17395112e7b84a07a75b97c07d2e9a81315027e21885d27954fecbd556cbc974

Analysis

max time kernel
140s
max time network
138s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Size

610KB
MD5

75fed5e90912b254527a85583845ea22
SHA1

c0eb49598a8e605f0d10912844be27469710f249
SHA256

17395112e7b84a07a75b97c07d2e9a81315027e21885d27954fecbd556cbc974
SHA512

1ea74c18ef0dabc5696340476585426a0cc2c148641fcb45d868dcbfaf145e045e9d1bc9e59546f687bb044218f4d45a28459f2159bf2a7de5ab37b37a5f050d
SSDEEP

12288:biXZntNhcYxRfv2Q6wJczwqv+ojdllZfxXanv4QgWAu1ihaaE3cWlVj7S:+XZnt7fv2QpabVlXxi4QTAu1i5E7S

Score

7^/10

adware discovery persistence stealer

Malware Config

Signatures

Executes dropped EXE 12 IoCs

pid	Process
2844	Updater.exe
1956	Updater.exe
2732	Updater.exe
3056	Updater.exe
2184	Updater.exe
1808	Updater.exe
556	Updater.exe
2364	Updater.exe
564	Updater.exe
1476	Updater.exe
1788	Updater.exe
1036	Updater.exe

Loads dropped DLL 18 IoCs

pid	Process
3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WidgetUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\MemoThis\\Updater.exe\""	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9F82DA9-F2FC-4AC0-86C2-A34A5C4E9073}	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C9F82DA9-F2FC-4AC0-86C2-A34A5C4E9073}\NoExplorer = "1"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BA0C4531-4C36-11EF-A205-6AA0EDE5A32F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb470000000002000000000010660000000100002000000076fc955edf4293ed16c2f5fb1f28ca3ca2ae45f387d597f0fbbd8b4fb375de3e000000000e8000000002000020000000afbc090fdcac65f1c93dd66a757ee703c1e65da43fd206185baf3f76bb25a1d5900000007befa21a87b4b305e1fb1647bdd18ea3df173723a167e7edd35ba9bbe90a08ce44ba279f56cd0a17f1f67a5e5b23673430844ab8e7281c83e8c45fb104a5d1f1e1c32b80b0bbe09006a5aa90c3b8b51d2396af342371b00ff5217751af02d7423d47534ee5eed9217ca17dffc8086aa82522c17a0723eea18ebe7368f1924491b7c1e3b5363561085afe92032fda19174000000009a0f0ab8bd121c0df663f8bdea250e7cd135f3ab7b83ac3efcbf3c1c97889eaf41de0642cea36c557d180d1f9d5a7d56424ad6b5585d5097ad569f7b2bc7d3d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb470000000002000000000010660000000100002000000031efdacab29e1aa5bc2cf5afd77bc285bf362d78821d3525232dede35f8fc0c5000000000e800000000200002000000028a9c450339ceda41aa31bda73d0204cbf17a981578052c39086eccc38dddf2120000000fd63e1c89d3afc486673624dafede0177fbdcdbd8079e120a8233434dc149e9340000000acb30ba50ee31bc533f101577fa60c092174defcd8eb96ca82c8480709e2b4778f76eb6e35275a0c3ccc5958f4734672ea2cddff4f0023e9bb541d9814d77a8f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10640b8f43e0da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428260209"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F74E245-9A0B-410A-8D70-CB77FFF863A1}\TypeLib	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A595CAC1-D102-495A-9301-84483913E1E6}\InprocServer32\ThreadingModel = "Apartment"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9F82DA9-F2FC-4AC0-86C2-A34A5C4E9073}	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8F74E245-9A0B-410A-8D70-CB77FFF863A1}	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F74E245-9A0B-410A-8D70-CB77FFF863A1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\Hiverion.DLL\AppID = "{44EB2515-AFC4-4FA8-BAF0-E0FFBD5D0A6D}"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\800\ = "Safe for initializing"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9F82DA9-F2FC-4AC0-86C2-A34A5C4E9073}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\MemoThis\\MemoThis.dll"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1992DB43-042F-4C15-B0FC-7D933E56F116}\1.0	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{44EB2515-AFC4-4FA8-BAF0-E0FFBD5D0A6D}	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MemoThis.MemoThisBand\ = "MemoThis"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1992DB43-042F-4C15-B0FC-7D933E56F116}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\MemoThis"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\800\ = "Safe for scripting"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D1F78F84-6486-4532-AD30-C44235B13A63}\ = "MemoThis"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAB2991F-2E31-42D1-AFBF-74CC688E1466}\1.0\ = "Hiverion 1.0 Çü½Ä ¶óÀÌºê·¯¸®"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9F82DA9-F2FC-4AC0-86C2-A34A5C4E9073}\AppID = "{D1F78F84-6486-4532-AD30-C44235B13A63}"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAB2991F-2E31-42D1-AFBF-74CC688E1466}\1.0\FLAGS	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8163BA4-A2CF-4668-A320-41513A414994}\TypeLib\ = "{DAB2991F-2E31-42D1-AFBF-74CC688E1466}"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Hiverion.ActionInfo.1\ = "ActionInfo Class"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Hiverion.ActionInfo\CurVer\ = "Hiverion.ActionInfo.1"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A595CAC1-D102-495A-9301-84483913E1E6}\Programmable	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8163BA4-A2CF-4668-A320-41513A414994}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{44EB2515-AFC4-4FA8-BAF0-E0FFBD5D0A6D}\ = "Hiverion"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Hiverion.ActionInfo\CLSID\ = "{A595CAC1-D102-495A-9301-84483913E1E6}"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MemoThis.DLL\AppID = "{D1F78F84-6486-4532-AD30-C44235B13A63}"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MemoThis.MemoThisBand	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9F82DA9-F2FC-4AC0-86C2-A34A5C4E9073}\ProgID	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Hiverion.ActionInfo.1\CLSID	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAB2991F-2E31-42D1-AFBF-74CC688E1466}\1.0\0\win32	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAB2991F-2E31-42D1-AFBF-74CC688E1466}\1.0	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8163BA4-A2CF-4668-A320-41513A414994}\ = "IActionInfo"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}\ = "0"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D1F78F84-6486-4532-AD30-C44235B13A63}	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MemoThis.MemoThisBand\CurVer\ = "MemoThis.MemoThisBand.1"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Hiverion.ActionInfo\CLSID	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A595CAC1-D102-495A-9301-84483913E1E6}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAB2991F-2E31-42D1-AFBF-74CC688E1466}\1.0\HELPDIR	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8163BA4-A2CF-4668-A320-41513A414994}	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A595CAC1-D102-495A-9301-84483913E1E6}\Implemented Categories	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F74E245-9A0B-410A-8D70-CB77FFF863A1}\ = "IMemoThisBand"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8F74E245-9A0B-410A-8D70-CB77FFF863A1}\ProxyStubClsid32	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A595CAC1-D102-495A-9301-84483913E1E6}\ = "ActionInfo Class"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\ = "0"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8163BA4-A2CF-4668-A320-41513A414994}\ProxyStubClsid32	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MemoThis.MemoThisBand.1\CLSID\ = "{C9F82DA9-F2FC-4AC0-86C2-A34A5C4E9073}"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A595CAC1-D102-495A-9301-84483913E1E6}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A595CAC1-D102-495A-9301-84483913E1E6}	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9F82DA9-F2FC-4AC0-86C2-A34A5C4E9073}\ = "MemoThis"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\800	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAB2991F-2E31-42D1-AFBF-74CC688E1466}	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MemoThis.MemoThisBand\CLSID\ = "{C9F82DA9-F2FC-4AC0-86C2-A34A5C4E9073}"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9F82DA9-F2FC-4AC0-86C2-A34A5C4E9073}\VersionIndependentProgID\ = "MemoThis.MemoThisBand"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A595CAC1-D102-495A-9301-84483913E1E6}\Programmable	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A595CAC1-D102-495A-9301-84483913E1E6}\VersionIndependentProgID	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8F74E245-9A0B-410A-8D70-CB77FFF863A1}\ = "IMemoThisBand"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A595CAC1-D102-495A-9301-84483913E1E6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\MemoThis\\Hiverion.dll"	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E8163BA4-A2CF-4668-A320-41513A414994}	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1992DB43-042F-4C15-B0FC-7D933E56F116}\1.0\0\win32	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9F82DA9-F2FC-4AC0-86C2-A34A5C4E9073}\VersionIndependentProgID	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A595CAC1-D102-495A-9301-84483913E1E6}\InprocServer32	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8163BA4-A2CF-4668-A320-41513A414994}\TypeLib	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9F82DA9-F2FC-4AC0-86C2-A34A5C4E9073}\InprocServer32	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\Hiverion.DLL	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2132	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2132	iexplore.exe
2132	iexplore.exe
352	IEXPLORE.EXE
352	IEXPLORE.EXE
352	IEXPLORE.EXE
352	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2844	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	31
PID 3016 wrote to memory of 2844	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	31
PID 3016 wrote to memory of 2844	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	31
PID 3016 wrote to memory of 2844	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	31
PID 3016 wrote to memory of 2844	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	31
PID 3016 wrote to memory of 2844	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	31
PID 3016 wrote to memory of 2844	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	31
PID 3016 wrote to memory of 1956	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	32
PID 3016 wrote to memory of 1956	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	32
PID 3016 wrote to memory of 1956	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	32
PID 3016 wrote to memory of 1956	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	32
PID 3016 wrote to memory of 1956	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	32
PID 3016 wrote to memory of 1956	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	32
PID 3016 wrote to memory of 1956	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	32
PID 3016 wrote to memory of 2732	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	33
PID 3016 wrote to memory of 2732	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	33
PID 3016 wrote to memory of 2732	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	33
PID 3016 wrote to memory of 2732	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	33
PID 3016 wrote to memory of 2732	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	33
PID 3016 wrote to memory of 2732	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	33
PID 3016 wrote to memory of 2732	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	33
PID 3016 wrote to memory of 3056	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	34
PID 3016 wrote to memory of 3056	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	34
PID 3016 wrote to memory of 3056	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	34
PID 3016 wrote to memory of 3056	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	34
PID 3016 wrote to memory of 3056	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	34
PID 3016 wrote to memory of 3056	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	34
PID 3016 wrote to memory of 3056	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	34
PID 3016 wrote to memory of 2184	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	35
PID 3016 wrote to memory of 2184	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	35
PID 3016 wrote to memory of 2184	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	35
PID 3016 wrote to memory of 2184	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	35
PID 3016 wrote to memory of 2184	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	35
PID 3016 wrote to memory of 2184	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	35
PID 3016 wrote to memory of 2184	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	35
PID 3016 wrote to memory of 1808	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	36
PID 3016 wrote to memory of 1808	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	36
PID 3016 wrote to memory of 1808	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	36
PID 3016 wrote to memory of 1808	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	36
PID 3016 wrote to memory of 1808	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	36
PID 3016 wrote to memory of 1808	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	36
PID 3016 wrote to memory of 1808	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	36
PID 3016 wrote to memory of 556	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	37
PID 3016 wrote to memory of 556	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	37
PID 3016 wrote to memory of 556	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	37
PID 3016 wrote to memory of 556	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	37
PID 3016 wrote to memory of 556	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	37
PID 3016 wrote to memory of 556	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	37
PID 3016 wrote to memory of 556	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	37
PID 3016 wrote to memory of 2364	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	38
PID 3016 wrote to memory of 2364	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	38
PID 3016 wrote to memory of 2364	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	38
PID 3016 wrote to memory of 2364	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	38
PID 3016 wrote to memory of 2364	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	38
PID 3016 wrote to memory of 2364	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	38
PID 3016 wrote to memory of 2364	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	38
PID 3016 wrote to memory of 564	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	39
PID 3016 wrote to memory of 564	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	39
PID 3016 wrote to memory of 564	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	39
PID 3016 wrote to memory of 564	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	39
PID 3016 wrote to memory of 564	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	39
PID 3016 wrote to memory of 564	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	39
PID 3016 wrote to memory of 564	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	39
PID 3016 wrote to memory of 1476	3016	75fed5e90912b254527a85583845ea22_JaffaCakes118.exe	40

C:\Users\Admin\AppData\Local\Temp\75fed5e90912b254527a85583845ea22_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\75fed5e90912b254527a85583845ea22_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe
  C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe /s distributor IWED
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2844
- C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe
  C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe /i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1956
- C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe
  C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe /s aUserID
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2732
- C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe
  C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe /s aDomain
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3056
- C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe
  C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe /s aCookies
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2184
- C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe
  C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe /s aUserHost
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1808
- C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe
  C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe /s aDisable 2FA33051
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:556
- C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe
  C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe /s aBlogMode
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2364
- C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe
  C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe /s updateUrl
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:564
- C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe
  C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe /s onloads
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1476
- C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe
  C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe /s ads-timeout
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1788
- C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe
  C:\Users\Admin\AppData\Roaming\MemoThis\Updater.exe /s data-timeout
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1036

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2132
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2132 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ecbb472cfdcb6da006abdc836b41c604

SHA1
5855cd8907a1d6bfed4b09c2d3ada277106ed775

SHA256
3aa023f1af944d062341063a69d82a8f528c23069fedc27e3201eb34a632f6cf

SHA512
11d2d701cc7f7095c5dab17f5229a4534b05c9990de1e1ba18e3ca551090482f41dddbf1c6b45371556e365e7df6da274fcdb7e2f178037100951698c5a580aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6fcf588e9752efdc4fa5fb7636bdbf7

SHA1
6d9536dcd543a2be7f14232492d8923ff0046dc5

SHA256
f9398987d61562272f753bdffe0ea11e9ab0e53cf4f2b0e16b41f15b075444d2

SHA512
f07102820acb66bfe942e86f20d5cc64e48b5cc981e1a5e3919444dce81435e18fae22e92ebb4938b167f5ce49b414b9e21f96cfcf6084a783ba3a862a5a67c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6510c641b1d570961caa01c703f4b1ff

SHA1
4a792134192c980160694b8064018c964b25f099

SHA256
22a6869ac80005635d223e8030e6bb42911d910116f290932adfb14fdf1f417e

SHA512
8a1c57806b3b4eaa4e1ccd4d927acfe17cd55d567693456b77779bf3ca55546a3f6cec77c2f8217140af063bc4ec0d58ab1cc812d71985dcbd89004e9ad40a04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db5f2f979fa6d9698c4a70a8fbdfdc07

SHA1
f4c486107e02c34b0ed323d95cca385f2dc9138b

SHA256
9c23d75f06bf2e7389fe8ef81a6509ec272a2716d298485ea90a69a6f57fadcc

SHA512
e29ed7ec6cdcc7169cf2bb50d25458acd00febf09cf0cae557f96c18d385d9c70a6973f1e63b2f581e5d7f6860158e16a5421863d1165a9af2f4b1990f544273

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff0d632486c034f416d8779674f022a1

SHA1
efc259302fd88d5debc54801cc4bf7b95bb47ff2

SHA256
8441dd091ec45217910c758b1bcada99a052b7df6906e079e3ad6830b9a5d9db

SHA512
d1fb6efd0de232de88fd682f0b186f1e936cebb1f120380f729a427f635f9eb6f5cd235d5d697e531ef0196be5b8e247cceafc625d8c796fe8e62963b84d75c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
117d37152b8b6bea163f49672bd4eed7

SHA1
f3c0761f7e6ebc208b1fb0a3a113c35c3825fe6c

SHA256
58e51cfa523c887962b8c7695219700942ed076e68543d8a22b4706996146a53

SHA512
344b0c92f56de79584bb2ef7d7c3f34032a5bbad2772bd65a53dd4f30373879b5e0f92249d90c736aac85d08fe3a75a0afb5fe187190a42bb80ef9d1c377bea6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d07441bb99ea7bc81b5d304f1de67ed

SHA1
37b29d3ffaede802101aa66ebb43d4a41fc6856b

SHA256
6fa15cc53db005c22c853ce2210125475f37d41d6a762480527a05a5e7c5c718

SHA512
cc68dae05ae7440e745137196d28416a89eb4fdca01b05eab49ad4a62256bed970955159fe247661b926a2e3241c995e297c806e1caab08b820aa1b33755c02c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
489362b918a3547d5e6b92e3a83197ea

SHA1
93213c20ecaa3a6ca9f726059d566e4734c0b2aa

SHA256
2fba8d44a074034394b2f07d9ff5c61f808da013263aeaa08462d0db571d7b60

SHA512
dd7dd47ae5bd94968bc8ba030c0ea50f7796188f24c6eb646d07ced41949ce9857a6cda489813aa00a32dc9513e69de5e4b9c4d360c95b2227aa46e67e6065a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b10f1d4d6c8a13c6ecf6f8017aab7470

SHA1
c73424ba3b0bb745984528b3aca4ec05059d6efb

SHA256
31d052a0f268669dd06268885b3f7a6ee55b1baaae5d078b9e7510984d8660ac

SHA512
fe1f11b5e1beafd16aed1a4e02362d8c2d1b778608c22f07430f628e60a9b72061e31a025ed4e62bfe69fdb7a5cc7852af2011114eed81c5491c63e84ba0977d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60914a35a0b37a2e80245ab116ae65ab

SHA1
e695dfe8ec6d703bcf662ad1e9c64f07d239d344

SHA256
990507a003616711df94bcad85a9f85497ad1dd1dcfc0126b29f16e4ab8ee434

SHA512
187564351d1e09cdddc3e50c1e1b0810de7c62141892d54db285ed3fa12c585201de7c541f3c2b75669d73728418e42f0637acba04774be948991504ec5b2796

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01d49dfcd735cae1c22933f4d7df1242

SHA1
144962de7f66cb8b0096cf17dc51f4075aae454c

SHA256
5cb51e33e822cd4dcee6aabc638a12becd530ca3f8344f3238bb5a111836451c

SHA512
78601ad6bc232ef2e2692ce6799d89e3b7569391700a0202af9e66e322b0c71adab7baaadf9d49bb5af6e807f3f68efce9d70aee5c3fb2dce5ee9f92951052af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ffa580b2cbaef0348428bc51b2937ea

SHA1
2373fa75898fcbb75ba919b9923287cbb433ae7c

SHA256
621859a424f6a1bd6b0d41577b8dbe0f9d947f07909f0102e72e0924da4a0bab

SHA512
faa75b784c16c7431d92c481e6ecb6c532f565df2daca15d5829ff990ded51cc2b549e00b29c8abb7837d035670c39071df5dfc2f5648ebf027ee485fe91fd69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d19b5e971d35546b05262ca37acec047

SHA1
8f74868a753f003ff5bddc2422a460ad5c965f1a

SHA256
1cb5d59f4c2ad65908cf9efd858932af72ec246bc0d9f04be8aee864713dd7b1

SHA512
8886ead90ccfb6ff82cb9963361aafc951e660c5d4647bbbc772616cf411b53eeda0ea2efad6689aa831d87b5bb67e5b949772da1be9e88232b4bbf203e5a9da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
277c41f9ad653230e824ebe827305697

SHA1
4cb4c8fdde0f7b399785126f000b033b08a20e1a

SHA256
8e5303b317de00182257cedb0571f2a4d3741bd86695e17f5b3298180fc92fb5

SHA512
9f0a0f32de75c68250f82bd50c9a677ec31c91926ce496d08ee29c062a66b2643c8cb4245b76ad96ea7bf7a6c7d8f69556e1e47c1f2991bebf62257d419c3ed4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c76b2857878ff475bc984863dc0e2fc6

SHA1
ec889a94fec6af26725405c87ed4e08c12fee5e9

SHA256
ad437d3b8d42b06dd0a71ce42c6f9897f6408e11dec6e98efd1d87be9dcdfe20

SHA512
cf462fe601972bb6bb9a8b92ff28beb6de2a5f99996875357ae94e4e510d1d61a94024d1fd4fe2320d9d757319d46430a87fe62e5ae886ee793139ec30347593

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f3cfecdd001ae4609a68d511a103a71

SHA1
5777ae80dd8f55b1939227bc7f6593249740f069

SHA256
4e0539acdee31d725aaea61064ceb8e784b877ed81ca450293336d407f77c031

SHA512
5e95a056fc89e712b4acbaaf22f561cad66253e7ac05a10480d237bc841d2ba01397916e30c0ada2299d91a2c09906023dd3facd243c2a7b9f398b8d87bb881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
494e826b66b90f47e684f8ae40b9a9c0

SHA1
6fb12b268de1fadefd4b20a1ac094ae60eddcf12

SHA256
870397bfc1652e1b23308f216c172b8a88ed6a9b8b010c17037a0ad6c68f4a49

SHA512
f9013b5e6e5901ab587955a3664aaac1d8852e0327b77339893100fe8f83f3c7a474243cbb91349ff604b1590a2602ab5d1abe2317a45cf2544b887ba271a2f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f56b373a96fc76442f146b85b2d2e80

SHA1
0165e5f5e2f697162f1d63384cff9acb67eae7ec

SHA256
2c26886c39544989c6624887775a3acbbeac7b4533936355df30467df2f6bd3d

SHA512
b8d39f90d60235b5ee151f0a1c193435b7a477e14450136c2b7d1bd6adb32840af443ac8005787df43ae0cd139aa27412ced4190de1055971cb26cdc6e8f8f7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ffdf7745210bb804f0009797187dd73

SHA1
ecda302f714f10e5595dd39527698103ac883a3f

SHA256
19d7ee0401c0e3049d223ff6817a7211ec5d1f6e08d013c2f8440a46a33bb92d

SHA512
78e52a73c4be1dfa339f8d2f2ef02afeffc9a8ce8c0f64264fb18e9a59786ee1fa872c125a8f2a47a2ac968efb02f8f6f964f8ce61ad30b6757eeaa03a2dd6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB464.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB522.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\MemoThis\lang\memo-string.1033

Filesize
346B

MD5
59dbf833d2845f8035766b03cda18965

SHA1
6b5bb6788d29b7bd59c4fd6a4af62b00e7ae61eb

SHA256
c2d62d2c10f82834b502fbcab73b7fcf4758b21964851c907d9db03e075ea61b

SHA512
7585ec0862cc46283ccd68acb5ce72f04dd6cb306982235df07374b3e341dce9a85f05fbe3697eb8579b7c98f1cce37bc5544213aadd2a911a55d6fd9476cfd3

Download Submit
C:\Users\Admin\AppData\Roaming\MemoThis\memo-client.properties

Filesize
625B

MD5
1a47816f5c4ea9b3377a1884832bee9c

SHA1
7b6670c20bdae91d5d875988ab39d92f3fd350ff

SHA256
6f4a03a0e7e3b145bf6391f7de66309d4818433a69cdf8ceba366be60d365547

SHA512
82831fbff0a63d632b834902b64574227ef6f9d83f74ad4bcc0fb3a916dc35876c341dd4d6c2803dc3e7c87cdda27fd6cfa49aa8a29afce9482f2a545579e8db

Download Submit
\Users\Admin\AppData\Local\Temp\nsj87A9.tmp\IEFunctionsU.dll

Filesize
4KB

MD5
2315564b6c4382b642e23c3518489ed6

SHA1
3e8da90c307910c0b1dbc3a35060d279ab2c6d42

SHA256
8a37c6e9706b166d278abd468984f75e71f27596faa2fd67b90d2a1e28e8eaa2

SHA512
cfce9d1bdcfbce66d3afb6ecadc8815e1a4d3437571b64fe91fec311a71d17c38bb81423af1dfac2af539acef0835c602f141402a80d086a9e6c8cfef2dd317c

Download Submit
\Users\Admin\AppData\Local\Temp\nsj87A9.tmp\InetLoad.dll

Filesize
18KB

MD5
a86f2ab29f13812c0675a2d94bf18bdf

SHA1
0b34212b40612bad005585d5e4d9daf23805940b

SHA256
a865a90bd24840660bbd5b4af8f18051199af5c12608153130051b29064b963a

SHA512
9b229d3463a18aee83f6463409d60c64f56b78da0110e6a94890b24c765a7a6cc347a70f891f72cf9ac395018dfc712d8915c1698b8c35789bd276945c480fcc

Download Submit
\Users\Admin\AppData\Local\Temp\nsj87A9.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
\Users\Admin\AppData\Roaming\MemoThis\Hiverion.dll

Filesize
900KB

MD5
0446d1d4b7e3cb6b6178e4ec50520de7

SHA1
c339c5ecfaf5398192e9bfdedd2980bead1d22f0

SHA256
9f9fc3e0f5d48ea5e80ca34641cacfa3c431cdb0f9e2816e0fbbbecddadaf6a4

SHA512
3a34d15677bfb1147f37ed2196fd801d4505a509aa37f5e3b5543c6f8cba93416a16317ee2cc11dc8b2308aac9cd3b11fe08839151200ab4728e218f9ff6616b

Download Submit
\Users\Admin\AppData\Roaming\MemoThis\MemoThis.dll

Filesize
218KB

MD5
9cfb500faeaa156e79eb8c5bb2c5cc68

SHA1
0b2a895da8ef6a1d9e73270df2436916672ab6e1

SHA256
577f79f928fd27eabd8033bf4cb3154422037e960df66cf6296d1c6fd2c08ae4

SHA512
2c10ac73dd3ba0c09eb3a2b241b090f64c4dde9e7adad50aedbb8489c8baf29ad81cba1284b957cefe21253fc712fdd7369784712fc9473202568347552f6283

Download Submit
\Users\Admin\AppData\Roaming\MemoThis\Updater.exe

Filesize
140KB

MD5
78b515df5a8b1c3c813e7f5c0fb6f6ea

SHA1
a01e9ee70888a6e8c29f67d054a0df2894715da1

SHA256
794dbf1af2f3914ebd8f62263798efe5c20377919d770b27e8005af34898eecc

SHA512
7e06df98e964a482954eb1ddc1d383aec4224536bb9bf48137bc8971aae219800993181ffed59c25995d8548e4e0e3ab9e0711229c1f6d80c5201ca57d813ebb

Download Submit
memory/3016-17-0x0000000002A90000-0x0000000002B74000-memory.dmp

Filesize
912KB

Download
memory/3016-29-0x00000000003C0000-0x00000000003F9000-memory.dmp

Filesize
228KB

Download
memory/3016-89-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads