1bc8659958762a59361560208c31dafce0a3c370cf2d5071b745fa2cb641b7b6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7df73fe928fbb26f29aeeb7a8b0a82b_JaffaCakes118.exe
Size

104KB
MD5

a7df73fe928fbb26f29aeeb7a8b0a82b
SHA1

3795602954da5dae4a58745752416bfd323ab73c
SHA256

1bc8659958762a59361560208c31dafce0a3c370cf2d5071b745fa2cb641b7b6
SHA512

afef8400ac82a207e3fe4ea58173a3dd198ddc1042dbb9d8152c6a343aa894d34f00076979aad1ffe15e70fee18ecb9e0a2b33e0dceac9b56e50c459bad0d80a
SSDEEP

3072:4gXdZt9P6D3XJcM5tSGagNxOTSZWki3VJWk1BSqeJq7DxKP13LvP:4e34f7l9xYSZPe6sBSqeEPxI1rP

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3120	rjjmanpw.exe
2344	rjjmanpw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3120 set thread context of 2344	3120	rjjmanpw.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rjjmanpw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rjjmanpw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7df73fe928fbb26f29aeeb7a8b0a82b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31125922"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{07034DAC-5D96-11EF-8D5B-D20DFB866B4D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000262c84e5c2a8b24db398d3ff1cc7357000000000020000000000106600000001000020000000ea863195ec61bf123165051d9be215804d771bcd4872daa6d982aa70d9de8124000000000e8000000002000020000000d8c5708845b86ee781589cdfce6b9be9c248e87022173242c0fea29bac2c748c2000000009ced413a0cae507b07fff6b492939ec754489f17d58ce46623ca42edf7235a0400000002e828af1d5c66387d600f7a4c7d385c56594dc99039dcda25a86f8eeebac94075db8d3e61ef6d538bf411687d29d9b797489bdae800106d409c93138ab664dc2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8061fddca2f1da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{24AA8D3F-5D96-11EF-8D5B-D20DFB866B4D} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000262c84e5c2a8b24db398d3ff1cc73570000000000200000000001066000000010000200000007a2a24fb92d53593f5506927a87408366c988baf7dae94ab1b65cf24c05bcac1000000000e8000000002000020000000807cd3dad1c15d1be84cbd6b4e5812f05bf64b9f4bd776bc386d4af82e8de29b20000000513bf21f9217dd7f68262d44d2a4b078893b24a7cecc5853d63d5d772e07e88d40000000ef9796bfc80cbe4578ccc4fd499da555b9c5be30027cff82bc3154240a0a0384086fc3b6d32d1f8635e0cfd0ab7d6c82c6b0e6c012d35f4ec8b836bf6a9dde68	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D0830C61-5D95-11EF-8D5B-D20DFB866B4D} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 205708cea2f1da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31125922"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30144abfa2f1da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{15DE16F0-5D96-11EF-8D5B-D20DFB866B4D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F84522E5-5D95-11EF-8D5B-D20DFB866B4D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2766500181"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000262c84e5c2a8b24db398d3ff1cc7357000000000020000000000106600000001000020000000b9ec04c42c0e21252fbc469ed32a349d6a71ed43cb4eebe6996044de4880f9a5000000000e80000000020000200000006c0c7477d73355aad5514ccaebbea1c04b13d661b5037855d483fc39fbaf127c20000000a891ae3f5fcaf086dab22135e2f986ac9145209129c4acd2e3bd5032f2a8e3f540000000e02bd6b6152513118c04a18cfcfa43a0d8fc4e515a14b9ac49d8153ed25e7f74e75e9c866808c039e45e26834048edf5f64d364887887d35052fc2e86a6d61e4	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 708dbfa9a2f1da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E97648A0-5D95-11EF-8D5B-D20DFB866B4D} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000262c84e5c2a8b24db398d3ff1cc73570000000000200000000001066000000010000200000004049851ecfb736e016dc104c7206cc461b18f5135e2132616918e7d930047a9b000000000e80000000020000200000008a1be59296da43e1a947792db5fde1170ea2399a9e4883e3895d2920df57e9ad20000000bc5d433a3d3a46790227bd0a12ed07140e9fadd4a12c344f8eb21ec73015833240000000696ec20f404609b3e92f85675a3cdc155326cafba882ef180716c3006aec511c4c81a490b55200411f598e11f9a52b8627ce405d1ecf2bb7a4a6f55d73b02ecd	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000262c84e5c2a8b24db398d3ff1cc7357000000000020000000000106600000001000020000000e2315543b9ab9a1afbfb478c21474758a05a3a748ead7defb6578f15d14a9c63000000000e8000000002000020000000a63fcedb8290b885fd9a5f60ddaced19a8eefdd16eac48395ada6a057cd3beaf20000000752e30070175e442be95c58aa377ace57d9196102451285c0744360767cc376e400000009337461e34c3d006e2a9c40089082062c520fbac90ccec68fba3882ae91adb79aad70bceed0758d12b16fe4561b54618508f29dd5545654fd3126b2b97fabb11	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2344	rjjmanpw.exe
2344	rjjmanpw.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
436	iexplore.exe
1372	iexplore.exe
1472	iexplore.exe
2500	iexplore.exe
2004	iexplore.exe
1936	iexplore.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
3120	rjjmanpw.exe
436	iexplore.exe
436	iexplore.exe
1724	IEXPLORE.EXE
1724	IEXPLORE.EXE
1372	iexplore.exe
1372	iexplore.exe
3672	IEXPLORE.EXE
3672	IEXPLORE.EXE
1472	iexplore.exe
1472	iexplore.exe
4528	IEXPLORE.EXE
4528	IEXPLORE.EXE
2500	iexplore.exe
2500	iexplore.exe
4220	IEXPLORE.EXE
4220	IEXPLORE.EXE
2004	iexplore.exe
2004	iexplore.exe
5004	IEXPLORE.EXE
5004	IEXPLORE.EXE
1936	iexplore.exe
1936	iexplore.exe
4360	IEXPLORE.EXE
4360	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 3120	4172	a7df73fe928fbb26f29aeeb7a8b0a82b_JaffaCakes118.exe	86
PID 4172 wrote to memory of 3120	4172	a7df73fe928fbb26f29aeeb7a8b0a82b_JaffaCakes118.exe	86
PID 4172 wrote to memory of 3120	4172	a7df73fe928fbb26f29aeeb7a8b0a82b_JaffaCakes118.exe	86
PID 3120 wrote to memory of 2344	3120	rjjmanpw.exe	94
PID 3120 wrote to memory of 2344	3120	rjjmanpw.exe	94
PID 3120 wrote to memory of 2344	3120	rjjmanpw.exe	94
PID 3120 wrote to memory of 2344	3120	rjjmanpw.exe	94
PID 3120 wrote to memory of 2344	3120	rjjmanpw.exe	94
PID 3120 wrote to memory of 2344	3120	rjjmanpw.exe	94
PID 3120 wrote to memory of 2344	3120	rjjmanpw.exe	94
PID 3120 wrote to memory of 2344	3120	rjjmanpw.exe	94
PID 436 wrote to memory of 1724	436	iexplore.exe	97
PID 436 wrote to memory of 1724	436	iexplore.exe	97
PID 436 wrote to memory of 1724	436	iexplore.exe	97
PID 1372 wrote to memory of 3672	1372	iexplore.exe	105
PID 1372 wrote to memory of 3672	1372	iexplore.exe	105
PID 1372 wrote to memory of 3672	1372	iexplore.exe	105
PID 1472 wrote to memory of 4528	1472	iexplore.exe	108
PID 1472 wrote to memory of 4528	1472	iexplore.exe	108
PID 1472 wrote to memory of 4528	1472	iexplore.exe	108
PID 2500 wrote to memory of 4220	2500	iexplore.exe	110
PID 2500 wrote to memory of 4220	2500	iexplore.exe	110
PID 2500 wrote to memory of 4220	2500	iexplore.exe	110
PID 2004 wrote to memory of 5004	2004	iexplore.exe	119
PID 2004 wrote to memory of 5004	2004	iexplore.exe	119
PID 2004 wrote to memory of 5004	2004	iexplore.exe	119
PID 1936 wrote to memory of 4360	1936	iexplore.exe	124
PID 1936 wrote to memory of 4360	1936	iexplore.exe	124
PID 1936 wrote to memory of 4360	1936	iexplore.exe	124

C:\Users\Admin\AppData\Local\Temp\a7df73fe928fbb26f29aeeb7a8b0a82b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a7df73fe928fbb26f29aeeb7a8b0a82b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Users\Admin\AppData\Local\Temp\rjjmanpw.exe
  C:\Users\Admin\AppData\Local\Temp\rjjmanpw.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Users\Admin\AppData\Local\Temp\rjjmanpw.exe
    C:\Users\Admin\AppData\Local\Temp\rjjmanpw.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2344

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:784

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:436
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:436 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1724

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1372 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1472 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4528

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4220

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5004

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B9AWTLKS\dnserror[1]

Filesize
2KB

MD5
2dc61eb461da1436f5d22bce51425660

SHA1
e1b79bcab0f073868079d807faec669596dc46c1

SHA256
acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993

SHA512
a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H9MX5QVK\httpErrorPagesScripts[1]

Filesize
11KB

MD5
9234071287e637f85d721463c488704c

SHA1
cca09b1e0fba38ba29d3972ed8dcecefdef8c152

SHA256
65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

SHA512
87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQ3665LB\down[1]

Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KQ3665LB\errorPageStrings[1]

Filesize
4KB

MD5
d65ec06f21c379c87040b83cc1abac6b

SHA1
208d0a0bb775661758394be7e4afb18357e46c8b

SHA256
a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

SHA512
8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T369AOZZ\NewErrorPageTemplate[1]

Filesize
1KB

MD5
dfeabde84792228093a5a270352395b6

SHA1
e41258c9576721025926326f76063c2305586f76

SHA256
77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

SHA512
e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjjmanpw.exe

Filesize
128KB

MD5
c8ad9f49632247cf36173e5c6f225882

SHA1
1bda98f1c454db6bb27ea50d6731a9034f588758

SHA256
f0e1a2a2c83d352691c0b5b2ce9c53920d3a0457ddf20e3648b0f01ed2d24215

SHA512
aad1232869c55e09fda2567ff979631102d217ba7245b35f627d805250b0497fc3c74fc8e2d3938c452abe4e7a2311effa0316fce9f7c8c0a030d44b0a99f6da

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.dat

Filesize
29KB

MD5
a3910dabffcf1940d442f936b1715fcb

SHA1
af38ae5ff3f4428264e8ff83905b4b4ffb1ea230

SHA256
8ce6d97e44ed38d8475194903e5f84a30aa83844b8c39862c6287597f3a72fb5

SHA512
9406fb768b3be06727c0b0d411a20d3a2bd0ac1c77986846feb25e5e7ebb16ce2aa895d1eec58314c1d981fc4b8033bc1069bfbaba792937ccbe529cf68cc303

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF0DFBED7A611B0E50.TMP

Filesize
16KB

MD5
b11b656c5d925c67474a13655f771c03

SHA1
2648179064ca34f7580045af045a4009b38c94bd

SHA256
8dada45d38f095beaf5b3524a0fc0c7626809da970c0b0325a016e40be5ec929

SHA512
7dffaeb399188d24b84890ee68048cf7f609f0b075880fd1fb24fa2fcb80db7a818b5ef168d7b0d1125952d6b9757e3a3699e8a03f1ff5fc9da04e89a2e8788d

Download Submit
memory/2344-8-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2344-11-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/2344-13-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download