Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
18/08/2024, 10:59
Static task
static1
Behavioral task
behavioral1
Sample
a68530dab223f080e594eed06ecefc44_JaffaCakes118.dll
Resource
win7-20240708-en
General
-
Target
a68530dab223f080e594eed06ecefc44_JaffaCakes118.dll
-
Size
195KB
-
MD5
a68530dab223f080e594eed06ecefc44
-
SHA1
583357a707980ea5f6c1707c582e6f7256206103
-
SHA256
4b6e2186514f55d30155139b381c8d4010be229a9cb2ffa03d1d7798649121d8
-
SHA512
e7c35415bb9f22c8dc3ddfc75046c5d18c6b2a82a045ada35f7084924629f29efd8df550a9c0f5bf63ab7e6f9b71dc57e391108da33c6513b24176b95745c112
-
SSDEEP
3072:KqLZ0EabcgO8JqJOuj3Yy+d1Amg6kbF85pGCDz7EQtVx1Phij8+WeH87Ywl:xqEabD0JOMKd1moJhkjZPy
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ielowutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 15 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" notepad.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" notepad.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" rundll32.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3132405443" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3132405443" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0108abf5df1da01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3131623619" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main notepad.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430743725" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bc9387f4f791b45af7c7e57591307f100000000020000000000106600000001000020000000ea5ec2101ddb15b6d8c5490c23aeeec38aa5593509114d62dd775e39f1087bc9000000000e800000000200002000000009acaa198f28f91a4ab0f6dcae1dd8b92b1946a023359a3d14ea780f6ee1169320000000f94a7de494702bb69fdb03425bb029d8c4c06767e7f95e6e7a90af78479b46cb40000000928e66803d2f85242c3c113552e7c8ea2526a9d058c9b2c3f81cc7177683bab58d98a796f9d1b302ad2771342d5cee5615cdab72dc3a9bd57e18d04a4d99085b iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31125853" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0e482bf5df1da01 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bc9387f4f791b45af7c7e57591307f100000000020000000000106600000001000020000000cb1880eec9510d252111c07f63f02cea1465c1cb567c6a12c877c866cf15e8eb000000000e80000000020000200000000e6d79ed7f49ab25d46fcbc9f6a82bfb2bda4e136420a9a46e3a5ef2fc6ad9ac200000000ab37417d08598c99fbaf7650c7d9bf2adbce552cf32aa85d6b07276d3cff5e240000000eb8ae236a6b19871fb5c6d660886351913b1bc5b42c972f56978529cabce5510d84d5eee1e13c4dbe091491395a4a6b48adaf3928d3a512f20ef3ab4781c842a iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3131623619" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31125853" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E59131D8-5D50-11EF-BB4F-EEE1DD5A0987} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main notepad.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31125853" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31125853" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe -
Modifies registry class 8 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings explorer.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1188 explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 656 rundll32.exe 656 rundll32.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 3848 notepad.exe 3848 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 656 rundll32.exe 656 rundll32.exe 656 rundll32.exe 656 rundll32.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe 1028 notepad.exe -
Suspicious use of FindShellTrayWindow 10 IoCs
pid Process 3568 iexplore.exe 3568 iexplore.exe 3568 iexplore.exe 3568 iexplore.exe 3568 iexplore.exe 3568 iexplore.exe 3568 iexplore.exe 3568 iexplore.exe 3568 iexplore.exe 3568 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1188 explorer.exe 1188 explorer.exe 3568 iexplore.exe 3568 iexplore.exe 3396 IEXPLORE.EXE 3396 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 1176 wrote to memory of 656 1176 rundll32.exe 84 PID 1176 wrote to memory of 656 1176 rundll32.exe 84 PID 1176 wrote to memory of 656 1176 rundll32.exe 84 PID 656 wrote to memory of 920 656 rundll32.exe 85 PID 656 wrote to memory of 920 656 rundll32.exe 85 PID 656 wrote to memory of 920 656 rundll32.exe 85 PID 656 wrote to memory of 1028 656 rundll32.exe 87 PID 656 wrote to memory of 1028 656 rundll32.exe 87 PID 656 wrote to memory of 1028 656 rundll32.exe 87 PID 656 wrote to memory of 1028 656 rundll32.exe 87 PID 3568 wrote to memory of 3396 3568 iexplore.exe 100 PID 3568 wrote to memory of 3396 3568 iexplore.exe 100 PID 3568 wrote to memory of 3396 3568 iexplore.exe 100 PID 656 wrote to memory of 3848 656 rundll32.exe 101 PID 656 wrote to memory of 3848 656 rundll32.exe 101 PID 656 wrote to memory of 3848 656 rundll32.exe 101 PID 656 wrote to memory of 3848 656 rundll32.exe 101 PID 656 wrote to memory of 3568 656 rundll32.exe 99
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a68530dab223f080e594eed06ecefc44_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a68530dab223f080e594eed06ecefc44_JaffaCakes118.dll,#12⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:920
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe3⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
PID:1028
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe3⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
PID:3848
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1188
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding1⤵PID:3172
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵
- System Location Discovery: System Language Discovery
PID:1992
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3568 CREDAT:17410 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3396
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD55807ccf18a4daa262942fd318d06027d
SHA1dbc8a19819ea0e72bb69aea4e08b5c08b19cebe9
SHA25649127429f1b3e1e3126358abbce54b463587489939f48256edc3f4f54dc10890
SHA512204d2d8ff7d0b847b6263f9759441c88c32d39fca326de017c1c1e2bb33d64455adfcde5e96705f5408361a3a34baf002aaff12645413e5ec3bb13b2d7e980ad
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD5019e6402d500d38e035d50da2b3b837b
SHA15659ce1155622a02805da12179107b3c44f44661
SHA256f39cac4236620b2b13441ba89b7ee6cd2bea019379b7cad06e165cc22ddf1971
SHA5125616a7a4b1d7f34421f19fd7d0ae2ea7ea04704811d731ce331122ab3bd714adcb4cf1a8cdbd806850a727c88c61ca62828a1b65cb8ab8fac050d5db4749bf1a
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee