ardamax | e4d95be483d87f25db57da7bf5f280583803140f7419ba6692564e685926d1d3

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
Size

756KB
MD5

d1b6223c9444283f76758dee7bcd907d
SHA1

73648b62774211b9c8b0cf66f3919a01df4b5dea
SHA256

e4d95be483d87f25db57da7bf5f280583803140f7419ba6692564e685926d1d3
SHA512

e20e24d272b3bd68a39f8a790fa1f38e417814d651fb35efeeec2c330acaa8877cd94b75b850b6bdc8c1dcda2fe52b8473fb8c16a741685cdeefde31845fdc5a
SSDEEP

12288:WGe6ASVjW+ewWqhIJ0JiUBxq4h6gX4+J68w+j/xucLX9R9otMtrhg3Indzc6Mq:86ASVC+oMIJaDBlh6gIfaDxumtXeeFd7

Score

10^/10

ardamax adware discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019581-57.dat	family_ardamax

Loads dropped DLL 42 IoCs

pid	Process
2044	regsvr32.exe
2044	regsvr32.exe
2044	regsvr32.exe
2044	regsvr32.exe
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
1984	WerFault.exe
1984	WerFault.exe
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
1512	IEXPLORE.EXE
1512	IEXPLORE.EXE
1512	IEXPLORE.EXE
1512	IEXPLORE.EXE
1512	IEXPLORE.EXE
2580	IEXPLORE.EXE
2188	WerFault.exe
2188	WerFault.exe
2580	IEXPLORE.EXE

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1D6C60F6-F97C-4d48-B442-ED2441AA2A66}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1D6C60F6-F97C-4d48-B442-ED2441AA2A66}\ = "XBTP03704"	regsvr32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1984	2880	WerFault.exe	32
2188	1512	WerFault.exe	36

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\snipetoolfull.dll	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\basis.xml	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Snipeomatic Toolbar\autofill.cfg	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\custombuttons_menulist.html	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Snipeomatic Toolbar\msvcrt.dll	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Snipeomatic Toolbar\MMIP.bmp	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\descdb.bin	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\autofill.cfg	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Snipeomatic Toolbar\custombuttons_list.html	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\regdb.bin	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\version.txt	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\autofill_plugin.dll	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\custombuttons_list.html	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Snipeomatic Toolbar\custombuttons_imageviewer.html	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\msvcrt.dll	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\custombuttons_imageviewer.html	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Snipeomatic Toolbar\msvcp60.dll	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\fdb.bin	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Snipeomatic Toolbar\spyrem.exe	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Snipeomatic Toolbar\basis.xml	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Snipeomatic Toolbar\version.txt	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Snipeomatic Toolbar\autofill_plugin.dll	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Snipeomatic Toolbar\tracert.exe	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\MMIP.bmp	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\snipetoolfull.crc	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\tracert.exe	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\custombuttons_additem.html	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Snipeomatic Toolbar\regdb.bin	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Snipeomatic Toolbar\descdb.bin	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Snipeomatic Toolbar\snipetoolfull.crc	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\tracertsettings.html	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Snipeomatic Toolbar\tracertsettings.html	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\msvcp60.dll	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\icons.bmp	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Snipeomatic Toolbar\icons.bmp	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Snipeomatic Toolbar\fdb.bin	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Snipeomatic Toolbar\spyrem.exe	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Snipeomatic Toolbar\custombuttons_menulist.html	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Snipeomatic Toolbar\custombuttons_additem.html	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e0100000600000009030000e803000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000021ec28e8a9eab3448021ee89101c6acd0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000003d6440e66fd4d40ebc0ec212f52c5dd4a10be80b806a661368d7e8f352d45b7d000000000e8000000002000020000000d819cb1784b51d83df7219b171c485820bf5d0c51dab33982e004b0ba8b82112200000000b7b059e6d3dc314aecd1a75056513e997dbc25a569ed6b9b6dff612941b74b840000000894c28c26e85fd20698dc126f5dc01feb34633c233e14d7c1bda03141f4d3c31a27d06071561c09d188009dfd63bf754a63073f630a1a1dcc7489a7d5a780acd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001002d00000001000000010700005e0100000600000001030000e803000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000021ec28e8a9eab3448021ee89101c6acd0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 50758cc28948db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{E828EC21-EAA9-44B3-8021-EE89101C6ACD} = 21ec28e8a9eab3448021ee89101c6acd7b34453042343837382d443136432d346536322d423146342d4231384242454138323542337d00	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e0100000600000009030000e803000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000021ec28e8a9eab3448021ee89101c6acd0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{E828EC21-EAA9-44B3-8021-EE89101C6ACD} = 00	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001001600000001000000010700005e0100000600000001030000e803000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000021ec28e8a9eab3448021ee89101c6acd0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "22"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FDDA0191-B47C-11EF-A5B7-F2BD923EC178} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{E828EC21-EAA9-44B3-8021-EE89101C6ACD} = 21ec28e8a9eab3448021ee89101c6acd7b34453042343837382d443136432d346536322d423146342d4231384242454138323542337d00	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\MAO Settings\SuppressPerfBarUntil = 3044eff55249db01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\MAO Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{05BC8F91-B47D-11EF-A5B7-F2BD923EC178}.dat = "0"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E828EC21-EAA9-44B3-8021-EE89101C6ACD}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E828EC21-EAA9-44B3-8021-EE89101C6ACD}\InprocServer32\ = "C:\\PROGRA~2\\SNIPEO~1\\SNIPET~1.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.XBTP03704.1\CLSID\ = "{1D6C60F6-F97C-4d48-B442-ED2441AA2A66}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D6C60F6-F97C-4d48-B442-ED2441AA2A66}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB03704.XBTB03704\CurVer\ = "XBTB03704.XBTB03704.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4336E20-4428-47CD-A2EA-39CE7804549E}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4336E20-4428-47CD-A2EA-39CE7804549E}\1.0\0\win32\ = "C:\\Program Files (x86)\\Snipeomatic Toolbar\\snipetoolfull.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB03704.IEToolbar\CurVer\ = "XBTB03704.IEToolbar.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.XBTP03704\ = "XBTP03704 Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.XBTP03704\CurVer\ = "ToolBand.XBTP03704.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D6C60F6-F97C-4d48-B442-ED2441AA2A66}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D6C60F6-F97C-4d48-B442-ED2441AA2A66}\ProgID\ = "ToolBand.XBTP03704.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D6C60F6-F97C-4d48-B442-ED2441AA2A66}\VersionIndependentProgID\ = "ToolBand.XBTP03704"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4336E20-4428-47CD-A2EA-39CE7804549E}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB03704.XBTB03704.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB03704.IEToolbar\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E828EC21-EAA9-44B3-8021-EE89101C6ACD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E828EC21-EAA9-44B3-8021-EE89101C6ACD}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4336E20-4428-47CD-A2EA-39CE7804549E}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB03704.XBTB03704\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB03704.IEToolbar.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E828EC21-EAA9-44B3-8021-EE89101C6ACD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E828EC21-EAA9-44B3-8021-EE89101C6ACD}\TypeLib\ = "{E4336E20-4428-47cd-A2EA-39CE7804549E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D6C60F6-F97C-4d48-B442-ED2441AA2A66}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D6C60F6-F97C-4d48-B442-ED2441AA2A66}\TypeLib\ = "{E4336E20-4428-47cd-A2EA-39CE7804549E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4336E20-4428-47CD-A2EA-39CE7804549E}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E828EC21-EAA9-44B3-8021-EE89101C6ACD}\VersionIndependentProgID\ = "XBTB03704.IEToolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D6C60F6-F97C-4d48-B442-ED2441AA2A66}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D6C60F6-F97C-4d48-B442-ED2441AA2A66}\InprocServer32\ = "C:\\PROGRA~2\\SNIPEO~1\\SNIPET~1.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D6C60F6-F97C-4d48-B442-ED2441AA2A66}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB03704.XBTB03704	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D6C60F6-F97C-4d48-B442-ED2441AA2A66}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4336E20-4428-47CD-A2EA-39CE7804549E}\1.0\ = "Softomate 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB03704.IEToolbar.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E828EC21-EAA9-44B3-8021-EE89101C6ACD}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.XBTP03704.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.XBTP03704.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.XBTP03704\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.XBTP03704\CLSID\ = "{1D6C60F6-F97C-4d48-B442-ED2441AA2A66}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E828EC21-EAA9-44B3-8021-EE89101C6ACD}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB03704.XBTB03704\ = "Snipeomatic Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB03704.XBTB03704\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E828EC21-EAA9-44B3-8021-EE89101C6ACD}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB03704.XBTB03704.1\ = "Snipeomatic Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E828EC21-EAA9-44B3-8021-EE89101C6ACD}\ProgID\ = "XBTB03704.IEToolbar.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ToolBand.XBTP03704.1\ = "XBTP03704 Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB03704.IEToolbar\CLSID\ = "{E828EC21-EAA9-44B3-8021-EE89101C6ACD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4336E20-4428-47CD-A2EA-39CE7804549E}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4336E20-4428-47CD-A2EA-39CE7804549E}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E828EC21-EAA9-44B3-8021-EE89101C6ACD}\InprocServer32\ = "C:\\Program Files (x86)\\Snipeomatic Toolbar\\snipetoolfull.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB03704.IEToolbar.1\ = "IE Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E828EC21-EAA9-44B3-8021-EE89101C6ACD}\ = "IE Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB03704.XBTB03704\CLSID\ = "{E828EC21-EAA9-44B3-8021-EE89101C6ACD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E828EC21-EAA9-44B3-8021-EE89101C6ACD}\ = "Snipeomatic Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB03704.IEToolbar\ = "IE Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E828EC21-EAA9-44B3-8021-EE89101C6ACD}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D6C60F6-F97C-4d48-B442-ED2441AA2A66}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4336E20-4428-47CD-A2EA-39CE7804549E}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Snipeomatic Toolbar\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB03704.IEToolbar.1\CLSID\ = "{E828EC21-EAA9-44B3-8021-EE89101C6ACD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D6C60F6-F97C-4d48-B442-ED2441AA2A66}\ = "XBTP03704 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E4336E20-4428-47CD-A2EA-39CE7804549E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB03704.XBTB03704.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XBTB03704.IEToolbar	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2064	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2064	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2064	iexplore.exe
2064	iexplore.exe
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
1512	IEXPLORE.EXE
1512	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE
2580	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2044	2676	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2044	2676	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2044	2676	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2044	2676	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2044	2676	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2044	2676	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2044	2676	d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe	30
PID 2044 wrote to memory of 2064	2044	regsvr32.exe	31
PID 2044 wrote to memory of 2064	2044	regsvr32.exe	31
PID 2044 wrote to memory of 2064	2044	regsvr32.exe	31
PID 2044 wrote to memory of 2064	2044	regsvr32.exe	31
PID 2064 wrote to memory of 2880	2064	iexplore.exe	32
PID 2064 wrote to memory of 2880	2064	iexplore.exe	32
PID 2064 wrote to memory of 2880	2064	iexplore.exe	32
PID 2064 wrote to memory of 2880	2064	iexplore.exe	32
PID 2064 wrote to memory of 2880	2064	iexplore.exe	32
PID 2064 wrote to memory of 2880	2064	iexplore.exe	32
PID 2064 wrote to memory of 2880	2064	iexplore.exe	32
PID 2880 wrote to memory of 1984	2880	IEXPLORE.EXE	35
PID 2880 wrote to memory of 1984	2880	IEXPLORE.EXE	35
PID 2880 wrote to memory of 1984	2880	IEXPLORE.EXE	35
PID 2880 wrote to memory of 1984	2880	IEXPLORE.EXE	35
PID 2880 wrote to memory of 1984	2880	IEXPLORE.EXE	35
PID 2880 wrote to memory of 1984	2880	IEXPLORE.EXE	35
PID 2880 wrote to memory of 1984	2880	IEXPLORE.EXE	35
PID 2064 wrote to memory of 1512	2064	iexplore.exe	36
PID 2064 wrote to memory of 1512	2064	iexplore.exe	36
PID 2064 wrote to memory of 1512	2064	iexplore.exe	36
PID 2064 wrote to memory of 1512	2064	iexplore.exe	36
PID 2064 wrote to memory of 1512	2064	iexplore.exe	36
PID 2064 wrote to memory of 1512	2064	iexplore.exe	36
PID 2064 wrote to memory of 1512	2064	iexplore.exe	36
PID 2064 wrote to memory of 2580	2064	iexplore.exe	37
PID 2064 wrote to memory of 2580	2064	iexplore.exe	37
PID 2064 wrote to memory of 2580	2064	iexplore.exe	37
PID 2064 wrote to memory of 2580	2064	iexplore.exe	37
PID 2064 wrote to memory of 2580	2064	iexplore.exe	37
PID 2064 wrote to memory of 2580	2064	iexplore.exe	37
PID 2064 wrote to memory of 2580	2064	iexplore.exe	37
PID 1512 wrote to memory of 2188	1512	IEXPLORE.EXE	38
PID 1512 wrote to memory of 2188	1512	IEXPLORE.EXE	38
PID 1512 wrote to memory of 2188	1512	IEXPLORE.EXE	38
PID 1512 wrote to memory of 2188	1512	IEXPLORE.EXE	38
PID 1512 wrote to memory of 2188	1512	IEXPLORE.EXE	38
PID 1512 wrote to memory of 2188	1512	IEXPLORE.EXE	38
PID 1512 wrote to memory of 2188	1512	IEXPLORE.EXE	38

C:\Users\Admin\AppData\Local\Temp\d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d1b6223c9444283f76758dee7bcd907d_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\Snipeomatic Toolbar\snipetoolfull.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.snipeomatic.com/installed.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2064 CREDAT:275457 /prefetch:2
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 2176
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1984
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2064 CREDAT:340994 /prefetch:2
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 928
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2188
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2064 CREDAT:209954 /prefetch:2
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\SNIPEO~1\MMIP.bmp

Filesize
3KB

MD5
730d8fa88d8b06ff5a4e5b56489a306c

SHA1
5eb8ead4fa3b0d1ac70753c9b52e791a2990bdeb

SHA256
b7e0f69cefd9e6f5a49040bd8ed2552c73497bc828fc50d902384bfb115f6358

SHA512
54c07612b865492fb367888b42ce452d81ba270685ef7ed794966032ff1e75c5c17086c6b447cd2cd9e884246cb02a44cd259894ef81a725136c463dab0280a4

Download Submit
C:\PROGRA~2\SNIPEO~1\autofill.cfg

Filesize
17KB

MD5
130f14037780bc1853005b0753936395

SHA1
7e65e748252114402ea9ecd97247abe131de115d

SHA256
f2824521c88e4b1c08e3144cc192621476c339ced1ab8a321e42d5c795f2729a

SHA512
1617debf836d7fb01fb2f6853a4a763d967b6a30e918271a22afe1b5ac8247dce441ed1a7cc5c94ce81f3e779efb49ea36d8b4467d7e8c9f7d02cd4e09c60cc9

Download Submit
C:\PROGRA~2\SNIPEO~1\custombuttons_additem.html

Filesize
5KB

MD5
3753249e9cf870545aff904c351c62ad

SHA1
e08a78cb7903664c0776a1d5a07455485b2697f7

SHA256
78e02ba3d6d60f44ebd5d9fb6b8c26df8326b87c4cfe76c3334bf50511c397b3

SHA512
0c3a866f141c764dabed73c222416d919419ded396cb99b1bdaab77ec166fe09f8142dbb59727793109ab2ea1f752562752763390911e8677c81cd58492a4d2a

Download Submit
C:\PROGRA~2\SNIPEO~1\custombuttons_imageviewer.html

Filesize
1KB

MD5
4ce770a6e20bdd5b57fc406edb5e5c9d

SHA1
7a97843c871549281295c2f11a1888fd3628b515

SHA256
3a4bcea74e23b899ab3b7a99b2d046b2ad36959314e0c8d3d44e811340b2ec65

SHA512
b745a2a836b7cb16e7a4c8144030485f7a48da574c0fb0f004e9643cfdb6fcd1a8ff11e54d3fee70caca7c87495752f458873f9e52fda08f6470a95ab6ccc94d

Download Submit
C:\PROGRA~2\SNIPEO~1\custombuttons_list.html

Filesize
14KB

MD5
f31221ea317f96dccd0f80a714558a51

SHA1
b709a1ea654033b26681e00ba9d3380b5fc1c1f5

SHA256
0728809962454119fd73117905c66b3652b2fbe780b01721abb2ce57eb767342

SHA512
825116590d183b4cb1bb3bab8ee45e59c84d4d4b2bcf64d2cb33c1589e3d2b1175e14c84c22a99aac2a8b2f4d805290d2d4d8216339084b5c2f4b32235428b83

Download Submit
C:\PROGRA~2\SNIPEO~1\custombuttons_menulist.html

Filesize
17KB

MD5
d096c647f6a3d1f38af0cca88ea8f8ac

SHA1
eb1cfc986d02ea61148204c4e3e3e4d8528485e7

SHA256
9c0c46dcdd6a76c0c362f36734c6ae046a498f14dff3ae62064249ee5fd1029a

SHA512
46b9852889fa1a887f5b0c340ed66cf9f154252f8248076a67d34631ce67755171c0cdd42383166e929ac1a9e28a05a85398636afcd491b24e505449323fd1ed

Download Submit
C:\PROGRA~2\SNIPEO~1\descdb.bin

Filesize
115KB

MD5
7bb096d53d9ca88388254afae9068995

SHA1
f877bbc27707547db79bc2a1fb05489104b05168

SHA256
c171108e3d59968b9de54565a732c5a87e90f83e079156b3c92386c192768e17

SHA512
901a05a0ba94ade6d9b90836bebd01c4af131457630cfd059ce6a1eba40c7b654c7b9f83079df6d08160e21e8a1842571bef6d077328fae097ac88cd9a6c5b97

Download Submit
C:\PROGRA~2\SNIPEO~1\fdb.bin

Filesize
496KB

MD5
20a6062a938e56319ecc28fcbf71c191

SHA1
da5096492160899b52a5a3414ec0829a38764600

SHA256
8718d1d8154d0e4fcd0e2c84d02f580af677b96dac589426b0ed7e327f550a58

SHA512
14bcec751dae012d35f25aae59dcec9dbaf0b8674035328cfa3a586228e40ffb6d2bbd3d4b068cae587f47f4f233ccea452ca016ecc4fc92b48a7a1a0baf3da4

Download Submit
C:\PROGRA~2\SNIPEO~1\icons.bmp

Filesize
13KB

MD5
fde327cb58ee99a1672ca9752e7de95b

SHA1
5acdaf53d05595fd9508dc4406d3cc9ee484ef08

SHA256
feb4b3f4d9fdb93e893caee2603280bc7db1fa1dbcd7fe11d9b54e265e27061f

SHA512
4c0ea3450543fdf72de468566355c9c8053c6a4a03662b9362cae7d060d9f62d1ab51250ebb2fd95d1bfcadd8a66223c6715872f3de70ed3ed63e643ca073740

Download Submit
C:\PROGRA~2\SNIPEO~1\regdb.bin

Filesize
717KB

MD5
a9ea14a1fd7dbd79e7fc81c73b97a1b8

SHA1
46351d7552860351cd5cfb66a5056de3eb616157

SHA256
9c2ab69190aeb45e65faf317cbb752beb43895a29eac69dba12b7d6fa035a582

SHA512
1d0a15b2d128679c8275dea4a371e7b669a80d4d3e2d8a4c2f52d9987a2c589a7179f2885dc330cb58962bdbebb454513fab532405234a418b65b46e01dc4949

Download Submit
C:\PROGRA~2\SNIPEO~1\snipetoolfull.crc

Filesize
351B

MD5
11a71d1605719e4d22536924af2739c3

SHA1
03cef4b3b57a07fe1bbcede567cb1ae1274c6b2a

SHA256
faf8da0be449f2f77179acb5d7c5947f933e23e03398ed8b74e8f242ef1fdef8

SHA512
f7bf080ccd48138424f653a301aebdc678b36bfbc4f249b6dda8a1bc6adf4495fc589bedaf1bdac04fc40ab4e908e088b61523bebaa67850097d58f6e531fba4

Download Submit
C:\PROGRA~2\SNIPEO~1\spyrem.exe

Filesize
280KB

MD5
d464b9ca5f771d88c6b2a2b7ba359aac

SHA1
c401a9e54bac45cd87aa70c83abd0e193fc47d0e

SHA256
d7fdb53aec3090b81881ee63c47c3f766a25245afd892026b96dc82eea5d21e3

SHA512
9de2566e953eca760d86978feda5e51a9a1ca0f75b0347b8483ffe3bd80e96ba2ba52570476df0550b23851991360b631b6f3cdc8c4ab8ee1ca565ae4afc4a54

Download Submit
C:\PROGRA~2\SNIPEO~1\tracert.exe

Filesize
10KB

MD5
9b4976f23d26be71ead311dc13184a73

SHA1
fac39f5597afaf4a0c60e0618847bcb64a6a5f74

SHA256
5c9a1a4b1d3877762aaefa806c67b1b7382bb8dc0619ba1954af9d1056151e6c

SHA512
f2afb8461a2afb68ac7e9143611dea71561e26af3243f2af7c153be43a176d6a6f39f68d13c3f8057075e2ffb29a64cfe51605d83fd3a7506e8b5d4f623420c2

Download Submit
C:\PROGRA~2\SNIPEO~1\tracertsettings.html

Filesize
3KB

MD5
86a6a5fd8128a2cf8401d7cd84525581

SHA1
ff02ab29b6ba344ace4c62b807b5b87167fd876d

SHA256
63da9d985a598aaa5c5d4e5e5e7569bd64b3877f73aba371b8ec72565900b7d5

SHA512
df9a951f25610a29a48da3625206afd9fc03cb4fbcf1b9ef65a9dfc78442e062e3250e3451d9163addce7a385ecd544d26065153e20b400970ca873944ac59d8

Download Submit
C:\Program Files (x86)\Snipeomatic Toolbar\autofill_plugin.dll

Filesize
148KB

MD5
b7713a243e845d4a94e660609cb38184

SHA1
ed0fe02af87bf34fc42772a64810dfcf358be1c8

SHA256
64a5d90a5acdba9cda5ffe1ea4065b120b7a137300efcf12a0b2a9a3e6861ee8

SHA512
fc984fce63387c164273e8be57eb8005e92b9246e061bd298e9297fb16559851ef1abac180f7e11c3d7ccdefd2b1a67ded39aaaedd689b87731b8cc7cc8c6ab6

Download Submit
C:\Program Files (x86)\Snipeomatic Toolbar\basis.xml

Filesize
9KB

MD5
e5afc0d6c61d50b92f85ea549d251737

SHA1
0fec11351de4028b312e23f2fc974624127e2fde

SHA256
2d1354e210573d2e4ae30899606978ce946c970ae8a99026565aa98d9366c23b

SHA512
01da484816937a0a1e686934506c76c3afbf72bda2c9817db6c2c92668eb6212e37d46da034a5f74539a6cda919e7bae08852005773a34106324ec204822c1de

Download Submit
C:\Program Files (x86)\Snipeomatic Toolbar\version.txt

Filesize
53B

MD5
69baf51b16b1bc0e7de892d0698ec59a

SHA1
0910a119c9e6f773e021d1b51142e8b6d65e48f1

SHA256
eeaeeb1bdfeca6493d71b29f8f4449a24998f1c7f8e520c4008e8bb75c85c94f

SHA512
d093c4e860827ee5d3e44a917fbafbc1b72f3afd6e56dfb4df38fcf89c80673c79399bed785df63960dced50bb41f813d65aba4d75984fec9b0ca6050dd76c3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2461aebf2179034606d0bbb976d2900c

SHA1
1a928faaceb4c92a5a1c4d5078d2b26af658df0d

SHA256
a902dd1535e57239e75e0887ac382b41a840eaae62dacd7d1f8deaba48d44434

SHA512
9daaa9c2853caf0ad1c16d4da80ee89fb5adf9b08df0c1f1c69b126ecfeccaadc97ede0f4ac3ba84912d8c2eaee7b889f5244fd3358829603f0d195f02dc4a1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2042a6d4624d44df70599a933ff03faa

SHA1
284e01f44db90e8ad978b8da758148b340c006a1

SHA256
fe652fbcc07ab850ff7966b3a6a71792a951d6e8920ef7836f6661b1677b5f08

SHA512
4c8befbed1235f849a48bbc4971d2834fca2ab2b9ce4697a18e2ba0b6bca8e4adffb5c414d63a20005e7a672da55bfbf6d1835a651f6b9146fcab84542a52356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7a1f900f706523be14130d34311bb01

SHA1
b32e8c4c00d2086817551e847f3dc20ca34bdd1c

SHA256
0342a43238a543210d5f8a380bdbae2c20cef9525b277d9df287a631ddfc7109

SHA512
a8096bb8a095f183450134048e49bb6491f751be0a8279664db08ecc52bf3f813af2d75b1833549c27fa6334868592c6930f691b56ca92b264a91fab961bad9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09b09d4a673f34a093072bbebde4868a

SHA1
4d388e443768062e2b0ad34f7a8f35bfeb3aff64

SHA256
3deb0d8cb730c3415121eb48eee20f6622cd99c96128893a7170f7bf35506bd1

SHA512
e33baecf2922bcc232202915072aa95d7b1342a02ba51dcf3a10b59eeab596abb8ed1d8d2199b56727b5bac7b4358f19aa5891f15e233d380cce6b1e45c7bb42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e81fdf59c594765f0729bf317e6e3238

SHA1
ed28ec1a85fb04ad2d1537fa8347b30e2ee6e02f

SHA256
bb49fc03182bc63e688016dc52462accf1b805deaadcb835f054e88634fb15af

SHA512
fd83f69a5a476560499f20cde791572e4410d0810e48b4152071490d47cd672a5ded176976857c9ffa52fac677851a3ba8b287a4c290d7fdec6fe056b2a0fbbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f09f54f2537c44a213d1cebbe590cca8

SHA1
bc5963058149af737de36b0be608812c6689b838

SHA256
fb957209e9b50ed06823b57e6dcfefb762cb0c6d3869ece9e095b2d3af616fd0

SHA512
b8fc22a652d1cf79f29aedeb7e3ac0af2029ba9e32f0d1f23885f4aaf8b1d8e82468fd2cebf8cba5d6d1303dfc752f99341b642386d286d074053da7abcde5b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a963db1b8581dcfc7c02b8da77ae9c0d

SHA1
704578b212c28994ffb2806e252adc325784a973

SHA256
08eea84eea61d64317fc394ad35d720c0d870592e617fa4fefa11d26f05cfc62

SHA512
f82f4f4dab650ca1f27f960488bbd500ea6a79ffcd53b319fd22df4c3c76db4bab84778f4687ea32fc9688ea437af36d9f688183fbef9f5087747640ad46c9ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43a1dc44ae971aa545fbd3442f601eb6

SHA1
ba2ebccd1b6f126db6bd64c0b6e8d7d45831590b

SHA256
1e33eaa1a9815e1e084917110eda04a132c02185aab4968fa2766889ec955b47

SHA512
a479698f2940dddf1e78faeed16d094dcf52e3d6c31c50bebb9a4ddbbfa7785e26f05f579ffae49f8f8f8cd66c8fb7c9b9981b4a58c40bb63e9699af7dc8cae8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29882d018a24b5fa08ee1c1a7ca6bd14

SHA1
9b083287fe5ef8430c7eacdd16b3411a9e492b39

SHA256
da40f53634a929dff3d1ac7096b18c5b2fa6f5f53ec6dc9b078d94badca72dca

SHA512
81d095d849ba666d9e8d5d4bfb72592dfea844a13721dff069f185654467e8cded0663f3085bd9b1c152356bb429f483bab1031428583fc83da9cfb477a2f039

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ea495881324e2db5950597955e9cf71

SHA1
fd29477bc0412568ba782d9766c010151b87b1f7

SHA256
199c251662fea4f112cb9184d6a4d7b7bb7a7de4e71789eb70dcf480956076de

SHA512
7ea2e96ca8b6ca5731f9525657fd7b48dbee4af5de6a6aeb3b787347cbed46a80d67edf00675dfa5dd15431cbffaad08fec6ba5ae40291ced6730de8e971f1ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e3a334b55e4141dced7629782379822

SHA1
acde48283b275ea57afe7264ac04ad84c01a4051

SHA256
1cb80c2c0b1dbffeb39d599f832acb98fa780917612b2ed9ac3668aaee5d99cd

SHA512
2682ea273a8ef53db3017e8d1e5580f7cdb4ff7679caac1fb726ec1e022003bf3132a34a876d9b3978a6e381fabcd0b91b9079143a0850a56d15dc80b8d6deed

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC8BD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC91E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF890103EEBB95488E.TMP

Filesize
16KB

MD5
eadfbe4aef97806a4e71530a1158d143

SHA1
6e9667e8553d18ffc3a4766a7911d9a3d6de3694

SHA256
08540db368fb1a609ef7b5fa8795b0e364485fde0270e8570c747b744a421839

SHA512
533281281788a6cdfd8743988996aeee742a035a9e51240b6f8b190fd4f5ac6cdb264b1ffd656e5b8a08fe8eda99b35849decf8a59c2b83920707b58391b2803

Download Submit
\Program Files (x86)\Snipeomatic Toolbar\msvcp60.dll

Filesize
392KB

MD5
cb21d826d9c39aed19dd431c1880f5de

SHA1
6eafcc2fdfdf73abea334ac7afb903829f6ff2a6

SHA256
f1fd0f1a54f196b19a6f21044092c89c02353dad173c236d80f6474cb8a7ea7f

SHA512
d4223a0ad6118b1dae8505ad4675f6e87e4fa9ebca6fdbe2ee3f0ea868ced15f07fb5ae2d9a41d8992a9d41a9bbe4b16f7ac6eeb1c99324ed8fa3a8fc47af150

Download Submit
\Program Files (x86)\Snipeomatic Toolbar\msvcrt.dll

Filesize
284KB

MD5
e054edafdb3997d84201275a743488ad

SHA1
2df120342d1befe0329d4941a60a3205fee5e597

SHA256
11b2e109ba8012d8ddcee1dd8b6ca060aedccbb60663f964d34d4ae50449d105

SHA512
f58549d4900e996637880685b4d6e69318ee7d1ff229a1e3931c226ffcf9f6d2375713ad5587a58dccf36257b13901231f523116ce54b4587d254a579301e713

Download Submit
\Program Files (x86)\Snipeomatic Toolbar\snipetoolfull.dll

Filesize
532KB

MD5
168160f56873fbd542d0f3870609fbe5

SHA1
c2f142a14b8f1c512f452e9ffc82a756985e2c01

SHA256
ff8c2c025efe03bec848bf614e752f44fbcc2ef6e3253ef4e45fa86da015bb89

SHA512
58edab6c072bc946fd807be66d22535352ffda54858659a350c4b03b0614cfd7776cd2b21c87b977a6a2df3ce1d2a89d191c649a8772b32550ca94e18c92f33c

Download Submit
memory/2044-29-0x0000000000830000-0x0000000000855000-memory.dmp

Filesize
148KB

Download