Analysis
Max time kernel: 118s
Max time network: 132s
Platform: windows7_x64
Resource: win7-20240419-en
Resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
Submitted: 02-05-2024 05:30

Static task: static1
Behavioral task: behavioral1
  Sample: 0da1bb1322636afe3b601d6f3c775b04_JaffaCakes118.html
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 0da1bb1322636afe3b601d6f3c775b04_JaffaCakes118.html
  Resource: win10v2004-20240419-en

General
Target: 0da1bb1322636afe3b601d6f3c775b04_JaffaCakes118.html
Size: 673KB
MD5: 0da1bb1322636afe3b601d6f3c775b04
SHA1: eac08212c5e35a7270991c80e5e6cd47a9fdd64b
SHA256: b698da8c2966af3d240cc5be00154262226a4097d9cde8c8f1fb94a68e8ea17e
SHA512: 5991cce78d8bb8f271c3aeb45de4de824ad1c6c839a206ceb2dd95895be961a1cad4763b92896d0e5104adb55a832dbdc91c77f7276909cdad0a8de8be5d4bf8
SSDEEP: 12288:85d+X3w5d+X3S5d+X3K5d+X385d+X3f5d+X3+:++q+I+A+e+P+e
Malware Config
Signatures
Executes dropped EXE 9 IoCs
  PID   Process
  2756  svchost.exe
  2600  DesktopLayer.exe
  2580  svchost.exe
  2476  svchost.exe
  2992  svchost.exe
  1764  svchost.exe
  1656  DesktopLayer.exe
  1464  svchost.exe
  1192  DesktopLayer.exe

Loads dropped DLL 7 IoCs
  PID   Process        Count
  2772  IEXPLORE.EXE   x6
  2756  svchost.exe    x1

UPX packed (yara_rule: upx) 8 IoCs
  Resource                                                                     yara_rule
  behavioral1/memory/2756-6-0x0000000000400000-0x000000000042E000-memory.dmp   upx
  behavioral1/files/0x0008000000013a85-7.dat                                   upx
  behavioral1/memory/2756-10-0x0000000000400000-0x000000000042E000-memory.dmp  upx
  behavioral1/memory/2756-9-0x0000000000230000-0x000000000023F000-memory.dmp   upx
  behavioral1/memory/2600-19-0x0000000000400000-0x000000000042E000-memory.dmp  upx
  behavioral1/memory/2476-27-0x0000000000400000-0x000000000042E000-memory.dmp  upx
  behavioral1/memory/1656-41-0x0000000000400000-0x000000000042E000-memory.dmp  upx
  behavioral1/memory/1464-45-0x0000000000400000-0x000000000042E000-memory.dmp  upx
Drops file in Program Files directory 13 IoCs
  Description                   IoC                                                  Process
  File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe    svchost.exe
  File created                  C:\Program Files (x86)\Microsoft\DesktopLayer.exe    svchost.exe
  File created                  C:\Program Files (x86)\Microsoft\DesktopLayer.exe    svchost.exe
  File created                  C:\Program Files (x86)\Microsoft\DesktopLayer.exe    svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe    svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\px760.tmp           svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\px7ED.tmp           svchost.exe
  File created                  C:\Program Files (x86)\Microsoft\DesktopLayer.exe    svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\pxA1E.tmp           svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\pxA6C.tmp           svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe    svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\px7FC.tmp           svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\px83B.tmp           svchost.exe

Modifies Internet Explorer settings 44 IoCs
  All keys below are relative to \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer
  Description        IoC                                                                     Process
  Key created        Main\WindowsSearch                                                      IEXPLORE.EXE
  Set value (data)   Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000   iexplore.exe
  Key created        LowRegistry                                                             iexplore.exe
  Key created        Main\WindowsSearch                                                      iexplore.exe
  Set value (str)    Main\FullScreen = "no"                                                  iexplore.exe
  Set value (int)    DomainSuggestion\NextUpdateDate = "420789709"                           iexplore.exe
  Set value (data)   Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000   iexplore.exe
  Set value (int)    TabbedBrowsing\NTPFirstRun = "1"                                        iexplore.exe
  Set value (data)   TabbedBrowsing\NewTabPage\LastProcessed = 30aaa2ef519cda01              iexplore.exe
  Key created        TabbedBrowsing\NewTabPage                                               iexplore.exe
  Set value (int)    Recovery\AdminActive\{1A8F95F1-0845-11EF-88AC-F2AB90EC9A26} = "0"       iexplore.exe
  Key created        Main                                                                    IEXPLORE.EXE
  Set value (str)    Main\WindowsSearch\Version = "WS not running"                           IEXPLORE.EXE
  Key created        Main                                                                    IEXPLORE.EXE
  Set value (data)   Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000   iexplore.exe
  Key created        TabbedBrowsing                                                          iexplore.exe
  Key created        Main                                                                    iexplore.exe
  Key created        Toolbar                                                                 iexplore.exe
  Key created        Recovery\AdminActive                                                    iexplore.exe
  Set value (str)    Main\WindowsSearch\Version = "WS not running"                           iexplore.exe
  Key created        GPU                                                                     iexplore.exe
  Key created        Toolbar\WebBrowser                                                      iexplore.exe
  Key created        Zoom                                                                    iexplore.exe
  Set value (int)    Main\CompatibilityFlags = "0"                                           iexplore.exe
  Key created        IntelliForms                                                            iexplore.exe
  Key created        InternetRegistry                                                        iexplore.exe
  Key created        LowRegistry\DOMStorage                                                  iexplore.exe
  Key created        Main                                                                    IEXPLORE.EXE
  Set value (data)   TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000009bee0aa8da0d4444524d47b6922933ef3af642f422bb9b3bdfd71d0952282bac000000000e800000000200002000000056e72ae414a3180a7bd263c966670c43f9a66f03589447107ae87bf8f364a3a420000000f6de76bf2a5f70f45deff6f5672353185d4411c9f6a3c7371ebf133e85629c9940000000fd769c074fd3d6e41dd18d513e5709cc167903011a2829ea21315cba683a89fc3dc395db9e29a03ec53baf57ae9d9445ba0ed75d5f655d14491722faf5d25957   iexplore.exe
  Set value (data)   TabbedBrowsing\NewTabPage\MFV = [value not preserved in this copy]      iexplore.exe
  Key created        PageSetup                                                               iexplore.exe
  Set value (int)    Recovery\PendingRecovery\AdminActive = "1"                              iexplore.exe
  Key created        Main                                                                    IEXPLORE.EXE
  Set value (data)   Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000   iexplore.exe
  Key created        Recovery\PendingRecovery                                                iexplore.exe
  Set value (int)    Recovery\PendingRecovery\AdminActive = "0"                              iexplore.exe
  Set value (data)   Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000   iexplore.exe
  Key created        Main                                                                    IEXPLORE.EXE
  Key created        BrowserEmulation\LowMic                                                 iexplore.exe
  Key created        IETld\LowMic                                                            iexplore.exe
  Key created        LowRegistry\DontShowMeThisDialogAgain                                   iexplore.exe
  Set value (data)   Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000   iexplore.exe
  Set value (data)   Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000   iexplore.exe
  Key created        DomainSuggestion                                                        iexplore.exe
Suspicious behavior: EnumeratesProcesses 24 IoCs
  PID   Process           Count
  2600  DesktopLayer.exe  x4
  2580  svchost.exe       x4
  2476  svchost.exe       x4
  2992  svchost.exe       x4
  1656  DesktopLayer.exe  x4
  1192  DesktopLayer.exe  x4

Suspicious use of FindShellTrayWindow 7 IoCs
  PID   Process       Count
  2248  iexplore.exe  x7

Suspicious use of SetWindowsHookEx 30 IoCs
  PID   Process       Count
  2248  iexplore.exe  x14
  2772  IEXPLORE.EXE  x6
  2864  IEXPLORE.EXE  x2
  2696  IEXPLORE.EXE  x2
  2704  IEXPLORE.EXE  x4
  320   IEXPLORE.EXE  x2

Suspicious use of WriteProcessMemory 64 IoCs
  The sandbox logs every write four times; each is listed once here with its count. procid_target is the target's index in the process tree.
  Source PID  Source process    Target PID  procid_target  Count
  2248        iexplore.exe      2772        28             x4
  2772        IEXPLORE.EXE      2756        29             x4
  2756        svchost.exe       2600        30             x4
  2600        DesktopLayer.exe  2764        31             x4
  2248        iexplore.exe      2864        32             x4
  2772        IEXPLORE.EXE      2580        33             x4
  2772        IEXPLORE.EXE      2476        34             x4
  2476        svchost.exe       2380        35             x4
  2580        svchost.exe       2972        36             x4
  2772        IEXPLORE.EXE      2992        37             x4
  2992        svchost.exe       2732        38             x4
  2248        iexplore.exe      2696        39             x4
  2248        iexplore.exe      2704        40             x4
  2772        IEXPLORE.EXE      1764        41             x4
  1764        svchost.exe       1656        42             x4
  1656        DesktopLayer.exe  1544        43             x4
Processes
Indentation shows parent/child relationships; the number in brackets is the depth level shown in the original tree.

- [1] C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\0da1bb1322636afe3b601d6f3c775b04_JaffaCakes118.html
  PID: 2248
  Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  - [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:275457 /prefetch:2
    PID: 2772
    Signatures: Loads dropped DLL; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    - [3] C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      PID: 2756
      Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Suspicious use of WriteProcessMemory

      - [4] C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        PID: 2600
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

        - [5] C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 2764

    - [3] C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      PID: 2580
      Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

      - [4] C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 2972

    - [3] C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      PID: 2476
      Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

      - [4] C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 2380

    - [3] C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      PID: 2992
      Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

      - [4] C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 2732

    - [3] C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      PID: 1764
      Signatures: Executes dropped EXE; Drops file in Program Files directory; Suspicious use of WriteProcessMemory

      - [4] C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        PID: 1656
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

        - [5] C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 1544

    - [3] C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      PID: 1464
      Signatures: Executes dropped EXE; Drops file in Program Files directory

      - [4] C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        PID: 1192
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses

        - [5] C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 2044

  - [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:209930 /prefetch:2
    PID: 2864
    Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx

  - [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:5714946 /prefetch:2
    PID: 2696
    Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx

  - [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:6894593 /prefetch:2
    PID: 2704
    Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx

  - [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:3486728 /prefetch:2
    PID: 320
    Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
-
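The chain that matters in this report is browser content tab (IEXPLORE.EXE, PID 2772) launching a file named svchost.exe from the user's Temp directory, which in turn writes and runs DesktopLayer.exe under C:\Program Files (x86)\Microsoft alongside px<hex>.tmp staging files. The script below is an added example written for this page, not output of the sandbox or code from the report: it parses the "PID <src> wrote to memory of <dst> ..." lines and the process-tree image paths into parent/child lineage, then flags any svchost.exe whose image is outside System32/SysWOW64 and any file event matching the DesktopLayer.exe / px<hex>.tmp pattern. The sample lines are a constructed subset of the IoCs above (plus one hypothetical benign row as a negative control); the directory allow-list and the px<hex>.tmp pattern are the editor's heuristics derived from this report, not a published rule.

```python
"""Process-tree triage for Triage-style IoC lines (added example, not report output)."""
import ntpath
import re
from collections import defaultdict

# Constructed sample: a subset of the report's WriteProcessMemory IoC lines.
# The first entry is repeated once to show that duplicate writes are collapsed.
WRITE_LINES = """\
PID 2248 wrote to memory of 2772 2248 iexplore.exe 28
PID 2248 wrote to memory of 2772 2248 iexplore.exe 28
PID 2772 wrote to memory of 2756 2772 IEXPLORE.EXE 29
PID 2756 wrote to memory of 2600 2756 svchost.exe 30
PID 2600 wrote to memory of 2764 2600 DesktopLayer.exe 31
PID 2772 wrote to memory of 2580 2772 IEXPLORE.EXE 33
PID 2580 wrote to memory of 2972 2580 svchost.exe 36
"""

# Constructed sample: image path per PID, copied from the report's process tree.
IMAGES = {
    2248: r"C:\Program Files\Internet Explorer\iexplore.exe",
    2772: r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
    2756: r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
    2600: r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe",
    2764: r"C:\Program Files\Internet Explorer\iexplore.exe",
    2580: r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
    2972: r"C:\Program Files\Internet Explorer\iexplore.exe",
}

# Constructed sample: (operation, path, process). First three rows come from the
# report's "Drops file in Program Files directory" list; the last is a
# hypothetical benign row used as a negative control.
FILE_EVENTS = [
    ("File created", r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe", "svchost.exe"),
    ("File opened for modification", r"C:\Program Files (x86)\Microsoft\px760.tmp", "svchost.exe"),
    ("File opened for modification", r"C:\Program Files (x86)\Microsoft\px7ED.tmp", "svchost.exe"),
    ("File created", r"C:\Users\Admin\AppData\Local\Temp\notes.txt", "notepad.exe"),
]

# "PID <src> wrote to memory of <dst> <src> <src image name> <procid_target>"
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
# Editor's assumption: legitimate svchost.exe images live only in these directories.
SYSTEM_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Editor's heuristic from this report: DesktopLayer.exe plus px<hex>.tmp staging files.
DROP_RE = re.compile(
    r"^C:\\Program Files \(x86\)\\Microsoft\\(DesktopLayer\.exe|px[0-9A-F]{1,4}\.tmp)$",
    re.IGNORECASE,
)


def parse_writes(text):
    """Return (children, names): parent PID -> ordered child PIDs, PID -> image name.
    Repeated lines (the sandbox logs each write several times) are collapsed."""
    children, names = defaultdict(list), {}
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a WriteProcessMemory IoC line
        src, dst, src_name = int(m.group(1)), int(m.group(2)), m.group(3)
        names[src] = src_name
        if dst not in children[src]:
            children[src].append(dst)
    return dict(children), names


def parent_map(children):
    """Invert the child lists into child PID -> parent PID."""
    return {c: p for p, kids in children.items() for c in kids}


def lineage(pid, parents):
    """Root-first chain of PIDs from the top-level process down to pid."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def describe_chain(pid, children, names, images):
    """Readable lineage such as 'iexplore.exe(2248) > ... > DesktopLayer.exe(2600)'."""
    parts = []
    for p in lineage(pid, parent_map(children)):
        label = ntpath.basename(images[p]) if p in images else names.get(p, "?")
        parts.append(f"{label}({p})")
    return " > ".join(parts)


def masquerading_svchost(images):
    """PIDs whose image is named svchost.exe but is not in a system directory."""
    return sorted(
        pid for pid, path in images.items()
        if ntpath.basename(path).lower() == "svchost.exe"
        and ntpath.dirname(path).lower() not in SYSTEM_SVCHOST_DIRS
    )


def staged_drops(events):
    """File events by svchost.exe that match the Program Files (x86) staging pattern."""
    return [(op, path) for op, path, proc in events
            if proc.lower() == "svchost.exe" and DROP_RE.match(path)]


if __name__ == "__main__":
    kids, names = parse_writes(WRITE_LINES)
    for pid in masquerading_svchost(IMAGES):
        print("svchost.exe outside System32:", describe_chain(pid, kids, names, IMAGES))
    for op, path in staged_drops(FILE_EVENTS):
        print(f"{op}: {path}")
```

On a real host the same two checks translate directly: compare the image path of every process named svchost.exe against the system directories, and alert on any non-Microsoft-signed process creating files directly under C:\Program Files (x86)\Microsoft. The path-based allow-list here is deliberately strict; a system with relocated Windows directories would need the set adjusted.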
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 8484161ba5b4100f901b9eaa2b12fe5c
  SHA1: 5bcb51d431af78a02570a9fdd1dbb81ff4a6c6d6
  SHA256: 04f7617fef63f870008d5a10ba94c210e52d5cf9c052bbe5765f780a534de39d
  SHA512: ca015c89982bad869f4a8f27bd110ecca40972dcfa0ac27c060b8efd95ceb8968b4338b4909b940b639bed1100153240dfca3084ff7b9d641e1a4ec67cb87a77
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: dd8fcf4bc8c7dbe294ad41140e27faec
  SHA1: f1ed398e3e08b9697453627e093b52e18385d9c3
  SHA256: 69649b0d4c9068bb034a12a917f9a2fc9dab99b4ebcb104ea17a43798b419754
  SHA512: 0948c923e36a49c53240e29f296eb3601434788e4db56632a68d24c1264f86be6085db83717a13709e886b79cd77914ea0e2201a651b461bce9991c2a1f95cdf
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: a90e55ac78be0a65fb87584c43775a34
  SHA1: de6642d6fe7c0ef441c2170d26f561174cf0db2a
  SHA256: 82d72129a07688a5df009a39be338b5ac518f6aac14bb7351c9ad05483b5a4ac
  SHA512: a3094fec35775cff15ca8814df58b85e2db4b88adc510cbd436e42a642776a11bf30bdd9686d933ab6ee4653b06c83f031ef27ce714c8f2f07def47a5a33de21
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 8d6ff464081b1a9b536e848532fe425c
  SHA1: 6b0d8821eefadacf37a61ca30dd5f7d1c5424b2e
  SHA256: 9b05b511c17a5f469523c8b95a54cea3a2f154934e6d59bf6cb498992bf19344
  SHA512: 873575952b976734eeaf297d6c1f5eba45f4a0372c430d342ce3f41cedb1983b39de47517ca4d60ea469c3efd3e17cfadb0a64290f3863bbe509db2f89ce9234
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 6ff39018228341e8914052881838e5a0
  SHA1: 0a34a19161de9ffcd29f7e14f6fe91cd504ac3ba
  SHA256: 7a41e057ae434bd4c1385dd639d0340b48b0e030f849d9f565e99a37c8b6296d
  SHA512: f0899fbb7c1a4fc432dff1dea9de370df95f3bf1895c65ae6d00bda4f5bf8948a4f3011377dd1c8431213e2fc76370b45427aec90da376ed5999811a8eed6658
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 68457ceb19e08e5d78d6240321cc84a5
  SHA1: 8337b663c3747cb781cf7dd51df91accfd43f36d
  SHA256: e4456a3abfe4d263945b5c5555343c233f15b36026737d4f257b181a7335058c
  SHA512: 1537124aa77e4648222ce01d0f63831542fc619c4d13c2cd70b3e4325b39420d8542a4d19a6f018926c87ac8fca6d5f1905cd19af8f776c9bbe747ee4a9e83f2
- Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
- Filesize: 55KB
  MD5: ff5e1f27193ce51eec318714ef038bef
  SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
  SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
  SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a