91ba0b40a538b93fa0b959c98f21964c20f460d7b5dfbed8613442e6b84a4266

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
Size

512KB
MD5

16451a2b747c2c7f9715cba0044b830b
SHA1

7d29fe89dbed107b25cb4ba6116900ca10958bcb
SHA256

91ba0b40a538b93fa0b959c98f21964c20f460d7b5dfbed8613442e6b84a4266
SHA512

8085d4cfa0ac8d909fe1700e30b584eb92985915d69aa23feea2f184ff84ca8f19b3fd3ce7f28c33dab3ddf368faada3bfcb24c460d5200faffda0ddbb5831d3
SSDEEP

6144:AHsRRS2YjYfQCwRCpBf/PbPpORerE61yxcRMz+x0V6b:E2YjvCUOfnbh8enX8az

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2456-0-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/2456-3-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/2456-4-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/2456-5-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/2456-7-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/2456-8-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/2456-34-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/2456-450-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/2456-459-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/2456-473-0x0000000000400000-0x00000000004FF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Secure AntiVirus Pro = "C:\\Windows\\AV.EXE"	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\E:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\G:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\L:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\T:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\U:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\Y:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\I:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\K:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\M:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\N:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\H:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\J:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\O:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\P:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\X:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\Z:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\Q:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\R:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\S:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File opened (read-only)	\??\V:	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AV.EXE	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
File created	C:\Windows\AV.EXE	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0b6101a9bc8da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000c3a313cc55ea9de71287600495c4356e74f873a25f5da8554925443decb11bac000000000e8000000002000020000000ca1122942ec540c1591595b696d7c38b8da55a58b71428a17e640232ead063d1900000000ddc8c6b0fef5a1a05ec4820f81b95b961bf328e323e263465d9b9cb11f41268a14d418e34b31befcf9e5b12b985de79cd545440a383ea4b2c6ffecb8811e6bdbe93a140867ef1a018b1d023ffe4b9d4b17701ffe97800fe0a7e794d23abd18bf6433f5c91db41e47b9fb8f2a31396634341470e284fde6a8ea23ed3715c7a19aada1a5d718aac68ae78af56d1bc9ffc400000007dcf9f75f92f0e483d45c91318b712db0fb4c1d95b31cdab031a71940003323c8fcc3103a7b0df247e90fcf485154e69480b8b7c2afc01ae6c2b58457687cdfd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{53908011-348E-11EF-BD87-DEB4B2C1951C} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425659006"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000a3e515d8830c943828824da0c633d917a2ffc09d8124b118a0a711bd2eaa2da2000000000e800000000200002000000034819c4dce41e67dc4209e39fa636824060ef7e7c25dc3f05f347392634b67b9200000006583bc4c3d835572013b410269420b8596f0daf47b7347f2ddad42bf013b9212400000005ab280b5fa0c5412a913e0319789fc20fb59268447c59bb0ecd057751917d3727b31f131746bd496086149505f01e913d733c93a381b6c07e5bb3e28d1c99ad3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe
1156	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2456	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
1156	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2456	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
1156	iexplore.exe
1156	iexplore.exe
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2864	IEXPLORE.EXE
2864	IEXPLORE.EXE
2864	IEXPLORE.EXE
2864	IEXPLORE.EXE
1932	IEXPLORE.EXE
1932	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
1720	IEXPLORE.EXE
1720	IEXPLORE.EXE
2864	IEXPLORE.EXE
2864	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
1932	IEXPLORE.EXE
1932	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
1932	IEXPLORE.EXE
1932	IEXPLORE.EXE
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE
1720	IEXPLORE.EXE
1720	IEXPLORE.EXE
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
2728	IEXPLORE.EXE
2728	IEXPLORE.EXE
1676	IEXPLORE.EXE
1676	IEXPLORE.EXE
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE
2072	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1156	2456	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe	30
PID 2456 wrote to memory of 1156	2456	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe	30
PID 2456 wrote to memory of 1156	2456	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe	30
PID 2456 wrote to memory of 1156	2456	16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe	30
PID 1156 wrote to memory of 2772	1156	iexplore.exe	32
PID 1156 wrote to memory of 2772	1156	iexplore.exe	32
PID 1156 wrote to memory of 2772	1156	iexplore.exe	32
PID 1156 wrote to memory of 2772	1156	iexplore.exe	32
PID 1156 wrote to memory of 2864	1156	iexplore.exe	34
PID 1156 wrote to memory of 2864	1156	iexplore.exe	34
PID 1156 wrote to memory of 2864	1156	iexplore.exe	34
PID 1156 wrote to memory of 2864	1156	iexplore.exe	34
PID 1156 wrote to memory of 1932	1156	iexplore.exe	35
PID 1156 wrote to memory of 1932	1156	iexplore.exe	35
PID 1156 wrote to memory of 1932	1156	iexplore.exe	35
PID 1156 wrote to memory of 1932	1156	iexplore.exe	35
PID 1156 wrote to memory of 2996	1156	iexplore.exe	36
PID 1156 wrote to memory of 2996	1156	iexplore.exe	36
PID 1156 wrote to memory of 2996	1156	iexplore.exe	36
PID 1156 wrote to memory of 2996	1156	iexplore.exe	36
PID 1156 wrote to memory of 1720	1156	iexplore.exe	37
PID 1156 wrote to memory of 1720	1156	iexplore.exe	37
PID 1156 wrote to memory of 1720	1156	iexplore.exe	37
PID 1156 wrote to memory of 1720	1156	iexplore.exe	37
PID 1156 wrote to memory of 2728	1156	iexplore.exe	39
PID 1156 wrote to memory of 2728	1156	iexplore.exe	39
PID 1156 wrote to memory of 2728	1156	iexplore.exe	39
PID 1156 wrote to memory of 2728	1156	iexplore.exe	39
PID 1156 wrote to memory of 2072	1156	iexplore.exe	41
PID 1156 wrote to memory of 2072	1156	iexplore.exe	41
PID 1156 wrote to memory of 2072	1156	iexplore.exe	41
PID 1156 wrote to memory of 2072	1156	iexplore.exe	41
PID 1156 wrote to memory of 2140	1156	iexplore.exe	42
PID 1156 wrote to memory of 2140	1156	iexplore.exe	42
PID 1156 wrote to memory of 2140	1156	iexplore.exe	42
PID 1156 wrote to memory of 2140	1156	iexplore.exe	42
PID 1156 wrote to memory of 1628	1156	iexplore.exe	44
PID 1156 wrote to memory of 1628	1156	iexplore.exe	44
PID 1156 wrote to memory of 1628	1156	iexplore.exe	44
PID 1156 wrote to memory of 1628	1156	iexplore.exe	44
PID 1156 wrote to memory of 1676	1156	iexplore.exe	46
PID 1156 wrote to memory of 1676	1156	iexplore.exe	46
PID 1156 wrote to memory of 1676	1156	iexplore.exe	46
PID 1156 wrote to memory of 1676	1156	iexplore.exe	46

C:\Users\Admin\AppData\Local\Temp\16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\16451a2b747c2c7f9715cba0044b830b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.guarddog2009.com/register.php
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2772
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:209936 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2864
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:406546 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1932
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:668692 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2996
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:668714 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1720
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:734238 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2728
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:1455138 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2072
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:1193003 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2140
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:3879988 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1628
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:1389640 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8fbd6783ed43748eb514077cd9e9791

SHA1
a10d0c452f697332e573179bb7b4abf3b82edeed

SHA256
fcd01c9df6f6f41c6f490b27eebd14762ab69b78bb133c867a724bc00f56c418

SHA512
11c384dbcdd999e84cc58842a998d50c447154bcf34aa54ddf8ea22a5bc39be9bd114fc91bd49510e6428b537f0c26f0e14eb8d13009fbd89b21443668dd112d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec838fcdddcd1d9667652d2e67ecafb3

SHA1
9188dddfeabe21f2ab3feee4067f9a029d14a54f

SHA256
5ae15c8a78ef9d1c2c208e46887d4faf5f6451668ecb96b22633cfb6e83a03b7

SHA512
149b916f4567f2068861374c1e86efe57059001bd0d4f2a4f6152f9f19c7f989183f73a4bc5079c02fcb4f57b42ef418c9a653042db38ad7fc73a4b336f7037b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10734e3424ee90ea0b800b0488107ea2

SHA1
8805c452021d14f769fa52a7b32e07d769ac752a

SHA256
776a1fa1136512ee758f7d40fb250c71a8520af17e9d48e670960a3468d27ac3

SHA512
c5803f04d65044b33cb6c06a647a0d171b2a4185e259f8890c2a6aa9e07aa21bcc2c189617663ec5062146d87e2368b3b2704118731730961141d0b77a0c50a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
624de6286b20dad2923164967667660d

SHA1
41fc953ec513175bcc7c16bda8d907dc19d8a522

SHA256
f474fbfd3783d71242363118d7742a5297c4e3d4e0031f3802814cb8309b212b

SHA512
5ccf97aacb04e50e63d099e67f27626fbe484ada05b7efdd3126a651dd6c65e178cab08025e247ec12ff40492f2093dc511b1f7ec92e43f361df336060ee847f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d83ab11a974b4902c026cb6ff389316e

SHA1
c04e6949b47e6a16696e041c8482bc480f36632f

SHA256
8d635872956a69466349ac59a1ee5cd176fcb4eaf6e712fddc9bb3404ea8b8e0

SHA512
86ecfd53ff4bc50e3276321d232efc8e44fabc025df8f628f479afeecc549e1dfd3a0986dad630e8fbfc189afa759f2d0562f3ddc21135b52212d3166c4e3eb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02efa7390947ac84fb8c6933e81712fa

SHA1
80d029d2cb123c959d365160a54659415f69e45b

SHA256
724d0847ef73e8ad893f0d08da11c0167d92572bf7112c04cf04e87c673161c8

SHA512
789d7be86132b5e54b4c88e491b42ff5dbb45c0dc61ff2e0a92b5e0345cd9d00bf0fccb5ac786e6d8c32ff52887e1df89e26e2ffd6171d7df935e70b8cae53aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1baa56d2457d909f29519cd07752242a

SHA1
45bc55da33fcee74b19b3aff5e97a36576721faf

SHA256
ac28e0c66704b4938fe6a8174fb551129b490c78a84db9eb6a4b0531c73dd635

SHA512
a734d717a357fa0330d35d5cb7e868544d10a26efa64fb8f2315f7043d0808168c77d1f968562f080cd8921ed3fba7f648a44f0e6341d4997b70188629320d80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1251816b59f4b0ea4ada9c296c3ad38f

SHA1
49b2b8072cf33e6e6a23b25e0b653fbdfa322e0e

SHA256
79cb4a168a1b30fe86db6d2b4b864c01787cd3a7c50513e89775210e1a16b5dc

SHA512
9ddcbe25874090b4c7a2fce013d00c97bcdc07d79b85693487d890a5b67ccd54626f09ce8fcdf4c1d41ecc7d0410429e95b349923aecf1106b114ca971549767

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73310584622ff43e2db5c1e8af7b34d6

SHA1
fd28d56ca5e9310c7f90f19cad54aba5a64137aa

SHA256
a734eb1544c75431d6416444935e34f9c6e1e56dbcfd2b9c9677291e16409602

SHA512
5ce464660d921dd8907668ec338ede02b231c14f36308359d98df937462485ea7054bb8bccc27d277a2e47a0dc52ee7ce673096d73f035caef9e6e8ecb500ce2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1454de914efa24a7b92584e7e0afc7be

SHA1
73e3538847acc9db648922faed08c6a1fc7db204

SHA256
59eb2486cfdc51cce1db675fbf760feff40bdc9c324f05d9ed989313bb1ae22f

SHA512
847e125bd97a724d26c97dfda47640b0125dcbc748aa1fa250edd2ebc79e7e3002bcadcb6f19011f1a16d59a881537defd5c6a372ddc5643530830961d63be09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d21f31c2175438a6584fb1802797e16

SHA1
faf5eef73fef8989f1b97ab05038a8311fb3069b

SHA256
bf0a87df2a7bd1862c23c2829a39a74dd71dba96edee8ac8de047ccdc934e484

SHA512
9e3c26c0a34a70f9463ca545037daef6a7c4c0abbe8b7749bde35f5d4181b7b2edfe0b593695b7a7c5f2aae0f5ef96064d21f791b7fcea995e617f3cfe875c4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11a06e8ac4160f6b8e3ce9ee3553d175

SHA1
a5b8ea8ff44dd092cfa38ff45147e76b65ef1ac4

SHA256
ccaca7855eddd92bbe0e42c8da66f4e54e427b564a2073ea9d1dd33069e54576

SHA512
c42de1961a6b03a87da06fb6472c3feb90402b25258e9a0339d2070373d3f5d26a6429ee3b9977efdfa4e0177e47864090d5c459f3e6ff8a9f3c7aabf620ac75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
306a6b6eb8c087910b0b69353c9d4fd6

SHA1
4c1ab33185e20fd7278853ffa9f55488bf08b624

SHA256
11b880b3150224f5e20d98509e950b95407190a1c8e26be728437b40604bdb77

SHA512
9e5ffee8adc9631176258aea04b665112f975dc2d76de487e1c90ac87527a374e1b8bbee52615aa7c414f083d08245021dbeed2448e485f86648d23900f5a3c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad3ba4becab0d309beb68fc0442a7955

SHA1
08e3f37456f038c4c6bfc286b8aedb838f290cbb

SHA256
a36531cbc6d6d6b74c0d2cd7a23056ad0ac99e4c68b67d6fe62aea2f5b866516

SHA512
96ac3a0a10510ad276baf04f4d72c0a27e97029241b3eac38506819e8c15f73c148adb9e4139c71ea746bbccd1637bdf1a1b573134cd067357e9953c09a89280

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e34ecb3e1a813f79bd559092db6d4d3

SHA1
969a8c979ae6e3d344b4d6c0515f7c288a8cd7c1

SHA256
9dd161f1a9fcf372c38ebb8004466a9ebda6d72fbacb0954bfe0b53070bf8c1f

SHA512
9704daf28493fa149cd2af39cc2e1508791cf94f477d9c2c2ed6f758cefb23a7e5a60b59b351c7f79dd9a2a29ea36aafdc18e92bd2eb3e5e19d5353f654a5b45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f72a9eef2ea5ba0caf4fd2f9f68edec6

SHA1
4aa895fb9da510f4d8a8f2d999efa4af6eb919f3

SHA256
9e36ebca327a96ba8c00f3fbb0bb897c2ad07c6967591294e5b5708dc98b1539

SHA512
df5f91a74f12d8f72e864cdca618b7ab90592adfdd73f958e67a03b6bb95037b2d109a6075a30d65c007ad117ace970e5203ed39244fc37221f590b52ab8b1c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1dfc6dd5c9130da2b533455438b3e17

SHA1
127d37ed7b41bdea0a0491703d91ff8994a35150

SHA256
8db67efe220abf0c690afc5b90c65d44315a25c9d9c5e8722fa84a686981d11a

SHA512
0cbc2021cdc767101e76b3c805afecc44c77d18ee5da2dcdd5c413ebde910f5cfe3872708808edf1d81ec35aec8e49568f4247cd37cafca4257dcac852f2bf68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5358c7ddb25d2bc6e07e20c4a27b8ae

SHA1
cbceed9d999c2974b18a33fb07acdf69fbc07bbe

SHA256
503144f7909388d184493a9bcf88e2f8c6919c2bca1f68fa511f66b20fdb395e

SHA512
4e2b7fd81b3be9d873ddf2018ae4d9d01fc250e685d442720f2ceaa1b4d5818119974757fa87130ae332913088e7ac13563603b669ef8a759da354baebc1e532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A8DU897P\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HWTP8BNA\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R3JK00ZJ\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z5LT06Y3\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab36EB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar376B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2456-6-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2456-473-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2456-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2456-0-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2456-459-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2456-450-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2456-3-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2456-4-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2456-5-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2456-7-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2456-8-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2456-34-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download