9a3b156a6d13803c1df8c3d19d8e092f13806495725e865dcb425ef8928cd01d

Analysis

max time kernel
148s
max time network
146s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a61ecc7451fc6b89a990e0d6eb37fe1_JaffaCakes118.exe
Size

547KB
MD5

3a61ecc7451fc6b89a990e0d6eb37fe1
SHA1

4b9ab7d2d5bbe43fcad52fd8725fb1d561e1df29
SHA256

9a3b156a6d13803c1df8c3d19d8e092f13806495725e865dcb425ef8928cd01d
SHA512

107225f37da1c98453e3ffeee904d5f35c0a7fa599e80b67fbb55e97c29b59e3b6c6951929328fa9b747952b6b55e0b605b810f93a2cfe3cfde16a55c732558a
SSDEEP

12288:WSIR5XjSPMsB5+Imt1tiZZF3Z4mxxN9A3fxBeJfk1E:WNDzSPL+Imt3iZZQmXNm5EtyE

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2248	Hmily.exe
2804	IEXPLORR.exe

Loads dropped DLL 2 IoCs

pid	Process
3040	3a61ecc7451fc6b89a990e0d6eb37fe1_JaffaCakes118.exe
3040	3a61ecc7451fc6b89a990e0d6eb37fe1_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3a61ecc7451fc6b89a990e0d6eb37fe1_JaffaCakes118.exe

Drops file in System32 directory 61 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C8551432-3FB8-11EF-9168-6ED7993C8D5B}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPLORR.exe	Hmily.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{86BDF0F1-3FB8-11EF-9168-6ED7993C8D5B}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B372C3F2-3FB8-11EF-9168-6ED7993C8D5B}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\IEXPLORR.dll	IEXPLORR.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{86BDF0F1-3FB8-11EF-9168-6ED7993C8D5B}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[2].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9E953672-3FB8-11EF-9168-6ED7993C8D5B}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9E953671-3FB8-11EF-9168-6ED7993C8D5B}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B372C3F1-3FB8-11EF-9168-6ED7993C8D5B}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C8551431-3FB8-11EF-9168-6ED7993C8D5B}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{86BDF0F3-3FB8-11EF-9168-6ED7993C8D5B}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8D1EE030-3FB8-11EF-9168-6ED7993C8D5B}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\IEXPLORR.dll	IEXPLORR.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\IEXPLORR.exe	Hmily.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{86BDF0FD-3FB8-11EF-9168-6ED7993C8D5B}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DD350311-3FB8-11EF-9168-6ED7993C8D5B}.dat	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\IEXPLORR.exe	IEXPLORR.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2248	Hmily.exe
2804	IEXPLORR.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "aeima9q"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 0a000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e807070004000b00130006000a00b302	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807070004000b00130006002d004d02	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Flags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-4c-49-24-bd-5a\WpadDecisionReason = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e807070004000b00130007000e00e303	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "9"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e807070004000b00130006000a00b302	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807070004000b00130006000a00b302	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "9"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Version = "*"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 70dd3949c5d3da01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7E54066F-71B5-424F-9407-693949C44011}\WpadDecision = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-4c-49-24-bd-5a\WpadDecisionTime = 3092e14ac5d3da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005dd77e3c8c27d14b91d373d4eaab90ec00000000020000000000106600000001000020000000d37847523a34ea3fe57e1444ad5a309c674dfca8f9da7dfbe364749b7981ff89000000000e800000000200002000000014874f72a8cb04b2f58f1cb20300a98ce9bf7f2abded00fab891d4cee993456250000000fe15be051cdfa6bc45b0355148594878463758507934aa30fa2b9d6ba537e37889c645578fe74a27a2799a7523948f2449011abd0d87bb18c452b34c5d70569dba8a6355f8a23b04bb3d44b7f7d9d8c1400000000d5d5ca4ce5d329ef75381210ed03d7d7e8aa28bd2c5d5462b1c716997fa196cc312f90302aba25e151ad2252b87fe8618dec745753552c628abf70e24bd6b7a	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "4"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 000000000000000001000000000000000c000000000000000a000000ffffffffffffffffffffffff	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	IEXPLORR.exe
Token: SeDebugPrivilege	2804	IEXPLORR.exe
Token: SeDebugPrivilege	2804	IEXPLORR.exe
Token: SeDebugPrivilege	2804	IEXPLORR.exe
Token: SeDebugPrivilege	2804	IEXPLORR.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2416	IEXPLORE.EXE
2416	IEXPLORE.EXE
2416	IEXPLORE.EXE
2416	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
3044	IEXPLORE.EXE
3044	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2248	3040	3a61ecc7451fc6b89a990e0d6eb37fe1_JaffaCakes118.exe	30
PID 3040 wrote to memory of 2248	3040	3a61ecc7451fc6b89a990e0d6eb37fe1_JaffaCakes118.exe	30
PID 3040 wrote to memory of 2248	3040	3a61ecc7451fc6b89a990e0d6eb37fe1_JaffaCakes118.exe	30
PID 3040 wrote to memory of 2248	3040	3a61ecc7451fc6b89a990e0d6eb37fe1_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2984	2248	Hmily.exe	33
PID 2248 wrote to memory of 2984	2248	Hmily.exe	33
PID 2248 wrote to memory of 2984	2248	Hmily.exe	33
PID 2248 wrote to memory of 2984	2248	Hmily.exe	33
PID 2804 wrote to memory of 2084	2804	IEXPLORR.exe	32
PID 2804 wrote to memory of 2084	2804	IEXPLORR.exe	32
PID 2804 wrote to memory of 2084	2804	IEXPLORR.exe	32
PID 2804 wrote to memory of 2084	2804	IEXPLORR.exe	32
PID 2084 wrote to memory of 2856	2084	IEXPLORE.EXE	35
PID 2084 wrote to memory of 2856	2084	IEXPLORE.EXE	35
PID 2084 wrote to memory of 2856	2084	IEXPLORE.EXE	35
PID 2084 wrote to memory of 2856	2084	IEXPLORE.EXE	35
PID 2856 wrote to memory of 2860	2856	IEXPLORE.EXE	36
PID 2856 wrote to memory of 2860	2856	IEXPLORE.EXE	36
PID 2856 wrote to memory of 2860	2856	IEXPLORE.EXE	36
PID 2856 wrote to memory of 2772	2856	IEXPLORE.EXE	37
PID 2856 wrote to memory of 2772	2856	IEXPLORE.EXE	37
PID 2856 wrote to memory of 2772	2856	IEXPLORE.EXE	37
PID 2856 wrote to memory of 2772	2856	IEXPLORE.EXE	37
PID 2804 wrote to memory of 548	2804	IEXPLORR.exe	38
PID 2804 wrote to memory of 548	2804	IEXPLORR.exe	38
PID 2804 wrote to memory of 548	2804	IEXPLORR.exe	38
PID 2804 wrote to memory of 548	2804	IEXPLORR.exe	38
PID 548 wrote to memory of 784	548	IEXPLORE.EXE	39
PID 548 wrote to memory of 784	548	IEXPLORE.EXE	39
PID 548 wrote to memory of 784	548	IEXPLORE.EXE	39
PID 548 wrote to memory of 784	548	IEXPLORE.EXE	39
PID 2856 wrote to memory of 2672	2856	IEXPLORE.EXE	40
PID 2856 wrote to memory of 2672	2856	IEXPLORE.EXE	40
PID 2856 wrote to memory of 2672	2856	IEXPLORE.EXE	40
PID 2856 wrote to memory of 2672	2856	IEXPLORE.EXE	40
PID 2804 wrote to memory of 1308	2804	IEXPLORR.exe	42
PID 2804 wrote to memory of 1308	2804	IEXPLORR.exe	42
PID 2804 wrote to memory of 1308	2804	IEXPLORR.exe	42
PID 2804 wrote to memory of 1308	2804	IEXPLORR.exe	42
PID 1308 wrote to memory of 1336	1308	IEXPLORE.EXE	43
PID 1308 wrote to memory of 1336	1308	IEXPLORE.EXE	43
PID 1308 wrote to memory of 1336	1308	IEXPLORE.EXE	43
PID 1308 wrote to memory of 1336	1308	IEXPLORE.EXE	43
PID 2856 wrote to memory of 1800	2856	IEXPLORE.EXE	44
PID 2856 wrote to memory of 1800	2856	IEXPLORE.EXE	44
PID 2856 wrote to memory of 1800	2856	IEXPLORE.EXE	44
PID 2856 wrote to memory of 1800	2856	IEXPLORE.EXE	44
PID 2804 wrote to memory of 2180	2804	IEXPLORR.exe	45
PID 2804 wrote to memory of 2180	2804	IEXPLORR.exe	45
PID 2804 wrote to memory of 2180	2804	IEXPLORR.exe	45
PID 2804 wrote to memory of 2180	2804	IEXPLORR.exe	45
PID 2180 wrote to memory of 1296	2180	IEXPLORE.EXE	46
PID 2180 wrote to memory of 1296	2180	IEXPLORE.EXE	46
PID 2180 wrote to memory of 1296	2180	IEXPLORE.EXE	46
PID 2180 wrote to memory of 1296	2180	IEXPLORE.EXE	46
PID 2856 wrote to memory of 2416	2856	IEXPLORE.EXE	47
PID 2856 wrote to memory of 2416	2856	IEXPLORE.EXE	47
PID 2856 wrote to memory of 2416	2856	IEXPLORE.EXE	47
PID 2856 wrote to memory of 2416	2856	IEXPLORE.EXE	47
PID 2804 wrote to memory of 2768	2804	IEXPLORR.exe	48
PID 2804 wrote to memory of 2768	2804	IEXPLORR.exe	48
PID 2804 wrote to memory of 2768	2804	IEXPLORR.exe	48
PID 2804 wrote to memory of 2768	2804	IEXPLORR.exe	48
PID 2768 wrote to memory of 2132	2768	IEXPLORE.EXE	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3a61ecc7451fc6b89a990e0d6eb37fe1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a61ecc7451fc6b89a990e0d6eb37fe1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hmily.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hmily.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\\delmeexe.bat
    3⤵
    PID:2984

C:\Windows\SysWOW64\IEXPLORR.exe
C:\Windows\SysWOW64\IEXPLORR.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:2860
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:275457 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2772
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:275467 /prefetch:2
      4⤵
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      PID:2672
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:209952 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:1800
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:668689 /prefetch:2
      4⤵
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      PID:2416
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:734245 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:3044
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:784
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:1336
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:1296
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2132
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  PID:3000
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delmeexe.bat

Filesize
201B

MD5
725595be191e3081109f41536e25bca8

SHA1
af141a6f5e12d261921bd52ae2e9460b1bcff46f

SHA256
edeeee0fb5e51d3f0e405ba2634111697409f05a8264cb7a400529f628833e71

SHA512
27444fc15e2554391e99278a183e23c57d076fced917615f4b6314cb8f948ce34a0a0ba8bc0b7e0b90d5190114e3dc626a850824af1e625f08c75857bccaa94f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
b270d77b06678f15f9e7aafb31954a5f

SHA1
0365ba80a0fc2df73cad328e1dce03695b4c5841

SHA256
abfc71b7c688353bddb459a558703fed3cf172b1d09cc7c338afa924a9ed9fc0

SHA512
4e2683b918eaff664e585de3fa1da838b103087cb2d3175f0b285907c806e483d61b8068627fbc6223523398f36dff9197a9f9d713b4d5009545ca141395418c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d7fa35a89fe03885f8f5038df60d941

SHA1
0d7846079d327a6f4bce0a345dea9b2f8f6718d5

SHA256
7ed2182cbfb9905178e792da74a6e074f7014986f5edb374b4a6e0be02aedffd

SHA512
8599e06322f44191590c00b60763f52d2dcbfafac1e7056ceb48e3622f93f0aa23355066eb7dce1281583a59267640467905572feee4442891c67930335e1974

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c0081a91135a3637af438c5622e921b

SHA1
bd97f9f7164b7c6f1d6c4cf1f296f07c89cda261

SHA256
7f97680e89f06ddea18fd88020ea890e436bd639e99671f1dd6daa182654a4b6

SHA512
685031b067b3cd6739c4c71c3fbf3296d2d062e537ba0fff55be3cb986f53bea1bec907a7665d16be53f052f32be8b55b1c474cc22433a223c8732c3ffd36799

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb58bb6b979c08af718ea5d55d3a1efb

SHA1
c0c6f60aeb54023211d0ad71d04dd6af6ce6f0fc

SHA256
953b9cbfd1d77e3cefafd367e482b563b49e2e3b0d8cb8cdf44e2019e9ca835c

SHA512
4030903c1a2de36bae9370a6db5f672495046a3ad2fde2fcbcbbc7f49d7eb30e0c3911c131f8701ce8af332b102b7e2c0d9c347ec701f7996aa51f2106c50078

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
238e6c752b578385ad85bcfa1843760d

SHA1
1290f5a1895e00d27eaa94b1c56c2ed6dbb317ee

SHA256
48de038f7773a3f3887d47b0c8c2d8ed611f2ead2202ae205265e301e4adb67d

SHA512
0b34ed99fbd195cc2d39b85bdad77ed2152d5f1eb62fdd95e0593c32bf44a6a5a4bd15c2e8d2fc7f4acc2d85f72406578444ecb074408ac577e6787089729194

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
962ffa3e61f3134e667444b6367349ba

SHA1
37d5480312287808922ce215ad37a7d0ce43d085

SHA256
8057e5a54255e4fe3107271bec7195815f1884615261160e00badfb05101a01a

SHA512
916cefcfcb2df082e5a467506dcdaecab3de55095fb886deef9f6fb09ca563b04f0dfc6d62c8877536157b5bff3366e4650570816894f7526a27a30a36373198

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abb51c9f5a4f567e860635aea494c49b

SHA1
37f060aa993fce08c42db2036dc02af1beb6b1f8

SHA256
bc3721e90c7a2f06b6d790bdbe3e0cd0e7c0492f071cf808b675e6ecfac72ff3

SHA512
95e644f47c3990b95c4c9616969f38be811236a9a1da3cb4d46ecbea24eb64b4d0c3980a488fc37fa483ae4abc6a379cffe349dc00345adf3181cacf91c2023d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2abc5c55d5e97dee9377026f3321e11c

SHA1
2e2a0b3837a9779b06c3bfc8f6af842284c05f16

SHA256
6d0e1154b6948c78d4ac320e2ded05629564f9378c8e53f44473680892e77a6c

SHA512
80f3a004fa2687027f16e215c2594ed8fbca19843db7fc7f556cd9f9a99c7ce2230b52c968d11102f2f22dcefd6bf9fa68fb2984f780c366bb9697641f643b53

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d61e3ce167777ad54f7912a8c064151

SHA1
160c644a03603ac4c4399ca1947e4f4062e1859a

SHA256
87aac26bf032186bddadf22d8d10e0b3e61d57b80b38b18f14d02c804a03347e

SHA512
f3df38bd071f4b6f02f9d85604743493c5742ddfd82de3f3695881b0ed9b4f8f39c896c267b1f6ed63d1d20613c09eec696650fbf6c551eb86a8aa53415c264b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7efff492adf7fd0684cdba0eb836a39a

SHA1
d83b8e63c77bb68f1473eebcae414c6e973a6ce8

SHA256
11e2e6d83cb7b0c73dc8539b4dbe51fe0bcf254c1cab207b52d6f052e0f3fdef

SHA512
db6eae626591dc04ac66c0571f318d9d95e226c9df6d794351ab61947bf1c849e343797107776c981df9e1f861db58caa1d55323da61319e7f8ddedbaec356f4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d75fdf66fa8ba1b9edc73ee065ee1a49

SHA1
b473d2f6d2c3844cb17ac4e02128fefc2795cb99

SHA256
500cfd0cebb740cb3f8d8840ff01734e5a034a552a0f289c8210fbbbb87ace8c

SHA512
40b113752737119059c60cf5c7f7536fa671351a12ca0723fe4e51c54dcef655f01b82af7be526da9ab3e53c72759821768b9fa96d25f20d16d9b0f2da19d859

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b85cf2c541b06df6ec2b0d9bc756ccb

SHA1
55187f836be14a30cfb0a2d4cbd9cdcc11bf578c

SHA256
ac91feb280959e883864b39c0b35bc317bb7fb06c0979c5b87a969af1dbe1569

SHA512
bff75c4b461be892f8ab25837eff48950dfeeb34528c532fc34926b1382650fbb628080f57ff5494f0e2a4738c35170679969cdd62940d6ea7f88e77e3f3132c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
85c016f55f103376bcd62c909f170a8e

SHA1
f9223d228f05d98552bcbde3ce793a5337116786

SHA256
97eca1a6ce88fcc81a819ad9963a1b1d94ea446d362370cd2efdc83e9d4d8c95

SHA512
069233ebaef5cb1f7d816ee1e59bc96c56da9a17c3d62e4274b8ce6920d788ed7389a19c798ac8f77f2d29bc3ffe09d2f3a722c84cb95509ae4302fa242ad00f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
174B

MD5
1971d71c62ea75c4f433476600caa4f9

SHA1
428e9b5498ba9746c123ebf3ffd86a14f73878f3

SHA256
3f7e7774532126e2c175de962ce9d620471f4ac75463457e1b93ab615abd4de4

SHA512
88667b670c3ffc78b442e0767ca0ea2c1409b8a2c5f18e69496831f7bfa7496e54843819fe725eda06de6deca9ba9dd769d4b5f3ade4126905ed3b1bb6f94422

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabC4DA.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\CabC5DA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\Temp\TarC4DD.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarC659.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hmily.exe

Filesize
176KB

MD5
f10ac3bee7fbad2c6fab776eb66f604f

SHA1
3ce3fecc8b5ebb2181f99248eb9e3f1553844891

SHA256
5fcf7bbb958e6ccd08f816413dc456cae08fa9027f2987fa7f638bd5cad58524

SHA512
d3b19e6ef2dba143f33db2f372e69a4065b537dea48a95982659167dae26b951e8deb6e1b66a0039e889be3e04e34c986bc97e224dcadd7b0342e6495d0a4980

Download Submit
memory/2248-61-0x0000000000400000-0x000000000044FE22-memory.dmp

Filesize
319KB

Download
memory/2248-44-0x0000000000400000-0x000000000044FE22-memory.dmp

Filesize
319KB

Download
memory/2804-49-0x0000000000400000-0x000000000044FE22-memory.dmp

Filesize
319KB

Download
memory/2804-757-0x0000000000400000-0x000000000044FE22-memory.dmp

Filesize
319KB

Download
memory/2804-1374-0x0000000000400000-0x000000000044FE22-memory.dmp

Filesize
319KB

Download
memory/2804-1364-0x0000000000400000-0x000000000044FE22-memory.dmp

Filesize
319KB

Download
memory/2804-765-0x0000000000400000-0x000000000044FE22-memory.dmp

Filesize
319KB

Download
memory/2804-762-0x0000000000400000-0x000000000044FE22-memory.dmp

Filesize
319KB

Download
memory/3040-10-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/3040-14-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/3040-28-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/3040-27-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/3040-64-0x00000000001E0000-0x0000000000234000-memory.dmp

Filesize
336KB

Download
memory/3040-63-0x0000000001000000-0x0000000001098000-memory.dmp

Filesize
608KB

Download
memory/3040-26-0x0000000003100000-0x0000000003103000-memory.dmp

Filesize
12KB

Download
memory/3040-2-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/3040-3-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/3040-4-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/3040-5-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/3040-6-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/3040-7-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/3040-8-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/3040-9-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/3040-31-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/3040-11-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/3040-12-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/3040-13-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/3040-0-0x0000000001000000-0x0000000001098000-memory.dmp

Filesize
608KB

Download
memory/3040-15-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/3040-16-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/3040-17-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/3040-18-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/3040-19-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/3040-21-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/3040-22-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/3040-23-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/3040-24-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/3040-25-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/3040-33-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3040-38-0x0000000003880000-0x00000000038D0000-memory.dmp

Filesize
320KB

Download
memory/3040-32-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/3040-20-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/3040-1-0x00000000001E0000-0x0000000000234000-memory.dmp

Filesize
336KB

Download
memory/3040-29-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/3040-30-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads