90a2ee1cff7330a31151eb182c99a8b9b1d4aaff77ba7d33f58ce78a9cb89f7a

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe
Size

998KB
MD5

02455eb202490e96ba12d213d1bc8caa
SHA1

a4154de3f1b636e73367d7cb9ec9b671e4cdd5b4
SHA256

90a2ee1cff7330a31151eb182c99a8b9b1d4aaff77ba7d33f58ce78a9cb89f7a
SHA512

0292b2170933fa2c0c0eff3b6787194d11de9f1a3a0a7bdf00265d95e429de0e09db736137592b42b762588a76a576f381b947b6046b93a13ddf3662bf26e623
SSDEEP

24576:ElcMHEslTdZzMRwOaI1Nv1EW36IzS2NNCOPVbZe5y:E6MrOaI1NSW3fzS2NNCO9bZe5y

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

congoo28.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation congoo28.exe
Executes dropped EXE 2 IoCs

Processes:

congoo28.exesky_watch.scr

pid process

3076 congoo28.exe
6240 sky_watch.scr

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	congoo28.exe

pid	process
3076	congoo28.exe
6240	sky_watch.scr

Loads dropped DLL 27 IoCs

Processes:

02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.execongoo28.exeIEXPLORE.EXE

pid	process
4388	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe
3076	congoo28.exe
3076	congoo28.exe
3076	congoo28.exe
3076	congoo28.exe
3076	congoo28.exe
3076	congoo28.exe
3076	congoo28.exe
3076	congoo28.exe
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

congoo28.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D24F0A0-EE10-4edb-A2DD-C739C954C07F}\ = "XBTP04910"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D24F0A0-EE10-4edb-A2DD-C739C954C07F}	congoo28.exe

Drops file in Program Files directory 64 IoCs

Processes:

congoo28.exe02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Congoo NetPass\msvcp60.dll	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\version.txt	congoo28.exe
File created	C:\Program Files (x86)\clock-desktop\sky_watch\clock.url	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe
File created	C:\Program Files (x86)\Congoo NetPass\msvcrt.dll	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\CVS\Entries.Extra.Old	congoo28.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\CVS\Entries.Old	congoo28.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\CVS\Root	congoo28.exe
File opened for modification	C:\Program Files (x86)\clock-desktop\sky_watch\uninstal.ini	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe
File created	C:\Program Files (x86)\clock-desktop\sky_watch\uninstal.exe	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\clock-desktop\sky_watch\uninstal.exe	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\favicon.ico	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\favicon.ico	congoo28.exe
File created	C:\Program Files (x86)\clock-desktop\sky_watch\Clock.ico	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe
File created	C:\Program Files (x86)\Congoo NetPass\congoo.crc	congoo28.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\options.html	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\premium.bmp	congoo28.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\version.txt	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\affid.dat	congoo28.exe
File opened for modification	C:\Program Files (x86)\clock-desktop\sky_watch\Clock.ico	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\icons.bmp	congoo28.exe
File created	C:\Program Files (x86)\clock-desktop\sky_watch\_ci_gentee_	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\autofill_plugin.dll	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\icons.bmp	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\NetPass_logo_toolbar.bmp	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\options.html	congoo28.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\yahoo.BMP	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\autofill.cfg	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\congoo.inf	congoo28.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\premium.bmp	congoo28.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\close.bmp	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\msvcp60.dll	congoo28.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\msvcrt.dll	congoo28.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\NetPass_logo_toolbar.bmp	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\searchbtn_stub.xml	congoo28.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\whiteList_plugin.dll	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\whiteList_plugin.dll	congoo28.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\CVS\Entries.Extra.Old	congoo28.exe
File created	C:\Program Files (x86)\clock-desktop\sky_watch\dc.ico	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\clock-desktop\sky_watch\license.txt	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\congoo.crc	congoo28.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\searchbtn_stub.xml	congoo28.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\CVS\Entries.Extra	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\CVS\Entries.Extra	congoo28.exe
File opened for modification	C:\Program Files (x86)\clock-desktop\sky_watch\clock.url	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\congoo.inf	congoo28.exe
File opened for modification	C:\Program Files (x86)\clock-desktop\sky_watch\readme.txt	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe
File created	C:\Program Files (x86)\clock-desktop\sky_watch\license.txt	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\about.html	congoo28.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\CVS\Entries	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\CVS\Entries.Old	congoo28.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\CVS\Repository	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\CVS\Repository	congoo28.exe
File created	C:\Program Files (x86)\clock-desktop\sky_watch\readme.txt	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\autofill.cfg	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\close.bmp	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\congoo.dl_	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\yahoo.BMP	congoo28.exe
File opened for modification	C:\Program Files (x86)\clock-desktop\sky_watch\alien-clock.ico	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\basis.xml	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\basis.xml	congoo28.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\congoo.dl_	congoo28.exe
File opened for modification	C:\Program Files (x86)\Congoo NetPass\CongooNP_toolbar.BMP	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\CongooNP_toolbar.BMP	congoo28.exe
File created	C:\Program Files (x86)\Congoo NetPass\about.html	congoo28.exe

Drops file in Windows directory 2 IoCs

Processes:

02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\sky_watch.scr	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe
File created	C:\Windows\sky_watch.scr	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\congoo28.exe	nsis_installer_1

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\Desktop	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\Desktop\SCRNSAVE.EXE = "SKY_WA~1.SCR"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\Desktop\ScreenSaveActive = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\Desktop\ScreenSaveTimeOut = "900"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.execongoo28.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BEB0EBDA-0442-11EF-BBCF-DE4765EB3FAF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\MAO Settings	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\MenuText = "Congoo NetPass"	congoo28.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75} = 00	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}	congoo28.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2bd61ee0af3bb438d93a4958c93786e00000000020000000000106600000001000020000000c6906449c0c71d2797a37118482409aa1aedd0e749a652fec9833265053c4d01000000000e80000000020000200000002c678b4cafd725cf9fa441b2cf08fc720116754451dda1d59a0a22fbaf1b469e20000000209e2e12f460219cf5240cdd9285923c87ec7157ff61af6cd80d11bb77f4e0d640000000fa1ff5a8ba98ad53cc14d851da42ddf134f89957f34dcf02a6bacb54107b60a6b8ba4ab0846c289d8830225a6fa47af737fb248fb68b388434c095db617e6c18	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e0100000600000009030000bd0200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ccd5f64deea524b8cdbef33692a2e750000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40c56e9a4f98da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\HotIcon = "C:\\Program Files (x86)\\Congoo NetPass\\favicon.ico"	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\ClsidExtension = "{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}"	congoo28.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75} = 0ccd5f64deea524b8cdbef33692a2e757b31394642373243452d394333422d343862392d393032332d3941374532334335343936307d00	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001001c00000001000000010700005e0100000600000001030000bd0200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ccd5f64deea524b8cdbef33692a2e750000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 57d08bfb6192da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "28"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0"	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\MenuStatusBar = "Congoo NetPass"	congoo28.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420348885"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\SuppressPerfBarUntil = 0d9948b51899da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "Yes"	congoo28.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\ButtonText = "Congoo NetPass"	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}."	congoo28.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 500a6a9a4f98da01	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\Default Visible = "yes"	congoo28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\Main	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\Icon = "C:\\Program Files (x86)\\Congoo NetPass\\favicon.ico"	congoo28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001003300000001000000010700005e0100000600000001030000bd0200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ccd5f64deea524b8cdbef33692a2e750000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2bd61ee0af3bb438d93a4958c93786e0000000002000000000010660000000100002000000088dfb99cc1bba95812946e24fb97eed27761f1774184efaa51c96bb06d8ab78c000000000e8000000002000020000000bae2cda47ecad89a4d825a5f0566bba17f36c1a3280d5c62a805fb047f75741a200000000b22f2288850eacf161ff8644d6eaebe567d0285895868e10a29076eb7be1435400000004970d7bdffe2d0121fa878586b5c89503f81b25e78c08c8dc6a0a657e3f829bc86da7247eed0c2819ab585d12ce57b24de167288f767ea137d1ba6c60a66bbaa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies registry class 64 IoCs

Processes:

congoo28.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB04910.IEToolbar\CLSID\ = "{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}"	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.XBTP04910\CurVer\ = "ToolBand.XBTP04910.1"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB04910.IEToolbar.1\CLSID	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\InprocServer32	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D24F0A0-EE10-4edb-A2DD-C739C954C07F}\InprocServer32\ = "C:\\PROGRA~2\\CONGOO~1\\congoo.dll"	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D24F0A0-EE10-4edb-A2DD-C739C954C07F}\TypeLib\ = "{C964457A-E753-43f6-A5AB-70033A479BD1}"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C964457A-E753-43F6-A5AB-70033A479BD1}	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\ProgID	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.XBTP04910\ = "XBTP04910 Class"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.XBTP04910.1	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D24F0A0-EE10-4edb-A2DD-C739C954C07F}\TypeLib	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C964457A-E753-43F6-A5AB-70033A479BD1}\1.0\FLAGS\ = "0"	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Congoo.Congoo\ = "Congoo NetPass"	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Congoo.Congoo\CurVer\ = "Congoo.Congoo.1"	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\VersionIndependentProgID\ = "Congoo.Congoo"	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\InprocServer32\ = "C:\\PROGRA~2\\CONGOO~1\\congoo.dll"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB04910.IEToolbar\CurVer	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\TypeLib	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.XBTP04910\CLSID\ = "{4D24F0A0-EE10-4edb-A2DD-C739C954C07F}"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.XBTP04910\CurVer	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D24F0A0-EE10-4edb-A2DD-C739C954C07F}	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D24F0A0-EE10-4edb-A2DD-C739C954C07F}\VersionIndependentProgID\ = "ToolBand.XBTP04910"	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\InprocServer32\ = "C:\\Program Files (x86)\\Congoo NetPass\\congoo.dll"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB04910.IEToolbar\CLSID	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D24F0A0-EE10-4edb-A2DD-C739C954C07F}\ProgID\ = "ToolBand.XBTP04910.1"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Congoo.Congoo.1	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\ = "Congoo NetPass"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\Programmable	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\Implemented Categories	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\VersionIndependentProgID\ = "XBTB04910.IEToolbar"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C964457A-E753-43F6-A5AB-70033A479BD1}\1.0\FLAGS	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C964457A-E753-43F6-A5AB-70033A479BD1}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Congoo NetPass\\"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.XBTP04910.1\CLSID\ = "{4D24F0A0-EE10-4edb-A2DD-C739C954C07F}"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.XBTP04910\CLSID	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C964457A-E753-43F6-A5AB-70033A479BD1}\1.0\HELPDIR	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Congoo.Congoo.1\CLSID	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Congoo.Congoo	congoo28.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\WOW6432Node\CLSID	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB04910.IEToolbar\ = "IE Toolbar"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D24F0A0-EE10-4edb-A2DD-C739C954C07F}\ProgID	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C964457A-E753-43F6-A5AB-70033A479BD1}\1.0\ = "Softomate 1.0 Type Library"	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.XBTP04910.1\ = "XBTP04910 Class"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C964457A-E753-43F6-A5AB-70033A479BD1}\1.0\0	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C964457A-E753-43F6-A5AB-70033A479BD1}\1.0\0\win32\ = "C:\\Program Files (x86)\\Congoo NetPass\\congoo.dll"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Congoo.Congoo\CurVer	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB04910.IEToolbar\CurVer\ = "XBTB04910.IEToolbar.1"	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB04910.IEToolbar.1\CLSID\ = "{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}"	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\TypeLib\ = "{C964457A-E753-43f6-A5AB-70033A479BD1}"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D24F0A0-EE10-4edb-A2DD-C739C954C07F}\VersionIndependentProgID	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Congoo.Congoo\CLSID\ = "{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}"	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\ProgID\ = "Congoo.Congoo.1"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB04910.IEToolbar.1	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D24F0A0-EE10-4edb-A2DD-C739C954C07F}\Programmable	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\ProgID\ = "XBTB04910.IEToolbar.1"	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D24F0A0-EE10-4edb-A2DD-C739C954C07F}\ = "XBTP04910 Class"	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D24F0A0-EE10-4edb-A2DD-C739C954C07F}\InprocServer32\ThreadingModel = "Apartment"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C964457A-E753-43F6-A5AB-70033A479BD1}\1.0	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\ = "IE Toolbar"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4D24F0A0-EE10-4edb-A2DD-C739C954C07F}\InprocServer32	congoo28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\InprocServer32\ThreadingModel = "Apartment"	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB04910.IEToolbar	congoo28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FCD0C-EADE-4B52-8CDB-EF33692A2E75}\VersionIndependentProgID	congoo28.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

6716 msedge.exe
6716 msedge.exe
6408 msedge.exe
6408 msedge.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3952 iexplore.exe

pid	process
6716	msedge.exe
6716	msedge.exe
6408	msedge.exe
6408	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsky_watch.scr

pid	process
3952	iexplore.exe
3952	iexplore.exe
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
6240	sky_watch.scr
6240	sky_watch.scr
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE
3512	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.execongoo28.exeiexplore.exerundll32.exeIEXPLORE.EXEie_to_edge_stub.exemsedge.exe

description	pid	process	target process
PID 4388 wrote to memory of 3076	4388	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe	congoo28.exe
PID 4388 wrote to memory of 3076	4388	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe	congoo28.exe
PID 4388 wrote to memory of 3076	4388	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe	congoo28.exe
PID 3076 wrote to memory of 3952	3076	congoo28.exe	iexplore.exe
PID 3076 wrote to memory of 3952	3076	congoo28.exe	iexplore.exe
PID 4388 wrote to memory of 2932	4388	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe	rundll32.exe
PID 4388 wrote to memory of 2932	4388	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe	rundll32.exe
PID 4388 wrote to memory of 2932	4388	02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe	rundll32.exe
PID 3952 wrote to memory of 3512	3952	iexplore.exe	IEXPLORE.EXE
PID 3952 wrote to memory of 3512	3952	iexplore.exe	IEXPLORE.EXE
PID 3952 wrote to memory of 3512	3952	iexplore.exe	IEXPLORE.EXE
PID 2932 wrote to memory of 6240	2932	rundll32.exe	sky_watch.scr
PID 2932 wrote to memory of 6240	2932	rundll32.exe	sky_watch.scr
PID 2932 wrote to memory of 6240	2932	rundll32.exe	sky_watch.scr
PID 3512 wrote to memory of 6284	3512	IEXPLORE.EXE	ie_to_edge_stub.exe
PID 3512 wrote to memory of 6284	3512	IEXPLORE.EXE	ie_to_edge_stub.exe
PID 6284 wrote to memory of 6408	6284	ie_to_edge_stub.exe	msedge.exe
PID 6284 wrote to memory of 6408	6284	ie_to_edge_stub.exe	msedge.exe
PID 6408 wrote to memory of 6424	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6424	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6692	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6716	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6716	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6724	6408	msedge.exe	msedge.exe
PID 6408 wrote to memory of 6724	6408	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02455eb202490e96ba12d213d1bc8caa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4388

\??\c:\users\admin\appdata\local\temp\congoo28.exe
c:\users\admin\appdata\local\temp\congoo28.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3076

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.congoo.com/netpass/counter?s=28&congoo_uid=&tbid={19FB72CE-9C3B-48b9-9023-9A7E23C54960}&do=1
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3952

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3952 CREDAT:17410 /prefetch:2
4⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3512

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=b01bc
5⤵
- Suspicious use of WriteProcessMemory
PID:6284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=b01bc
6⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:6408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd2f246f8,0x7ffbd2f24708,0x7ffbd2f24718
7⤵
PID:6424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,9528376247215144639,5960587939127471141,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
7⤵
PID:6692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,9528376247215144639,5960587939127471141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:6716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,9528376247215144639,5960587939127471141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
7⤵
PID:6724

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe desk.cpl,InstallScreenSaver sky_watch.scr
2⤵
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\sky_watch.scr
C:\Windows\sky_watch.scr /p 66148
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\CONGOO~1\CongooNP_toolbar.BMP
Filesize
4KB

MD5
fb44fc7a8828cefbef4b2be4291f47b1

SHA1
5b99ea3266576f9cd82a5a5ccc66fa83d362a935

SHA256
f304ab5bee48143186a428b33bffac1d02799bdf8c294e8b2b2661080d464fb3

SHA512
07327c2e808797eb0b6cd6c9ff4540e1e54ad304e891d0ece5e7e8bb2d66bf6faa2fbc42758cde7a25000825112d0f77b782f65ba707cb97c39fad5d30c8861c

Download Submit
C:\PROGRA~2\CONGOO~1\affid.dat
Filesize
2B

MD5
33e75ff09dd601bbe69f351039152189

SHA1
0a57cb53ba59c46fc4b692527a38a87c78d84028

SHA256
59e19706d51d39f66711c2653cd7eb1291c94d9b55eb14bda74ce4dc636d015a

SHA512
edbd48c836f826b5ed8d62b401cd19674ef1b8627b9c68a4639819a8564f57426c632b7c1d3dee8209c48c2396da0a3a08d160617f7291a1186ca6d9de5db272

Download Submit
C:\PROGRA~2\CONGOO~1\autofill.cfg
Filesize
20KB

MD5
446843f2772d433d0d297a12534061ad

SHA1
e5189b2397b4a9d678efe2e41f2792d0cf9099ce

SHA256
52cd3cc6b6603b36b155dea8777d8995fc89fd4f571805638ae454d590d8ec22

SHA512
416c159dea751736bd3c51a967eb61499218ac5566b8d7f94c65eb8d61be383cf34e719bd96e4cf071e642b049bb2ee43fadac84bec6332ea6462879def622b4

Download Submit
C:\PROGRA~2\CONGOO~1\basis.xml
Filesize
20KB

MD5
1fb053e7e7128da027c58cb12e9220cc

SHA1
2f2653650bfd678e1f999446253d86a513cacf01

SHA256
7c710c605c9aeb0e9ded776e007b605cae9527820594fe6ddb3b61680288e8ee

SHA512
0ca19114584ca5dc5fbfbba8f58aa79bf7387f9873408e4cb0609d9ee576e1e65a2dbf759f0989027260a3d0971d41bc8dfd326930d3e971a5c827f36ab45b82

Download Submit
C:\PROGRA~2\CONGOO~1\icons.bmp
Filesize
40KB

MD5
c34c2f1ad6a77d05f6b0ca1b0736ed0d

SHA1
07bf3a4f51d119fe5118decedbff76e2420a6ce8

SHA256
60bab2b082aa190e234a1632736b7d5d2500bf7f5099052dd149f7f4eb8a8087

SHA512
e4c47c142e625aabf2790b878e1eceffa1194855ebaefd46c0c11bd0f7698568ebe93219448b77c0a561b52f212690e0e71f5cb549bf00201123f62c45b5c30b

Download Submit
C:\PROGRA~2\CONGOO~1\version.txt
Filesize
48B

MD5
be9c7eee838724275f1b949966dde925

SHA1
5611ff6792d06171309692cb5a05f6feb8513db8

SHA256
8f7ce4b3d21d678e8dc934f102f829f4b3e5259863077e7fe54de0dbc27f2587

SHA512
8fa4300e67297844f9e76d3900a8578568e472b85b0eefe5911990b33f4c013991427118062d3ae5664a81d7505a19a6e358b1edd1d1162a9bf179b2c37bf1ca

Download Submit
C:\Program Files (x86)\Congoo NetPass\autofill_plugin.dll
Filesize
172KB

MD5
e31639927a3d03caff3e676a35d7bdf8

SHA1
03246aed83a837a957259a31850a49ba7122d36e

SHA256
eb1d8c0423420a0349c7a85f7f0ca2c72d230789734d5e7705dd20038613c689

SHA512
5f237605e335eabb56e2f13db626d620dc43da2410268a200686a1a6f36dec2c547a8d333862d9465b0a279c81599faf06aed5bae784e79a78ccf3ccc7499a13

Download Submit
C:\Program Files (x86)\Congoo NetPass\congoo.dll
Filesize
584KB

MD5
a5832b38fe20b5abb4be15934479aec6

SHA1
98380082bb78f205ce3ae7e16c90d5339f73b62e

SHA256
acad8e4177a851abc13f9abee6f63199305bbbad9f97ec684ebc9269599216aa

SHA512
616ed57104d9396c5fc499e53382191a6727ab29f9fb43176b29c0cc8188c8c19f52103390f767a09fc15c84e72d7ca3722c5a41eba991e922ad8f48f92279d7

Download Submit
C:\Program Files (x86)\Congoo NetPass\msvcp60.dll
Filesize
392KB

MD5
cb21d826d9c39aed19dd431c1880f5de

SHA1
6eafcc2fdfdf73abea334ac7afb903829f6ff2a6

SHA256
f1fd0f1a54f196b19a6f21044092c89c02353dad173c236d80f6474cb8a7ea7f

SHA512
d4223a0ad6118b1dae8505ad4675f6e87e4fa9ebca6fdbe2ee3f0ea868ced15f07fb5ae2d9a41d8992a9d41a9bbe4b16f7ac6eeb1c99324ed8fa3a8fc47af150

Download Submit
C:\Program Files (x86)\Congoo NetPass\msvcrt.dll
Filesize
284KB

MD5
e054edafdb3997d84201275a743488ad

SHA1
2df120342d1befe0329d4941a60a3205fee5e597

SHA256
11b2e109ba8012d8ddcee1dd8b6ca060aedccbb60663f964d34d4ae50449d105

SHA512
f58549d4900e996637880685b4d6e69318ee7d1ff229a1e3931c226ffcf9f6d2375713ad5587a58dccf36257b13901231f523116ce54b4587d254a579301e713

Download Submit
C:\Program Files (x86)\Congoo NetPass\whiteList_plugin.dll
Filesize
48KB

MD5
38e7d1a54f33537410722b160ca5eeef

SHA1
ad7e43c6441721af1e6c361a8c9dc15ad2df4da5

SHA256
b324bbf0461552de06e8c55fb10a2c1a4e78050853a595454a5c43b6db546f1f

SHA512
41e9324b70039cc05701f482518a2f50468a80f77b723377c6427d1a725dc27c1ae6a0fc50bf4cb5fdf20ab1cc24206552faa90e7e7e26dd11a87cdad8716352

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a9e55f5864d6e2afd2fd84e25a3bc228

SHA1
a5efcff9e3df6252c7fe8535d505235f82aab276

SHA256
0f4df3120e4620555916be8e51c29be8d600d68ae5244efad6a0268aabc8c452

SHA512
12f45fa73a6de6dfe17acc8b52b60f2d79008da130730b74cc138c1dcd73ccc99487165e3c8c90dc247359fde272f1ec6b3cf2c5fcb04e5093936144d0558b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7ddd1f992724eea463bc6b94ef98fca2

SHA1
d540d793d1a0a1c7d77e5afd36e133e91b6da8ef

SHA256
288bb4058c1acb1a3c9e500ba9837899a7ebbf31d5a831cf6039f4e8cb8d965a

SHA512
0521f086a7d923d7b2828e4330bd8e922b07ae2d4d28f30103de97cc12e04df7ca15cea9715757a43cd251ada81434b013a887cff3ce3ea79ccc6dd41624aedf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
0629a9c0123d8c271b8cc9629e1170f4

SHA1
927d733c5ba085bafaa44b29e345dabcd4895e74

SHA256
fdce8915b900c062aab5523c97b11ced7b51e604cc0450da945f0ccfb6db61cd

SHA512
5fd8656d01c0a3c0fe60cf1ba932b36e09706d23e0753fb6de378da68ef858cc05208bb5a7226baa553284ed3d4178605255f164ffb173ab83b6e46489f6c296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB

MD5
b0cd07b5d310aee776727c092875fb77

SHA1
adb6704de3417c404e839706a98623fd015b41d9

SHA256
b571db46bced078e966a028bd982042df6ba2c649a3213544d47657eda15e77c

SHA512
1d8a894e4d422588ced9ccfdf4747c87bd7488b15687ce4db58211b22fb94737df8b02b36eabf375875b0c5c5e9090bc340ba0a08fa500476754fe43bae822cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB

MD5
74abb2bcadcb674e397fba13b3319c19

SHA1
fd28371a45d384b7f5b86f8e97ba79e795d77454

SHA256
2b0edd9029f6ddbbae628fa7afce9e2f25fd04c354421832648f2445afd6e085

SHA512
b773de4f4354fcb672af89fb46b29bf17477153fcbb2aa0f211a54fbc25470726cd698df875b424652dbd5f29d0125cfc558de0335f41447198a9620577c6328

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB

MD5
75bc2e9586f23fa15dc74a8a80ccb966

SHA1
977f8e547a94027f776d4428d5c6e2f7fce510bd

SHA256
dd87509981978e1cfa01e6d32fb9a8982cb7231581acfd9cff8667b2f006c2d2

SHA512
71e048c9598a590667d203c1ef549201f8a85e0fd49b86fb0cf6799a42a2a1ccfcc84478ad800eeb2951ba2355cdd275b7f9987e0a307a4058ec633200262ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LICENSE.TXT
Filesize
2KB

MD5
ba62ac3cf85a0e82e2e712e0ce76766a

SHA1
5c43acb11cf328ec68e47071cdec7d06bab14e12

SHA256
69e2e2bf2ade4f90d8b317d66447a6df988687168b8db3fdbb188d9fdb0c7062

SHA512
c0688281ee0410a83952ebdb6ab42bb4f561903b895de74982617a8a1cb067a1deef0c8c21b55d837e91e7654374630b6e791d3d13e391c20aa57dd680a99f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\congoo28.exe
Filesize
615KB

MD5
7cd2ca44e501ce4d659f8a7636fd50ec

SHA1
aac72ebfe792954a9aad5107fe63f210bf9fdd72

SHA256
0051046b4efd0221fb4fcad58bb0df2efb89d75eae56c6560783fea58f0a2bed

SHA512
d36f9da02cac9c5d2ef7e11939081adbbc5ee1855cca08b1187c422755ba1056e463a76e9abe8043869f3ab8603b4df7ce24b298241a5f4d80e250d0fe719b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ginst0.dll
Filesize
55KB

MD5
b53c487077b6cb30577e1db49fabace9

SHA1
c155dbbb63b1d6e502dadf5b03e778e7a3aa6380

SHA256
47351ff45cff898646911db5587d017b66f46d7f00199c970f414266a334d409

SHA512
ea2ae324c783b1a882c4a0d0cf33c5c2f3c957f97f59b2dbc403fdca0e53b30ae0ea89d38c24839ae62573339db78ca2ed9fe971648681cfcc612e9b74114d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfBA97.tmp\IEClose.dll
Filesize
32KB

MD5
46ef89234224c53502352ae8d99e6990

SHA1
7fe8fac33f79cd1c6a55d78f9a4e50f6a6a61334

SHA256
6ac4d60e0d57d2fe747d462d80714517ddb6ffff3595c80e21557310caf10ca7

SHA512
3556c74f238cbc5ca347c32433d80149138b189ab536f41c58121e35957b4702c388ff0c1b221ea85cc7a6e3ab1ba19561f1011e17751548682f791fe8fe4fc2

Download Submit
C:\Windows\sky_watch.scr
Filesize
375KB

MD5
144cd6ad5bdeb00b9c567a5ae17396de

SHA1
e7102b69474345363ad0f1a429b8c064058df243

SHA256
b7af6f0ad3924b9fe9b1fccf9fd715e59e8be96981127d1c8c482fa8cab21ed9

SHA512
d26124d7e2f6d347345b94de700b4ebaae8bf028823fd74226d3a20ef0f425adaa958eb0604d48a2fa5b20b3eeeeade52b2d498fb0c44aa1ab5dd6b8af2c7f7e

Download Submit
\??\pipe\LOCAL\crashpad_6408_BELXZLORQSWBHOGZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3076-93-0x0000000006480000-0x00000000064AB000-memory.dmp

Filesize
172KB

Download
memory/3076-106-0x00000000062F0000-0x00000000062FC000-memory.dmp

Filesize
48KB

Download