cycbot | 1cf16901d4b1c5771c9106bb40ff5363fac71e04bf953b6dbd318c99549f763b

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-01-2025 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
Size

194KB
MD5

acd48f9e8580371de9bd5c4f766abcd6
SHA1

f7fe934fc644c7d7476bbde7aed3589ac1d36e63
SHA256

1cf16901d4b1c5771c9106bb40ff5363fac71e04bf953b6dbd318c99549f763b
SHA512

d4f741c6ca217da107a23c10dcfb7dee3af592f255dba55ae800018682e64fcde7cdf1376f45963f7d7de7b4db4db26ca54e309d64f00c3756624cd7e41e6059
SSDEEP

6144:Twz8li9ir/ur/qodUb2YY0aSYK+QG3GZx/v:TSUrmrCodunYON+QOGTv

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 10 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/3036-133-0x0000000000400000-0x000000000049D000-memory.dmp	family_cycbot
behavioral1/memory/3036-132-0x0000000000400000-0x000000000049D000-memory.dmp	family_cycbot
behavioral1/memory/1724-435-0x0000000000400000-0x000000000049D000-memory.dmp	family_cycbot
behavioral1/memory/1724-625-0x0000000000400000-0x000000000049A000-memory.dmp	family_cycbot
behavioral1/memory/1724-626-0x0000000000400000-0x000000000049D000-memory.dmp	family_cycbot
behavioral1/memory/3004-739-0x0000000000400000-0x000000000049D000-memory.dmp	family_cycbot
behavioral1/memory/1724-745-0x0000000000400000-0x000000000049D000-memory.dmp	family_cycbot
behavioral1/memory/1724-911-0x0000000000400000-0x000000000049D000-memory.dmp	family_cycbot
behavioral1/memory/1724-1230-0x0000000000400000-0x000000000049D000-memory.dmp	family_cycbot
behavioral1/memory/1724-1348-0x0000000000400000-0x000000000049D000-memory.dmp	family_cycbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\766E2\\6041A.exe"	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3036-133-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral1/memory/3036-132-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral1/memory/1724-435-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral1/memory/1724-625-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral1/memory/1724-626-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral1/memory/3004-739-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral1/memory/1724-745-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral1/memory/1724-911-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral1/memory/1724-1230-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral1/memory/1724-1348-0x0000000000400000-0x000000000049D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ForegroundLockTimeout = "0"	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ForegroundLockTimeout = "54522204"	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe

Modifies Internet Explorer Automatic Crash Recovery 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0893bdcb869db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000257903e589d57e4ab535472a241f309c00000000020000000000106600000001000020000000b2c1c7f519269ae38d6110f704aa4916eb5c553fb414175349fd10fadfc474e4000000000e8000000002000020000000ccb664842e7342d095356bedaaf7b68d976976cab2e3431242caaf7182aef7db200000001e04232261b5f0154ec7f60ece2e3fc37f452c28f1ca160133452fc63be1468c40000000884202343ef2f961e0b5cf3e52491115510a9f45f20e51b9ebb38a5f6fab21406dce666a6c1e1fe2b560249d7f487fd88dc6d24b6e6c0429524bf550bb9b8f21	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000257903e589d57e4ab535472a241f309c000000000200000000001066000000010000200000005d50ce3485503640c2e18cc5e1d014a58dfda8a1ee20352c22cf315b01f897d5000000000e80000000020000200000004549d9f5bd1f3b3a9adac01a77c14900075d9471649e7915f77481ebc770463090000000896f34e925bced4fce4c3991cd00775913d0bdbc8148afd3316590fc9cabd497eaabce78f923ceb33aa4ff42fe480f0329d10decbe6e9bebb0a864472fecae37cc5ade97ae86b516e1ea001c475d96b369bc5efa937a82fe1bae5dd4497a5357d078b1ffcce2ee7d49a32421af8b9adfef4f7b56f44b0e2915d93f77e2f94f5277f410fde12e82eec4b269c8878ba74840000000234fb0f8c39c603271cbfe7a552b13d257a279738c4ad228b669da940422a4dd9cff5233e9b0a53bc79e1e14c7448d36d3998cf1f5f9e6215938c305798f0d66	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443373914"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{10E31F11-D5AC-11EF-94A4-62CAC36041A9} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "about:blank"	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1152	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1152	iexplore.exe
1152	iexplore.exe
1260	IEXPLORE.EXE
1260	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 3036	1724	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe	30
PID 1724 wrote to memory of 3036	1724	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe	30
PID 1724 wrote to memory of 3036	1724	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe	30
PID 1724 wrote to memory of 3036	1724	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe	30
PID 1152 wrote to memory of 1260	1152	iexplore.exe	33
PID 1152 wrote to memory of 1260	1152	iexplore.exe	33
PID 1152 wrote to memory of 1260	1152	iexplore.exe	33
PID 1152 wrote to memory of 1260	1152	iexplore.exe	33
PID 1724 wrote to memory of 3004	1724	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe	35
PID 1724 wrote to memory of 3004	1724	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe	35
PID 1724 wrote to memory of 3004	1724	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe	35
PID 1724 wrote to memory of 3004	1724	JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe	35

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer Automatic Crash Recovery
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe startC:\Program Files (x86)\LP\1A97\AC3.exe%C:\Program Files (x86)\LP\1A97
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3036
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_acd48f9e8580371de9bd5c4f766abcd6.exe startC:\Program Files (x86)\E2126\lvvm.exe%C:\Program Files (x86)\E2126
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3004

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1152 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0060c8d33659742774cc5ac904318fe7

SHA1
24972749d040bdbd289f4b10db32e93b63511a15

SHA256
16500e3808124f37dcd9fa2aaacd521aa52c05821eba86245a128ffb0753d1b6

SHA512
35a4890fcfb36acf88fbeb48af2434c3f6fa5467bd51de8a667b53034bf2e6e2bc00eb12e67eb6d200389245aee68b16dc32b740f02bb4045eb1e32846eac9da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a267ca9aaf66b76aae21f10cd787248

SHA1
d0b1f301bed665382b5fc75e7666436d27d0eb46

SHA256
6a662376afdb963839ce95a62cd8d61a9a15706c9465f78dd7d71b7ae2f9c369

SHA512
001e5e2f277cd42399cede2f6306f10a0cad1ef037f3dd60b0e517739db305142beac8031b6145def7acd93b9ac477bf1fa1afaf5f780914237ead18aa070d7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c130804944432e9283a0f8731651f776

SHA1
2ce3a4031a7a9fd4b072e05f2c7841e4ba08ba94

SHA256
8ef9fdfa6f04ab8f4e85f02d5888ed63cbf7afc36dcebe295837e322fc58f657

SHA512
4b521890f830227d729c00205fafa7fcb126dde44f3dcd26019e11a9d6fe46641cf5a95fcf267620b26a6d185eb8fb73d7a7403febb7344ef8047f10608cbe0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe17de2251c055b99ab51fd186c8cd30

SHA1
d4aa23400f5743593c41f1104d9f30b33c73dc85

SHA256
fab9c4a9efca7ea19eeebd0285b849adb43bb8c7cbf685ad39661d6084d9213c

SHA512
16f8eedbc8e538f31b0621d4e424f4f66bb183244698f5d7bc4296fe0af0b8a8696df39403bba494804839257d7f6f9dac5eb101215ad670279650340595a755

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2a186d73abfce0d961ef0151296a390

SHA1
c0735e7320c044451fbb8255134b70f1108d43cd

SHA256
cda6a2c69bcbdcc71bca8386de05870a78b403ddfa8a945984fb2af28d09c60c

SHA512
d9ed0eae76482a892457f7df9060034dd39e0f6ef26fa40d16d519c3e941ffd15b53c6ac7b1aee9eb3f64d71085833c732b736468cb591c141dfd6b85fb322c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fb3a7fee3e37ff9ac93987fe89e9a69

SHA1
9945ad19690b9d0349f67ba9f56527c5b8fc606a

SHA256
5e0e8801bdfd85303db32d6a377c4569678a96f0e9f4d9df86c8ef835c40783b

SHA512
b7e1e1dfcece9f4ffd8c76d41cad2e1e950d2bc1c42eda46f28e534964a85d2d3362c4dad1e2e8cdd645548192981a8a707289e846b924cbbc9a6019e229691c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1afcc9ed8cd85f10a73e3746f686a741

SHA1
ba97a83f4b24d949791bcb1492586c4e8bdf19fb

SHA256
3887671e15e1b69df15fc11cd04b91e9f8af572358f4201a0bac3c3788fbac41

SHA512
ad69e4f855be0dc5dfb6849f45727d581bcee96df591b1536ba2d391eb0a7b2f591080e052aa33a6572326e0e8e040041d2d8d8670e5ddb0b992fa77d8e22623

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f4217b61c3249c9750f1bd4727827b2

SHA1
7038548c39447324b23ae5ef476feba80d382ac7

SHA256
4ba6a910e70903625e08dbaf144d06644d3a64f5afc1a8fca294920a230a16f2

SHA512
2eec516b5cddae8b7fa6ae2dc3679ad55bb22bc11b77281717e1456e71f558aa6208e16b1de0cd6c0dd2aa4aeaef6dbaf5fb9f05622c66fd01b7945ad35c6fff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3601db26aa5b10215c9bf5abdb1590e9

SHA1
f7b19132ef7d6f368011018c3502291bc4c4a799

SHA256
0d1e584aa2aca0b57af265b7226977f11f41274b473da7a108da68211828c0dd

SHA512
0a74a15fa77f15b9acb15ad189a782021722980ee737d3f2ae98a4efaa8a2b5b6080be6bf479e88c5c9cb934a380c35f6626b72c74bda91ae061a96255a6415c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0534c2dca74c0327298304169de7e850

SHA1
6f5f871af98defb9aa138828dccd14516dddbb81

SHA256
632fed91eab825d500114671483e4b9a20464d20c2b3d1f7d72977e9f7eb5d4c

SHA512
55d2fb145daeb55569e5e8f35fcfbb4c6fd978fbf1b44a7d11e24896120c92f5b70f3e6a9f38e162b865ec1400e8be809ad3110d610e6429555cb106fe246b68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8928ba793b8d783544c0cef39ecdcfac

SHA1
7669520253a84daec55b501de58d70bdea2f669c

SHA256
976d07caf7e77d93985e55f149f1417451c201918a8adba619aea3c626e3ddc8

SHA512
21db3ce32a8d307858e781cb47480eb0eeb53112bdc7820a4ac40b9feab296dee29f85800d27048a17ee653bb47bcc2b38824af50755820f32313efae9d5d07b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2be5efbd82b061fac4dbee92a27ab3d

SHA1
36a40fd25a9c6278c737b42f1a0a48788047bf72

SHA256
875066c1cc913be701c7912986dcb4601d2c3998bcfd30a3883971d7ca85c16b

SHA512
b06db3d1096246526d859ee42b587555c3ab126cb10f6f3733582b1c3dd1ca9207dc8194ebc441f0653933f009a24fa5da768a9c24550fffb5e75f8d3f253831

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81e7319354023fe7ff70a66b344d0565

SHA1
25d343763bcc09e9d1ec82cdb95efc1fe183795e

SHA256
a1640579c32b443536c090bbad82ce4d57d3fdcd37d922a977793ae6bd256af2

SHA512
ce8446c8a33af12344dd70d9f50dc19b6558ea38601a5c0d9213a9c3a4ad16b4803005faa366e66bc68aa8fbe395301c0d942178a0f833ba02cefec9ebd6d3a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4296e149e6381123a3443b12f86bab3e

SHA1
e620cf0e83426a91da06f4ebb2c08a190fb135b6

SHA256
8799ea870dff0a5ac5ab586f5b10a2dd4950c256e8192113f976ddcd01a59d40

SHA512
0d671745f2a536fc4ebf0db70c636f0b7d4f6a2abb619be0a05228e779b188913bf597e17af7f73393ed26351193bc4f9e89d0d32ab08b2c42b36d1d4fe01e24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e61f49ac97006824eee0f5c16c929b36

SHA1
73716af7fdbd0a5cb564fd4f5f5ff198838d437b

SHA256
944338b6a38294e8d68deb314c7da8a68b025fd858920c55c16e20affea1311b

SHA512
4996378e12be2a0173c11183ec4f0f6bf534210263454b9b634dffa18a697a38441c0e989b520101d6715295a97d797f7714fad12014a493ad5cd95efc787f23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ff0e7d4491edb7739f661dae7baf380

SHA1
9a20a1aeedccaa997aa0e0197c156c317c8704bc

SHA256
52e78e9ad11bcdca60612e472d95420128d49dfb7bd0d88651245b4076915b41

SHA512
2a4a0d88670e2c0b22e98d7c67ec4b1fc77b13a4b845ec6983f3632df39f039a533ff7d28f3f5e7b7e3aa32ba4cdeee9c981cda7cef703388c92abb2fc34636b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76a19b0c551e5e5bfcc3e3b022d01d13

SHA1
7147dabaa2fad35cf62b9622868f839812284417

SHA256
24cf260bda2c71663d3a3bd21d038cfcc3a70f4c5b55b0c97ea441b4b046ca93

SHA512
e3bf764cfc95f5b81a4415e5f0585cb8c1e4545b306bbd7939ad26b3c5be384657aaecad527eaf5924bfbd88b6819d4733732ea22e290278745702ac21447b13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6614fda7b42f3129090ab3dc9f20fdd

SHA1
54a7678bb89ba77d21d58678c0f085198384eedf

SHA256
94cb377712e2b318c603ae5a7cfc8d3d215045c53d54cdd326ed0a7eae50d761

SHA512
08562156decf62a061fc8c89bfb05988c491b7d11bc64af52a7a37206080b231a229cba9b2ab90b0f48023688606fbe40e322b6f4e5c6db8f044714dccaaf172

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26ccb8a1c6aa835bd4662984248519be

SHA1
c2081da412ed2816410d59025847423d43cd0608

SHA256
5b71438b3b9bdef317a93e53fd447fe23d67118c73e5aed012b3d3ccf892d411

SHA512
d79a849c01183fc1cb1b59659471d622a03d110bf81ebaf0d367eeaaeeb995f328fd9164392df00e082b3f5a4fa2082fb8ce19d07bd7784ddf718b6949fca8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC728.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC799.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\766E2\2126.66E

Filesize
600B

MD5
f1c8c59b29dcfde9fb2781608afa606f

SHA1
ff453784ad101af8f9462f587e81c839e42aa47c

SHA256
3e23e6464979fb080d45f283dd8fcd53e306f8866d757e8743b97fe34f819f37

SHA512
7aa7a3f4e53dfc138b5cb24f397eb1518b45ccb00ee44f44a13dd33a4673afb7b524f82db40caf26ea0340120c446d33935e5540433d87a530a41545e2d63fa9

Download Submit
C:\Users\Admin\AppData\Roaming\766E2\2126.66E

Filesize
996B

MD5
4a4e15f90c120ad4caae587dbaacbae1

SHA1
8b5f6db783098082aa4b8126826cdb2a331a71ee

SHA256
46b8d42c7bcb5225a16a4674a2c8200ba56d77f3ef0d2ad4d032fe0e3bfaaf7e

SHA512
03b549f663ef1a9d63955385623c7003c0fd3191233841f3386fa6198d0f05cfbee3ff954eadd2aef1fc7c2ff7f329b663b6a1daf680986a34a77325adfb66f1

Download Submit
C:\Users\Admin\AppData\Roaming\766E2\2126.66E

Filesize
300B

MD5
7718b87b417d9e3f8f720fd724bf1674

SHA1
aa7e7175aa597d92a127c85d60e7ac4f604eef67

SHA256
493ff6363582508b5acdf83b0ce01e74342142075daf2e0cc2617fb8f03de2d7

SHA512
9705ba4d09b86be6d4a5dcf714b6a3563f5d2c01c2b5a18dfe424c80d28293fb2ad075490c4502afa6595bf3c8f55287d1e488e53439fb2f9255e8dddd1142b4

Download Submit
C:\Users\Admin\AppData\Roaming\766E2\2126.66E

Filesize
1KB

MD5
ab31c4d19bfd359100d4b79b2703c02f

SHA1
631f566114b0b8756a9c5fb0bc1e5254384fe25c

SHA256
6a88bb1fa0be6531b324597346c287b11e2e280eb5b85cf07f12b6e59711773f

SHA512
ae5a0c6c81d2999923d809c8a23cd2cffa6c2d21f90e4fa83f642f280e924daf049aece2e14a13c36423079cbf945175fcaab1379e1da57651cd7009af5fead8

Download Submit
memory/1724-911-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1724-1-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1724-1348-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1724-1230-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1724-626-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1724-0-0x0000000001C30000-0x0000000001CB4000-memory.dmp

Filesize
528KB

Download
memory/1724-625-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1724-2-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1724-745-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1724-435-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1724-128-0x00000000003F0000-0x00000000003F2000-memory.dmp

Filesize
8KB

Download
memory/3004-738-0x0000000002040000-0x00000000020C4000-memory.dmp

Filesize
528KB

Download
memory/3004-739-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3036-130-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3036-129-0x0000000000320000-0x00000000003A4000-memory.dmp

Filesize
528KB

Download
memory/3036-133-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3036-132-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads