8479ef1cab87d6db89639df939f73dfaa36c9876bddce35995650333f4985d7d

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 08:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2df609029dcb79fbe87126d7a2e28980_JaffaCakes118.dll
Size

120KB
MD5

2df609029dcb79fbe87126d7a2e28980
SHA1

74f49a7c5e740f0c676e1c96d11deffd247ff7b3
SHA256

8479ef1cab87d6db89639df939f73dfaa36c9876bddce35995650333f4985d7d
SHA512

2d0222c40fa8aefdcd5fc36cd443d170b1d6d9e07a5503ce694f509da3ffdb8018de049b44d68c43107d99ab90deeebc3b5542da36ddc886266d4f9345ad2caf
SSDEEP

1536:oGwzIj0enC+YF89iBO4TOxagJOOtfSC2tmyvCwMYRyfoP1W5Jbg:Ffl3w89TrxaviF2tmyvCjOyfoM5tg

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1932	rundll32.exe
3068	rundll32.exe
2260	rundll32.exe
2356	rundll32.exe
2412	rundll32.exe
2920	rundll32.exe

Loads dropped DLL 13 IoCs

pid	Process
2200	rundll32.exe
2200	rundll32.exe
1932	rundll32.exe
1932	rundll32.exe
1932	rundll32.exe
1932	rundll32.exe
1932	rundll32.exe
1932	rundll32.exe
3068	rundll32.exe
2260	rundll32.exe
2356	rundll32.exe
2412	rundll32.exe
2920	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\PROGRA~3\\rundll32.exe C:\\PROGRA~3\\do87.dat,FG00"	rundll32.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2200-1-0x000000007AB00000-0x000000007AB2B000-memory.dmp	upx
behavioral1/memory/2200-6-0x000000007AB00000-0x000000007AB34000-memory.dmp	upx
behavioral1/memory/1932-16-0x000000007AB00000-0x000000007AB34000-memory.dmp	upx
behavioral1/memory/1932-17-0x000000007AB00000-0x000000007AB34000-memory.dmp	upx
behavioral1/memory/2200-39-0x000000007AB00000-0x000000007AB2B000-memory.dmp	upx
behavioral1/memory/2200-41-0x0000000000240000-0x0000000000274000-memory.dmp	upx
behavioral1/memory/1932-45-0x000000007AB00000-0x000000007AB34000-memory.dmp	upx
behavioral1/memory/2920-46-0x000000007AB00000-0x000000007AB34000-memory.dmp	upx
behavioral1/memory/2412-47-0x000000007AB00000-0x000000007AB34000-memory.dmp	upx
behavioral1/memory/2920-489-0x000000007AB00000-0x000000007AB34000-memory.dmp	upx
behavioral1/memory/2412-500-0x000000007AB00000-0x000000007AB34000-memory.dmp	upx
behavioral1/memory/2412-942-0x000000007AB00000-0x000000007AB34000-memory.dmp	upx
behavioral1/memory/2412-952-0x000000007AB00000-0x000000007AB34000-memory.dmp	upx
behavioral1/memory/2412-957-0x000000007AB00000-0x000000007AB34000-memory.dmp	upx

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\PROGRA~3\78od.pad	rundll32.exe
File opened for modification	C:\PROGRA~3\78od.pad	rundll32.exe
File created	C:\PROGRA~3\78od.bat	rundll32.exe
File created	C:\PROGRA~3\78od.reg	rundll32.exe
File created	C:\PROGRA~3\rundll32.exe	rundll32.exe
File created	C:\PROGRA~3\do87.dat	rundll32.exe
File created	C:\PROGRA~3\as98213.txt	rundll32.exe
File opened for modification	C:\PROGRA~3\78od.pad	rundll32.exe
File created	C:\PROGRA~3\78od.js	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	rundll32.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434668162"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{68B217F1-867E-11EF-B729-F2BBDB1F0DCB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2888	iexplore.exe
2888	iexplore.exe
2888	iexplore.exe
2888	iexplore.exe
2888	iexplore.exe
2888	iexplore.exe
2888	iexplore.exe
2888	iexplore.exe
2888	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2888	iexplore.exe
2888	iexplore.exe
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2200	1984	rundll32.exe	30
PID 1984 wrote to memory of 2200	1984	rundll32.exe	30
PID 1984 wrote to memory of 2200	1984	rundll32.exe	30
PID 1984 wrote to memory of 2200	1984	rundll32.exe	30
PID 1984 wrote to memory of 2200	1984	rundll32.exe	30
PID 1984 wrote to memory of 2200	1984	rundll32.exe	30
PID 1984 wrote to memory of 2200	1984	rundll32.exe	30
PID 2200 wrote to memory of 1932	2200	rundll32.exe	31
PID 2200 wrote to memory of 1932	2200	rundll32.exe	31
PID 2200 wrote to memory of 1932	2200	rundll32.exe	31
PID 2200 wrote to memory of 1932	2200	rundll32.exe	31
PID 2200 wrote to memory of 1932	2200	rundll32.exe	31
PID 2200 wrote to memory of 1932	2200	rundll32.exe	31
PID 2200 wrote to memory of 1932	2200	rundll32.exe	31
PID 1932 wrote to memory of 3068	1932	rundll32.exe	32
PID 1932 wrote to memory of 3068	1932	rundll32.exe	32
PID 1932 wrote to memory of 3068	1932	rundll32.exe	32
PID 1932 wrote to memory of 3068	1932	rundll32.exe	32
PID 1932 wrote to memory of 3068	1932	rundll32.exe	32
PID 1932 wrote to memory of 3068	1932	rundll32.exe	32
PID 1932 wrote to memory of 3068	1932	rundll32.exe	32
PID 1932 wrote to memory of 2260	1932	rundll32.exe	33
PID 1932 wrote to memory of 2260	1932	rundll32.exe	33
PID 1932 wrote to memory of 2260	1932	rundll32.exe	33
PID 1932 wrote to memory of 2260	1932	rundll32.exe	33
PID 1932 wrote to memory of 2260	1932	rundll32.exe	33
PID 1932 wrote to memory of 2260	1932	rundll32.exe	33
PID 1932 wrote to memory of 2260	1932	rundll32.exe	33
PID 1932 wrote to memory of 2356	1932	rundll32.exe	34
PID 1932 wrote to memory of 2356	1932	rundll32.exe	34
PID 1932 wrote to memory of 2356	1932	rundll32.exe	34
PID 1932 wrote to memory of 2356	1932	rundll32.exe	34
PID 1932 wrote to memory of 2356	1932	rundll32.exe	34
PID 1932 wrote to memory of 2356	1932	rundll32.exe	34
PID 1932 wrote to memory of 2356	1932	rundll32.exe	34
PID 1932 wrote to memory of 2920	1932	rundll32.exe	35
PID 1932 wrote to memory of 2920	1932	rundll32.exe	35
PID 1932 wrote to memory of 2920	1932	rundll32.exe	35
PID 1932 wrote to memory of 2920	1932	rundll32.exe	35
PID 1932 wrote to memory of 2920	1932	rundll32.exe	35
PID 1932 wrote to memory of 2920	1932	rundll32.exe	35
PID 1932 wrote to memory of 2920	1932	rundll32.exe	35
PID 1932 wrote to memory of 2412	1932	rundll32.exe	36
PID 1932 wrote to memory of 2412	1932	rundll32.exe	36
PID 1932 wrote to memory of 2412	1932	rundll32.exe	36
PID 1932 wrote to memory of 2412	1932	rundll32.exe	36
PID 1932 wrote to memory of 2412	1932	rundll32.exe	36
PID 1932 wrote to memory of 2412	1932	rundll32.exe	36
PID 1932 wrote to memory of 2412	1932	rundll32.exe	36
PID 2356 wrote to memory of 2888	2356	rundll32.exe	38
PID 2356 wrote to memory of 2888	2356	rundll32.exe	38
PID 2356 wrote to memory of 2888	2356	rundll32.exe	38
PID 2356 wrote to memory of 2888	2356	rundll32.exe	38
PID 2888 wrote to memory of 2752	2888	iexplore.exe	39
PID 2888 wrote to memory of 2752	2888	iexplore.exe	39
PID 2888 wrote to memory of 2752	2888	iexplore.exe	39
PID 2888 wrote to memory of 2752	2888	iexplore.exe	39
PID 2888 wrote to memory of 2604	2888	iexplore.exe	40
PID 2888 wrote to memory of 2604	2888	iexplore.exe	40
PID 2888 wrote to memory of 2604	2888	iexplore.exe	40
PID 2356 wrote to memory of 2888	2356	rundll32.exe	38
PID 2356 wrote to memory of 2888	2356	rundll32.exe	38

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2df609029dcb79fbe87126d7a2e28980_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2df609029dcb79fbe87126d7a2e28980_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\PROGRA~3\rundll32.exe
    C:\PROGRA~3\rundll32.exe C:\PROGRA~3\do87.dat,FG00
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\PROGRA~3\rundll32.exe
      C:\PROGRA~3\rundll32.exe C:\PROGRA~3\do87.dat,FG01
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3068
  - - C:\PROGRA~3\rundll32.exe
      C:\PROGRA~3\rundll32.exe C:\PROGRA~3\do87.dat,FG02
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2260
  - - C:\PROGRA~3\rundll32.exe
      C:\PROGRA~3\rundll32.exe C:\PROGRA~3\do87.dat,FG03
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer Protected Mode
      Modifies Internet Explorer Protected Mode Banner
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2888 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2752
      - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        6⤵
        
        PID:2604
  - - C:\PROGRA~3\rundll32.exe
      C:\PROGRA~3\rundll32.exe C:\PROGRA~3\do87.dat,FG04
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2920
  - - C:\PROGRA~3\rundll32.exe
      C:\PROGRA~3\rundll32.exe C:\PROGRA~3\do87.dat,FG06
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35d2ecc5e3c57cf6975df182f096792f

SHA1
51498a7cc8fe0518b5d01e8f4cfbf24e3a04ce7c

SHA256
842a7c0947769933566203f6ed653719c13f88d62f1f56a86341365f9e15d0b0

SHA512
d5ec0ff6beceab3863cd35a8126846e4e084564370cb688c575182ba865d2056435a193282df9f4e4b7012c6b4dd92f76391453999681bbea1d971cb43b8fb3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea1291c1680fa594e0c1d3af82e57a46

SHA1
17a6a94c68cbc5358ecce3a6ac9779bb7856562e

SHA256
c517479d1135717180295a62836d3302b1a09e3ad4afb480992c2c6d8a1c7c3d

SHA512
6200b01a383b58645c3d082597711f04c6a44c6d0f92ef595692ccc2f66a7b9c13950df59d97e4b1df85f0bb7faee38eab27eea930637a9868d6fd1f8cb504c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82e002f2fcdcb4cbb2effb2a46a8322f

SHA1
ca2acb91bae64f90ac9551370f7377f2a931b148

SHA256
567fcb9017497068e1873f7ff294f46bb5b945a4b1e2039be3d9d5be122b953f

SHA512
d7f8c5335f9cf628a0274d158bae0be712706fe6ef5243d5728ee40a951306bb9c9d60c399d46badc5eeaeece7f0b02bfae4746d2dfc2026665d05a028033c75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a4ae3ce7057c89991ee453b0f64f84a

SHA1
cb368f4d201c5cb2f4cd469da16af11dc311db3f

SHA256
7f3f201bba42c10aa620398474692fc1dc9301dcb8e57007a3c0ecb6043dd8aa

SHA512
c0822376991247b172c1e0822ec29d525c9e2606a9963ab8302151bef5664e29d68243218a7b61fdd92564df35c6532958597b7b4ef4f0fdccab4d64e75424c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea52ef7c523f5a2e461a554c1b2f1bc4

SHA1
0f7945d7cc14bbd3ba0511f6d0dd4f45a36b7352

SHA256
c3f1de6f50b0a77d1022e620cd3556c3d45436321adc83c14d308dc12bb3c4d1

SHA512
e5e5ee1d4fccb5c53d32b3546f249ef86897a70e368f8c6646cd33459e2746566a0fe3bc72fe9a53831e7df975e5564ed992c81a87f39650db19cb130a7f9152

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5973f51d2eea324b763b3f8d9076eec6

SHA1
b9785d95049d6273166f5359e8aeba2bb0491771

SHA256
5caa83a5b9de3a0ffe8ddd6cea58141591cdf064fa330cd6cb17bb23bd7674d2

SHA512
cb7513ffd2da68dd734860a51943a2b90eeb680573c8e2c87e93cc1004484b33f681cf13bb51ea9a15e3f9f412a437c008019bc9b897f1ff759c435d3e810f74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2c47cd888e38fa77874c310a45b4ab5

SHA1
d2a5de33a123899c7f995cee1c0ff6a5599d0aaa

SHA256
cd52217d266413e9f14a416a47bda277c2c8b4909dee574c7f34d58689a9a6a7

SHA512
e839da9490c79ac21e50a29b5e8f525937a031558d6ce61a1aa92f5909e77dfd42aae24bdf50ca275d0fc7bee95e746e85cf1761519d2327d662c76ae43549ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c80573471364832b5d27b3cb83ac6281

SHA1
2618f0970262f3889ba00e0dc877b589003c361f

SHA256
69833b34087504ac6d0e0f8b1edda8d827955a4c79e51ab61a61eb85ab4cdf7c

SHA512
a4692922b46a0c00cfd434b254b24a1af1bf44c8fb199908c99ee04fb4f7ddc73af00bed8fa7c26ea0427e5957a6f04b35a0ff3c4a9aac887205ed76747eed70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4aab47701ffdc3b47060c41c4da8f811

SHA1
0cab3d2cffb1f6a739dd31036f7993d9290f1d74

SHA256
0354fa100d8218ba098ef582a0e2cff6565f17726b383414610fc0ec550d4c93

SHA512
11d29a48691cbd1fd77d0ff42d8b52eeb6b4849e20fff138ac572f904e93ff9f2fd6d2b2e32806ca030a140ed70c24e8d1917e0afc976116922d157ddadd2139

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f99b2de7c350692deecada5de8662ccf

SHA1
ec4399579452570c623d23926f0b455106d89d95

SHA256
314bb57c90894ebb2289ddfbd55cd8816e4f78fdc37079c2bc2949ebc6be730d

SHA512
c6894b5d6244a6cfcd1b5f4a1cb3ed99b464b5118bdbf9e92f4229867f9e6a81bd9819659c87c99abb6463c57e5c30ca3675450d4637c677a53677fc8cc4b71c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44d6c017a36e315c15f3dfe65e73dd2b

SHA1
4bc9287f01becf1ed82c2fdf477d9486082f44d0

SHA256
07365ef2b35c45ac2d262745cb67c4ed416298c7d8b742086f29752062df85d0

SHA512
7c699df77bbff264ed0cbd386ffb816fef34568d0038db23adfe9247b01de941fb5c1a7ffd5fa0f5519089a9f65867ccec2283742850db1db6c4169ca6334028

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d051ce1942d9dc1777f4140afaf01c1a

SHA1
28773bb0f9d6bae077045bc21bfcd98691a204e5

SHA256
205859ed3b83e436e62b6488452d45e4ee451756cd82dafeec95ea08ece77a55

SHA512
b33aab70ce7394f2490e1733b3d00c32932aaebf53e29be8ee73f3ec868387e43f2a27e472c35a106a01f0e49ff89dfe5a956de38ba20d72c09a9fbc0e2a1ccd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b91eba690b17d5da103759d214f64e76

SHA1
cce5361f4c19fa34cb6f50fb75c3d06548a7b6cd

SHA256
71be23fdf7cb97843e68e066371670ec47b65b54e10fc9b0ce42097e51d7a7cb

SHA512
d11b76c496fa6943198f2694242668d699689a325f930a6834470e675dc2eae035b77de8b4d7c68eb1acb1afdeda2d4cd904e5e0b8812bfab79fceb479d401eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b221e8b12266c590d512770d24fccad8

SHA1
ff7333b21d9760fc03a6bf9eb79c2cac5bae225e

SHA256
d59867c9c6db9bc97bb94a97e02f5c8d8feb13689457eb69f24b482523747c82

SHA512
68c1db18d42cc16c3b62d2080cf7bc56d86f36f30147f1008e9f6b266c118d33ee991215971724a8b40bccc53eb629dfcde61262599ac6b06982c926fc1b7ef4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1dc69470d272f35f01ca8addee867afb

SHA1
51ed55c86f4dbaf81f99d6411f3d038b3a45d547

SHA256
96acfa310f3bf4f7d2ea883115d4c923604109fab057c7f7717dfbd7f791dde4

SHA512
711bc29abbd747e4c06cdd0b9ef6b7b2725d616454f104fef7f22f1270d68c191afc69a34940ab92f77e4f0a7291534bafd56df5c3af3741c0f47f84de1bcbdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95d2d487f2c37b131a0455054d07a92c

SHA1
35e44754493ec11caaf8d544affc683b8bdffcfd

SHA256
d09a35965da48e704b6aa3fa49003ea2bef651b0c38de72a3c2188c9b1490181

SHA512
12d9c1a93e66eaebad02bacc684a7dc1e8f523a4f6a8989934b710e62017c9178e13f243189c35908227c1f4c91af2f66b1f5a3d8f3d7d51a16a87f3940a6a59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c583a56cda2c67973d44e268ac473cb8

SHA1
ea6d3c44eda64bcb09667b4733308fde33a8a1ac

SHA256
2d32a5d9c0a3c529e2e818cfc2742b6219e78f1cf9b62dce7a13b63a3c0c2750

SHA512
2f2c5ef5ae3ccb3efdac3ed1646373ae1b0ca25b38a3217327686deae54bd1efe3cd0b4b0378174d31d4aa1c79779d4f2735f10b713c8f2cddae9c8de3df2217

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42ca2f143517df4031aec1ff4976b30f

SHA1
8b7859877c4868bfe31d97aa2bf8d8a2872bf333

SHA256
adac2228d0bf104d8faa84ea0c58f9262c4d8a7f04b6b8d0fa3116e7cc35ac57

SHA512
c012809779a92a22859eab42ddea9ae46531f3744fef1488b9d060786dd53e5ddf50161a27d136457e1681a37e3929f350a67638f340587a799d6c2995a2abd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5acbc10e442f837d95f97b16d1bb347

SHA1
76d168a8f433f96045f4e55f2ae92bce87605320

SHA256
af7865dc3a2d6392462cf37754e1dd5794c2217df06fc6f4786e2322c344cc8e

SHA512
a38e656fa58591977484df6e88eebe686699cb4d5daa8d462668c4a820d976cdf8e9b0320d2877d7804770ebeee7a67f87bed300809403d7eb25861c1f103b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF79B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF962.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\PROGRA~3\do87.dat

Filesize
120KB

MD5
2df609029dcb79fbe87126d7a2e28980

SHA1
74f49a7c5e740f0c676e1c96d11deffd247ff7b3

SHA256
8479ef1cab87d6db89639df939f73dfaa36c9876bddce35995650333f4985d7d

SHA512
2d0222c40fa8aefdcd5fc36cd443d170b1d6d9e07a5503ce694f509da3ffdb8018de049b44d68c43107d99ab90deeebc3b5542da36ddc886266d4f9345ad2caf

Download Submit
\PROGRA~3\rundll32.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/1932-45-0x000000007AB00000-0x000000007AB34000-memory.dmp

Filesize
208KB

Download
memory/1932-17-0x000000007AB00000-0x000000007AB34000-memory.dmp

Filesize
208KB

Download
memory/1932-16-0x000000007AB00000-0x000000007AB34000-memory.dmp

Filesize
208KB

Download
memory/2200-39-0x000000007AB00000-0x000000007AB2B000-memory.dmp

Filesize
172KB

Download
memory/2200-0-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2200-1-0x000000007AB00000-0x000000007AB2B000-memory.dmp

Filesize
172KB

Download
memory/2200-6-0x000000007AB00000-0x000000007AB34000-memory.dmp

Filesize
208KB

Download
memory/2200-38-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2200-41-0x0000000000240000-0x0000000000274000-memory.dmp

Filesize
208KB

Download
memory/2412-500-0x000000007AB00000-0x000000007AB34000-memory.dmp

Filesize
208KB

Download
memory/2412-47-0x000000007AB00000-0x000000007AB34000-memory.dmp

Filesize
208KB

Download
memory/2412-942-0x000000007AB00000-0x000000007AB34000-memory.dmp

Filesize
208KB

Download
memory/2412-952-0x000000007AB00000-0x000000007AB34000-memory.dmp

Filesize
208KB

Download
memory/2412-957-0x000000007AB00000-0x000000007AB34000-memory.dmp

Filesize
208KB

Download
memory/2920-489-0x000000007AB00000-0x000000007AB34000-memory.dmp

Filesize
208KB

Download
memory/2920-46-0x000000007AB00000-0x000000007AB34000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads