1dc6def7e8fad8ba50b5ee2f9d562365c191669dae21d074df78379a84591774

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe
Size

50KB
MD5

45c5e6b1e676bde67767bbcd73733f36
SHA1

9588d40a0f5c37f750b86769fbebbfc24c059488
SHA256

1dc6def7e8fad8ba50b5ee2f9d562365c191669dae21d074df78379a84591774
SHA512

acd54282f421b4a760c4bf5687aea86f0a990d9c2d52c9d5cc31e11ce55dd4ef6c8ced71bd3954e8a25a64265e1a0e3f143946a3ff782d20d093d807da442bb4
SSDEEP

768:/cVJYDePPUXb5CKvjmAbDC/OhRjMss59QLfN2ssvVEyewqHB+ohL3quOlsCk:wqDQPUXb5zjmAK/ImmZ1s+yewqwtlLk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1628	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1868	insF067.tmp

Loads dropped DLL 2 IoCs

pid	Process
2772	cmd.exe
2772	cmd.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\winRarExt64.dat	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c7000000000200000000001066000000010000200000003d78370e233725c42589238075dd8665cb00a96b4deaeca9010295351f4100b8000000000e80000000020000200000006cfabd512c34b5af5774e6339eef25cf9e4ba5616d5c7b8956f38b4beed22ec7900000002e758c26e3ccb4f6e76f65b31b0afac13057c254bbf9ec87ccf47e0a82e383e61ccc6df4eb4cd284ea07c6b73406deb51a58ac1779acd906386ac02347a26a5e62c1ac728078f8129c01a47c6ee04f661e87d5a7593898e67d3d051583114b3b9f102ae4e6547ef5c3c795a87a9aa0c88834ebe0a6f71b03b17d082ed56dfc4647837f5ab74bea32c57a719734ade45e400000003545ecda92b8f636a08a537de61ca9ce5e23f593c79a75d770390a0a558e11e8fe449baa7b9d608272f9cfec597f6beddac45f30d551c05d4cdaf120828c5fbf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427121205"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C79EE511-41DA-11EF-A2BA-566676D6F1CF} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b04f129fe7d5da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C79EBE01-41DA-11EF-A2BA-566676D6F1CF} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C79F0C21-41DA-11EF-A2BA-566676D6F1CF} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c700000000020000000000106600000001000020000000bb5516b0328ffad5fbf1fd6e2677d85f46a8be703f656513bcc0f9ea127b1769000000000e80000000020000200000008b560539b4759a870feaf4d53cda061192e7ad24106d92ee132313c6de101323200000006ea0bcf62ef34a9b2d8e0d668136e9e060e6baa410db0b5af409cf5f22a779d9400000001aee2a80364ef82222ef5e4b259c8bcaa41144158f7c07aff2d862524cf96a5c434a8ea5743c0e312aca3a77e9581cdb06bb730d4e54133bbfde525ddcc50c45	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1868	insF067.tmp

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2584	iexplore.exe
2528	iexplore.exe
2576	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2528	iexplore.exe
2528	iexplore.exe
2584	iexplore.exe
2584	iexplore.exe
2576	iexplore.exe
2576	iexplore.exe
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
2344	IEXPLORE.EXE
2344	IEXPLORE.EXE
1920	IEXPLORE.EXE
1920	IEXPLORE.EXE
1920	IEXPLORE.EXE
1920	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2772	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	30
PID 1832 wrote to memory of 2772	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	30
PID 1832 wrote to memory of 2772	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	30
PID 1832 wrote to memory of 2772	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	30
PID 1832 wrote to memory of 2556	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	32
PID 1832 wrote to memory of 2556	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	32
PID 1832 wrote to memory of 2556	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	32
PID 1832 wrote to memory of 2556	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	32
PID 1832 wrote to memory of 1648	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	33
PID 1832 wrote to memory of 1648	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	33
PID 1832 wrote to memory of 1648	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	33
PID 1832 wrote to memory of 1648	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	33
PID 1832 wrote to memory of 2528	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	34
PID 1832 wrote to memory of 2528	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	34
PID 1832 wrote to memory of 2528	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	34
PID 1832 wrote to memory of 2528	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	34
PID 1832 wrote to memory of 2576	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	36
PID 1832 wrote to memory of 2576	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	36
PID 1832 wrote to memory of 2576	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	36
PID 1832 wrote to memory of 2576	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	36
PID 1832 wrote to memory of 2584	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	37
PID 1832 wrote to memory of 2584	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	37
PID 1832 wrote to memory of 2584	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	37
PID 1832 wrote to memory of 2584	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	37
PID 1832 wrote to memory of 1628	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	39
PID 1832 wrote to memory of 1628	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	39
PID 1832 wrote to memory of 1628	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	39
PID 1832 wrote to memory of 1628	1832	45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe	39
PID 2772 wrote to memory of 1868	2772	cmd.exe	40
PID 2772 wrote to memory of 1868	2772	cmd.exe	40
PID 2772 wrote to memory of 1868	2772	cmd.exe	40
PID 2772 wrote to memory of 1868	2772	cmd.exe	40
PID 1648 wrote to memory of 2936	1648	cmd.exe	42
PID 1648 wrote to memory of 2936	1648	cmd.exe	42
PID 1648 wrote to memory of 2936	1648	cmd.exe	42
PID 1648 wrote to memory of 2936	1648	cmd.exe	42
PID 2556 wrote to memory of 3052	2556	cmd.exe	43
PID 2556 wrote to memory of 3052	2556	cmd.exe	43
PID 2556 wrote to memory of 3052	2556	cmd.exe	43
PID 2556 wrote to memory of 3052	2556	cmd.exe	43
PID 2528 wrote to memory of 2344	2528	iexplore.exe	44
PID 2528 wrote to memory of 2344	2528	iexplore.exe	44
PID 2528 wrote to memory of 2344	2528	iexplore.exe	44
PID 2528 wrote to memory of 2344	2528	iexplore.exe	44
PID 2584 wrote to memory of 1944	2584	iexplore.exe	45
PID 2584 wrote to memory of 1944	2584	iexplore.exe	45
PID 2584 wrote to memory of 1944	2584	iexplore.exe	45
PID 2584 wrote to memory of 1944	2584	iexplore.exe	45
PID 2576 wrote to memory of 1920	2576	iexplore.exe	46
PID 2576 wrote to memory of 1920	2576	iexplore.exe	46
PID 2576 wrote to memory of 1920	2576	iexplore.exe	46
PID 2576 wrote to memory of 1920	2576	iexplore.exe	46
PID 1868 wrote to memory of 1936	1868	insF067.tmp	48
PID 1868 wrote to memory of 1936	1868	insF067.tmp	48
PID 1868 wrote to memory of 1936	1868	insF067.tmp	48
PID 1868 wrote to memory of 1936	1868	insF067.tmp	48

C:\Users\Admin\AppData\Local\Temp\45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45c5e6b1e676bde67767bbcd73733f36_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\insF067.tmp
    C:\Users\Admin\AppData\Local\Temp\insF067.tmp inlink-verycm.tmp
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\insF067.tmp > nul
      4⤵
      PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    PID:3052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\desktop_url.cab" -F:*.* "C:\Users\Admin\Desktop"
    3⤵
    - Drops file in Windows directory
    PID:2936
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://jump2.35638.com:27889/report3.ashx?m=56-66-76-D6-F1-CF&mid=21663&tid=1&d=c82e5462a3d5ffaede2726dec6839f81&uid=13729&t=
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2528 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2344
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://tc.58816.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2576 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1920
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.38522.com/bhy.html?popup
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\45C5E6~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
472de0d9bd90caefed50116da59e3da6

SHA1
28985835c1276f8d878fcc270607c3738191c590

SHA256
280a673808a80a565a4ba46572a9ba4ee3b9865cfcd5652d076a103b3d4d423f

SHA512
eadeba7658202749788a2400ffe6e9f3d146b402687d7273eb60146e269e99335ed4bc580ad6f474e36976a2028fc845806fe83375915e7694faa308e941f9fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37c68264428c34bedf754ed12c4eb780

SHA1
f6c248e8bc38653a113c66becb1884e16292314c

SHA256
1291f291cceb97b4e31be8ffacac505ed06f1504c98bc0f0e5f065011bbf5ad8

SHA512
30b3c61c9a353d1b15305b163dd902440d492fc00acf8fc6cd812512bca852b0010b90d275a11fa5f08c748f1376c29246e6a6ce2db786f08dd67d9e3e5ee016

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4005c63cdbc3c19621484db9f8b762b

SHA1
20d6c08726792086f43bd2001d3afae1fe5bc817

SHA256
d0b20149d5ba1a880670bb14a8f9c6897d73f3b7efc8c9713109e89d2dedd1e0

SHA512
fc6bbc8f69be49f2d5a0a0e19302f0a9011a228752809089870e74c801267d104981546a72551b3ee93551025cbfe2ef596cdf58241607bf00511c3f61c215db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65f63fee8ea9c27fbf25b4d84ee803e7

SHA1
e5c5983247c3147b7ddfcfaec0581d04fb7c4917

SHA256
879318e8caed42b083a0d1d4f65cb94372fa00cb128896391c242416f4573daa

SHA512
97c3c4d8d404c14f795deee1892b990d52d09c512d0745f7546a2fb86b2cb340b701b6b0e9d41092872020f6b215b0a85abbd4f0371e64fd280b1e0310679212

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
187b06fbb863806ea43ceb7dba2624b1

SHA1
8df776c425d62a028297fd6a07750065f13634f2

SHA256
fcd58dfc74153d265bfb4464b64cad32447f2f0e71395955a7209189159dedfc

SHA512
22df0331b40a0f8b7195e7d80a014705956c6f8e08e90f2e235172ad79a2b4318235539103cdb48e7a6729074dbee53b23eafbd1b3bd83da7f403d4758a70c1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6f7147a4982825a6a126d090db0c911

SHA1
2b9e9a9beaca2d31b346f74ecd51229825d77a21

SHA256
a00bcda742216a6fa04f56165273c0ad8aac3c425c9a84baacbd663e53daebb0

SHA512
9793c3d118ea264ea13df15b67bd401c70f5993a4f80ed6b065cd6605ec80d32cd7515aed3360cd897abab819cfc38a0e773ec429f81e633d6e791b84dec591e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e8fd577a2dbff05d7cc817d51a3dc51

SHA1
8f20c5fa17b698e28b09d5160a3936266d73e2b2

SHA256
ad496aa6bed2d231172d419e712285a2d461878ed098b48f15acbf4b4b9372bc

SHA512
ec264d2e49c2f7154bb4d3e7298bb81aa37a201bfe4fc3061ddbe74b9727ef291c339418e0b33fa9cb165890f0d44fcf30151b7479b6787f72d4346377b4f3da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d0e17a3d75f1d02bcda289300ca0af2

SHA1
77df6ea98889dcc8c4a05e86a2ec448058688f12

SHA256
1005300b60e18c1a7f4413b8212f5e10e4aaa5acb2bfdf3c2b8f143a12e0a083

SHA512
1a4b1d8f63560ce815924ff540e191fce2d021028198280eaa1784ae670eb84e616d67902c74df3eb272994befd809642e4de40fed2cc69737405672baf95d58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c31b9086a5bbab382561e8f283aa17d8

SHA1
d8fd472829200be01cf5cc3ad3e85feaf69e6a2b

SHA256
667de2613709e6fbe404e65a6f22e162590a2a8095ec5e2cfae074aa053dc574

SHA512
73ebf46a9e9d1e4ee2d4a8a5b8b945952d3ef12f812b4cbde908d7a6e5d66d3106fc19c448c279ed3d968b9c3bc20781d0045e1a9651bccdc8e7393f57f4c467

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34787e26d122ed5dfa8b908afa54a067

SHA1
9c13fd0a8fb02346552f8a9c2cc84050ec9d7835

SHA256
b45fcccc8aef2b6f18749b9f5a57164f568fe37996762aa879e1c8ffa8fb1e6a

SHA512
199a7d4d2ceaa7ad6679c12082c03bbe72c9cc065bc95c0fd73f40880f924d6bb7513c41d40965b0845279e9311b39b39132e2b700687205531a743c4a34739a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48da1bd66f7bc6d07fb629720e53e6b6

SHA1
b86652e9fdf8c3e9a235b5e5f284eac95601c774

SHA256
e62b3fffc160bd12f82c4dca24b1db653f21a6a2f27536b85a6e85186c33b1d8

SHA512
5c95923dda0b3aed9ec700b0046c99d8243c62fad0f837cec6ed7f960f9eea81b9389055c1d5bc885297df37d7a4438b53ae4ef7f10d1b8651d7545a95f8d8eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38f71e5d1dde16616ea048f9ab3fc9a8

SHA1
7482778ee3c2375a312f66e4acff9c3dc2b86a76

SHA256
90265d132373ba5566e3edf0719be80a9be24293de8cc701626b65b10e47c61a

SHA512
5cefbe12511f396653cba0fcc5bcdcf5412212892048bf5a63bba6a1847c7422ec1db7bf5ce75377ba695d7c2fa5d077ebd64daf76fd747d89f879bd494cd91a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80c730c711a037f321bfcebcf70a0991

SHA1
fc0d3b86a1eb173a0fdc27fb41c7095a6fc921cd

SHA256
bfb53b82043b45472fa1e7122680c626ec456bd872774cd7e458f59bb295008f

SHA512
b5608eb59775c99cbfc015a82ff0072ba0ebb955a349aef3b2bc8e7021e50db030c03b67e79984f5a3b77558367cf6826dbaf38a3ccae57d3c7c68ac9931367d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac48b8a14cf794ee91d11476e7632def

SHA1
6fb8b6b93f5ada1be6a781bafa1e7a7d98ee83f5

SHA256
2b615e05409c1dfb83276f7e19515a040681571f1fcfdfb70520a63e6cbfdb6b

SHA512
37bed60bc37fa9432e7aea6ce6855d996bfa53344b4f65e0ce8c6e1d312ebbc3cffcd781db79a75065d56ebe62e6a0578f6d4be6248e31820c1c63f841df2415

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96216b06f33c2440c97bd642fee07b72

SHA1
a276956b33896f6436ce312c75e409de4a98e877

SHA256
a2e717cf2ffc22e9fa3fbefbdfff2b98443a3b90383958f8a154fa74a4725dd9

SHA512
ea9a1735625fc2c81323d5db870ce6fe389ce8b441494efc8a1e5cb1af2f5cf6f9f829450e6363c4a196c8991e4d1534bb9bce54d1a7a8ab9a33af20f8cd14e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2d34174e483ef6fbd938c5e3a0646b6

SHA1
14cffaa4fbe139cad511adc489ee0c54773a6a97

SHA256
4ee8c9085147da819c677a21eb46e747a068a1ac74faeeedcc248906f683296a

SHA512
82c7be72f04268d652f095382851ef46f7154f370c1284b03de15fe93b85734d06982f2c5db3bfa5430669dabe1c358053780453cc8a6e8d9a53eaaaaafbf4f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
611bbf1f948e5363ecf066fb8b6b8815

SHA1
4fe474ddb3e25dec0c00c61f6320689050a48084

SHA256
61dba0c3edbff54fd83d88192ee98efae64fa35a53c1074e3fdc6f69d14bc72a

SHA512
4430ad1eca3eac9bfb5aca69c9dffa665b9cd5790b6fd06e2e947418ef4c3c1abd2f076ab75bed50b497f1b2afc9c3eb44e59a7f64a5f4f2413e12d24cb81aa2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54225d1c724e1c5d6a1ddc394483916f

SHA1
594492d37237d97cb2e31cd2e02ba40455927c36

SHA256
419f9c5b1a8684d7c6716c6ccb70b9bfa293802b9c28181c8bd1524ae71f9ca5

SHA512
19b44849e3cd508f0883391ee7b4f9f6b49f783dc36735957ea72227157e3da74a21201186df5817013f2212f9352c7acf206bf88b7aa7203f3daea6d42a38e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff1b73b0cd34dfc50cc27e1bf5086f3e

SHA1
0041dd38ef4aab52d0556b65cfd94ae4e486d015

SHA256
a2d87da0c47340cb439c0ac94c4129dd5e233a038574ea6c83bb6f8bf53c58ea

SHA512
a3f4e0f0025f3a90ad5914820deeba4c7437c392bb3df0d63876de7435041844d56cadb47b9338d6629935e83477f865f8d446b26545f3d68112f3e745de98c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0a6153795e1bf3c0e3e7382f06a7db7

SHA1
eeaac0d57432243da1c6cf5e88e602232d247472

SHA256
d55eac64e34686fd958529859d342fdae886285fbd6a2305bcd47cf4b3dc2b6d

SHA512
0072a26ac27f284222d7aa87d9112b4c938569d21778e966289c4be08c77ada2b326d8e8c4f8bb6bf03ad713296d5d675d9bd3c41ff3786f156f9002127dc5c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C79EBE01-41DA-11EF-A2BA-566676D6F1CF}.dat

Filesize
5KB

MD5
36de1e80fc37a48f627028f5de282fd7

SHA1
196ac252e4585332492261281946c3c5cf08b394

SHA256
d5af6c55f7ff3aa47eb5b1a6229aa2fe3e965eaf9503afde91540fab63d52f48

SHA512
fe58681d984a5ab80a760e1e8477aa9d53865069391cd5128bdfc703b80f614c37038b7543710dbe1faa965efec9ce507c4e854d7b979cb82024376984629980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C79EE511-41DA-11EF-A2BA-566676D6F1CF}.dat

Filesize
4KB

MD5
a1a645ebfbf0058faa6c6f2c80470be7

SHA1
eb1f3de2eb0acd0c864438bd44d38dd0634b0c32

SHA256
0c0f026939ffa2ad1d8b6e78966000645f93f1f50bccc284f4f7c71b8dbf4d9c

SHA512
10f847f5979a838b5b0c67726f67b255824aa7b371e67b29c5adb906b5481f23af6b0afb8369bb665efa71897e70e03a8ad8ab9a0f2a64637583d044399cd160

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1D34.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1D95.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlink-verycm.tmp

Filesize
787B

MD5
88d79051808669d1845ac506320a8d78

SHA1
af00ed3159d14806b0609206b4d7fe798fe5e491

SHA256
9af3766adea2bd753e28a307e5aae317a295aa6ada98c477b62cf043689845fe

SHA512
e9d620390ecad13e87aa4e4e415444575560fac06b2e00ae17b5c25253607aeb8d974c3a9ae7435c61eb5d01fdb52f8bcd96946882360023e1a5215cfdb530fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
63B

MD5
f76c46e1cbbb4fc349276bfe47e73310

SHA1
8ae858adf98fbc48bedd4521b7a81b0cb884960f

SHA256
4fe976a0235f47b8080881b6a6203b9acd8dd72c63071a8752262349bdbf0fb9

SHA512
87ba808eff15d877a7adcee4b2340dd98012e6823c86e696af2866fe336a9d723e4af4ff696ae583438a3f4ebe370c783d1c730066020a4f926642bbed81ad5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat

Filesize
94B

MD5
d5fc3a9ec15a6302543438928c29e284

SHA1
fd4199e543f683a8830a88f8ac0d0f001952b506

SHA256
b2160315eb2f3bcb2e7601e0ce7fbb4ed72094b891d3db3b5119b07eeccc568d

SHA512
4d0378480f1e7d5bee5cf8f8cd3495745c05408785ab687b92be739cd64c077f0e3ee26d6d96e27eb6e2c3dec5f39a2766c45854dc2d6a5b6defc672aeafa0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
\??\c:\users\admin\appdata\local\temp\desktop_url.cab

Filesize
524B

MD5
62a2126d86b4aa489e696d593a3579d7

SHA1
1925bad55c4ab7d6b7e7f3118f31c2ebac9ded5a

SHA256
d62cef36cbd98e7a37d716ffda5ca0da77144625a5c43b1322e980020884fbf5

SHA512
a53e4e8b74dae3e6ab367cba50ed4cac925727a40c8962277ecea5604d9ae76cd1e42c78c04235bd80e82755de3f374f89c6885eec60620881c246379ff067f6

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/1832-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1868-56-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2772-51-0x0000000000370000-0x0000000000377000-memory.dmp

Filesize
28KB

Download