82862b63e98f31321f6606f83b1530d7b7b690022a21fb91ea7630b4f7bc2e95

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d2b9a077b11241decf5340b88c80420_JaffaCakes118.dll
Size

94KB
MD5

3d2b9a077b11241decf5340b88c80420
SHA1

15c283e0022c6f6a41f77bbf34ec3795aa784803
SHA256

82862b63e98f31321f6606f83b1530d7b7b690022a21fb91ea7630b4f7bc2e95
SHA512

53cfb950e9748bb9931bb6d0f4fcac73cee9401cda869f3932cf042716b608a1ccb9059620e455e13437cd7e52798db3392d872c69785839f4f26b35ed336294
SSDEEP

1536:FuZGiRHeP1rSbHjPWnqWF/dXkWI1RZWEphDz5ZiKB6Wo8H5IRQm7n0:FuZFFepojbskWID3PXiefC57n0

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2676	rundll32.exe
2756	rundll32.exe
2908	rundll32.exe
2832	rundll32.exe
2680	rundll32.exe
2668	rundll32.exe

Loads dropped DLL 13 IoCs

pid	Process
2824	rundll32.exe
2824	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2756	rundll32.exe
2908	rundll32.exe
2676	rundll32.exe
2676	rundll32.exe
2832	rundll32.exe
2668	rundll32.exe
2680	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\PROGRA~3\\rundll32.exe C:\\PROGRA~3\\biaj.dat,FG00"	rundll32.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2824-3-0x0000000000150000-0x000000000017B000-memory.dmp	upx
behavioral1/memory/2824-9-0x0000000000150000-0x0000000000181000-memory.dmp	upx
behavioral1/memory/2676-21-0x0000000000110000-0x000000000013B000-memory.dmp	upx
behavioral1/memory/2824-37-0x0000000000150000-0x000000000017B000-memory.dmp	upx
behavioral1/memory/2824-53-0x0000000000270000-0x00000000002A1000-memory.dmp	upx
behavioral1/memory/2676-54-0x0000000000110000-0x000000000013B000-memory.dmp	upx
behavioral1/memory/2676-55-0x0000000000110000-0x0000000000141000-memory.dmp	upx
behavioral1/memory/2680-206-0x00000000001F0000-0x0000000000221000-memory.dmp	upx
behavioral1/memory/2668-205-0x0000000000160000-0x0000000000191000-memory.dmp	upx
behavioral1/memory/2668-499-0x0000000000160000-0x0000000000191000-memory.dmp	upx
behavioral1/memory/2680-510-0x00000000001F0000-0x0000000000221000-memory.dmp	upx
behavioral1/memory/2680-952-0x00000000001F0000-0x0000000000221000-memory.dmp	upx
behavioral1/memory/2680-962-0x00000000001F0000-0x0000000000221000-memory.dmp	upx
behavioral1/memory/2680-967-0x00000000001F0000-0x0000000000221000-memory.dmp	upx

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\PROGRA~3\jaib.bat	rundll32.exe
File created	C:\PROGRA~3\jaib.reg	rundll32.exe
File created	C:\PROGRA~3\biaj.dat	rundll32.exe
File opened for modification	C:\PROGRA~3\jaib.pad	rundll32.exe
File created	C:\PROGRA~3\as98213.txt	rundll32.exe
File opened for modification	C:\PROGRA~3\jaib.pad	rundll32.exe
File created	C:\PROGRA~3\jaib.js	rundll32.exe
File created	C:\PROGRA~3\rundll32.exe	rundll32.exe
File created	C:\PROGRA~3\jaib.pad	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Internet Explorer Protected Mode 1 TTPs 5 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	rundll32.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434946368"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{272E75A1-8906-11EF-B4AF-66AD3A2062CD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1596	iexplore.exe
1596	iexplore.exe
1596	iexplore.exe
1596	iexplore.exe
1596	iexplore.exe
1596	iexplore.exe
1596	iexplore.exe
1596	iexplore.exe
1596	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1596	iexplore.exe
1596	iexplore.exe
1184	IEXPLORE.EXE
1184	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2824	2772	rundll32.exe	30
PID 2772 wrote to memory of 2824	2772	rundll32.exe	30
PID 2772 wrote to memory of 2824	2772	rundll32.exe	30
PID 2772 wrote to memory of 2824	2772	rundll32.exe	30
PID 2772 wrote to memory of 2824	2772	rundll32.exe	30
PID 2772 wrote to memory of 2824	2772	rundll32.exe	30
PID 2772 wrote to memory of 2824	2772	rundll32.exe	30
PID 2824 wrote to memory of 2676	2824	rundll32.exe	31
PID 2824 wrote to memory of 2676	2824	rundll32.exe	31
PID 2824 wrote to memory of 2676	2824	rundll32.exe	31
PID 2824 wrote to memory of 2676	2824	rundll32.exe	31
PID 2824 wrote to memory of 2676	2824	rundll32.exe	31
PID 2824 wrote to memory of 2676	2824	rundll32.exe	31
PID 2824 wrote to memory of 2676	2824	rundll32.exe	31
PID 2676 wrote to memory of 2756	2676	rundll32.exe	32
PID 2676 wrote to memory of 2756	2676	rundll32.exe	32
PID 2676 wrote to memory of 2756	2676	rundll32.exe	32
PID 2676 wrote to memory of 2756	2676	rundll32.exe	32
PID 2676 wrote to memory of 2756	2676	rundll32.exe	32
PID 2676 wrote to memory of 2756	2676	rundll32.exe	32
PID 2676 wrote to memory of 2756	2676	rundll32.exe	32
PID 2676 wrote to memory of 2908	2676	rundll32.exe	33
PID 2676 wrote to memory of 2908	2676	rundll32.exe	33
PID 2676 wrote to memory of 2908	2676	rundll32.exe	33
PID 2676 wrote to memory of 2908	2676	rundll32.exe	33
PID 2676 wrote to memory of 2908	2676	rundll32.exe	33
PID 2676 wrote to memory of 2908	2676	rundll32.exe	33
PID 2676 wrote to memory of 2908	2676	rundll32.exe	33
PID 2676 wrote to memory of 2832	2676	rundll32.exe	34
PID 2676 wrote to memory of 2832	2676	rundll32.exe	34
PID 2676 wrote to memory of 2832	2676	rundll32.exe	34
PID 2676 wrote to memory of 2832	2676	rundll32.exe	34
PID 2676 wrote to memory of 2832	2676	rundll32.exe	34
PID 2676 wrote to memory of 2832	2676	rundll32.exe	34
PID 2676 wrote to memory of 2832	2676	rundll32.exe	34
PID 2676 wrote to memory of 2668	2676	rundll32.exe	35
PID 2676 wrote to memory of 2668	2676	rundll32.exe	35
PID 2676 wrote to memory of 2668	2676	rundll32.exe	35
PID 2676 wrote to memory of 2668	2676	rundll32.exe	35
PID 2676 wrote to memory of 2668	2676	rundll32.exe	35
PID 2676 wrote to memory of 2668	2676	rundll32.exe	35
PID 2676 wrote to memory of 2668	2676	rundll32.exe	35
PID 2676 wrote to memory of 2680	2676	rundll32.exe	36
PID 2676 wrote to memory of 2680	2676	rundll32.exe	36
PID 2676 wrote to memory of 2680	2676	rundll32.exe	36
PID 2676 wrote to memory of 2680	2676	rundll32.exe	36
PID 2676 wrote to memory of 2680	2676	rundll32.exe	36
PID 2676 wrote to memory of 2680	2676	rundll32.exe	36
PID 2676 wrote to memory of 2680	2676	rundll32.exe	36
PID 2832 wrote to memory of 1596	2832	rundll32.exe	37
PID 2832 wrote to memory of 1596	2832	rundll32.exe	37
PID 2832 wrote to memory of 1596	2832	rundll32.exe	37
PID 2832 wrote to memory of 1596	2832	rundll32.exe	37
PID 1596 wrote to memory of 1184	1596	iexplore.exe	38
PID 1596 wrote to memory of 1184	1596	iexplore.exe	38
PID 1596 wrote to memory of 1184	1596	iexplore.exe	38
PID 1596 wrote to memory of 1184	1596	iexplore.exe	38
PID 1596 wrote to memory of 2188	1596	iexplore.exe	39
PID 1596 wrote to memory of 2188	1596	iexplore.exe	39
PID 1596 wrote to memory of 2188	1596	iexplore.exe	39
PID 2832 wrote to memory of 1596	2832	rundll32.exe	37
PID 2832 wrote to memory of 1596	2832	rundll32.exe	37

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3d2b9a077b11241decf5340b88c80420_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3d2b9a077b11241decf5340b88c80420_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\PROGRA~3\rundll32.exe
    C:\PROGRA~3\rundll32.exe C:\PROGRA~3\biaj.dat,FG00
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\PROGRA~3\rundll32.exe
      C:\PROGRA~3\rundll32.exe C:\PROGRA~3\biaj.dat,FG01
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2756
  - - C:\PROGRA~3\rundll32.exe
      C:\PROGRA~3\rundll32.exe C:\PROGRA~3\biaj.dat,FG02
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2908
  - - C:\PROGRA~3\rundll32.exe
      C:\PROGRA~3\rundll32.exe C:\PROGRA~3\biaj.dat,FG03
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer Protected Mode
      Modifies Internet Explorer Protected Mode Banner
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1596
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1184
      - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        6⤵
        
        PID:2188
  - - C:\PROGRA~3\rundll32.exe
      C:\PROGRA~3\rundll32.exe C:\PROGRA~3\biaj.dat,FG04
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2668
  - - C:\PROGRA~3\rundll32.exe
      C:\PROGRA~3\rundll32.exe C:\PROGRA~3\biaj.dat,FG06
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cb960c72d00d7e2c03b86a823b0ab42

SHA1
59be79676455a97aac0bfff94f34657b0bc21195

SHA256
751fab147d7a775cf790ebc99c90a2888186bcb82891db1ef8cb2c8071680040

SHA512
09925edce3cfca5a4bdff94fdf13047e1c99beb328e7714344cfd0e602f40a2843bdc4ba393175ba4f79d31934284d09fea3b5fb69e5593b771e5e2d4c379429

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e98d8f471f1d5b23810c0657280397b5

SHA1
47b7921208bd5aa983b65ec16df946f19de6e0a8

SHA256
513a7925338a7437481bb07cf1ab2d325bd58062fa7ee533e1270f33eb8bc6ee

SHA512
e545f0ced3d82296ee26a6f09c36e7c9aa45687175cae41301d708913b03a3fc110ef4cd3b651d3bcb52645160f368afd1306f13a7b47b22e6e0d90c641ac392

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f0e9f297f2442147660ac0a1dd92735

SHA1
312d6d55ba7389a067ddd784bf80b2ca7580432e

SHA256
bb0f1bda8423994f8302474a5cde895f742909b2ed529f3f3e90f05cb36c18f2

SHA512
b8a8cc2ea275b27b43288a3167924700f9a7b1bdd726ab461b02ad4de734d4ee081d3f1dd5d78936616232a0914b3683fa4c272dafd458d089cf3080a9c47e83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fba37d34230bfe54028048f565d6f002

SHA1
9c24dfdd7579c530a1a0f32a1f6f1f5f67f6bc3a

SHA256
c84803dacb37e8548e89c0287c520f2a45e24121a281037b0a4f7e337c236090

SHA512
51f99cd07a6a8114c93f1b97cb67b7d218e8c288687a798d7be6ace6bae7d262a4a20a6df776840b1e831e0b5cd7b9c106fbc7bc15c3e3d3072885bd968ea5e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aac6b52b4a517533da21eba58757c302

SHA1
cbe66c9e1b00d5971ccb21e56658ee3ba7d1b192

SHA256
2f9adde5000e03580339dac880a2f0fa0063edeb0defb62a482dab7bdd8b2ec0

SHA512
0d387c1b2cbe4c9c53e7ecdba82217890141e11a6ec69252a7905ef7448dadcd22c19ecc7458dd188b844dd0a6bf408c2474f690477da3ac1437386a02a16129

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
661bc067cd0cbf99e01949222c605f6c

SHA1
8ee97cd87dafa5565ecb82ba6f5a97abc9874874

SHA256
da1f4c4ac5bb714b265e7d516c7377d539ffe63bfa721dcdf6825b73264f2464

SHA512
b7b20f87aa492c3a5fd8f43ce2eda0924d45c633f70262ec189bb574a369f4e82ddffeffefec4dbea7cdf8016cd7cac0d7cf99b8886af2a127d500d35a6ba32b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
761707dbe638be75f443c91d9955d0c6

SHA1
e83e03ee11f1eb0886826db2a1a77b7d5c9143f7

SHA256
30ec6009fcaac733c9468bd33831397edf8b86b8fd0ab041b9031a87bf315021

SHA512
1b6b7e76811f1686c69566957701352cbe10f60dc44d8aeefdfe2cb4d257e2b24c8194bf6a13216f22e74f3720d762b1fb6813d8fa48706ed623e01d5f8afdb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a03c5b135688407b724511a44febefc0

SHA1
4652dd5139e193e99ba6a8b08a75c7862a381c0c

SHA256
b03772c728579995568a2cadbc6b7e196039ea65d95f908791c61d8843f892e4

SHA512
9985d2bd0aa8b80adb8609d57e19222193f6f48be264e6b24d7fe62f966384ac9682629643016274460ae170957c9604ca2bfc79f94615168a71abf99decaae5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f1f8dcaca0d5b4b85c392f5c6b9b0f2

SHA1
a4ee66ab936a1defebaf66487665b4e06de83a4c

SHA256
92a18f7a57a788de700834e1501a0547c1c4afeb31768321f2a125289d45ffd2

SHA512
26bdf60312142e1b48bae0a45abb41fbc71f5d0ab92cf18ed02166a7426fba6e983789a33c7ec0c23ebb63d1e19d551ce31653e7c1ce96f17ca71b46022e81c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e70a9d15c14738c22db2fc890d3dc3b5

SHA1
0481f6e5c1761ca13fee56743bd3f840a695ec9c

SHA256
f7979e4df8617e76dd35b0581891b6c944fdd0872105b164526cfac825a3a4be

SHA512
3a6f02df05bc64bb1efd63ea79e420c76b10903b400abe48f45e279f9037fb16e2c1bc6739f7376d63e730f096cb46f5f2aa3ce44ea42a0ad74bd119943505ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0706a628623875a12008c1e3132ac8e9

SHA1
84cd61142f64894145f2c1d50c21322af122512a

SHA256
ead5599467ed7abb221be950409acb28491a3ce6032dcd8a2a4725c342e9db1a

SHA512
8bc23be65775d33b28a8de6488ad68561704d4430257c9173bb9c6fa0cb869b4c593f788ebcbc920da2f8f929e2aed85105509a0c67d5a6fc08b5df538f2abe0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fb8161f8f96cd653a1f05a313d442cc

SHA1
34f463d3f1125655093ef8cd2f0fa4ea58b820f8

SHA256
325b6aafbd599e13bd7059c322ee72b77663146f3bbe847a1f136ffd77a2f57b

SHA512
c7b4fafe0c512ca375280674b7833561f422b8d7639a883a5fe417a112abbf721354b54c22277998d322520ab396b2a00f33fdcb248819c24e199dce9da563d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1edab38a47b711e18afdf6ca68fc8933

SHA1
4943be7e7d11a86c2e431a3175d7ebe704c84935

SHA256
3ff999bfcf7c757a0baec0844e3d31f59d9a6515417af92f02128bbb1e8e2564

SHA512
08467b4fcd0e05743e4d9b861d8211724abe7b101f0c70f1435593c96d3e09ded7b019c73125079e5bc2da6ca78694f09ec952edb78b4322411cf2336cbbc14b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a916bf9be8b3ca487a14c2102b2f657d

SHA1
442a63186771e6590c51bddfcce321014bda2de2

SHA256
4c2df1b1d97be7dce97f6de377277b9d11f64f5dfb6ffa58eae61995c6b86c7b

SHA512
255a91f3c798599a473a1bed88ddf9b9e4cd305e16d82ddee23cac3f066ff60e42c528a21ed1abd63e7b4ee4bb588ce03f2106e2e253b06c157b1aec66225b25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8dc21ce3727670bef0ccdc2144de3fa8

SHA1
7f7a99809daa8fe37f362ae28194dc4478434e2d

SHA256
0a0e65f9613e6a912cfaf7e4a442dc397051a203ba9aeea699d1e08b96aca816

SHA512
64b8a07f7f7f59c134c18d996489f4713d0808163ef397293b909eb2dd6a0e5b70a398cf07736d3a47d1a8ebd9fff935c3a35d170a191c8d6f86a45612b81144

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b58728cb9c7f94f245f72e8f9263e6af

SHA1
d3d20eae5af4a71b3a2ced083d2439287991e8f7

SHA256
98ef326413bc9e9ecbfcd69c088f76d830f23bf642cd919b370dcb656d461eec

SHA512
78f6c896f1eb715614c1df149a662f49243594de069793f8f5eec959a89e7feac97b36939dbdc8c3dfc66e2f557a419e9a5ffbfcfa589d23b1043e9c3eb3c0b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51b8ec7d40a329e80afef9d066097346

SHA1
91a95a4d30e3dd18328b952026e5db020f68782e

SHA256
1032cefccc992ab2f9eefbe9f8efe1c3bd3665cd5079c23fb00c308f796ca0d2

SHA512
540611ea7d4703a1149d6ac2602e795f749fcb189910a1bc8543fe80e9b851a58eabdd51619dd4ef9faaa130eb389acb029ed380c90456472f1ac1a1e716450d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7cbc81f2b429609de48334b5d3511d0

SHA1
f7b1451e3128285b4be9a57d5edecf861f3aa1d8

SHA256
7667386e656c4c983067082aa2690c2975e404bd7b4b53c02bc9d7e8fcbfcb15

SHA512
bb546fac5ea73b8d066c636f3478a90fd8c82e66f62307569f3d2c183927d2edac645f3ce9c0f234c0d10644918cb34b8eef1673e2317521ab45eb6fc4261ba2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
067badfd8b3f00a166f68de88ab39f62

SHA1
c4c13b0ddbd7d0d4a9b95df8e236aa3193cdea03

SHA256
3977a259c4370279f8aab9d44e1ba6236f680759760ed14d1670f1f3cb019ef8

SHA512
7ba8bf65b2b2b918e710f6edf859a494b6a444a47b4a9f5d5920231b77f2b7086ac528e1e539cf8990551eb266b0d6dd0d9527aa815c3567dde67b2a515d6c8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77d7437261634ffdc066969c941fe253

SHA1
dc0dc79569adbbd689e7571a99bf245e06a15f6c

SHA256
1d4b8875345d4559d1f9d80d9ccc907b83ea6765d5713ecd3057aaf9e59dd420

SHA512
a5ade5d031e0223cb43372ef985bf85874b7aba501c97d48c685ee9b29e798fe5e2e826f97073d4ac66a5548d40e3037b0b1657f691beceee5bd28a8d0b850db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8F28.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8FF6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\PROGRA~3\biaj.dat

Filesize
94KB

MD5
3d2b9a077b11241decf5340b88c80420

SHA1
15c283e0022c6f6a41f77bbf34ec3795aa784803

SHA256
82862b63e98f31321f6606f83b1530d7b7b690022a21fb91ea7630b4f7bc2e95

SHA512
53cfb950e9748bb9931bb6d0f4fcac73cee9401cda869f3932cf042716b608a1ccb9059620e455e13437cd7e52798db3392d872c69785839f4f26b35ed336294

Download Submit
\PROGRA~3\rundll32.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/2668-499-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/2668-205-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/2668-48-0x0000000000160000-0x0000000000191000-memory.dmp

Filesize
196KB

Download
memory/2676-55-0x0000000000110000-0x0000000000141000-memory.dmp

Filesize
196KB

Download
memory/2676-54-0x0000000000110000-0x000000000013B000-memory.dmp

Filesize
172KB

Download
memory/2676-20-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2676-19-0x0000000000110000-0x0000000000141000-memory.dmp

Filesize
196KB

Download
memory/2676-51-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2676-21-0x0000000000110000-0x000000000013B000-memory.dmp

Filesize
172KB

Download
memory/2680-962-0x00000000001F0000-0x0000000000221000-memory.dmp

Filesize
196KB

Download
memory/2680-952-0x00000000001F0000-0x0000000000221000-memory.dmp

Filesize
196KB

Download
memory/2680-49-0x00000000001F0000-0x0000000000221000-memory.dmp

Filesize
196KB

Download
memory/2680-510-0x00000000001F0000-0x0000000000221000-memory.dmp

Filesize
196KB

Download
memory/2680-206-0x00000000001F0000-0x0000000000221000-memory.dmp

Filesize
196KB

Download
memory/2680-967-0x00000000001F0000-0x0000000000221000-memory.dmp

Filesize
196KB

Download
memory/2756-35-0x0000000000190000-0x00000000001C1000-memory.dmp

Filesize
196KB

Download
memory/2824-9-0x0000000000150000-0x0000000000181000-memory.dmp

Filesize
196KB

Download
memory/2824-22-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2824-37-0x0000000000150000-0x000000000017B000-memory.dmp

Filesize
172KB

Download
memory/2824-0-0x0000000000150000-0x0000000000181000-memory.dmp

Filesize
196KB

Download
memory/2824-8-0x0000000000270000-0x00000000002A1000-memory.dmp

Filesize
196KB

Download
memory/2824-3-0x0000000000150000-0x000000000017B000-memory.dmp

Filesize
172KB

Download
memory/2824-2-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2824-1-0x0000000000150000-0x0000000000181000-memory.dmp

Filesize
196KB

Download
memory/2824-53-0x0000000000270000-0x00000000002A1000-memory.dmp

Filesize
196KB

Download
memory/2832-47-0x0000000000190000-0x00000000001C1000-memory.dmp

Filesize
196KB

Download
memory/2908-36-0x0000000000190000-0x00000000001C1000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads