04945ac63ae1a9e54bec7db2532c09d5e8354296f8b875b6ebb2b3e210a9a50c

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
Size

124KB
MD5

f623a222ff4ca68be361a4ca9ed975f4
SHA1

5cc294b5fc85a4a9919f38fd4e6c9af8fe103b2b
SHA256

04945ac63ae1a9e54bec7db2532c09d5e8354296f8b875b6ebb2b3e210a9a50c
SHA512

b9398ce4c67fb8f99b193bb4afebff0cfbb157dfd8963552a9d21a4d54026593ad28da61509fd15de899e250a742ed1cb2a59f3aa1a7bc56daf235bb1fd17195
SSDEEP

3072:z7dbGkiWPLAFqIHn7yXus+7Jlkz/GMexh89Mu:NqkivqOn8uT7e/GMuhEMu

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1100	51b198.exe
3880	gggg27.exe

Loads dropped DLL 4 IoCs

pid	Process
1100	51b198.exe
1100	51b198.exe
1100	51b198.exe
1100	51b198.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\51b198.exe	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\gggg27.exe	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSINET.OCX	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51b198.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gggg27.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ = "Microsoft Internet Transfer Control, version 6.0"	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\ = "Microsoft Internet Transfer Control, version 6.0"	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\ = "0"	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS\ = "2"	51b198.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CurVer	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ = "IInet"	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID\ = "{48E59293-9880-11CF-9754-00AA00C00908}"	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version\ = "1.0"	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSINET.OCX"	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\ = "Internet Control General Property Page Object"	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}	51b198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	51b198.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX, 1"	51b198.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
1100	51b198.exe
1100	51b198.exe
1100	51b198.exe
3880	gggg27.exe
3880	gggg27.exe
3880	gggg27.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 1100	1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe	96
PID 1008 wrote to memory of 1100	1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe	96
PID 1008 wrote to memory of 1100	1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe	96
PID 1008 wrote to memory of 3880	1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe	97
PID 1008 wrote to memory of 3880	1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe	97
PID 1008 wrote to memory of 3880	1008	f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe	97

C:\Users\Admin\AppData\Local\Temp\f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f623a222ff4ca68be361a4ca9ed975f4_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\51b198.exe
  C:\Windows\system32\51b198.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1100
- C:\Windows\SysWOW64\gggg27.exe
  C:\Windows\system32\gggg27.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1036,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=3956 /prefetch:8
1⤵
PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\51b198.exe

Filesize
28KB

MD5
b8cd4e2e545bf8a55375714b0479fcbc

SHA1
1dd7dd14aebe49f988515a1fc868c114f3e853af

SHA256
7b79f3ab2647f27b4e20a4a475b53ba4a40fbdedb772286b6578679ea8a73245

SHA512
1a24d90212f19e0ca55cc4f6b4d831deaff58c7600e3c9196a0b34c273b7ceced842725d50642d348df6787ec45251fbd807e5af96b61d84bc394caf0bc925cb

Download Submit
C:\Windows\SysWOW64\MSINET.OCX

Filesize
112KB

MD5
7bec181a21753498b6bd001c42a42722

SHA1
3249f233657dc66632c0539c47895bfcee5770cc

SHA256
73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

SHA512
d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

Download Submit
C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Windows\SysWOW64\gggg27.exe

Filesize
11KB

MD5
3a8c12fbdc005004714b8ba7cb65eb8c

SHA1
724c49a2ad6760cb5f918b2bbfa2b041181cda00

SHA256
c3811f0663fda0242ec114f4979dc921ce7c5d8698a3502f0cddac39c98d0a83

SHA512
629c439358985735f59942806bd0eb220c4a957059df303229e2700eefce0a48ed1b971ae8b0f31b61cecb4415ac5e7d5caabc750d59af66855f039e262e97a3

Download Submit