523b9b82283cc924f4fe827143292882148238dae3718bc70a2395b95aaa2d0c

Analysis

max time kernel
149s
max time network
138s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
Size

53KB
MD5

654778d148d767d258e0cd8379ffe26a
SHA1

52c32acc8735528a3ced3d55542a377959c412e8
SHA256

523b9b82283cc924f4fe827143292882148238dae3718bc70a2395b95aaa2d0c
SHA512

c32f25fb93a45b30332f18f8a1657dfa5e3a81445db9a2b0a6eb04990168dfe4523b1afe0bfc91ca23ec38afb6f151bb5ebe83e8e532753dc0c9075887cc66cc
SSDEEP

1536:ncNC8c0DqtjpIjNDJ5wuKK2UeByVeVa/lQogR7XmrU:co8c1eJaug0/lQ1RLgU

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2748-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2748-449-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe"	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\i:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\r:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\s:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\b:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\k:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\w:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\x:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\z:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\e:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\m:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\p:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\q:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\t:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\n:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\o:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\u:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\a:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\g:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\h:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\j:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\l:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\v:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened (read-only)	\??\y:	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\urlmor.dll	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\urlmor.dll	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\BaDaoQQ.ini	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
File opened for modification	C:\Windows\qq.wav	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427856533"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D7417261-488A-11EF-A3B5-DAEE53C76889} = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2536	iexplore.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
2536	iexplore.exe
2536	iexplore.exe
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2536	2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe	31
PID 2748 wrote to memory of 2536	2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe	31
PID 2748 wrote to memory of 2536	2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe	31
PID 2748 wrote to memory of 2536	2748	654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe	31
PID 2536 wrote to memory of 3016	2536	iexplore.exe	32
PID 2536 wrote to memory of 3016	2536	iexplore.exe	32
PID 2536 wrote to memory of 3016	2536	iexplore.exe	32
PID 2536 wrote to memory of 3016	2536	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\654778d148d767d258e0cd8379ffe26a_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2536 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cc84ed99b51c136e8feb8434b116ef7

SHA1
2b860dd1adc7340196a96f51521a016e8ea0d170

SHA256
a7fcb14571a65172cacf4d3e950a9694c5305eeed00139578a265fab2f33c57a

SHA512
8e1a1b887474428d6ffb3b5065deead938bfbe4a60b954847fa60a570cd14916d0ad5aa8af80917f2e1f0e6e139f3da8d4b12db9edc5f3af4f1e8e3c72cada78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09308d603c756334872f0e221c50412e

SHA1
dd46f34bbb98635d1a5cb1a0227c9ba794951859

SHA256
0f66ef497c9432a601fed274391f98e2edad6383942fe80f7c5db36bb18ffbef

SHA512
6b5a5a9f0c454fa451f50bc779eb6fbfcc2f27ead0bc4bbfd9624b546fb46da17d2eab22a16138cc1688fe98c2df02f8e326114433e3cddc1303fb9b6b49ee17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6f16367d76168d7f77fdbbb47c5a010

SHA1
e58c00dd18aad7638e47d78494bd7fbc95c33713

SHA256
fe050156e18a47d2b10f75429fae77321834c9a62e15c872e567206d67724c92

SHA512
84a1edba3e22a2f484fa8e2403fb3a6b9ac35104b9be62e420a4578db5a55462348ea965f183e1ec72636f7a379ecb770ba2dbc3f6c843c93136508106b777a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4482452dcf81083fe5a4c00fa424eeeb

SHA1
3f6da03d819e740bee9599fabe8baef5012c44df

SHA256
2655f3a6b5a6ce752af15874b9832e6a9129c0e902f67688926ec5322865c45b

SHA512
c7ffdb4a2a80a183d283859cb386a75a3ed9fd5c69c8f9a4cc7d51d9f3718c8afe6edc020ec4b020e38f36a8be53882eb62abdbd99a47b08253abe29379043c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f8049fa05c3467fd0b8bd6304a8a1ee

SHA1
9b2aabe5efd57a0c87b3558284a06163339b5cd1

SHA256
c0c72fb58dd5e2247eae351872ee45443768faff4349fecdcd9db28eecbe0e50

SHA512
ac3a451bd05a7660533b8fd5ecf322ef62b7bbc3eafbdbb1f74dbf984af067804c18aadbe5e80c63db7ef73c5391b715653b40f1d36c91a9fe3e9273165f6309

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99bd9ff3c733c9f4c0da6beba10d58ca

SHA1
3fd4ac7b3d90ba3fbaca5396ae261ad9f1d0dbf5

SHA256
781e89274986cc9d7cdd106b9917b75ac7e2dd1a92deea4126d4c47887597f1d

SHA512
344c37bc3f66222b94e7e36337d11c237ea3d8d10e18a2e77f74c0b150f8e063e3c69b9edd8179d8ac6239205c8a5af273ee987cf6092780c8439c85e720597e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
004b51acaaaba6fd02d80a953060a4d7

SHA1
918f8b118af8d94f6570a4d94d8f19c75445ba24

SHA256
4c7bc5712390ad4e61651ceedb8096bdd78243dec06ad529ec3506a88aae7c47

SHA512
f38d1bdd4745b718b79737ddbe9faaa0e9eb33a178fca155d394fd6377fed3cd00185c3153690e267785686fa7b305b51b4ce6d8b122fc101db9a85bf0e5f41d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fe5930a4a3631cd305b6c470b03a926

SHA1
384d6318868f0197eeca62c1d1dea39bf53f0138

SHA256
ee1627e512cc51b329518facf2fb24164fdf45af02e6979db989b935707e8a38

SHA512
8fa447935e36e1be03a4d8fcb6dde956289d7d874e9910c193f1b7a2acace634660c2bd727695df465e597cf2cff8e6368a5fa2e95ed2d139ae890aae07a6f05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
619954d3fa741ee431d981de7cc0af58

SHA1
b5952f042e94262dcfd04c86e2d3b0a47845e45f

SHA256
4533b996d6c72f31d2699407e685984c00f44c6faf174c5a03bbf5fd32d4417a

SHA512
b9cbf5130d3edbddaab36eaf73d1db60826724db1441e461fddf5a251d7f2c2005bbc307a245ccfad05bfb4a14f547f2f5cdbc4a3247a49e74b9fe2c92a3aee8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bc7a3547edf6c4de70d855584be661e

SHA1
026afc6e8094464e758232499ffcf84e8139d88c

SHA256
78c5e73ae5aa696adfdced99084bb284d31d7c87906826103d64f2b2cd3d0678

SHA512
930ef78275f6693e23448a592bdbc83e8ee40de1a8ce4c86b17bfb9b364a7553cbd60fd815b75882d63d83420f732cf18a02b9e8e2e76398921b04f6e2bab34d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d428c27950d88fc4a9a1f456a8cc6ed

SHA1
fc9776a68a6672ab1af63d1a61929213baff07be

SHA256
28b2880e9988149c7d76d3a4a72479fe8fc62b688525d234d04e27accd0fd0af

SHA512
5c3e6843c20d9801fb696b068fc5d75d83329311d93c224a523e7b24d66d09b0a032343ac82cc3703013bf09ff1709f3b55310c0192649cb611003417bf10874

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbde1e91329fdef3f90fe04460a8304f

SHA1
abf80ce542ed8f322a5bbe72958093989d1b3455

SHA256
13f1c674fdd305b72dd9fddc503960f0aab8adce7a11434d2f8d99950af21b99

SHA512
64b32f3608323e82bdb8de3d5fa8da6d2b48f51c85774f44897f71047351440fc669b5b08096527f34794426ab0e61405b30ece591d9500017cb230f968254b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c67825adafb08804c479e2e90f3b956

SHA1
ea529212f1013641553bbc8da9f7d6f7df146e1a

SHA256
42809b17061d73758668ce3ebb73cd52b48d4b925b709b72d24f8988e7c6c3ee

SHA512
909aaae9511fefef5447967211e7b8eb6cc86cb38d57df084393a8471db1d89dc69f3a2e904ad999121fc891e430d8cc8f001b83017d39c0bef458ce0a14a33b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfce9cbe09a34490c71ab8871e8904c2

SHA1
847a73d1b543b3ab108cfe5ef95fdb30ea0e4156

SHA256
b4bebd77d199aad2bed1cc57b0df5191c3b9d97e5c34ab17cc84ab730b9e3c53

SHA512
e2810b1b554698bdbba9a81d8ff63eee172610c73bd750e11aaa6c9b4363e428dccc27c05239675dd5c60219102ef74bcb26b920e9ec015cddb2eb06663e0e44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42975d49d2027b039d66fe66b7d12f3e

SHA1
b9097e54a6590b300ddfe11c409fb183e050b96c

SHA256
2524260712dfe5067c9163e7de95bd2c6eeccaa3c30214db0c70597dd908dc4d

SHA512
8f6f49dfb1eaaf7abe0e471f084a51c2d8f97cdccb463d058297436fda463953233f8f520659f7ce9b975961a62da7650ee1d5a4bcc0ecd08e664160fc232335

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c194dc3139f8fb694593ad77523faba

SHA1
bdcd6355b58e35e6f5421ff799bcb669f7d4bb30

SHA256
6c4ad95bb590e85c5e2025f2191d5bfedd0c5c9a1598c9a52f5f1a85ba8a0ba8

SHA512
436a2c8274be1ec3a8a34c90326f63084d4c949ea546a4b305232e360ad15ade5c01215235bdf7e98c443518612df36a094be2fa837181a28a5337eb7438354f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4222.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4292.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2748-449-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2748-8-0x0000000005350000-0x00000000063B2000-memory.dmp

Filesize
16.4MB

Download
memory/2748-16-0x0000000006B80000-0x0000000006EC7000-memory.dmp

Filesize
3.3MB

Download
memory/2748-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download