ea1b3fdd68a2b5827e7c4b8548a553cc9df1f5d8dba3335b2c84b1679027722f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 02:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

186b2a80e5c20d2c0fd77b24ba36dde7_JaffaCakes118.exe
Size

1.1MB
MD5

186b2a80e5c20d2c0fd77b24ba36dde7
SHA1

d261c944359f842c34bf0b72697d580ea6a4a372
SHA256

ea1b3fdd68a2b5827e7c4b8548a553cc9df1f5d8dba3335b2c84b1679027722f
SHA512

5177cc41c32f3c731feca63fab78125370f9a09ab3e04ac51d9facca3883f9ae94e365a75f6e89576408336476c23d8b35c262886b9fd0e442f5ec1f0edada1c
SSDEEP

24576:U2tRI9/1APmu085qJYb0BmBJ1UIEqLM7rwM+vW0FMteag8tU0vimIA+sIG+rL/u+:nI8wNBm1as+ib6gagSUk3zxori+

Score

7^/10

persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000233d4-28.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	186b2a80e5c20d2c0fd77b24ba36dde7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe

Executes dropped EXE 2 IoCs

pid	Process
4404	p05.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe

Loads dropped DLL 3 IoCs

pid	Process
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000233d4-28.dat	upx
behavioral2/memory/4924-32-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/4924-34-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RunmeAtStartup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\p05.exe"	p05.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\x.dll	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
File created	C:\Windows\SysWOW64\Cao.ime	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
File created	C:\WINDOWS\SysWOW64\xvhost.sb	p05.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3309307861"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3306651669"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115520"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b02cb7c500c9da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F0B0564B-34F3-11EF-92F1-56103091DE06} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426305753"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31115520"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3306651669"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c071b2c500c9da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115520"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e387b9b7780e241bd4d2d5013251a2f00000000020000000000106600000001000020000000127de79d02576ab293c03a5ad428b9cd2a2c2e8516b8176ccc4135b32bc83fc1000000000e80000000020000200000008d2fbde674e1b810523b741447a42efabdcf00f55237d6b9ec06381f4dd9c30720000000b189a1cf432410d44fa3bdab35e21281a203d3aa5b98e88b44c9290ad0ea092940000000420530fd739a917078d67af31bc41ca4d388b8ef44b7b813c81e66c8ed428e71e646bcf559dd6038c87721adabb53a05f27a05f988d32683d53ee5054d1532bc	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009e387b9b7780e241bd4d2d5013251a2f00000000020000000000106600000001000020000000cdb29d416115d6a915b17092ce138df70794eda828273faebe723c537d6e31fd000000000e800000000200002000000049e3a56cce69a7aa1e4e9231436d81195b76a18af828a02e2cab7fca038127a420000000e2572758c805d924578cf85b7eb1633fe450d8887f625cfe2816cbbc3dc3ce0340000000318d4a39e7cbc58250a2b6a076156aa2563a03b98cc96b4e45d8513c2a0d69032193b74fbe8bf9a490a1208bf879da2a5c2aa7cb79d34acf7fa052a694b64118	iexplore.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4404	p05.exe
4404	p05.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1076	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4404	p05.exe
4404	p05.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
1076	iexplore.exe
1076	iexplore.exe
1216	IEXPLORE.EXE
1216	IEXPLORE.EXE
1216	IEXPLORE.EXE
1216	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 4404	2740	186b2a80e5c20d2c0fd77b24ba36dde7_JaffaCakes118.exe	81
PID 2740 wrote to memory of 4404	2740	186b2a80e5c20d2c0fd77b24ba36dde7_JaffaCakes118.exe	81
PID 2740 wrote to memory of 4404	2740	186b2a80e5c20d2c0fd77b24ba36dde7_JaffaCakes118.exe	81
PID 2740 wrote to memory of 4924	2740	186b2a80e5c20d2c0fd77b24ba36dde7_JaffaCakes118.exe	82
PID 2740 wrote to memory of 4924	2740	186b2a80e5c20d2c0fd77b24ba36dde7_JaffaCakes118.exe	82
PID 2740 wrote to memory of 4924	2740	186b2a80e5c20d2c0fd77b24ba36dde7_JaffaCakes118.exe	82
PID 4924 wrote to memory of 1076	4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe	83
PID 4924 wrote to memory of 1076	4924	CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe	83
PID 1076 wrote to memory of 1216	1076	iexplore.exe	84
PID 1076 wrote to memory of 1216	1076	iexplore.exe	84
PID 1076 wrote to memory of 1216	1076	iexplore.exe	84

C:\Users\Admin\AppData\Local\Temp\186b2a80e5c20d2c0fd77b24ba36dde7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\186b2a80e5c20d2c0fd77b24ba36dde7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\p05.exe
  "C:\Users\Admin\AppData\Local\Temp\p05.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4404
- C:\Users\Admin\AppData\Local\Temp\CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe
  "C:\Users\Admin\AppData\Local\Temp\CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" www.288wg.com
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1076 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
fa34ecb8815a2d98849888cb1cdbf38b

SHA1
84fd0e04586009efb3683c98da8d9aa41487cd42

SHA256
5077a54924f80491a74ed78bbd73ff7bf85a27caddb80ceaa9ccb86f8b9a11be

SHA512
ccfdb76ccedd0076601e17272d346229e2b9c0dd884c09bb7701b32c5dc177da8a91bb539ce751297d8ea44716fc497e8a337a9499c93a474ba85915f28f1053

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
964c5d8ffa8987fea87acc246847e31a

SHA1
75ac6da094f19a6ae5cfd4ad3c556731765362de

SHA256
a4bff002e7dd9b78ba8c711cb07c18f50a8d4779b83fc0653528d3c11c652ba8

SHA512
443c3eb4ec0f8b45048957bfc0a6c8fb3606dac0e50f957c5a45a689bf842a104234c49eb75ffd4954cac7db29eec5ca67c1a62ef47d9c8183a6aab6d6005af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6TQEXKX3\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFÓÄÁéÍ¸ÊÓ¸¨ÖúÍø°É¼ÒÍ¥Í¨ÓÃÍ¸ÊÓ°æ0801-1.exe

Filesize
2.3MB

MD5
dda546e1af9d06be22f297f9002c3ddf

SHA1
b579543d54b3b896e9b36304303b837e4ebe52d7

SHA256
186425e746ce8dc73aab12ff95db64ff5842eca4f7b1ec4ed18008a5c626d860

SHA512
0ba778bc4d1d94c58672fa15820abf8e1d86aae3683aefcee4ff07e72913010c8722e99ba37acb4cfc2c67ac4e191e082db47e04da493b0157e21eadbd14ddee

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\p05.exe

Filesize
20KB

MD5
2fdf86b42ec2ca655aa5b94392d40856

SHA1
66bb7a6591ffca75ec19df000d4ff36f60066a3a

SHA256
489be3a7e03abe4741b12eebf1c3175fdd4cf3ec726a55aaaa74b86cd3eeb4e5

SHA512
9d538b29b8ac16064d4b1d25e7e60a9870a655cd1bcc18846fd90b5b348462cfd04610cc9dd68cba8a6a05b3e44cbe7f2ca350408b789a7cb7ce624a89940dfd

Download Submit
C:\Windows\SysWOW64\Cao.ime

Filesize
52KB

MD5
b60da4e2e5aceba3ce3d87ee2cd872ee

SHA1
9bbdbf1f3ce2c000a86e0473da756a4b1031db41

SHA256
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453

SHA512
664d6f893484252b339ff8f413a4cf9da9b0ef82ed74b097ba86a5f00b4d9740eef6e8a5b81e8be7e82ae4009928097baf15e65a03f31c4b92e44f593ce39874

Download Submit
memory/2740-25-0x0000000000400000-0x0000000000517111-memory.dmp

Filesize
1.1MB

Download
memory/2740-0-0x0000000000400000-0x0000000000517111-memory.dmp

Filesize
1.1MB

Download
memory/4404-12-0x0000000000400000-0x0000000000405AA0-memory.dmp

Filesize
22KB

Download
memory/4924-32-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4924-44-0x0000000005570000-0x000000000557E000-memory.dmp

Filesize
56KB

Download
memory/4924-33-0x0000000010009000-0x000000001000A000-memory.dmp

Filesize
4KB

Download
memory/4924-34-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download