc1a8caa0c7ffabdd35eaa5

Download Submit
\Users\Admin\AppData\Local\Temp\nsy628C.tmp\NSISdl.dll

Filesize
14KB

MD5
2bb3a180348b2b3d155cd12b9eda0712

SHA1
1f3e94f5457502ce59aee891275288f88739f367

SHA256
944bc80b57670eb187bdd59250f77af6ab657a2cb6ede3621139d8c04d57eec3

SHA512
d555b890910a8a729e37cd69fb612d5d7efe76f2821995b3c7b532d663d5993688692d8d5be6f97f683daaaf02683a134c69f9ae6710a7e005dc7cd47cce0c55

Download Submit
\Users\Admin\AppData\Local\Temp\nsy628C.tmp\System.dll

Filesize
10KB

MD5
0bbcbaee7b703ebd55cd8658a0e8dcd3

SHA1
6ed448b8b67cea36eb45bfbc67fed9a6da9623e4

SHA256
e67277ecc4f6c7beb3c7e586ce508677269db056c7541eacfecf6c719f559da6

SHA512
604c524bd00313f6411cc9878d5c9a1db77588049feeb5bb02c971df44f8becbd18d251cc20e551b878173eb2a78be61f31352769597c6334cffc0bc2326b008

Download Submit
\Windows\SysWOW64\{c67925ef-f5ac-4f33-1e3a-04af80c8b75e}.dll

Filesize
362KB

MD5
143082133f945ac135a939e885c410b9

SHA1
7f3c3839b4a1ca4c0fcbb3592d87fab2c14908e2

SHA256
11cee79ceafa393090ee9f1007e60ad172d6069e0032aa7bf6b014fd7a5a3a1c

SHA512
2dbda15281cb8b5f917cf18435bb41ad244a754e69e6a3aaaaec3351806a03359286f89f80fa369d6976168843ab2aa7f58158c3ec569eefee03d0909f78ed67

Download Submit
memory/2160-15-0x0000000001FA0000-0x0000000002012000-memory.dmp

Filesize
456KB

Download
memory/2160-8-0x0000000001FA0000-0x0000000002012000-memory.dmp

Filesize
456KB

Download
memory/2160-9-0x00000000028C0000-0x000000000291A000-memory.dmp

Filesize
360KB

Download
memory/2160-10-0x00000000043F0000-0x00000000043F2000-memory.dmp

Filesize
8KB

Download
memory/2160-17-0x0000000001FA0000-0x0000000002012000-memory.dmp

Filesize
456KB

Download
memory/2692-28-0x0000000010000000-0x0000000010072000-memory.dmp

Filesize
456KB

Download
memory/2692-31-0x00000000003B0000-0x000000000040A000-memory.dmp

Filesize
360KB

Download
memory/2692-483-0x00000000003B0000-0x000000000040A000-memory.dmp

Filesize
360KB

Download
memory/2692-30-0x0000000010000000-0x0000000010072000-memory.dmp

Filesize
456KB

Download
memory/2692-29-0x0000000010000000-0x0000000010072000-memory.dmp

Filesize
456KB

Download
memory/2692-32-0x0000000003A30000-0x0000000003A32000-memory.dmp

Filesize
8KB

Download
memory/2692-54-0x0000000010000000-0x0000000010072000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads