96ad579f81fdf940299949663f52538fefc2bec2853acb1a60187ab01d498675

Analysis

max time kernel
147s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8a97890a209a611782bc523cd041daad.exe
Size

1.2MB
MD5

8a97890a209a611782bc523cd041daad
SHA1

0ad57150a7b863ab117510524ebbf78ac4ea2b4d
SHA256

96ad579f81fdf940299949663f52538fefc2bec2853acb1a60187ab01d498675
SHA512

7fd5b86d466f7d7ec015178ae9cc284e1b73c83910ec6c5fb538581d0892441b5707c8680f5c7adef9f14aa2d0fbf899b92cf9c952875c52fd1f08178d978346
SSDEEP

24576:8PatCg7EPqmZNBGdAzft4SvQaOjEobyo6INOAvTSCuJ6SWhAT:vtV7EPqmdGd8ft4SvSPntIg8J6Dhi

Score

7^/10

adware defense_evasion discovery stealer trojan upx

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2844	CMSetup.exe
2704	OfferBoxSetup.exe
1264	AcPro.exe
1268	AcPro.tmp
1356	InstTracker.exe
2592	msindex.exe
2632	indexsvc.exe

Loads dropped DLL 22 IoCs

pid	Process
2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe
2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe
2704	OfferBoxSetup.exe
2704	OfferBoxSetup.exe
2704	OfferBoxSetup.exe
2704	OfferBoxSetup.exe
2704	OfferBoxSetup.exe
2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe
1264	AcPro.exe
1268	AcPro.tmp
1268	AcPro.tmp
1268	AcPro.tmp
2780	regsvr32.exe
1268	AcPro.tmp
2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe
2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe
2592	msindex.exe
2592	msindex.exe
2592	msindex.exe
2592	msindex.exe
2632	indexsvc.exe
2632	indexsvc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CMSetup.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\ = "SuggestMeYesBHO"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0FB6A909-6086-458F-BD92-1F8EE10042A0}	regsvr32.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2128-418-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe
behavioral1/memory/2128-419-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe
behavioral1/memory/2128-603-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2128-0-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral1/memory/2128-418-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral1/memory/2128-419-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral1/files/0x00330000000054a3-595.dat	upx
behavioral1/memory/2128-597-0x0000000000340000-0x000000000035F000-memory.dmp	upx
behavioral1/memory/2592-604-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2128-603-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral1/memory/2592-633-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2592-634-0x0000000000020000-0x000000000003F000-memory.dmp	upx

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AutocompletePro\is-LV1O6.tmp	AcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\is-JMCR6.tmp	AcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\[email protected]\is-F7RI8.tmp	AcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\[email protected]\chrome\content\is-1TQK7.tmp	AcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\[email protected]\chrome\content\is-BONM5.tmp	AcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\[email protected]\chrome\content\is-U543H.tmp	AcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\is-28G05.tmp	AcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\is-3NU27.tmp	AcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\unins000.dat	AcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\[email protected]\is-B20RA.tmp	AcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\[email protected]\chrome\content\is-GUTAB.tmp	AcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\[email protected]\defaults\preferences\is-MLL1J.tmp	AcPro.tmp
File created	C:\Program Files (x86)\AutocompletePro\is-LCGQQ.tmp	AcPro.tmp
File opened for modification	C:\Program Files (x86)\AutocompletePro\unins000.dat	AcPro.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcPro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcPro.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OfferBoxSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msindex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	indexsvc.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PhishingFilter	CMSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PhishingFilter\Enabled = "0"	CMSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownVerifyBalloon = "0"	CMSetup.exe

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b249592205fa0c45adf9dd903aa219c200000000020000000000106600000001000020000000dd01b89bcda97d452bc4e05ae7a2156fce70891ee2aa07e3700e5fc89c10d7a5000000000e80000000020000200000007b3d28ee9377dec8fb97a39795de91ac48e3271f533913a70ae9922d023ba62e3001000083acc4d873f2fd781fd956d3d56033934acca181aa54dd7c0f3a5bbba44554a19b138c4da0d9c124207314dae5b9a3f31654b3a8c24ac396b9fb7fb952abe8fdee2c4de24bae973869a42de1cda4979a68ecf01f7f59a0df4a24add03854b71cd125b7c0ede9b9a73b2900f3b6efae4f7c5a30a301de713766243bcb9d2c4fdf5d5d1f854a13408bd8cadbb8ee146440e45cb9b2e744047ab0ad9d6901848b4b80c26b1d647c3942699a50b61a6f0e1af03b51bfd9dfab04e5548bab737c2e185a363b8fffabcd9ba2f9b590817ad1cbe0e50ade4bdceecd9281c8b2f063554d364e62b95aa10338d0e7607748ce8e1572b764e0e9fa5fa8c6e68b038d6aba326e8b2a821e10f97c2fe7f36b30802bf465d250415d33c1f85e4df986b9b75e4e5fe3224d2d5ab72d8f8427afa1eab9e9400000006cb8267e1889b0aa1bb8a66317488ec9f97b6ed3dcaa06b1f7f07e7a03420fd715162ac304a631aa7d3cbdb93ae90603a9d025c578b099c6ca404101c663a799	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b249592205fa0c45adf9dd903aa219c200000000020000000000106600000001000020000000126df28a5ec2195034e6373d96e151d6c7a767155fcef08f6c6645c0d3422ec9000000000e8000000002000020000000e3197afefd685e6e2e7274ae0a8b859cef8b242bb48ce0671706ac6256d9034a20000000006e30edaac284dfa023e82c9ea134284bd534582d30be70a362ec7a11268db140000000c94145fc340e3883d74e394686ae449c7b40fd98a07716724c02c55e8e048ddc4545cb0588867fe5dbfeffb413bc0a64daed132105257302146d3686c25ade21	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InformationBar	CMSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b249592205fa0c45adf9dd903aa219c200000000020000000000106600000001000020000000a0faba169f7ca3efef17a50dca9ba27f12d92dc8aadc4ef8a45366d9e3dab359000000000e800000000200002000000054d75e7092b1bf40484853ead13d26bfff79fc1b941a2bf8e2e750929aee4f6e3001000063c3aaec987257f43843ccf6c3f608c5f5a5ee115cf7f25a5202194ff40357ec81774768a0ea36b8467d34a0130b98dbd3178e09a0f572509f2d71aa788a5534c3a099a292b6a26ae42f837c8ba5fda8a2192b2c1cef76df1a15dba1c85aad1aa68389c218a2d8749eb238cfcfaa0eeee660c620095b1e6784a031dd347b9f34656b727e7e1b81961d80ae190ddcb42ef1e966d106c529f6147e5d261052848b7d7030f131ecf5cccfba4d8dff6743d6bbcecd26f015004e2330d8943877f20b304db1a8a7bb4ca8d2cac7f5a260f42b9740584f4edb86f571669b41384b50482ca48f8359157abbc367fb9dbcad63cb0f94b8b6db4d51172f3b57abd4f1a26aa5a2ab5e49d8b688aa8564fb4037571ad05ce02ab6d7641ade14fc272886a573d9f2dbc1a9cf533596bc195e75f27f3e40000000e7e2b1994647813322ac0cd47ac8878ded2e87e4852a7a0b648ab2c1e735d288fd38af7f2f4b35189ac1caf38af91582bcd7c4467df58f507685f1f21e7443bf	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b249592205fa0c45adf9dd903aa219c20000000002000000000010660000000100002000000022815dd6ecb653054c6a425ea35902451ca1d2ac89c95875237b4e7afb5cd8ec000000000e80000000020000200000005fac5b7991296da0abcabc957fa460e6af4e708a864c4f3808e359ce29108f753001000052bde5d66376634774e8f269a53f85efd725a765b0c6cb716bb878f36f0cd06b4002dbfff52d1e6bceba80d2500fd88d8c23480bf5070ab93a474b297cadb5f5ab44bc25fb4ac7354df220172253870459ca6cf0d8c8f9fcdfcf2910e9ea3a9947b5239172591c0a542cb9bb76c5c63f2c1e690094957b45e07ea109fb543db75d418d9414a3bbac4e2d7bb0d3d0adf4045e8cb177cb4a4015eda3c3f61bb49fb4939b93a44fceb37f1a4094ea186ce909f6ec5dc1a63f6551434cc2f11b849d8faba058bc0f370c917428e4b17e4756afc6f3c6a6ef0c05a639edebca6091319b3ca995c1aae63c77be304095a20945086392e2452c7a00931e6ed77d9f644154096cb703b16efee0f314c5c5d50d9fb3d8410ba61104fe2f2b02ef91662af72531d808ec3d96cc0ba57249d26aad7e4000000077833accebcacfe3880e49ea392eae5314a7dbc4c07c3fed5acff0430e3476eaa663cd177b2d44ac2d9d90526c0891a42c29def4d492427b9f66306029e92942	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FB839101-0BBF-11F0-8318-F2DF7204BD4F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0df5ec7cc9fdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b249592205fa0c45adf9dd903aa219c2000000000200000000001066000000010000200000005b3068be93a4062e554f4d7881259e50fee045841e0a5e1eedbb041b051396ad000000000e8000000002000020000000846f2400e1723b3eb3af4694dc485c08c753f00076fdaef694a8e7b65d6cd7be30010000c12cc67d90b84a3c1708b0925e553dfb94450895d4def74a724b97bf0c495e0c88dc22b3c9b7b2bb057250199370e257ceac76043a403db8319b4b8a6b3a979cc7784b2d476a05e93ad7d14208077bbed4f81095183919c6177458a8ddedbf0684619d35d4ff2992ef1a5b3b86bce2d5e58687ea9f3b9d2fb004f7ea4a3f0563700363ad8032d07cb927944091658731c4f78cfc9f6d8230d4e9f24c1604c145576178fa30254d7d9ddc7b0939819f05147f1e5ac508bc3b91b68edb4ccbc4ba1ebea2c5f82db29b56dffd2286e2732b1c5cb743c550a67f251a0d3b5819960ca461155074f2a7d2f4f114a8446e06eebb02335741a8ef9541af8fb39f6cd966ee77370f4d3dd0cd4ec7abcbd328231f7bb283bdef320b43cd010e5d11969b6aa867ef314476c3d2f118596dac82a44c400000009a17d80a85bc982b55c915d4327dd977e3d66e8384bb1152aa083b75a467474d08b6d7aeae4aa7703b73e437eaeb58a328cc37518c382ff034c9683cec22046b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InformationBar\FirstTime = "0"	CMSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b249592205fa0c45adf9dd903aa219c200000000020000000000106600000001000020000000000791c40b72ce6f9f50bdb8dd67b10afaec60292f34b8c99d8b69c1268549c3000000000e800000000200002000000036f9f8606521fd49eb574595d70ed04f219d80f40d1a35195735c5d0f110a3e690000000f68950a865a0637740df75fbc8f28cf578db1ccc76617bddc91e595708c7847415e4690536a39be99ba764bba52830922bf58a21d8955f401582939612fc1ba608c68f79c33563471f2767539eba88c49aa211bdeccdee68a8b92b76ac718e66af30eef80412ef872b38fe7e9d34cc797bf0dbe56f3bf0b3aacdbc33a09000a04f2a8a8af331a7a23159b38e73d2ede440000000aa7b0c252f93cab102d3ecc53eddc037d38a007387ec9b4a6c2988d72a3e68fe7d78d1ed1f7a6e845a6f8498b402148d3ea259c21171620ec409768687c04584	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449319832"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies registry class 50 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\ = "ISuggestMeYesBHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{442F13BC-2031-42D5-9520-437F65271153}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO.1\ = "AC-Pro"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\TypeLib\ = "{01BCB858-2F62-4F06-A8F4-48F927C15333}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\AutocompletePro"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{442F13BC-2031-42D5-9520-437F65271153}\ = "AutocompletePro"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\ = "AC-Pro 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\0\win32\ = "C:\\Program Files (x86)\\AutocompletePro\\AutocompletePro.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\TypeLib\ = "{01BCB858-2F62-4F06-A8F4-48F927C15333}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\TypeLib\ = "{01BCB858-2F62-4F06-A8F4-48F927C15333}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AutocompletePro.DLL\AppID = "{442F13BC-2031-42D5-9520-437F65271153}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO\ = "AC-Pro Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\InprocServer32\ = "C:\\Program Files (x86)\\AutocompletePro\\AutocompletePro.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO.1\CLSID\ = "{0FB6A909-6086-458F-BD92-1F8EE10042A0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\ = "ISuggestMeYesBHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO\CLSID\ = "{0FB6A909-6086-458F-BD92-1F8EE10042A0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO\CurVer\ = "SuggestMeYes.SuggestMeYesBHO.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\ProgID\ = "SuggestMeYes.SuggestMeYesBHO.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\VersionIndependentProgID\ = "SuggestMeYes.SuggestMeYesBHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SuggestMeYes.SuggestMeYesBHO\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AutocompletePro.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\ = "AC-Pro"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FB6A909-6086-458F-BD92-1F8EE10042A0}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{01BCB858-2F62-4F06-A8F4-48F927C15333}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2704	OfferBoxSetup.exe
Token: SeBackupPrivilege	2704	OfferBoxSetup.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe
2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe
2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe
2828	iexplore.exe
1268	AcPro.tmp
2828	iexplore.exe
2828	iexplore.exe
2828	iexplore.exe
2828	iexplore.exe
2828	iexplore.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe
2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe
2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
2828	iexplore.exe
2828	iexplore.exe
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2828	iexplore.exe
2828	iexplore.exe
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2828	iexplore.exe
2828	iexplore.exe
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2828	iexplore.exe
2828	iexplore.exe
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2828	iexplore.exe
2828	iexplore.exe
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2828	iexplore.exe
2828	iexplore.exe
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2844	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	30
PID 2128 wrote to memory of 2844	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	30
PID 2128 wrote to memory of 2844	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	30
PID 2128 wrote to memory of 2844	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	30
PID 2128 wrote to memory of 2844	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	30
PID 2128 wrote to memory of 2844	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	30
PID 2128 wrote to memory of 2844	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	30
PID 2128 wrote to memory of 2704	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	31
PID 2128 wrote to memory of 2704	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	31
PID 2128 wrote to memory of 2704	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	31
PID 2128 wrote to memory of 2704	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	31
PID 2128 wrote to memory of 2704	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	31
PID 2128 wrote to memory of 2704	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	31
PID 2128 wrote to memory of 2704	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	31
PID 2828 wrote to memory of 2112	2828	iexplore.exe	33
PID 2828 wrote to memory of 2112	2828	iexplore.exe	33
PID 2828 wrote to memory of 2112	2828	iexplore.exe	33
PID 2828 wrote to memory of 2112	2828	iexplore.exe	33
PID 2128 wrote to memory of 1264	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	35
PID 2128 wrote to memory of 1264	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	35
PID 2128 wrote to memory of 1264	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	35
PID 2128 wrote to memory of 1264	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	35
PID 2128 wrote to memory of 1264	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	35
PID 2128 wrote to memory of 1264	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	35
PID 2128 wrote to memory of 1264	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	35
PID 1264 wrote to memory of 1268	1264	AcPro.exe	36
PID 1264 wrote to memory of 1268	1264	AcPro.exe	36
PID 1264 wrote to memory of 1268	1264	AcPro.exe	36
PID 1264 wrote to memory of 1268	1264	AcPro.exe	36
PID 1264 wrote to memory of 1268	1264	AcPro.exe	36
PID 1264 wrote to memory of 1268	1264	AcPro.exe	36
PID 1264 wrote to memory of 1268	1264	AcPro.exe	36
PID 1268 wrote to memory of 2780	1268	AcPro.tmp	37
PID 1268 wrote to memory of 2780	1268	AcPro.tmp	37
PID 1268 wrote to memory of 2780	1268	AcPro.tmp	37
PID 1268 wrote to memory of 2780	1268	AcPro.tmp	37
PID 1268 wrote to memory of 2780	1268	AcPro.tmp	37
PID 1268 wrote to memory of 2780	1268	AcPro.tmp	37
PID 1268 wrote to memory of 2780	1268	AcPro.tmp	37
PID 1268 wrote to memory of 1356	1268	AcPro.tmp	38
PID 1268 wrote to memory of 1356	1268	AcPro.tmp	38
PID 1268 wrote to memory of 1356	1268	AcPro.tmp	38
PID 1268 wrote to memory of 1356	1268	AcPro.tmp	38
PID 2128 wrote to memory of 2592	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	40
PID 2128 wrote to memory of 2592	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	40
PID 2128 wrote to memory of 2592	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	40
PID 2128 wrote to memory of 2592	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	40
PID 2128 wrote to memory of 2592	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	40
PID 2128 wrote to memory of 2592	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	40
PID 2128 wrote to memory of 2592	2128	JaffaCakes118_8a97890a209a611782bc523cd041daad.exe	40
PID 2592 wrote to memory of 2632	2592	msindex.exe	41
PID 2592 wrote to memory of 2632	2592	msindex.exe	41
PID 2592 wrote to memory of 2632	2592	msindex.exe	41
PID 2592 wrote to memory of 2632	2592	msindex.exe	41
PID 2592 wrote to memory of 2632	2592	msindex.exe	41
PID 2592 wrote to memory of 2632	2592	msindex.exe	41
PID 2592 wrote to memory of 2632	2592	msindex.exe	41

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a97890a209a611782bc523cd041daad.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a97890a209a611782bc523cd041daad.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\CMSetup.exe
  C:\Users\Admin\AppData\Local\Temp\CMSetup.exe -s "http://fbgdc.com/click/?c=11855&s=116447&subid=sub1517"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\OfferBoxSetup.exe
  C:\Users\Admin\AppData\Local\Temp\OfferBoxSetup.exe /S
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\AcPro.exe
  C:\Users\Admin\AppData\Local\Temp\AcPro.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Users\Admin\AppData\Local\Temp\is-5RJPR.tmp\AcPro.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-5RJPR.tmp\AcPro.tmp" /SL5="$7022C,185455,54272,C:\Users\Admin\AppData\Local\Temp\AcPro.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\SysWOW64\regsvr32.exe
      "regsvr32.exe" /s AutocompletePro.dll
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2780
  - - C:\Program Files (x86)\AutocompletePro\InstTracker.exe
      "C:\Program Files (x86)\AutocompletePro\InstTracker.exe" -install -cs:true -si:7999 -ver:1.1 -dir:"C:\Program Files (x86)\AutocompletePro"
      4⤵
      Executes dropped EXE
      PID:1356
- C:\Users\Admin\AppData\Local\Temp\msindex.exe
  C:\Users\Admin\AppData\Local\Temp\msindex.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\indexsvc.exe
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\indexsvc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2828 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AutocompletePro\AutocompletePro.dll

Filesize
95KB

MD5
4a509b7784d59ee10c4e912b532e7aab

SHA1
6e5649af31edaba52e65f885d2e1a4c28341582c

SHA256
9e38900e97a8937b5dbbdce26f338d443cc321d22fd28e2f5aeb7d9d369fceb7

SHA512
d7c3fcab788ea29cf8083873a4fb10508061c9edecab4523f8ee89476d630740aedbcc964f7c3b15ec0c01e34d17dd55e9a983a9b09ad1cfb45c51a1dfb2ef33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2d9b0119cb04837aa284521c7a0b4086

SHA1
15acd17b0288a422489a132be1c21fafd975eba5

SHA256
1fab0d2a0171f60569efd1d7f2516b12f83163a723932c8531221567c69ab600

SHA512
18854a6a2828599c9cba9f7d5c5103973251f41009214fe2d8be56636f18f630b36c011249efa6e0783cdced2d7e671d2f59cf92070fff34394c3f59fa0d93da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e00cd8e4866f1a8fe1edfc9d77563a4a

SHA1
539bad2c677da0e90f3324fc5489141508c98ea0

SHA256
66a6139b6e47acd018e484ffef4b79b6b9bc53b09f889f81dea8d4c5722ea244

SHA512
b7948cb8073da0252a734d94f34640f1a721cbe917c84b74347fa365f6ebe33cdfdb55dc3d757abd6e9c6630e75d11282f840fa1f20d3315629704c7702a1847

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62210a509ba8116675f21cfd1b6bacd7

SHA1
160cf21e5873270918212da441f7e0566a85bc84

SHA256
08ba6358aecec564f773dd01889232a2b2c219bbb8d991375da7740369316cb6

SHA512
e25d73f636c8e7639498cf0653dccc756636e4c40c23f88783953f08e02814c41afb544548b7d76373ee8c984c8600fdbfdcf56aa362292ff823b10cf509d4a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
531d64f93d58c979f874182e03fdc8be

SHA1
f731c55fe13ec23a78b766c4b1f63c5137ee917d

SHA256
97738f8be584c4b43b8a92c6b7eff3d5ffad6baf0b0a7c93090816e6e6eb3cb5

SHA512
1d4cf9f54810f3437ad9823c72c2ca16d2b5b56c78698409173193eb7c874450c00d4319a7828e7272a5dea83b234a3639736f8c682b7573dfee425d697e81bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d759bfb08782c4c673b9c541a8827e24

SHA1
bea363b51739197facccaa66ea8ece9cd77bfadf

SHA256
837c6bb276f5ee483e86b4f5f498d5049f3d27989d20b63f00feba90cdac9ec4

SHA512
c44104125d26205f7a19791dbd2c92bd35902fdad005b8260002b1664cccc241badabd5e1fcf8d025636e09edc6fd13c9dfde5eae33f154c4c485067d9a850c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f844d71a49b8c4db84e5c9d7bff49039

SHA1
f25916be9f27f79f826fd845d4f50798b753ec2f

SHA256
c7e5642dcfcefbe62a11ede7800ae383b36908f3482b1c2c926c2b68e79460bc

SHA512
ed92ec1c900a42a3df6a712d4b416838aacfa0eeaecf929ee4e4f690b8dc2c633dfe3f979ce8214042c6cd6f1ddd7edcfd027f2b798aac9ab7eff0d3431d986b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f9980babf9e7e0817e7c437dddaad390

SHA1
f5e39ff119144b714748b6fc09968599072745d7

SHA256
74e976d80120967f50c70772d360a88c7c2e89addc51bf23a9248ebd10ba1b77

SHA512
d3e8e61b0904f7c0af4157d18bda75f3f217183e13c551b1816dc511e2736139854605ef3e45c35cbeb6e535d11fd95a7beadc372ed3029387ddd4cf74044b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\click[1].htm

Filesize
1KB

MD5
06c45d76c7182c0862b0dfc8ec2eafad

SHA1
22e754ba0016310069a3daa6192a26ba16d46ef6

SHA256
745fac29e8ef417abc08036d42accfbf4cd528707ccba34738bfb498d4047c9e

SHA512
ca18ed6b85d94baef5f49b96fc150c3b35cbf3a02a70896ee12a05590b83851e8ca462ef0e1dd147cb8fa020af7fbc75d2fa96b0b6433f1ca24aa03aa2eca24a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\iife.min[1].js

Filesize
33KB

MD5
63f9fd621d1fbd53b7c5856e58c11ccd

SHA1
a46973c2fbdbfeb159e0d717a90f88307e274012

SHA256
c6bc28686490aba34a53ab3b709afa1fd73c21e60feb25608b09f23efe170089

SHA512
d4df433c7368ec078fbc473398a4ab21e6da20950ac4db34338623296887db40320b05b9bde6130e43d2b55c82b81a56b60bab0d6a4c97df54a0cb7a8f09325b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcPro.exe

Filesize
426KB

MD5
272ceed651946194801cb481ffc45390

SHA1
02c6711b070525bd895a576d020371fb6aadce21

SHA256
e85b7e5a0367e54456da30509646c529ee673681c3c5d894d37e03ba15c8e0d8

SHA512
d367acf8520139bf986ec3cb93b7a431b7a239d8d8a1791214149720a836aaca3455bcc536857bf8b1d20fa9eaaff4a6cacdeb8c308c23b3e03dc1194fd6f5a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab91B8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar92E7.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF48CFABB8687158C1.TMP

Filesize
16KB

MD5
31fbe53c362dcb3d7a4e01661c80a9d5

SHA1
7e2426f21b83c14222ab00f50d88aeefab6a1360

SHA256
5187e87b248aba572bcc84ca40f0b4148a4d8b117cd36fae2e6a6dafc3802935

SHA512
4083538f2e3c5e96c151870454b16c9616b6fb5aa8247d1f9bcde6e2b4afdbc4ee5289c7147eb3555807656d31b3b1423bfd7215e2741a25edee979203e86013

Download Submit
\Program Files (x86)\AutocompletePro\InstTracker.exe

Filesize
8KB

MD5
fdb8a7445724c2631a260d854f73b0e4

SHA1
5255d0fe074802f1376be76f2c67644274711854

SHA256
e52fcd3259b6ce4bb7d618a239789025c0c39582425870c39b1233a5ae4b50c2

SHA512
7e22d5186359cccb4e7ba2fae076473579ef90d89c91285c8f426a7ecaf041b0f5323fd88910324fc4d2258ad1f71a759651b3ce89394ff8943e112582ae2e47

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\indexsvc.exe

Filesize
837KB

MD5
64c036fb3e9f5ca7e315157fb3d3e6aa

SHA1
70b2780eff2cc7532078175da3bade14363cb6d8

SHA256
be68f81551486bde25a109f273486e79cac59d1f60579fc564895a1dd6171510

SHA512
5cd0bb5abd7a16869187c1d2c167f41a7be04a55b62c4e91f2178ed9065f72d87157f1b026ba2cb9ed5cab2403b8b9747f6e2816994a54987edaf0b7c2cffb48

Download Submit
\Users\Admin\AppData\Local\Temp\CMSetup.exe

Filesize
372KB

MD5
16f4bffd0725b944a8d140d1095044e5

SHA1
c7aad8597e288f751f6c8aa89bd6f49ff8aa4798

SHA256
117240378dc4fabd527634b7f1047c1ab3a19d3876aba34154d312ef25484d53

SHA512
51c0166c33e56b32d6e3b498c848601e108ead8d5a51425251a0040011874a335c98fccfa903ece9984c7acdaa67a4860313d21c46c64c1ce2fc4792de2836f9

Download Submit
\Users\Admin\AppData\Local\Temp\OfferBoxSetup.exe

Filesize
130KB

MD5
b315823b314421c0d62a0a7ea893a584

SHA1
ea6e03bcb6a8a10e668a318057e41d2f1d5d675b

SHA256
f9fad07e0581a1ffb58266f1313a3c43fa3a3af0e060c4cfb1d14d7f8d0ce1c5

SHA512
ab1d42fde4f70bfc2b688eacd1bfe31954923e13f229c3db4959bff4cb2ee3e364b99782f2e8a5cb1622bdb5de84b4bb7e04be0068c7dce1a494063845302190

Download Submit
\Users\Admin\AppData\Local\Temp\is-3C818.tmp\IssProc.dll

Filesize
184KB

MD5
8eae382eabf41d58cb4e4f6bccb48bca

SHA1
104b402efcf67cfb885d3d5f2c3cbad9837c6fd2

SHA256
154cb086cf647d673cc0646ab3db30e2c68974743eb8348cd3d77113bd15d18b

SHA512
bc1d46e2b91b51c2adb84f6fa08cb5c0c95909fd7761e0a19a6db8e7f6a0e768d575530dd920e722ba5440cfcdee48677d3260bae473bced72a1a1c62ab0e469

Download Submit
\Users\Admin\AppData\Local\Temp\is-3C818.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-5RJPR.tmp\AcPro.tmp

Filesize
680KB

MD5
ed69e64731547eba52476a2d2a2f7882

SHA1
cbcd56bbb5230d11a01f18e9bf59f97802bb475b

SHA256
427fa988a8a8c63393693ffeb61ddec195f000220ee55fd5112ec91682e933b0

SHA512
04202de8dafb4c8964230d94eb44ad8ffd1d138b24f445aa3d707f4d9a9e9520d3d6f80cb0731ab9ebb7143011fe0d856d7e262d9672272876958d5e8ad55afe

Download Submit
\Users\Admin\AppData\Local\Temp\msindex.exe

Filesize
217KB

MD5
43b930742524589b90068b05d1dff6d1

SHA1
c301874b2621c764b1b5a29e0acf2a4998dc5554

SHA256
3de93c3367781abf74e1e37af0043cec8b5efe2ea8d2d47bf74570b0d80e0e7a

SHA512
8547291c347aaa49e21c01bb018db33e752749b2415801c734bd9f4e5bf01f9a8e8f23d8100265169bad11fa4850deccb7a6002e92f9ce7406d6f91814265888

Download Submit
\Users\Admin\AppData\Local\Temp\nsj7734.tmp\NSISdl.dll

Filesize
14KB

MD5
a5b84d250794433db5a2d26f34699dd9

SHA1
bc06abccf6a4783973ec11b6766b43b4a265820c

SHA256
96f3357a024c549d7cb9e6447b1a56a2a8029b4f12e6e597428e68620761c5e0

SHA512
121d67f85a24096799ed913dccb64ef65d9479f98a6d88c2a0e05f05a65f460d557c5fdfe2c42a0a61b9cbaedd9b7031978111a2713250a89848ab4f3bb4ce84

Download Submit
\Users\Admin\AppData\Local\Temp\nsj7734.tmp\NsisPluginOB.dll

Filesize
148KB

MD5
71b36382009ed5b31788441fb3c7e05f

SHA1
34248376866accdeeebea6fdb2d102377cd5db35

SHA256
1e06ce4f7298c67068211982d36013c8e65401dfbdbd03134900a2c8677de534

SHA512
59f6e3b58f7b7e17ad79fef336cd3f46b9ddf4b67f6f4705132a0184cd98460dc27d3a21cdfe0cdd121f05633fb9e6687f49a49d829163ac7d9d0448b066277e

Download Submit
memory/1264-362-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1264-416-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1268-415-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2128-419-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2128-603-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2128-597-0x0000000000340000-0x000000000035F000-memory.dmp

Filesize
124KB

Download
memory/2128-418-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2128-0-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2592-633-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2592-634-0x0000000000020000-0x000000000003F000-memory.dmp

Filesize
124KB

Download
memory/2592-635-0x0000000000020000-0x000000000003F000-memory.dmp

Filesize
124KB

Download
memory/2592-604-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2592-609-0x0000000000020000-0x000000000003F000-memory.dmp

Filesize
124KB

Download
memory/2592-611-0x0000000000020000-0x000000000003F000-memory.dmp

Filesize
124KB

Download
memory/2592-610-0x0000000000020000-0x000000000003F000-memory.dmp

Filesize
124KB

Download
memory/2844-33-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download