73718442f7fb1a5c241aa2573194fdc51bf514aa1758dc35b550a3fa71cfd0b2

Analysis

max time kernel
137s
max time network
132s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
Size

162KB
MD5

81aa05ab45e06efb51d79d4f83e43b80
SHA1

949645fb5252cab46004dfa1f8a27c7b439f0c04
SHA256

73718442f7fb1a5c241aa2573194fdc51bf514aa1758dc35b550a3fa71cfd0b2
SHA512

0721f4691b2a6b0336e01f8f2ae0ddc8b2e245db56b4fb04d83bf16f4f3f8df561d1306d06ff8fa1a9bdf83839205b592d7026a5cac66ca9db77064e9cd7c5cf
SSDEEP

3072:REyXoN1VwNS1Jorf5qAHi6M0Lu/OIoZUlqhkZfsAS8dmFJ/geIOXBdFr8qq0Zv8:rXoN1SR3FLcNlu0Ef8ODIKB410C

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

Oetrtf.exeOetrtf.exeOetrtf.exe

pid process

2624 Oetrtf.exe
2596 Oetrtf.exe
3000 Oetrtf.exe

pid	process
2624	Oetrtf.exe
2596	Oetrtf.exe
3000	Oetrtf.exe

Loads dropped DLL 6 IoCs

Processes:

81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exeOetrtf.exeOetrtf.exe

pid	process
2092	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
2912	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
2912	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
2624	Oetrtf.exe
2624	Oetrtf.exe
2596	Oetrtf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Oetrtf = "C:\\Users\\Admin\\AppData\\Roaming\\Oetrtf.exe"	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exeOetrtf.exeOetrtf.exe

description	pid	process	target process
PID 2092 set thread context of 2744	2092	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2744 set thread context of 2912	2744	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2624 set thread context of 2596	2624	Oetrtf.exe	Oetrtf.exe
PID 2596 set thread context of 3000	2596	Oetrtf.exe	Oetrtf.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXE81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exeOetrtf.exeOetrtf.exeOetrtf.exeiexplore.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oetrtf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oetrtf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oetrtf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A8EA37F1-503A-11EF-B161-F296DB73ED53} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428701702"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe

pid process

2912 81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Oetrtf.exeIEXPLORE.EXE

description pid process

Token: SeDebugPrivilege 3000 Oetrtf.exe
Token: SeDebugPrivilege 592 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

788 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

788 IEXPLORE.EXE
788 IEXPLORE.EXE
592 IEXPLORE.EXE
592 IEXPLORE.EXE
592 IEXPLORE.EXE
592 IEXPLORE.EXE

pid	process
2912	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3000	Oetrtf.exe
Token: SeDebugPrivilege	592	IEXPLORE.EXE

pid	process
788	IEXPLORE.EXE

pid	process
788	IEXPLORE.EXE
788	IEXPLORE.EXE
592	IEXPLORE.EXE
592	IEXPLORE.EXE
592	IEXPLORE.EXE
592	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exeOetrtf.exeOetrtf.exeOetrtf.exeiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 2092 wrote to memory of 2744	2092	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2092 wrote to memory of 2744	2092	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2092 wrote to memory of 2744	2092	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2092 wrote to memory of 2744	2092	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2092 wrote to memory of 2744	2092	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2092 wrote to memory of 2744	2092	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2092 wrote to memory of 2744	2092	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2092 wrote to memory of 2744	2092	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2092 wrote to memory of 2744	2092	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2092 wrote to memory of 2744	2092	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2744 wrote to memory of 2912	2744	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2744 wrote to memory of 2912	2744	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2744 wrote to memory of 2912	2744	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2744 wrote to memory of 2912	2744	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2744 wrote to memory of 2912	2744	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2744 wrote to memory of 2912	2744	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2744 wrote to memory of 2912	2744	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2744 wrote to memory of 2912	2744	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2744 wrote to memory of 2912	2744	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2744 wrote to memory of 2912	2744	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
PID 2912 wrote to memory of 2624	2912	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	Oetrtf.exe
PID 2912 wrote to memory of 2624	2912	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	Oetrtf.exe
PID 2912 wrote to memory of 2624	2912	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	Oetrtf.exe
PID 2912 wrote to memory of 2624	2912	81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe	Oetrtf.exe
PID 2624 wrote to memory of 2596	2624	Oetrtf.exe	Oetrtf.exe
PID 2624 wrote to memory of 2596	2624	Oetrtf.exe	Oetrtf.exe
PID 2624 wrote to memory of 2596	2624	Oetrtf.exe	Oetrtf.exe
PID 2624 wrote to memory of 2596	2624	Oetrtf.exe	Oetrtf.exe
PID 2624 wrote to memory of 2596	2624	Oetrtf.exe	Oetrtf.exe
PID 2624 wrote to memory of 2596	2624	Oetrtf.exe	Oetrtf.exe
PID 2624 wrote to memory of 2596	2624	Oetrtf.exe	Oetrtf.exe
PID 2624 wrote to memory of 2596	2624	Oetrtf.exe	Oetrtf.exe
PID 2624 wrote to memory of 2596	2624	Oetrtf.exe	Oetrtf.exe
PID 2624 wrote to memory of 2596	2624	Oetrtf.exe	Oetrtf.exe
PID 2596 wrote to memory of 3000	2596	Oetrtf.exe	Oetrtf.exe
PID 2596 wrote to memory of 3000	2596	Oetrtf.exe	Oetrtf.exe
PID 2596 wrote to memory of 3000	2596	Oetrtf.exe	Oetrtf.exe
PID 2596 wrote to memory of 3000	2596	Oetrtf.exe	Oetrtf.exe
PID 2596 wrote to memory of 3000	2596	Oetrtf.exe	Oetrtf.exe
PID 2596 wrote to memory of 3000	2596	Oetrtf.exe	Oetrtf.exe
PID 2596 wrote to memory of 3000	2596	Oetrtf.exe	Oetrtf.exe
PID 2596 wrote to memory of 3000	2596	Oetrtf.exe	Oetrtf.exe
PID 2596 wrote to memory of 3000	2596	Oetrtf.exe	Oetrtf.exe
PID 2596 wrote to memory of 3000	2596	Oetrtf.exe	Oetrtf.exe
PID 3000 wrote to memory of 264	3000	Oetrtf.exe	iexplore.exe
PID 3000 wrote to memory of 264	3000	Oetrtf.exe	iexplore.exe
PID 3000 wrote to memory of 264	3000	Oetrtf.exe	iexplore.exe
PID 3000 wrote to memory of 264	3000	Oetrtf.exe	iexplore.exe
PID 264 wrote to memory of 788	264	iexplore.exe	IEXPLORE.EXE
PID 264 wrote to memory of 788	264	iexplore.exe	IEXPLORE.EXE
PID 264 wrote to memory of 788	264	iexplore.exe	IEXPLORE.EXE
PID 264 wrote to memory of 788	264	iexplore.exe	IEXPLORE.EXE
PID 788 wrote to memory of 592	788	IEXPLORE.EXE	IEXPLORE.EXE
PID 788 wrote to memory of 592	788	IEXPLORE.EXE	IEXPLORE.EXE
PID 788 wrote to memory of 592	788	IEXPLORE.EXE	IEXPLORE.EXE
PID 788 wrote to memory of 592	788	IEXPLORE.EXE	IEXPLORE.EXE
PID 3000 wrote to memory of 592	3000	Oetrtf.exe	IEXPLORE.EXE
PID 3000 wrote to memory of 592	3000	Oetrtf.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\81aa05ab45e06efb51d79d4f83e43b80_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Users\Admin\AppData\Roaming\Oetrtf.exe
      "C:\Users\Admin\AppData\Roaming\Oetrtf.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Users\Admin\AppData\Roaming\Oetrtf.exe
        
        "C:\Users\Admin\AppData\Roaming\Oetrtf.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Users\Admin\AppData\Roaming\Oetrtf.exe
        
        "C:\Users\Admin\AppData\Roaming\Oetrtf.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        8⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:788 CREDAT:275457 /prefetch:2
        9⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
22519ebe9b0543758e2226f54909d753

SHA1
acbca97a9fe9004bc61e00c37b400dcdcdfab6b1

SHA256
3a3647ffd3fd1871d8a03e153dfd5903e447bbbb12842cfe2f7412af1602b0b8

SHA512
50f056fe9f4c2e1c8df74e028fab377ea4c8e25cfb65bdaca6ec42af1f73dae29a51543a1575f405e737af580979ccf4f04c1ada97ca5f41901207f36649f8bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
037b840313a1f6a92d92b1898336a91b

SHA1
6baa474a7e1cee5f01ca83047532e675c9282497

SHA256
efa8d988d18bbd590c9735c75c3309d89a3f388f9a6e03c9362d16ad34f597a4

SHA512
3b47ac57e4c97faa3dff94d2b0bcc605df784b1d8d97141eb79c9ae19bd3bec080340f6eccdd2ab9d385545c3fb78714344c7c0fc77e212b77670489c9285fa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b7a7e5810fba87960bb725ebe0925ede

SHA1
622b08f8d272cbac7a79b70c44394e676e98337a

SHA256
d85b6be482e821a8dd777ca5d04a1be1ba772fb017b90ff03289364cc663b569

SHA512
3ada79e14123f16110cc78438e9385dd64349b3cdabc3ddf654a314ce833ae84e36e7beaed2b706b7eb28034401c5ec11fab4d8a7eeee91970e717ae7e0c5ab7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
60c64d9f08b5a12b92f05e360484779b

SHA1
09cb414117a96d164df0bc2f54179b02d7d9af85

SHA256
fddd0b576f22a67561da4b4c8f855428f6a7d2085b334b90933be292a70856b0

SHA512
2f9cdc6523f9105178d561f00c0732e1dd0ccf1a61cbf637446b866a903c63e0fb8e465147879af7d5e41a61e2564c485a18cedde0fad6a27a8ddbd224585b15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
cd24ec8d7dac33c5bdc8b496f263e84f

SHA1
6a7657a4eefe506ce03a97b1fe38aed5aeced270

SHA256
7e9f1239d0a7366085719cfef3bee09496d0f0ef7084f9a1c916c6c53d0ce16a

SHA512
2056f84b7fbad27dfcc3ce9d53980409ba446892244e35f7e985a6c375e5c5675c01549693fd34ded67a47ce48ce1e84e18190beb3c8f377cc6a92230858ddd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e53650321972d397308702030394b89e

SHA1
94d1c63e50a97f4782633df374789c1996470c60

SHA256
b21e3a6a0f1d1df260c26db8dce0c9932cba5bc462dd3a4b34346535e5ace2a4

SHA512
1a7183adc4af4e656fa13027ab68b4cb325767d441dbfadc714517a5cce68e29581b4114d404c8a50171e0be3b84200264797afa0c26ff534546fc012fba9a05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
3c38dcf89affd4ac96967ed38a9c3cfe

SHA1
2bd68e16c03f93bb10197ef08543f8c024cf38d6

SHA256
ca03ec2951b15bebce11bd96743c08b80192b339ca0ba68abddfbe68212c83cd

SHA512
900dffa267ca8b0d12777b679b5933345c28ee39a1c27f97283e8257d5fa27545bcb52cf5795f80d4746f3e1b48bb04cae28f64ede46dca197fd306368712916

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6bfd0070871766e67f7ba1a5965a97ae

SHA1
f510b1ed00138b00770e397057b09c1c0d7a2514

SHA256
6d984519ceea7cd42e0e0cf064ba1e9d66a81f3b56817aea376d30512741114d

SHA512
cf36248ad247cd5b8d3f7aceee4e9b509c2dcaf5fea27aa1ad707f2add9a248e8475d10577c5be8bf545f78040be3df18cf4561e2562753fd478c4393d700bbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
830e51e539dedf893a84c09ad3059178

SHA1
455759d4f01492fa676c975df43df51014d75ae5

SHA256
5c10b45f8d53e55b2777a1483ef0897c716748477ef001042ead0a82164aceb7

SHA512
509e18b147dabaf76d5fa857f08754f67b5537bfe3fd0633d81962f4427a5dcf4ea5322b5f6f0053840cc24365d49586f93911211848f5049cf6f29d45d77035

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
af6fbcc5b608923c4a2774aa98c0c978

SHA1
9dc7be4dfdd0fc832b966084ca3d30466470e3f4

SHA256
e5d4f5a20640d8f8931f3e2970b6ad005bf1984bb138e545a557cfab749b0f7c

SHA512
2d1d358c42142bd287e9dacf0349d0428e171570f83c1889cac7492d2717e371082d859b50e8084606e0381f7b0c6df77099d9d2321e8cb0c746c49fdd2781f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9c818adb675cd9b81181b0af43c0658f

SHA1
c725e1cfb2a38b3ab0c4e2350a5de79429bbd965

SHA256
ab69dafa19887c27e8104db064b4cd1d1d6eebd7ac5ccffd7667fee6767dd931

SHA512
39eb74fb0edc76c6ea56d1eb6ec2586bc33fe09cec7010888307347903ffa67a8c2d5cf3761791780c1618b710cb874d312a6fa87709729365ce7d2650faee1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
3723df756e81f6116821e0c97a57a5fe

SHA1
81acd9b73e3d6de7d25049776c1fc1c8390bc1d8

SHA256
0c3fbbe84b94dbb041d4b2cc74621bb55b4889e904c1889d01d058dd695a8ee0

SHA512
12c48773526ae74a35b51ff50a22c4e128ac43947a0ac75d326206ae0b91ecf5ba52ea561f66d24ee2b5b9d13302d5142f2dc3c6c6687424e9502f32386378bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
56c76bcfd16185bd6f22ec57792576ec

SHA1
8f0bca34f029dc40e43c5bde99a6043fcd2ad335

SHA256
39914dd23dc000ad0f1ac8ee7723d42c9cb4cc590d7d621d58261878b100bda3

SHA512
5f30447ecdeac0b4a1c03aa4b187bf3d02720e2cf81448fc30df4a808e576779b91e1917d0c9ace4544afeadbab09dc04d9b48e325511f0aa1ffcc686186ddb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7ea73326d40d6db8fb2afb6f064acd18

SHA1
77e2503876886af62572eaa59277b186e1d2cb2b

SHA256
f3c371d042c36816150174afd2a40b6158230887d237bfdbc8c2e1cfbe9396c5

SHA512
832cfa9abac576f4f167dfe2a54fe0d650641f77d75fccd96c068d65a980d92e57186cb83c8d1368ef35c585d26e4860d856fbde9ad5db282c0e373bf2f3d744

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c487c0e48d5d59ba59fd43224ea1f15a

SHA1
3474a02744fe3dbfe7b9dbd7c6e53869fa3c9ae5

SHA256
18355a6c48917efe5ef43063eb18c023a77d4a974924c83ac432963f83597d11

SHA512
55de3a80bc896b18b481b8ac0db8943880e3871284d04aef1e34d7dcdd199c2e5401f110c3d5c59b9ed62f26e7c9dbff3e20869cf1d53d6806b9e9606c7be167

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4e402f270d5d8a88e61fda2d49a71a44

SHA1
c34e401609bc7679951d09f6ec07eda7e2817ea0

SHA256
527d5e038f5a645dd94cec6bdf55598535c22acaf71b284290c282f193be8435

SHA512
8ddf44cb31986e27efdf189aed489a320d8b8edf1801dd530c85a3c0e03cebe68e846b85d2f3fa60031c2e2e46b04790589f5e7645c9d18f742a631c5fb37620

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5382beaa518f7c36b7a091656d977d1f

SHA1
85fc76a01f63c0708108b377cfaf5d69e69b31f8

SHA256
69d03d255d29a9f6a2d545b94eaece16e357d9eb6a9a6f3dc670abd993c89706

SHA512
da88d4ba61e91291d5728b7e0fe68e4ad547cdbadfcf67b84108a60d1fb98ca51ccd77897db0630869d7f78286b6a43704b8e7f7af099cc2307c11515d88874b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
725735b82250adc5d1f6ce6860c5bb72

SHA1
e349b7f6ee91660eec4cffcd695655b8df046c46

SHA256
074352417394e3d21e08f81b74fe9e234a381b2378216bd9daeac4ebf8a1aaa3

SHA512
0a0eddec76100f94fb630bdbf9b36a8776d4c4e56a7a5cc3e44bce12d2fe5d8cdfe6fac83eb3cbaa74cf49e853125ead2442b9872f618a5819dfd95d77b65aef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9fb8a10d2fb76d0756524ca6d3542fbf

SHA1
3d227888a7035943ad5bf5786ad61c9da6f18981

SHA256
e03bb59f3a29bbfc2ba40c0b132e310a6151e6177b5abb83eb8a81d5e11c2141

SHA512
31a765859b4a0af661608f3a78d7b05b0c73c9570076f84c1915cf8515caaedc42e44e5f00bbc2259b9805f9ce9bbee33f6bada2bc9255bd47b7c57cc433a51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9E82.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9F32.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\Ekg7afHe415gIxsl6af.tmp

Filesize
3KB

MD5
10a714b195635d9dea52883188903080

SHA1
488b06541880da79a4594bd1535cb2319dcdf262

SHA256
f49075fc33b842978a08a923dd2411f7dfbac0169e732b3fe44a2a1e07e22a00

SHA512
877945f6e2e43c3663ebd7abb534becd70af2b7ff84e3ea93cce14db90edaed1e7dd50b5f8f59c855285cb8add27aa791a8ea2299544599e2d8b922badb2a047

Download Submit
\Users\Admin\AppData\Roaming\Oetrtf.exe

Filesize
162KB

MD5
81aa05ab45e06efb51d79d4f83e43b80

SHA1
949645fb5252cab46004dfa1f8a27c7b439f0c04

SHA256
73718442f7fb1a5c241aa2573194fdc51bf514aa1758dc35b550a3fa71cfd0b2

SHA512
0721f4691b2a6b0336e01f8f2ae0ddc8b2e245db56b4fb04d83bf16f4f3f8df561d1306d06ff8fa1a9bdf83839205b592d7026a5cac66ca9db77064e9cd7c5cf

Download Submit
memory/2744-4-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2744-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2744-7-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2744-9-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2744-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-17-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2744-18-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2744-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2744-11-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2912-21-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2912-47-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2912-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2912-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2912-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2912-30-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2912-32-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2912-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2912-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3000-93-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3000-87-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download