Analysis
max time kernel: 81s
max time network: 91s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 07:48
Static task: static1
Behavioral task: behavioral1
Sample: 113da7d187f20fe726dc04e1b86ed1a1_JaffaCakes118.dll
Resource: win7-20240611-en
General
Target: 113da7d187f20fe726dc04e1b86ed1a1_JaffaCakes118.dll
Size: 193KB
MD5: 113da7d187f20fe726dc04e1b86ed1a1
SHA1: 592790461e388de6cfe81261622cac52c4c2d337
SHA256: bd5440f408773d078e21b726e5bcc8931aa78b396204a969edd3f06a40f01520
SHA512: 84eba7665a4906f4e5064676cec8eb98b1fda00a1d524ca91174d3eac21799e1867bc9cfbb76566c8fc21017080c061c19949c534e86436f05b95ad4bf0855cf
SSDEEP: 3072:I73MITL/9oSmkbx3ZtffjBTnIwanLM0EWARqiyp0giE/Uco+yuO:OdTpountf75Iwk3Biyw2RAuO
Malware Config
Signatures
Executes dropped EXE 2 IoCs
pid | Process
1156 | regsvr32mgr.exe
220 | WaterMark.exe

resource | yara_rule
behavioral2/memory/1156-9-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1156-11-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1156-8-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1156-12-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1156-13-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1156-6-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/1156-7-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/220-26-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/220-27-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral2/memory/220-38-0x0000000000400000-0x0000000000421000-memory.dmp | upx
Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\regsvr32mgr.exe | regsvr32.exe

Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft\px4A47.tmp | regsvr32mgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | regsvr32mgr.exe
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | regsvr32mgr.exe

Program crash 1 IoCs
pid | pid_target | Process | procid_target
2900 | 1236 | WerFault.exe | 84
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{778545F3-3390-11EF-BCA5-E20E9B62A9C1} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425549983" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7782E3C2-3390-11EF-BCA5-E20E9B62A9C1} = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Modifies registry class 45 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ = "IWMPDeskBandDispatch" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\CLSID\ = "{0A4286EA-E355-44FB-8086-AF3DF7645BD9}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\113da7d187f20fe726dc04e1b86ed1a1_JaffaCakes118.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\ = "{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ = "IWMPDeskBandDispatch" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\LocalizedString = "@C:\\Users\\Admin\\AppData\\Local\\Temp\\113da7d187f20fe726dc04e1b86ed1a1_JaffaCakes118.dll,-101" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\ = "{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\FLAGS\ = "0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand\CLSID\ = "{0A4286EA-E355-44FB-8086-AF3DF7645BD9}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories\{00021492-0000-0000-C000-000000000046} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ProgID\ = "WMP.DeskBand.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\VersionIndependentProgID\ = "WMP.DeskBand" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\Implemented Categories | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\ = "WMPDeskBand 1.0 Type Library" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\ = "&Windows Media Player" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\MenuText = "@C:\\Users\\Admin\\AppData\\Local\\Temp\\113da7d187f20fe726dc04e1b86ed1a1_JaffaCakes118.dll,-101" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A4286EA-E355-44FB-8086-AF3DF7645BD9}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\HELPDIR | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A55922C-3B1F-469B-8D0D-B15060499A52}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand.1\ = "&Windows Media Player" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DeskBand\ = "&Windows Media Player" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B6DD1ED6-573F-40FD-99A1-F28D8BF23916}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\113da7d187f20fe726dc04e1b86ed1a1_JaffaCakes118.dll" | regsvr32.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process
220 | WaterMark.exe (16 identical entries)

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 220 | WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2280 | iexplore.exe
4752 | iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process
4752 | iexplore.exe (2 entries)
2280 | iexplore.exe (2 entries)
3416 | IEXPLORE.EXE (2 entries)
380 | IEXPLORE.EXE (2 entries)
3416 | IEXPLORE.EXE (2 entries)

Suspicious use of UnmapMainImage 2 IoCs
pid | Process
1156 | regsvr32mgr.exe
220 | WaterMark.exe

Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 3940 wrote to memory of 3428 | 3940 | regsvr32.exe | 81 (3 entries)
PID 3428 wrote to memory of 1156 | 3428 | regsvr32.exe | 82 (3 entries)
PID 1156 wrote to memory of 220 | 1156 | regsvr32mgr.exe | 83 (3 entries)
PID 220 wrote to memory of 1236 | 220 | WaterMark.exe | 84 (9 entries)
PID 220 wrote to memory of 2280 | 220 | WaterMark.exe | 88 (2 entries)
PID 220 wrote to memory of 4752 | 220 | WaterMark.exe | 89 (2 entries)
PID 2280 wrote to memory of 3416 | 2280 | iexplore.exe | 91 (3 entries)
PID 4752 wrote to memory of 380 | 4752 | iexplore.exe | 90 (3 entries)
Processes
C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\113da7d187f20fe726dc04e1b86ed1a1_JaffaCakes118.dll
  PID: 3940
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\113da7d187f20fe726dc04e1b86ed1a1_JaffaCakes118.dll
    PID: 3428
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32mgr.exe
      Command line: C:\Windows\SysWOW64\regsvr32mgr.exe
      PID: 1156
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Microsoft\WaterMark.exe
        Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
        PID: 220
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe
          Command line: C:\Windows\system32\svchost.exe
          PID: 1236
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 204
            PID: 2900
            - Program crash
        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 2280
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2280 CREDAT:17410 /prefetch:2
            PID: 3416
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          PID: 4752
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4752 CREDAT:17410 /prefetch:2
            PID: 380
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1236 -ip 1236
  PID: 2416
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7782E3C2-3390-11EF-BCA5-E20E9B62A9C1}.dat
Filesize: 5KB
MD5: bc300c332f319c40ac2296c3a87ba7c4
SHA1: 82e669515b8b67f0f05c3c1163143ccdd6eedce9
SHA256: 5ee3ca598f3cd405b286362d2d2bd96f0489f0b51828a285a6ecf15a2d5ef24b
SHA512: 4861a7f85d5d0d85a6fa11fde77bb4b387855cb0d2341c899b31e0b0883a8028715ee3fcfb683a042a39679b7bc8791038df714b13331a2246026aa23cd3a7ad

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{778545F3-3390-11EF-BCA5-E20E9B62A9C1}.dat
Filesize: 3KB
MD5: bc60cc1283505ab3d53e87209309f3a0
SHA1: fe7269907085387aa588d5e629d8d29fdeb5e639
SHA256: e374e8acbc77bc428155d3bc50e40f25f1721177a016f81c1ef9426b2863f53f
SHA512: 789f6403cd8fd874ba749e039fd67b2fa56f85a3c437f4af264703a946084cc5a65d59a113c9c585e3a2b1783e58bae9b93538337bb74fa3eb946989f1b2b893

Filesize: 96KB
MD5: 8c51fd9d6daa7b6137634de19a49452c
SHA1: db2a11cca434bacad2bf42adeecae38e99cf64f8
SHA256: 528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3
SHA512: b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837