Overview

overview

10

Static

static

3

JaffaCakes...a0.exe

windows7-x64

10

JaffaCakes...a0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2025 04:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_6a578b50b62fa21da49e9368b1de3fa0.exe

  • Size

    657KB

  • MD5

    6a578b50b62fa21da49e9368b1de3fa0

  • SHA1

    dbbf4a09afb8fd6effe5791b4fd1774f31135768

  • SHA256

    f2acdba3b1e8794ceb3923de7ca8d192f68894e49b37f84fa6723aeb97366d88

  • SHA512

    7cd8a9ef4f346be5d7564863299c43ba1e5abf74ac0547c8e94b98d7ea2ee9996e32c62db3acd1e3d800599089484ea2b65efa547d4c31b0fb26eb0ef8aba803

  • SSDEEP

    12288:d4huhKnDCVjOBi4LGqk2YugOpgxA2jkswofn1aKHjl:dguoDoOInL2Vgogh/ww1

Score
10/10
isrstealercollectiondiscoverypersistencestealertrojanupx

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 9 IoCs
  • Isrstealer family
    isrstealer
  • Detected Nirsoft tools 1 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • Accesses Microsoft Outlook accounts 1 TTPs 26 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 64 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a578b50b62fa21da49e9368b1de3fa0.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a578b50b62fa21da49e9368b1de3fa0.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4528
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3728
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\X4NAJHRHQv.ini"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3068
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\ksMEoySygC.ini"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:4168
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:704
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        /scomma "C:\Users\Admin\AppData\Local\Temp\gGw8Z8zEhj.ini"
        3⤵
          PID:4492
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\Dbl8jK2N64.ini"
          3⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:4108
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3208
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\XgfvBITm3e.ini"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3196
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\oWlu9oIK15.ini"
          3⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:4316
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3820
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\NBCMtAsaet.ini"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2480
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\qSyH37O4nl.ini"
          3⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:1868
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1940
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\U6fAh1ajRj.ini"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2916
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\8CrDKu9Nyr.ini"
          3⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:2144
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1820
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\V1tXaKfTDP.ini"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2284
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\mNx3RhQiZA.ini"
          3⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:2364
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1936
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\3GYQI4mz3l.ini"
          3⤵
            PID:1412
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            /scomma "C:\Users\Admin\AppData\Local\Temp\xNUxFmeXdU.ini"
            3⤵
            • Accesses Microsoft Outlook accounts
            • System Location Discovery: System Language Discovery
            PID:3164
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          PID:1104
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            /scomma "C:\Users\Admin\AppData\Local\Temp\CR8JnDTWYu.ini"
            3⤵
            • System Location Discovery: System Language Discovery
            PID:404
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            /scomma "C:\Users\Admin\AppData\Local\Temp\jnxJxPWfxF.ini"
            3⤵
            • Accesses Microsoft Outlook accounts
            • System Location Discovery: System Language Discovery
            PID:2688
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4356
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            /scomma "C:\Users\Admin\AppData\Local\Temp\kBoec7fL0v.ini"
            3⤵
              PID:4232
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\iT4c9Qb13d.ini"
              3⤵
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:4708
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4048
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\m611WPk5mc.ini"
              3⤵
              • System Location Discovery: System Language Discovery
              PID:2684
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\3y45FeR2Wh.ini"
              3⤵
              • Accesses Microsoft Outlook accounts
              PID:1708
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            PID:1356
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\dXko8aFc8X.ini"
              3⤵
              • System Location Discovery: System Language Discovery
              PID:4300
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\X8ioBRATKv.ini"
              3⤵
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:2508
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:760
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\T1HFqSdQim.ini"
              3⤵
              • System Location Discovery: System Language Discovery
              PID:3756
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\34PDT6gQzR.ini"
              3⤵
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:4044
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2052
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              /scomma "C:\Users\Admin\AppData\Local\Temp\ptoE9jBdcX.ini"
              3⤵
                PID:2720
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\clAK0rH06S.ini"
                3⤵
                • Accesses Microsoft Outlook accounts
                • System Location Discovery: System Language Discovery
                PID:3824
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2300
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\xAxoFpd3yf.ini"
                3⤵
                • System Location Discovery: System Language Discovery
                PID:948
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\tC7i6qaLJ3.ini"
                3⤵
                • Accesses Microsoft Outlook accounts
                PID:4952
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              PID:2064
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\tekhrFeGa3.ini"
                3⤵
                • System Location Discovery: System Language Discovery
                PID:5024
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\XF036rZOAX.ini"
                3⤵
                • Accesses Microsoft Outlook accounts
                • System Location Discovery: System Language Discovery
                PID:1080
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:5056
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\XpqXy2ubCM.ini"
                3⤵
                • System Location Discovery: System Language Discovery
                PID:4916
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\rYKKVsl2Up.ini"
                3⤵
                • Accesses Microsoft Outlook accounts
                PID:1480
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              PID:348
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\aZ0vBHXcXE.ini"
                3⤵
                • System Location Discovery: System Language Discovery
                PID:404
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\Q6wkUB4OgT.ini"
                3⤵
                • Accesses Microsoft Outlook accounts
                • System Location Discovery: System Language Discovery
                PID:5048
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4312
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\dQQfzth65a.ini"
                3⤵
                • System Location Discovery: System Language Discovery
                PID:1120
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\fDyWXtKUl6.ini"
                3⤵
                • Accesses Microsoft Outlook accounts
                • System Location Discovery: System Language Discovery
                PID:4964
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious use of SetWindowsHookEx
              PID:1144
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                /scomma "C:\Users\Admin\AppData\Local\Temp\xQSaCGbPAK.ini"
                3⤵
                  PID:4068
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\zlpTDOLwuB.ini"
                  3⤵
                  • Accesses Microsoft Outlook accounts
                  • System Location Discovery: System Language Discovery
                  PID:1048
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                2⤵
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4704
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\pqBOoQ5xWF.ini"
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:860
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\dYB8xuVBvs.ini"
                  3⤵
                  • Accesses Microsoft Outlook accounts
                  • System Location Discovery: System Language Discovery
                  PID:2508
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                2⤵
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3916
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\fLioWIUl6U.ini"
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:4328
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\bI44GcWnEZ.ini"
                  3⤵
                  • Accesses Microsoft Outlook accounts
                  • System Location Discovery: System Language Discovery
                  PID:2916
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                2⤵
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3032
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\Xgey1m33F5.ini"
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:3768
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\LTRMGxOXs2.ini"
                  3⤵
                  • Accesses Microsoft Outlook accounts
                  PID:2380
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                2⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1980
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\NBBPjdSrpK.ini"
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:3824
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\A9rdoEobmz.ini"
                  3⤵
                  • Accesses Microsoft Outlook accounts
                  • System Location Discovery: System Language Discovery
                  PID:2600
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                2⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1424
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\ThFOGazB6p.ini"
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:3676
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\Pebe0u1DDu.ini"
                  3⤵
                  • Accesses Microsoft Outlook accounts
                  • System Location Discovery: System Language Discovery
                  PID:2944
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                2⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:396
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\CXizUvxGof.ini"
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:1984
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\9o1mVoA8I2.ini"
                  3⤵
                  • Accesses Microsoft Outlook accounts
                  • System Location Discovery: System Language Discovery
                  PID:3160
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                2⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3012
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\DTvMOE20aL.ini"
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:700
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\Pw2dJEIe9L.ini"
                  3⤵
                  • Accesses Microsoft Outlook accounts
                  PID:4796
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
                2⤵
                • Suspicious use of SetWindowsHookEx
                PID:836
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                  /scomma "C:\Users\Admin\AppData\Local\Temp\KOOAB5kAOB.ini"
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:3912

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\X4NAJHRHQv.ini
              Filesize

              5B

              MD5

              d1ea279fb5559c020a1b4137dc4de237

              SHA1

              db6f8988af46b56216a6f0daf95ab8c9bdb57400

              SHA256

              fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

              SHA512

              720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

              Download Submit

            • memory/704-68-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/704-41-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/3068-12-0x0000000000400000-0x0000000000453000-memory.dmp

              Filesize

              332KB

              Download

            • memory/3068-18-0x0000000000400000-0x0000000000453000-memory.dmp

              Filesize

              332KB

              Download

            • memory/3068-15-0x0000000000400000-0x0000000000453000-memory.dmp

              Filesize

              332KB

              Download

            • memory/3068-14-0x0000000000400000-0x0000000000453000-memory.dmp

              Filesize

              332KB

              Download

            • memory/3196-62-0x0000000000400000-0x0000000000453000-memory.dmp

              Filesize

              332KB

              Download

            • memory/3196-63-0x0000000000400000-0x0000000000453000-memory.dmp

              Filesize

              332KB

              Download

            • memory/3728-56-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/3728-7-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/3728-54-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/3728-5-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/3728-20-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

              Download

            • memory/4168-47-0x0000000000400000-0x000000000041F000-memory.dmp

              Filesize

              124KB

              Download

            • memory/4168-46-0x0000000000400000-0x000000000041F000-memory.dmp

              Filesize

              124KB

              Download

            • memory/4168-45-0x0000000000400000-0x000000000041F000-memory.dmp

              Filesize

              124KB

              Download

            • memory/4492-39-0x0000000000400000-0x0000000000453000-memory.dmp

              Filesize

              332KB

              Download

            • memory/4528-21-0x0000000006DD0000-0x0000000006E27000-memory.dmp

              Filesize

              348KB

              Download

            • memory/4528-67-0x0000000006F20000-0x0000000007020000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4528-0-0x0000000075232000-0x0000000075233000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4528-33-0x0000000006F20000-0x0000000007020000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4528-26-0x0000000006F20000-0x0000000007020000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4528-40-0x0000000006F20000-0x0000000007020000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4528-29-0x0000000006F20000-0x0000000007020000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4528-42-0x0000000075230000-0x00000000757E1000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/4528-43-0x0000000075232000-0x0000000075233000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4528-27-0x0000000006F20000-0x0000000007020000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4528-1-0x0000000075230000-0x00000000757E1000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/4528-36-0x0000000006F20000-0x0000000007020000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4528-53-0x0000000075230000-0x00000000757E1000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/4528-52-0x0000000075230000-0x00000000757E1000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/4528-37-0x0000000006F20000-0x0000000007020000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4528-17-0x0000000075230000-0x00000000757E1000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/4528-55-0x0000000006F20000-0x0000000007020000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4528-11-0x0000000075230000-0x00000000757E1000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/4528-8-0x0000000075230000-0x00000000757E1000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/4528-2-0x0000000075230000-0x00000000757E1000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/4528-65-0x0000000006F20000-0x0000000007020000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4528-19-0x0000000075230000-0x00000000757E1000-memory.dmp

              Filesize

              5.7MB

              Download

            • memory/4528-66-0x0000000006F20000-0x0000000007020000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4528-25-0x0000000006F20000-0x0000000007020000-memory.dmp

              Filesize

              1024KB

              Download