a748dfd149c8e1f9d390b2c4a9f2646d97da3bebc25940a2fa08335221c2a898

Analysis

max time kernel
140s
max time network
130s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/06/2024, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe
Size

706KB
MD5

103c2fe0fd8d81d0179e9831f5091bce
SHA1

c85bf81b22f92002da99ea45513ee4f48a765324
SHA256

a748dfd149c8e1f9d390b2c4a9f2646d97da3bebc25940a2fa08335221c2a898
SHA512

fa7a2d3eef2072d20719df535672c2b417f3759faceabdaabc9d4b6708722e90c8941e7296990f9a58d2d14367f3d13af68f0e20bdd47b801ab03a2633c49561
SSDEEP

12288:CdrAofT5h6l0Lbl8gWsur96h73dvfDqF3Z4mxxsT2A6NgHP9o/l3h6iW:CiO5saLx7ur9ENXWQmXsT25GleTFW

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2584	3.exe
2836	RunMgr.EXE
2476	G_Server2006.exe

Loads dropped DLL 2 IoCs

pid	Process
2888	103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe
2888	103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8937BF61-335A-11EF-8857-46361BFF2467}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8937BF63-335A-11EF-8857-46361BFF2467}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8937BF61-335A-11EF-8857-46361BFF2467}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8937BF6C-335A-11EF-8857-46361BFF2467}.dat	IEXPLORE.EXE

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\G_Server2006.exe	RunMgr.EXE
File opened for modification	C:\Windows\G_Server2006.exe	RunMgr.EXE
File created	C:\Windows\G_Server2006.DLL	G_Server2006.exe
File opened for modification	C:\Windows\G_Server2006.DLL	G_Server2006.exe
File opened for modification	C:\Windows\RunMgr.EXE	RunMgr.EXE
File created	C:\Windows\uninstal.bat	RunMgr.EXE
File created	C:\Windows\RunMgr.EXE	3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\HaveCreatedQuickLaunchItems = "1"	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAO Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807060003001a00010016001c001701	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\Flags = "1024"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-49-19-7d-c6-ed	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-49-19-7d-c6-ed\WpadDecisionTime = 00c25d4d67c7da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Flags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e807060003001a00010016001c001701	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e807060003001a000100160016007802	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000855fcb6dc437fb47b7cd194f1423f211000000000200000000001066000000010000200000000813d5c31175b9ecb8e7fef99fba77eb77d7f8d0a88a903206d6a76aa5a768ca000000000e800000000200002000000001e73a75329a2aadc1d83fa59f8ec2adf91ca1f395a2919ed90c8f1f73c9e64a100000008932b4738f0915614e0438459b4f81f94000000005813e6ddbaef3c958911b9b600240e75809a24ac9e9bbb09162c2c8fc8dbf2529014bd99b63f9263c5f5b307fba3887e8b3ebba8a2573bbb76a87248219147f	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e807060003001a000100160016007802	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{869C47FF-AE31-46E8-BE02-A26D98385553}\WpadDecision = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807060003001a000100160016005802	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2584	3.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2596	IEXPLORE.EXE
2596	IEXPLORE.EXE
816	IEXPLORE.EXE
816	IEXPLORE.EXE
816	IEXPLORE.EXE
816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2584	2888	103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe	28
PID 2888 wrote to memory of 2584	2888	103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe	28
PID 2888 wrote to memory of 2584	2888	103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe	28
PID 2888 wrote to memory of 2584	2888	103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe	28
PID 2584 wrote to memory of 2836	2584	3.exe	29
PID 2584 wrote to memory of 2836	2584	3.exe	29
PID 2584 wrote to memory of 2836	2584	3.exe	29
PID 2584 wrote to memory of 2836	2584	3.exe	29
PID 2584 wrote to memory of 2832	2584	3.exe	30
PID 2584 wrote to memory of 2832	2584	3.exe	30
PID 2584 wrote to memory of 2832	2584	3.exe	30
PID 2584 wrote to memory of 2832	2584	3.exe	30
PID 2584 wrote to memory of 2496	2584	3.exe	32
PID 2584 wrote to memory of 2496	2584	3.exe	32
PID 2584 wrote to memory of 2496	2584	3.exe	32
PID 2584 wrote to memory of 2496	2584	3.exe	32
PID 2476 wrote to memory of 2596	2476	G_Server2006.exe	35
PID 2476 wrote to memory of 2596	2476	G_Server2006.exe	35
PID 2476 wrote to memory of 2596	2476	G_Server2006.exe	35
PID 2476 wrote to memory of 2596	2476	G_Server2006.exe	35
PID 2596 wrote to memory of 2644	2596	IEXPLORE.EXE	36
PID 2596 wrote to memory of 2644	2596	IEXPLORE.EXE	36
PID 2596 wrote to memory of 2644	2596	IEXPLORE.EXE	36
PID 2836 wrote to memory of 2932	2836	RunMgr.EXE	37
PID 2836 wrote to memory of 2932	2836	RunMgr.EXE	37
PID 2836 wrote to memory of 2932	2836	RunMgr.EXE	37
PID 2836 wrote to memory of 2932	2836	RunMgr.EXE	37
PID 2836 wrote to memory of 2932	2836	RunMgr.EXE	37
PID 2836 wrote to memory of 2932	2836	RunMgr.EXE	37
PID 2836 wrote to memory of 2932	2836	RunMgr.EXE	37
PID 2596 wrote to memory of 816	2596	IEXPLORE.EXE	39
PID 2596 wrote to memory of 816	2596	IEXPLORE.EXE	39
PID 2596 wrote to memory of 816	2596	IEXPLORE.EXE	39
PID 2596 wrote to memory of 816	2596	IEXPLORE.EXE	39
PID 2476 wrote to memory of 2596	2476	G_Server2006.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\103c2fe0fd8d81d0179e9831f5091bce_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\RunMgr.EXE
    "C:\Windows\RunMgr.EXE"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\uninstal.bat
      4⤵
      PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c del %SystemRoot%\Debug.exe
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe > nul
    3⤵
    PID:2496

C:\Windows\G_Server2006.exe
C:\Windows\G_Server2006.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2644
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\RunMgr.EXE

Filesize
290KB

MD5
02182f44ae69e7e780515c29ebe0923d

SHA1
b2ffbef6781db5dd6786937d9c3f9c701d4b5949

SHA256
d8dc80b1c28afa0c11fca2f4ef5b49351ea0c7e8dd14e8940d5be25cad6e84b0

SHA512
3e0fac29e7270c51db0d8614f6c39236c5bb3ccd2a6b80de33022ce41c16849337b9e48382fa9ad3626c34896f007e55ea143e2a18767f0fc6c0bfa93cac780d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
8cb33a1e4b18c2ae712b93ba80025b78

SHA1
963b66766321082eab840546bf11568edbf388ad

SHA256
4275fd921334151ad5333d2d21741f6c2c2d236b82e6136dc1d5b22423735b1a

SHA512
158b9814d047d2a7a2839a282a472bd0a568e678c603b83d78f0b6c573666ff50dfb070dacedb6db927ccbe2917de9ef494e26a37ecef5aaaeec27ab1bc16fc2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
503243a98b76fb9e4f6bf56c4359e2bb

SHA1
6b1bc7ba4b802160277522a435eb8c103caa8dbc

SHA256
49d7178d06c6760c89224f2105847d115554a5f6dde84cc9570e4ef2eb863c81

SHA512
ca188f17903e7a7c6e57ebdc89088832fba1c1264cc9f1c1d86e369768c05d591086d602fe996536ee14f12d30a9376ac7b093adf6fb8022634ef4cfb80c51d8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94bfb6557b95c04be64cc393977ba13a

SHA1
51c9b438768acc643ae948b74a6604d85efbeae1

SHA256
78f347d1f056baaf8530c61e9664025ad221206671ffc538fc707c514ff33817

SHA512
51209a2e40f6afbb58f00e3fc380c09037ed16df19324710c7b0346965680b08ab0ec3c7f3795c1617b640c2d8b17f9a96812090b99e56bea73ce7bb14be5005

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ed0f49f47e40001dfc91c29e811ca1b

SHA1
e0d34adccd5be49ff209d2eef0b18e56448258f6

SHA256
c0760150a3de0159b55fe299b5628c057a740977fe6fbb9e152b0eed8660cfb9

SHA512
fd08b4bcbf168a7033764c10db17c1200b66772f94e059f0791be5c3c9f29e19d3d6759e1a419f3226a6138668d5fe3fed6ff4a96c58a87ac7e1f25c1bbac5eb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d730bd7bd033aa7740547c68a8e3916

SHA1
7f66f22a272ecc2248039c7e014fb42281c7fe17

SHA256
d97280289b575c3b346197166ebb4ff32b58a1f46d604c83d6b40730110feb44

SHA512
95eb6d4bab289765a09a24c42802883832e36d412d1e26a87d090317a9a46960b9806c1f3f6709bcc6142449b743d9eca3e573240371142476b7d24f51d5ad4b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0f31da9d50849fe4c23b14a2a50fa54

SHA1
c48f2769a007bfc82db52e5dc8c0409518e95bac

SHA256
22d1e4f0f47873f1a64b53e9ddbbe97353c0264d5154349485f326c2a1d4d0e6

SHA512
71dbcd1ba19c5f8da80b6971ffebe1595c83c5654cd29f3ea7ebe9c4dc013c53982c4eae132ddddc9f385ad74dbdc2170c92b23785f5119aca5f64cde3e4b11d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07717725531058006bb3a4d57422b8de

SHA1
1d75ef01902be8be04a40f9cfd63dbaa59e077d6

SHA256
46d17b0ed5904f818278708f2e62fe0aa6aadb391123908180d90826478f86c4

SHA512
3f94075432b259d7680198c15d5b01b00fcea8bd5a88ab464b980b67b814a99f45c8aef7bb27107e2f5f4e20c732b4f7013b20aba301ef2d190b27758faf250c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa96f798395ba55432023bdba5825403

SHA1
86fe2af92fc0d134f439327204c6c772db830d3f

SHA256
6bafd57d9db37ee1d5300aa76837d1f3a7274c493fd948d99f13dce5448d9b7c

SHA512
69f073206149654cbf3298845f6aba084d6972b92c3f2c6e9c91e0446c70738067e9e345d9329cf3e0fd42f5420727fda1ea427a0b37d6254ba5f09c2faf7fb0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bf8ff052d571f6f22ade31303198e26

SHA1
878d18239985353da1f4e48e939daabd88a9974b

SHA256
38602ad2eac76c27a53182be1b798a8944624cafe84c6546a963740267994d90

SHA512
6bc25260cc5673921c0378c0cf46e39667b6ac7301cf0110b6b3b46612979c78a9eb9d68d607e940b0b8d17cd7dc3f2d8b66a1c7b9dbca6c2336dcc0b0c50fc9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b997629cf9e4b00ac4fcebe57c59e0a7

SHA1
1d21d73e35cb3a0bd62704cb1d108a9e02fec092

SHA256
793ade35b15fc29af7463a20a8dbfd2f43f612342a8094e80d4018c9cdf96e63

SHA512
47d565725f5e1cbe7ac2d8d5fc4c5ca61c60a4ed685577b133563575b7bd90cd240988683878249cda9fe9f9c594b24c4d0548da3d68a79f02786e0c6dfb64cd

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
561bb2529ed9c26dd001f6de1e54f04a

SHA1
c5039dd727260f04ab677821b657c903108142d8

SHA256
022ddd2a4a3b7c4af4494e01794a664c996a8c53ade3765551ec2bd6f6b0100e

SHA512
9d4e0f752ac8277eec81c78e4ba5cbd673edfa64ca23938e5291b67ad0022ccfb6ab02f97c289d4449e7cff5d402911883d03ca56ed20ab1f8edca707fb36865

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04163358fac463f4791a77a35842b2c9

SHA1
feb3ba24275da1e78a514a354d25488ccd012568

SHA256
9fd9c1f725c2d41a40ced05b949c5afebdd0965610d14c354cf7c825466716a3

SHA512
b3c40e5c2e7193306c1af62072309b5098265a0f902cabaf0dc5a0f3c81025af5a047d993b8b290ea84a8ada13515243d208b72f5450c52773424d8f297560e2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
722cd9a9ce3c6e595cbb37926e931c3f

SHA1
630419d88f347585dee807800d2f909bb384898a

SHA256
de2a93be293d92b70302b3d71c53971b36bf8e757f864d9368ef1ec299590601

SHA512
4627111e52870d8cc9ee4d79060bf9e35c1b3164e82cdac60d1c22068dd1980682a0a94b39ea0db1cb2d3d90bbb26fb8ae8fb04d60e87688f1d7c2520fad7f50

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54925eafcbda56ed3e4771e1f248daf4

SHA1
2d0522e1fd6712295307b9a72c7c2058c9c787ac

SHA256
d01e781c9e030bcc6e03c23c346da734b4277978a155c9ca4375c66aa3b67ef7

SHA512
b103f41eef2c3f3f4b251ee96c3087700abb5acc0a75f4c45af7226b4ceb8e5c14eb29f4ab0c38bd99c32ec96fe0a96aa6250d6abd12f71580e23bbe9307a533

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
534f7a3d53531541a30151fb9be87b7f

SHA1
1138046bcc9cf1794c5e1bdb03c42c6ad81c5d50

SHA256
ba0bc262a243fb4f3393194e2712b31d861bf223b025f51c86e6668fcce58dd2

SHA512
e4acdcce5f22605c4ab077f901e349aa4874216ae73866999ff294a69c37e68f6d6ea4a29376936e991071c9079ab1c3fdd0a593445c17129f1c0673b2ac49af

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
591304e55656ecbcc2469561938ab9ee

SHA1
94de477758ce7629a7fcae70d5c572e9fbf6ec53

SHA256
294f45b72d3174639cfbae485df035a4bb8e390ae9d132b85ef7be38dbfe02bf

SHA512
b6fef3e25e8091a043f73030b25022544c54cb4d2122f7187386dd598c9dbe7a0b3258258fb8a30ca31d4f8f3b32a50182a8265b82098c7e51df6fadf7a311b4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03cf0fa2b7fd764413cc1850fde25b4f

SHA1
71ea051ff183ecc33e55bb7c0c1be6f2e3aaf825

SHA256
77f389e4a3b70758c1904653fc89ef8951abf4946d407e952b33b19e66b48a63

SHA512
b8cc4387637416aaf1fe0166ea434be715a9fcaf2ed76e5432c93d9b12aef4f296a80432dd2b464ca272e63baef07e734d9bd8de0e7715233223f94525891ff9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
710702bf3953fd11aadcad12151ac345

SHA1
d1c933c9e94e89a72d2060552c58a9c8472f0fc2

SHA256
e3353502a0d8bcd3bf2719ffdeaddd2793f81a02e8b8bbc0173b9ecdc88bbd1a

SHA512
fad6c86be9c1c4b604d1c6db77fc12ee37be8d6a782f5844488e6776608795af51eec3d1d4c8d1e1296c28b69bba0ace5773428491e4b7024a2d8d9b5e2e3fc2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3df1bdec2a35551d440c3a429d8dc50

SHA1
d1fcbf48a8e84c63eeb04a214965dad339852c05

SHA256
23815e08c0cbed86dc73aef7d542e22caa0f0be5da7c1c2c6dd97e4d938e23f0

SHA512
0117148a63da1728d09f89c32cafa365436a671aa3fa4a999b648bba9e1d829c5a3145809901a83a40d5ed4e895d9aa8c2bfe11afe660fddfacc6c0ceea681a1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34b4134a642f3b2345f9f5e0b046b719

SHA1
6b36e6245a14df8cf8397a8a861ce13769aa4f68

SHA256
b9a8f5711980b5136176a1446c01bef2342a9ca3fb821209a0fefc092a5f1e00

SHA512
e31c23142d2b8fb920c7c058e4127ed168ce0218ff236b8a6132e599be20609e7dd8e8e5b607c4b2f751fd462d8d8835b580b543efda831955a95d4d6edebbc4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e21b9bdbae76b2ff7fb3303c498fc09d

SHA1
03dc2ad56d952102dc62a324684c345dd8a81a0d

SHA256
a297e8db24721a93696ac6fe701904249bc255d05bca8be46cd417a833620490

SHA512
6b6e026eb019c82c4cccefcff024b6e5e92316cf6b1dc67f7fbe486a9dc95af72c968c040678c03cdb2aef9d0fdde336536a1aeb3c315fa1fab8d52ea08cc045

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
174B

MD5
1971d71c62ea75c4f433476600caa4f9

SHA1
428e9b5498ba9746c123ebf3ffd86a14f73878f3

SHA256
3f7e7774532126e2c175de962ce9d620471f4ac75463457e1b93ab615abd4de4

SHA512
88667b670c3ffc78b442e0767ca0ea2c1409b8a2c5f18e69496831f7bfa7496e54843819fe725eda06de6deca9ba9dd769d4b5f3ade4126905ed3b1bb6f94422

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab2071.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar2307.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\www147B.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\uninstal.bat

Filesize
92B

MD5
cb9f71ed6347920d9d54de433ac8b51f

SHA1
1900d39d3bfee682acce91d71efd8fc1ef22f48c

SHA256
b946663364cb8068df25d6b8c349208f534817503d4d68d5faabc5896e1a4970

SHA512
6ceb649d961039f5b426dc92059837f6c76c1b98f9ceb4ae751e1746ba97ffd27b31bdf073a3494e50d7fc3c12e241e531bf848eaee1c497eea20570a532d9cf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\3.exe

Filesize
340KB

MD5
e860f2c1c383b29df93336cef2e7a661

SHA1
22d83ee05689d50cd69713fa8f3abd0dc34f41bc

SHA256
0dd5d75041c4475490f6f4c6dc8cb5d04f1e22842460937ca3efa8e6ec863e88

SHA512
e22bd759ef1a1a33b274d395998c4a5615103623574c43a01b731246b553577d699a7ea44db8dcd961956a26535f7077202ed76b67692a47bd6141cbdf45292b

Download Submit
memory/2476-60-0x0000000013140000-0x000000001324D000-memory.dmp

Filesize
1.1MB

Download
memory/2476-59-0x0000000013140000-0x000000001324D000-memory.dmp

Filesize
1.1MB

Download
memory/2476-408-0x0000000013140000-0x000000001324D000-memory.dmp

Filesize
1.1MB

Download
memory/2584-43-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2584-50-0x0000000013140000-0x000000001324D000-memory.dmp

Filesize
1.1MB

Download
memory/2584-51-0x0000000013140000-0x000000001324D000-memory.dmp

Filesize
1.1MB

Download
memory/2836-53-0x0000000013140000-0x000000001324D000-memory.dmp

Filesize
1.1MB

Download
memory/2836-70-0x0000000013140000-0x000000001324D000-memory.dmp

Filesize
1.1MB

Download
memory/2836-52-0x0000000013140000-0x000000001324D000-memory.dmp

Filesize
1.1MB

Download
memory/2888-18-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2888-23-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2888-11-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/2888-12-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2888-13-0x0000000003130000-0x0000000003133000-memory.dmp

Filesize
12KB

Download
memory/2888-153-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/2888-14-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2888-15-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2888-16-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2888-17-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2888-29-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2888-30-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2888-42-0x0000000003870000-0x00000000038C5000-memory.dmp

Filesize
340KB

Download
memory/2888-19-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/2888-21-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2888-0-0x0000000001000000-0x00000000010C1000-memory.dmp

Filesize
772KB

Download
memory/2888-22-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2888-35-0x0000000003870000-0x00000000038C5000-memory.dmp

Filesize
340KB

Download
memory/2888-24-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2888-25-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2888-26-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/2888-27-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2888-28-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/2888-20-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2888-761-0x0000000000240000-0x0000000000294000-memory.dmp

Filesize
336KB

Download
memory/2888-10-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/2888-2-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2888-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2888-4-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2888-5-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2888-6-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2888-7-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2888-8-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2888-9-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/2888-1-0x0000000000240000-0x0000000000294000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads