Overview

overview

10

Static

static

3

JaffaCakes...a0.exe

windows7-x64

10

JaffaCakes...a0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    03-01-2025 04:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_6a578b50b62fa21da49e9368b1de3fa0.exe

  • Size

    657KB

  • MD5

    6a578b50b62fa21da49e9368b1de3fa0

  • SHA1

    dbbf4a09afb8fd6effe5791b4fd1774f31135768

  • SHA256

    f2acdba3b1e8794ceb3923de7ca8d192f68894e49b37f84fa6723aeb97366d88

  • SHA512

    7cd8a9ef4f346be5d7564863299c43ba1e5abf74ac0547c8e94b98d7ea2ee9996e32c62db3acd1e3d800599089484ea2b65efa547d4c31b0fb26eb0ef8aba803

  • SSDEEP

    12288:d4huhKnDCVjOBi4LGqk2YugOpgxA2jkswofn1aKHjl:dguoDoOInL2Vgogh/ww1

Score
10/10
isrstealercollectiondiscoverypersistencestealertrojanupx

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 8 IoCs
  • Isrstealer family
    isrstealer
  • Detected Nirsoft tools 2 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • Accesses Microsoft Outlook accounts 1 TTPs 26 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 64 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a578b50b62fa21da49e9368b1de3fa0.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a578b50b62fa21da49e9368b1de3fa0.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\TTaE4C50Br.ini"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2528
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\VH1al3LuAy.ini"
        3⤵
        • Accesses Microsoft Outlook accounts
        • System Location Discovery: System Language Discovery
        PID:2868
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\8Y8HnKj49V.ini"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2532
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\Rbd1fk6Aqa.ini"
        3⤵
        • Accesses Microsoft Outlook accounts
        • System Location Discovery: System Language Discovery
        PID:1864
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:296
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\V8JyCq58MZ.ini"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1040
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\1NlGyYNC4w.ini"
        3⤵
        • Accesses Microsoft Outlook accounts
        • System Location Discovery: System Language Discovery
        PID:2336
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1904
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\IjgR4Qk1DS.ini"
        3⤵
          PID:1848
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\RoPWdGCwG2.ini"
          3⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:2152
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2396
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\24zZTl46oE.ini"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1708
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\M1uaiEgKeK.ini"
          3⤵
          • Accesses Microsoft Outlook accounts
          PID:600
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1448
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\vX9LLYWHi9.ini"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1712
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\TEacQffPDC.ini"
          3⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:2452
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2232
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\MeWB2uAHt2.ini"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:284
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\jUkF8pOcO9.ini"
          3⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:3060
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2568
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\JkNDCcPMAg.ini"
          3⤵
            PID:2524
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            /scomma "C:\Users\Admin\AppData\Local\Temp\tqFFnvruQP.ini"
            3⤵
            • Accesses Microsoft Outlook accounts
            • System Location Discovery: System Language Discovery
            PID:2832
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:264
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            /scomma "C:\Users\Admin\AppData\Local\Temp\oZwKQGWpKY.ini"
            3⤵
              PID:1396
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\GQRqPkNZqo.ini"
              3⤵
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:2052
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1940
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\XXcX0vMpoh.ini"
              3⤵
              • System Location Discovery: System Language Discovery
              PID:3024
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\ailE4IApBa.ini"
              3⤵
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:1452
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1956
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\DBZ1YEakJQ.ini"
              3⤵
              • System Location Discovery: System Language Discovery
              PID:2132
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\L0Dyf3Brt2.ini"
              3⤵
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:1724
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            PID:1120
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\3UDNZyw0bM.ini"
              3⤵
                PID:1676
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\naaQZZ42sV.ini"
                3⤵
                • Accesses Microsoft Outlook accounts
                • System Location Discovery: System Language Discovery
                PID:2064
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2444
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\2mfzn2ZYYj.ini"
                3⤵
                • System Location Discovery: System Language Discovery
                PID:2340
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\1Oop8atuIC.ini"
                3⤵
                • Accesses Microsoft Outlook accounts
                • System Location Discovery: System Language Discovery
                PID:2980
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2892
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\0RzETnoH0R.ini"
                3⤵
                  PID:872
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\zblF71PrrA.ini"
                  3⤵
                  • Accesses Microsoft Outlook accounts
                  PID:2984
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                2⤵
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2384
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\tl19h8nLo3.ini"
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:1840
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\HqfeVxETdw.ini"
                  3⤵
                  • Accesses Microsoft Outlook accounts
                  • System Location Discovery: System Language Discovery
                  PID:2860
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                2⤵
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2592
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\BXlfsU3Z4P.ini"
                  3⤵
                    PID:2952
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                    /scomma "C:\Users\Admin\AppData\Local\Temp\xvArlVbLAv.ini"
                    3⤵
                    • Accesses Microsoft Outlook accounts
                    • System Location Discovery: System Language Discovery
                    PID:2824
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                  2⤵
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:1868
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                    /scomma "C:\Users\Admin\AppData\Local\Temp\Qghkz2mJFi.ini"
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:2740
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                    /scomma "C:\Users\Admin\AppData\Local\Temp\TLrvAYebEF.ini"
                    3⤵
                    • Accesses Microsoft Outlook accounts
                    • System Location Discovery: System Language Discovery
                    PID:2216
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                  2⤵
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:2504
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                    /scomma "C:\Users\Admin\AppData\Local\Temp\alivrFhytr.ini"
                    3⤵
                      PID:1452
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                      /scomma "C:\Users\Admin\AppData\Local\Temp\s2BorNYkBJ.ini"
                      3⤵
                      • Accesses Microsoft Outlook accounts
                      • System Location Discovery: System Language Discovery
                      PID:1764
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                    2⤵
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:1600
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                      /scomma "C:\Users\Admin\AppData\Local\Temp\lGEMYBrULV.ini"
                      3⤵
                        PID:1292
                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                        /scomma "C:\Users\Admin\AppData\Local\Temp\JQvwTUNs3t.ini"
                        3⤵
                        • Accesses Microsoft Outlook accounts
                        PID:1276
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                      2⤵
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:1540
                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                        /scomma "C:\Users\Admin\AppData\Local\Temp\Mj2JVoQSWl.ini"
                        3⤵
                          PID:2372
                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                          /scomma "C:\Users\Admin\AppData\Local\Temp\8DpK0rJvLk.ini"
                          3⤵
                          • Accesses Microsoft Outlook accounts
                          • System Location Discovery: System Language Discovery
                          PID:1516
                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                        2⤵
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:532
                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                          /scomma "C:\Users\Admin\AppData\Local\Temp\tVa49HvIr7.ini"
                          3⤵
                          • System Location Discovery: System Language Discovery
                          PID:2580
                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                          /scomma "C:\Users\Admin\AppData\Local\Temp\dpb7GEmcrJ.ini"
                          3⤵
                          • Accesses Microsoft Outlook accounts
                          • System Location Discovery: System Language Discovery
                          PID:1828
                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                        2⤵
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:1844
                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                          /scomma "C:\Users\Admin\AppData\Local\Temp\2N3JMgZo4I.ini"
                          3⤵
                          • System Location Discovery: System Language Discovery
                          PID:2560
                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                          /scomma "C:\Users\Admin\AppData\Local\Temp\mxVbBHAvc7.ini"
                          3⤵
                          • Accesses Microsoft Outlook accounts
                          • System Location Discovery: System Language Discovery
                          PID:1556
                      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                        2⤵
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:2124
                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                          /scomma "C:\Users\Admin\AppData\Local\Temp\qeAAGeaw7p.ini"
                          3⤵
                            PID:2312
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                            /scomma "C:\Users\Admin\AppData\Local\Temp\eE09WOPTBo.ini"
                            3⤵
                            • Accesses Microsoft Outlook accounts
                            PID:1640
                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                          2⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:572
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                            /scomma "C:\Users\Admin\AppData\Local\Temp\raNXAxfgtV.ini"
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:2824
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                            /scomma "C:\Users\Admin\AppData\Local\Temp\Fq57uMB9Ai.ini"
                            3⤵
                            • Accesses Microsoft Outlook accounts
                            • System Location Discovery: System Language Discovery
                            PID:2412
                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                          2⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:1300
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                            /scomma "C:\Users\Admin\AppData\Local\Temp\8vreBqHAWH.ini"
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:1992
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                            /scomma "C:\Users\Admin\AppData\Local\Temp\VDRcjn6ghn.ini"
                            3⤵
                            • Accesses Microsoft Outlook accounts
                            • System Location Discovery: System Language Discovery
                            PID:2624
                        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                          2⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:2064
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                            /scomma "C:\Users\Admin\AppData\Local\Temp\DZKyz0vhWf.ini"
                            3⤵
                              PID:692
                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                              /scomma "C:\Users\Admin\AppData\Local\Temp\UVsP2su6q5.ini"
                              3⤵
                              • Accesses Microsoft Outlook accounts
                              • System Location Discovery: System Language Discovery
                              PID:2856
                          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                            2⤵
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of SetWindowsHookEx
                            PID:2180
                            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                              /scomma "C:\Users\Admin\AppData\Local\Temp\uSfx1uDp7p.ini"
                              3⤵
                                PID:2036

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\TTaE4C50Br.ini
                            Filesize

                            5B

                            MD5

                            d1ea279fb5559c020a1b4137dc4de237

                            SHA1

                            db6f8988af46b56216a6f0daf95ab8c9bdb57400

                            SHA256

                            fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

                            SHA512

                            720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

                            Download Submit

                          • memory/1040-75-0x0000000000400000-0x0000000000453000-memory.dmp

                            Filesize

                            332KB

                            Download

                          • memory/1040-74-0x0000000000400000-0x0000000000453000-memory.dmp

                            Filesize

                            332KB

                            Download

                          • memory/1040-73-0x0000000000400000-0x0000000000453000-memory.dmp

                            Filesize

                            332KB

                            Download

                          • memory/1848-108-0x0000000000400000-0x0000000000453000-memory.dmp

                            Filesize

                            332KB

                            Download

                          • memory/1864-87-0x0000000000400000-0x000000000041F000-memory.dmp

                            Filesize

                            124KB

                            Download

                          • memory/1864-86-0x0000000000400000-0x000000000041F000-memory.dmp

                            Filesize

                            124KB

                            Download

                          • memory/1864-88-0x0000000000400000-0x000000000041F000-memory.dmp

                            Filesize

                            124KB

                            Download

                          • memory/2528-25-0x0000000000400000-0x0000000000453000-memory.dmp

                            Filesize

                            332KB

                            Download

                          • memory/2528-27-0x0000000000400000-0x0000000000453000-memory.dmp

                            Filesize

                            332KB

                            Download

                          • memory/2528-22-0x0000000000400000-0x0000000000453000-memory.dmp

                            Filesize

                            332KB

                            Download

                          • memory/2528-24-0x0000000000400000-0x0000000000453000-memory.dmp

                            Filesize

                            332KB

                            Download

                          • memory/2528-60-0x0000000000400000-0x0000000000453000-memory.dmp

                            Filesize

                            332KB

                            Download

                          • memory/2528-20-0x0000000000400000-0x0000000000453000-memory.dmp

                            Filesize

                            332KB

                            Download

                          • memory/2712-52-0x0000000004E90000-0x0000000004F90000-memory.dmp

                            Filesize

                            1024KB

                            Download

                          • memory/2712-84-0x0000000074310000-0x00000000748BB000-memory.dmp

                            Filesize

                            5.7MB

                            Download

                          • memory/2712-39-0x0000000004E90000-0x0000000004F90000-memory.dmp

                            Filesize

                            1024KB

                            Download

                          • memory/2712-41-0x0000000004E90000-0x0000000004F90000-memory.dmp

                            Filesize

                            1024KB

                            Download

                          • memory/2712-47-0x0000000004E90000-0x0000000004F90000-memory.dmp

                            Filesize

                            1024KB

                            Download

                          • memory/2712-44-0x0000000004E90000-0x0000000004F90000-memory.dmp

                            Filesize

                            1024KB

                            Download

                          • memory/2712-0-0x0000000074311000-0x0000000074312000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2712-55-0x0000000004E90000-0x0000000004F90000-memory.dmp

                            Filesize

                            1024KB

                            Download

                          • memory/2712-54-0x0000000004E90000-0x0000000004F90000-memory.dmp

                            Filesize

                            1024KB

                            Download

                          • memory/2712-53-0x0000000004E90000-0x0000000004F90000-memory.dmp

                            Filesize

                            1024KB

                            Download

                          • memory/2712-92-0x0000000004E90000-0x0000000004F90000-memory.dmp

                            Filesize

                            1024KB

                            Download

                          • memory/2712-51-0x0000000004E90000-0x0000000004F90000-memory.dmp

                            Filesize

                            1024KB

                            Download

                          • memory/2712-50-0x0000000004E90000-0x0000000004F90000-memory.dmp

                            Filesize

                            1024KB

                            Download

                          • memory/2712-49-0x0000000004E90000-0x0000000004F90000-memory.dmp

                            Filesize

                            1024KB

                            Download

                          • memory/2712-58-0x0000000074310000-0x00000000748BB000-memory.dmp

                            Filesize

                            5.7MB

                            Download

                          • memory/2712-91-0x0000000004E90000-0x0000000004F90000-memory.dmp

                            Filesize

                            1024KB

                            Download

                          • memory/2712-89-0x0000000074310000-0x00000000748BB000-memory.dmp

                            Filesize

                            5.7MB

                            Download

                          • memory/2712-1-0x0000000074310000-0x00000000748BB000-memory.dmp

                            Filesize

                            5.7MB

                            Download

                          • memory/2712-2-0x0000000074310000-0x00000000748BB000-memory.dmp

                            Filesize

                            5.7MB

                            Download

                          • memory/2712-16-0x0000000074310000-0x00000000748BB000-memory.dmp

                            Filesize

                            5.7MB

                            Download

                          • memory/2712-78-0x0000000074310000-0x00000000748BB000-memory.dmp

                            Filesize

                            5.7MB

                            Download

                          • memory/2712-14-0x0000000074310000-0x00000000748BB000-memory.dmp

                            Filesize

                            5.7MB

                            Download

                          • memory/2756-13-0x0000000000400000-0x0000000000442000-memory.dmp

                            Filesize

                            264KB

                            Download

                          • memory/2756-90-0x0000000000400000-0x0000000000442000-memory.dmp

                            Filesize

                            264KB

                            Download

                          • memory/2756-26-0x0000000000400000-0x0000000000442000-memory.dmp

                            Filesize

                            264KB

                            Download

                          • memory/2756-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2756-5-0x0000000000400000-0x0000000000442000-memory.dmp

                            Filesize

                            264KB

                            Download

                          • memory/2756-93-0x0000000000400000-0x0000000000442000-memory.dmp

                            Filesize

                            264KB

                            Download

                          • memory/2756-7-0x0000000000400000-0x0000000000442000-memory.dmp

                            Filesize

                            264KB

                            Download

                          • memory/2756-9-0x0000000000400000-0x0000000000442000-memory.dmp

                            Filesize

                            264KB

                            Download

                          • memory/2788-56-0x0000000000400000-0x0000000000442000-memory.dmp

                            Filesize

                            264KB

                            Download

                          • memory/2788-94-0x0000000000400000-0x0000000000442000-memory.dmp

                            Filesize

                            264KB

                            Download

                          • memory/2868-80-0x0000000000400000-0x000000000041F000-memory.dmp

                            Filesize

                            124KB

                            Download

                          • memory/2868-81-0x0000000000400000-0x000000000041F000-memory.dmp

                            Filesize

                            124KB

                            Download

                          • memory/2868-82-0x0000000000400000-0x000000000041F000-memory.dmp

                            Filesize

                            124KB

                            Download

                          • memory/2868-83-0x0000000000400000-0x000000000041F000-memory.dmp

                            Filesize

                            124KB

                            Download