Analysis
max time kernel: 144s
max time network: 149s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 11-06-2024 03:31
Static task: static1
Behavioral task: behavioral1
  Sample: 9cdc3ab1ec0498cd16b1ce5d8573efe2_JaffaCakes118.html
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 9cdc3ab1ec0498cd16b1ce5d8573efe2_JaffaCakes118.html
  Resource: win10v2004-20240426-en
General
Target: 9cdc3ab1ec0498cd16b1ce5d8573efe2_JaffaCakes118.html
Size: 531KB
MD5: 9cdc3ab1ec0498cd16b1ce5d8573efe2
SHA1: 32a8944e9a088a9de256710f5d5b52fe8843c34d
SHA256: 2ff63ce7d6c154e13899100aac7e8a0dce768f83b5dc4b71233fb285f172ccd3
SHA512: b9bb5dd2b1226aeb4c70983c840e9039ecac9ed22b315d1c6ea0b4231b060ccdc07d1bc727b601925e7a3a58139559db7230dfba3c6a0fbcd9baede89e78b7ef
SSDEEP: 6144:S5sMYod+X3oI+Y7meFekWjsMYod+X3oI+Y7meFeklsMYod+X3oI+Y7meFekw:g5d+X30ey35d+X30el5d+X30eE
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
  pid   process
  3060  svchost.exe
  2100  svchost.exe
  2412  svchost.exe
  2680  svchost.exe
Loads dropped DLL (4 IoCs)
  pid   process
  2308  IEXPLORE.EXE
  1312  IEXPLORE.EXE
  800   IEXPLORE.EXE
  2392  IEXPLORE.EXE
YARA rule match: upx
  resource                                                                     yara_rule
  \Users\Admin\AppData\Local\Temp\svchost.exe                                  upx
  behavioral1/memory/3060-6-0x0000000000400000-0x0000000000436000-memory.dmp   upx
  behavioral1/memory/3060-12-0x0000000000400000-0x0000000000436000-memory.dmp  upx
  behavioral1/memory/2100-21-0x0000000000400000-0x0000000000436000-memory.dmp  upx
  behavioral1/memory/2412-32-0x0000000000400000-0x0000000000436000-memory.dmp  upx
  behavioral1/memory/2680-43-0x0000000000400000-0x0000000000436000-memory.dmp  upx
Drops file in Program Files directory (9 IoCs)
  description                   ioc                                                  process
  File opened for modification  C:\Program Files (x86)\Microsoft\pxC755.tmp          svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe    svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe    svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe    svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\px1F15.tmp          svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe    svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\px6FF2.tmp          svchost.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\px192C.tmp          svchost.exe
  File created                  C:\Program Files (x86)\Microsoft\DesktopLayer.exe    svchost.exe
Modifies Internet Explorer settings
  Every key below lives under \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer, written as <IE> here.
  description       ioc                                                                        process
  Set value (int)   <IE>\Main\CompatibilityFlags = "0"                                          iexplore.exe
  Set value (str)   <IE>\Main\WindowsSearch\Version = "WS not running"                          iexplore.exe
  Set value (int)   <IE>\Recovery\PendingRecovery\AdminActive = "1"                             iexplore.exe
  Key created       <IE>\DomainSuggestion                                                       iexplore.exe
  Key created       <IE>\Main                                                                   IEXPLORE.EXE
  Key created       <IE>\GPU                                                                    iexplore.exe
  Key created       <IE>\InternetRegistry                                                       iexplore.exe
  Key created       <IE>\Toolbar                                                                iexplore.exe
  Set value (str)   <IE>\Main\FullScreen = "no"                                                 iexplore.exe
  Set value (int)   <IE>\Recovery\PendingRecovery\AdminActive = "0"                             iexplore.exe
  Key created       <IE>\Main                                                                   IEXPLORE.EXE
  Key created       <IE>\Main                                                                   IEXPLORE.EXE
  Key created       <IE>\Main                                                                   iexplore.exe
  Key created       <IE>\BrowserEmulation\LowMic                                                iexplore.exe
  Key created       <IE>\PageSetup                                                              iexplore.exe
  Key created       <IE>\Recovery\AdminActive                                                   iexplore.exe
  Key created       <IE>\LowRegistry\DOMStorage                                                 iexplore.exe
  Key created       <IE>\Toolbar\WebBrowser                                                     iexplore.exe
  Key created       <IE>\Main                                                                   IEXPLORE.EXE
  Set value (int)   <IE>\DomainSuggestion\NextUpdateDate = "424238574"                          iexplore.exe
  Set value (data)  <IE>\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
  Key created       <IE>\Main                                                                   IEXPLORE.EXE
  Key created       <IE>\IntelliForms                                                           iexplore.exe
  Key created       <IE>\LowRegistry                                                            iexplore.exe
  Key created       <IE>\Zoom                                                                   iexplore.exe
  Key created       <IE>\Main\WindowsSearch                                                     iexplore.exe
  Key created       <IE>\Recovery\PendingRecovery                                               iexplore.exe
  Key created       <IE>\IETld\LowMic                                                           iexplore.exe
  Key created       <IE>\LowRegistry\DontShowMeThisDialogAgain                                  iexplore.exe
  Set value (int)   <IE>\Recovery\AdminActive\{142EF931-27A3-11EF-8FA5-CE57F181EBEB} = "0"      iexplore.exe
  Key created       <IE>\Main                                                                   IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   process
  3060  svchost.exe
  2100  svchost.exe
  1676  iexplore.exe
  2412  svchost.exe
  2680  svchost.exe
  1676  iexplore.exe
Suspicious behavior: MapViewOfSection (64 IoCs)
  pid   process      entries
  3060  svchost.exe  23
  2100  svchost.exe  24
  2412  svchost.exe  17
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  3060  svchost.exe
  Token: SeDebugPrivilege  2100  svchost.exe
  Token: SeDebugPrivilege  2412  svchost.exe
  Token: SeDebugPrivilege  2680  svchost.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  1676  iexplore.exe
Suspicious use of SetWindowsHookEx (22 IoCs)
  pid   process       entries
  1676  iexplore.exe  2
  2308  IEXPLORE.EXE  4
  1312  IEXPLORE.EXE  2
  2248  IEXPLORE.EXE  2
  1312  IEXPLORE.EXE  2
  800   IEXPLORE.EXE  4
  2392  IEXPLORE.EXE  2
  2028  IEXPLORE.EXE  2
  2392  IEXPLORE.EXE  2
Suspicious use of WriteProcessMemory (64 IoCs)
  pid   process       target pid  target process  entries
  1676  iexplore.exe  2308        IEXPLORE.EXE    4
  2308  IEXPLORE.EXE  3060        svchost.exe     4
  3060  svchost.exe   384         wininit.exe     7
  3060  svchost.exe   392         csrss.exe       7
  3060  svchost.exe   432         winlogon.exe    7
  3060  svchost.exe   476         services.exe    7
  3060  svchost.exe   492         lsass.exe       7
  3060  svchost.exe   500         lsm.exe         7
  3060  svchost.exe   596         svchost.exe     7
  3060  svchost.exe   676         svchost.exe     7
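The WriteProcessMemory entries are the part of this report worth automating around: a binary named svchost.exe running from %TEMP%, holding SeDebugPrivilege, writes into wininit, csrss, winlogon, services, lsass, lsm and two real service hosts. The script below is an added example, not part of the sandbox report, that parses records in the report's "PID X wrote to memory of Y" form and flags cross-process writes where either side is a system-binary name running outside %SystemRoot% or where the target is a core system process. The sample records and PID-to-path map are constructed from this page; the SYSTEM_BINARIES list and the rules are assumptions for the example, not sandbox logic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed from the report's "Suspicious use of WriteProcessMemory" signature:
# one representative line per source/target pair (the sandbox repeats each pair).
SAMPLE_RECORDS = """\
PID 1676 wrote to memory of 2308 1676 iexplore.exe IEXPLORE.EXE
PID 2308 wrote to memory of 3060 2308 IEXPLORE.EXE svchost.exe
PID 3060 wrote to memory of 384 3060 svchost.exe wininit.exe
PID 3060 wrote to memory of 392 3060 svchost.exe csrss.exe
PID 3060 wrote to memory of 432 3060 svchost.exe winlogon.exe
PID 3060 wrote to memory of 476 3060 svchost.exe services.exe
PID 3060 wrote to memory of 492 3060 svchost.exe lsass.exe
PID 3060 wrote to memory of 500 3060 svchost.exe lsm.exe
PID 3060 wrote to memory of 596 3060 svchost.exe svchost.exe
PID 3060 wrote to memory of 676 3060 svchost.exe svchost.exe
"""

# Image paths copied from the report's process tree, keyed by PID (constructed).
IMAGE_PATHS = {
    1676: r"C:\Program Files\Internet Explorer\iexplore.exe",
    2308: r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
    3060: r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
    384: r"C:\Windows\system32\wininit.exe",
    392: r"C:\Windows\system32\csrss.exe",
    432: r"C:\Windows\system32\winlogon.exe",
    476: r"C:\Windows\system32\services.exe",
    492: r"C:\Windows\system32\lsass.exe",
    500: r"C:\Windows\system32\lsm.exe",
    596: r"C:\Windows\system32\svchost.exe",
    676: r"C:\Windows\system32\svchost.exe",
}

# Names that belong only to binaries under %SystemRoot%; no user-land program
# has business writing into their address space. Assumed list for this example.
SYSTEM_BINARIES = {"wininit.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "lsm.exe", "svchost.exe"}
SYSTEM_ROOT = "c:\\windows\\"

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
RECORD_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
                       r"(?P<src_name>\S+) (?P<dst_name>\S+)$")


@dataclass(frozen=True)
class WriteRecord:
    src_pid: int
    src_name: str
    dst_pid: int
    dst_name: str


def parse_records(text):
    """Parse the sandbox's WriteProcessMemory lines; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(WriteRecord(int(m["src"]), m["src_name"],
                                       int(m["dst"]), m["dst_name"]))
    return records


def under_system_root(path):
    return path.lower().startswith(SYSTEM_ROOT)


def masquerades(name, path):
    """A system-binary name running from anywhere but %SystemRoot% (here svchost.exe in %TEMP%)."""
    return name.lower() in SYSTEM_BINARIES and not under_system_root(path)


def triage(records, image_paths):
    """Map each suspicious record to the list of reasons it was flagged."""
    findings = {}
    for r in records:
        src_path = image_paths.get(r.src_pid, "")
        dst_path = image_paths.get(r.dst_pid, "")
        reasons = []
        if masquerades(r.src_name, src_path):
            reasons.append(f"source masquerades as a system binary: {src_path}")
        if masquerades(r.dst_name, dst_path):
            reasons.append(f"target masquerades as a system binary: {dst_path}")
        # The core pattern in this report: an image outside %SystemRoot% writing
        # into wininit/csrss/winlogon/services/lsass/lsm/svchost.
        if (r.dst_name.lower() in SYSTEM_BINARIES and under_system_root(dst_path)
                and not under_system_root(src_path)):
            reasons.append(f"writes into core system process {r.dst_name} from outside %SystemRoot%")
        if reasons:
            findings[r] = reasons
    return findings


def injection_fan_out(findings):
    """Distinct targets per flagged source PID; one source hitting many core
    processes is the inject-into-everything pattern this report shows."""
    targets = defaultdict(set)
    for r in findings:
        targets[r.src_pid].add(r.dst_pid)
    return {pid: len(t) for pid, t in targets.items()}


if __name__ == "__main__":
    found = triage(parse_records(SAMPLE_RECORDS), IMAGE_PATHS)
    for rec, why in found.items():
        print(f"{rec.src_pid} {rec.src_name} -> {rec.dst_pid} {rec.dst_name}: " + "; ".join(why))
    print("fan-out:", injection_fan_out(found))
```

Run against the page's records this flags nine of the ten pairs: the eight writes from PID 3060 (source masquerading as svchost.exe plus a write into a core process) and the 2308 to 3060 write, whose only oddity is that the child being written to runs from %TEMP%. The iexplore.exe to IEXPLORE.EXE write is left alone, which matches the broker-to-content-process launch IE does normally. The path-based rules are deliberately coarse; a real deployment would key on signer and hash rather than directory.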
Processes
(indentation shows the parent/child depth reported by the sandbox; each entry gives image path, command line and PID)

C:\Windows\system32\wininit.exe
  command line: wininit.exe
  PID: 384
    C:\Windows\system32\services.exe
      command line: C:\Windows\system32\services.exe
      PID: 476
        C:\Windows\system32\svchost.exe
          command line: C:\Windows\system32\svchost.exe -k DcomLaunch
          PID: 596
            C:\Windows\system32\DllHost.exe
              command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              PID: 1448
            C:\Windows\system32\wbem\wmiprvse.exe
              command line: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
              PID: 2916
        C:\Windows\system32\svchost.exe
          command line: C:\Windows\system32\svchost.exe -k RPCSS
          PID: 676
        C:\Windows\System32\svchost.exe
          command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
          PID: 748
        C:\Windows\System32\svchost.exe
          command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
          PID: 812
            C:\Windows\system32\Dwm.exe
              command line: "C:\Windows\system32\Dwm.exe"
              PID: 1144
        C:\Windows\system32\svchost.exe
          command line: C:\Windows\system32\svchost.exe -k netsvcs
          PID: 844
        C:\Windows\system32\svchost.exe
          command line: C:\Windows\system32\svchost.exe -k LocalService
          PID: 964
        C:\Windows\system32\svchost.exe
          command line: C:\Windows\system32\svchost.exe -k NetworkService
          PID: 112
        C:\Windows\System32\spoolsv.exe
          command line: C:\Windows\System32\spoolsv.exe
          PID: 1036
        C:\Windows\system32\taskhost.exe
          command line: "taskhost.exe"
          PID: 1056
        C:\Windows\system32\svchost.exe
          command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
          PID: 1120
        C:\Windows\system32\svchost.exe
          command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
          PID: 2188
        C:\Windows\system32\sppsvc.exe
          command line: C:\Windows\system32\sppsvc.exe
          PID: 2080
    C:\Windows\system32\lsass.exe
      command line: C:\Windows\system32\lsass.exe
      PID: 492
    C:\Windows\system32\lsm.exe
      command line: C:\Windows\system32\lsm.exe
      PID: 500

C:\Windows\system32\csrss.exe
  command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  PID: 392

C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 432

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1180
    C:\Program Files\Internet Explorer\iexplore.exe
      command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\9cdc3ab1ec0498cd16b1ce5d8573efe2_JaffaCakes118.html
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1676
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:275457 /prefetch:2
          - Loads dropped DLL
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 2308
            C:\Users\Admin\AppData\Local\Temp\svchost.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
              - Executes dropped EXE
              - Drops file in Program Files directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 3060
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:340994 /prefetch:2
          - Loads dropped DLL
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID: 1312
            C:\Users\Admin\AppData\Local\Temp\svchost.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
              - Executes dropped EXE
              - Drops file in Program Files directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of AdjustPrivilegeToken
              PID: 2100
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:406540 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID: 2248
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:275470 /prefetch:2
          - Loads dropped DLL
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID: 800
            C:\Users\Admin\AppData\Local\Temp\svchost.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
              - Executes dropped EXE
              - Drops file in Program Files directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of AdjustPrivilegeToken
              PID: 2412
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:406561 /prefetch:2
          - Loads dropped DLL
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID: 2392
            C:\Users\Admin\AppData\Local\Temp\svchost.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
              - Executes dropped EXE
              - Drops file in Program Files directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 2680
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:2241557 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID: 2028
Network
MITRE ATT&CK Enterprise v15
Downloads

Download 1
  Filesize: 16KB
  MD5: 6585454cdde61809f12f1dcd33867757
  SHA1: 57622c863a4592c2c8f033082ce0bced8f190f51
  SHA256: 3986ab998508a9e4a932c7588cb76b937f0cc3781ca357153ae3db323e7f70c1
  SHA512: afaefcce077a8bc1a7288977e911b5428be9697bbfd3a4d586261df69c18dc7c33ee8cb76f02255c8b8ef8f9a554e1f1ac5dde368cc4cae0e80a1461f1f40412

Download 2
  Filesize: 84KB
  MD5: bee6f1f011766a1f40f0318adc585640
  SHA1: f9452d74dad86e1dd38108965e40585ff8ef7951
  SHA256: c8f1baab39b7c77de4504ce7f758ef46c0659e01f6af6922d1a4518687aa6ec9
  SHA512: 13714e5ab6d7da1ab4faa85b4c9801866ffa89f5b39aa053a03aeb13d4adbad4d9bc518f5586a18bb0bc7723f0e6168940ed70d7d6cf71d82120135fe0d51bd3