219423a32336987838bea44a471fe02700e2e74ba4c98ebb41512b7bc15e0c32

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

def612ad0554006378f185d3b56efb57_JaffaCakes118.exe
Size

148KB
MD5

def612ad0554006378f185d3b56efb57
SHA1

b27ea28e772fbc6b7f80b75b2ba6d32b39d6f256
SHA256

219423a32336987838bea44a471fe02700e2e74ba4c98ebb41512b7bc15e0c32
SHA512

5ebc664726aad811d6f91de8c7d355b312799e39e69af5218de0eda7d6696c5f1c025737c87c7bda0b22883425fd808770592c9bd7a3f39e759c5dbc46f14f9e
SSDEEP

1536:OjLzLxke+a6vLZqyMe6Gfo84U0taH3DfBTF7kK3RmkdumKlT4j0wEwVAcEDKgf:oxka6gGfoucaH3VBmkduXl8+wVAcw/

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk	def612ad0554006378f185d3b56efb57_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	def612ad0554006378f185d3b56efb57_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk	netmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	netmgr.exe

Executes dropped EXE 1 IoCs

pid	Process
4756	netmgr.exe

Loads dropped DLL 1 IoCs

pid	Process
4756	netmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	def612ad0554006378f185d3b56efb57_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31131174"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3370028395"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433029095"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3306591180"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31131174"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F0A37D4A-7219-11EF-BFD9-6ADB259EA846} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1C3718AA-721A-11EF-BFD9-6ADB259EA846} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{43F20856-721A-11EF-BFD9-6ADB259EA846} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3307528561"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31131174"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3369091042"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31131174"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31131174"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3306591180"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4756	netmgr.exe
4756	netmgr.exe
4756	netmgr.exe
4756	netmgr.exe
4756	netmgr.exe
4756	netmgr.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3880	def612ad0554006378f185d3b56efb57_JaffaCakes118.exe
4748	IEXPLORE.EXE
220	IEXPLORE.EXE
4756	netmgr.exe
4704	IEXPLORE.EXE
4756	netmgr.exe
4852	IEXPLORE.EXE

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3880	def612ad0554006378f185d3b56efb57_JaffaCakes118.exe
4756	netmgr.exe
4756	netmgr.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
5084	IEXPLORE.EXE
5084	IEXPLORE.EXE
220	IEXPLORE.EXE
220	IEXPLORE.EXE
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE
4704	IEXPLORE.EXE
4704	IEXPLORE.EXE
2832	IEXPLORE.EXE
2832	IEXPLORE.EXE
2832	IEXPLORE.EXE
2832	IEXPLORE.EXE
4852	IEXPLORE.EXE
4852	IEXPLORE.EXE
1576	IEXPLORE.EXE
1576	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 4756	3880	def612ad0554006378f185d3b56efb57_JaffaCakes118.exe	85
PID 3880 wrote to memory of 4756	3880	def612ad0554006378f185d3b56efb57_JaffaCakes118.exe	85
PID 3880 wrote to memory of 4756	3880	def612ad0554006378f185d3b56efb57_JaffaCakes118.exe	85
PID 4756 wrote to memory of 3692	4756	netmgr.exe	92
PID 4756 wrote to memory of 3692	4756	netmgr.exe	92
PID 4756 wrote to memory of 3692	4756	netmgr.exe	92
PID 3692 wrote to memory of 4748	3692	iexplore.exe	93
PID 3692 wrote to memory of 4748	3692	iexplore.exe	93
PID 4748 wrote to memory of 5084	4748	IEXPLORE.EXE	94
PID 4748 wrote to memory of 5084	4748	IEXPLORE.EXE	94
PID 4748 wrote to memory of 5084	4748	IEXPLORE.EXE	94
PID 4756 wrote to memory of 2344	4756	netmgr.exe	98
PID 4756 wrote to memory of 2344	4756	netmgr.exe	98
PID 4756 wrote to memory of 2344	4756	netmgr.exe	98
PID 2344 wrote to memory of 220	2344	iexplore.exe	99
PID 2344 wrote to memory of 220	2344	iexplore.exe	99
PID 220 wrote to memory of 1812	220	IEXPLORE.EXE	100
PID 220 wrote to memory of 1812	220	IEXPLORE.EXE	100
PID 220 wrote to memory of 1812	220	IEXPLORE.EXE	100
PID 4756 wrote to memory of 4548	4756	netmgr.exe	103
PID 4756 wrote to memory of 4548	4756	netmgr.exe	103
PID 4756 wrote to memory of 4548	4756	netmgr.exe	103
PID 4548 wrote to memory of 4704	4548	iexplore.exe	104
PID 4548 wrote to memory of 4704	4548	iexplore.exe	104
PID 4704 wrote to memory of 2832	4704	IEXPLORE.EXE	105
PID 4704 wrote to memory of 2832	4704	IEXPLORE.EXE	105
PID 4704 wrote to memory of 2832	4704	IEXPLORE.EXE	105
PID 4756 wrote to memory of 3024	4756	netmgr.exe	106
PID 4756 wrote to memory of 3024	4756	netmgr.exe	106
PID 4756 wrote to memory of 3024	4756	netmgr.exe	106
PID 3024 wrote to memory of 4852	3024	iexplore.exe	107
PID 3024 wrote to memory of 4852	3024	iexplore.exe	107
PID 4852 wrote to memory of 1576	4852	IEXPLORE.EXE	108
PID 4852 wrote to memory of 1576	4852	IEXPLORE.EXE	108
PID 4852 wrote to memory of 1576	4852	IEXPLORE.EXE	108

C:\Users\Admin\AppData\Local\Temp\def612ad0554006378f185d3b56efb57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\def612ad0554006378f185d3b56efb57_JaffaCakes118.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Users\Admin\AppData\Local\Temp\netmgr.exe
  "C:\Users\Admin\AppData\Local\Temp\netmgr.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    -nohome
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4748
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4748 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:5084
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    -nohome
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:220 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1812
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    -nohome
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4704
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4704 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2832
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    -nohome
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4852 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
84231e6b703a4b64fa601076af9e016a

SHA1
210e330be937e617085d28bf356c990a49dce0a5

SHA256
e10b7b5f4f3291d340cebafd2d87bbec8689ffb1750a813a2887b6cd31ce61b3

SHA512
e13fcb1e344dbd4cd9429faa51f61615ce602908e3eabb7ae9190e745f38747b62b563ca9c0c71abecff1fc398afd2652d32ec37511061d2dff2356aaad0b8d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
08fa9edcfc0d02fd7897650346fab066

SHA1
4ab043de647b92bdfdd862f3e313d5af83bd74ca

SHA256
56048545e1ac16480492ebe593762864579aba3482af998d0c8a324e190f54ad

SHA512
da912b03636cdd7d530a43ece67c12086698f0bbe0bc6c8f429c88d566e8297645fe4bd07707e7450b805369a08609927e2f0765eb6c450060cc70fbfefcef4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F0A37D4A-7219-11EF-BFD9-6ADB259EA846}.dat

Filesize
5KB

MD5
9bbf6398eca4267c18a364a4194c3232

SHA1
d8ab28ac036a3f5b17ec3d79d092b7b01e49a3a4

SHA256
c4a4d18f3918b5ff11ac2ae9a5483a0f9dde77e59dc553f8a92208074e85e505

SHA512
9aab43fabeb31e24f9542e53b2fe19c9d17c6139cb984e04adab85dccc3c2c3fda632a22e8942aa5ec019c51957d3490e6778164e2e63fefb7cfd15e867124b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F4776410-7219-11EF-BFD9-6ADB259EA846}.dat

Filesize
5KB

MD5
4e5d5dae379a097ef82ede202a8dadc9

SHA1
65f2b9269db937f8f76fe3a228c75bb4b83ac86d

SHA256
c844ce46bfa61c6dea7dfbdad602a687c1693dffe2691bbd7dedb8b6118f00ae

SHA512
e24a01d401f084d5389f59693c06ef2e5a6f98711d17375003f8de9bc5adcc939854786211bd4eb76872ffc3e6137a6971716b301a62ea5f0c74164c0bdaca66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F4776410-7219-11EF-BFD9-6ADB259EA846}.dat

Filesize
4KB

MD5
c09fa684accf27ff7d9e359838b03cd2

SHA1
7e9fa32a00fde26fca34c99efff3c40f9d46f9d5

SHA256
0f2fbab8113fc1820f3c93201274f642cede29e6b23eccc5ec8b23b1122d73d9

SHA512
1c9c48a185975fede96c78b5219fc610710c489dabb6c464ab607e4c90b316ab80ca40123d89e297b49d0035f920e7909381c3052320cae822a90e46ff5eda5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver3EBA.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\netmgr.dll

Filesize
96KB

MD5
c0c093987a55fe9ac61e6e2b5a362d51

SHA1
52126b81560e3319518c50058c86a8c5fce0d3d1

SHA256
5c7d07858c7d01156a7f624d86b16e948a4630a2388d0c3cc1be86bd95f4858e

SHA512
716e9dc694a1544be5730cc8b82a4a73d4f8763408c80fe38a61d66cc201d9cc440510b036dfb49d2b1353b827a7628c389e833678860e358c72951deea1c7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\netmgr.exe

Filesize
20KB

MD5
4968882f189236952fd38a11586b395a

SHA1
1e9838e98b25619d9680854a6bd2418e044e52e5

SHA256
e917d277ce6d27e9740fede690f7bd810e99c0757ae4226cb30f8227c6b30b43

SHA512
3164a7d5fdbf3abc67caa56f974ad74d87059620d42ce6a656ede0480cf5a8d2fb87dd2fd3ba247409376437267af8b6388a78f3fbd67b42517ac0f2b4d13ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\perf2012.ini

Filesize
138B

MD5
1b084b39bb267c7265f99bbf76c58b9d

SHA1
85abcded0afb763acaa24801236fa58bc2a2b740

SHA256
ceb3ff7139c7ab61399b932bb6a98746f367b6ae1304062cf8fa61dc66a1909e

SHA512
b986a1800fab0f9091ff174c318284097639bee155576976114820cdd7f8543dc0a3c3990be22f38d8d571d11adf6f8a0248e142b205bb5ac7077e481fc39406

Download Submit