Analysis
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/09/2024, 06:44
Behavioral task: behavioral1
Sample: dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
Size: 80KB
MD5: dc01df3c40cb4fb0bef448693475ea1b
SHA1: a81ba37cce6201f5ad4d256c1eac55976cbdb5ac
SHA256: 422ba6dae6752430a2e52e1efb327f277e912ce551f9f1408ee6ab13ebf3717a
SHA512: 9160928492dd4ec28bb00fd00657cd05d104f4e4938dbf25f2acc65a5a0b0280a67a503e58713191a8b95709bdd2fd47439f61529733c7242792c59141359e29
SSDEEP: 768:DAbj35jVq5PIZtsUD0oc75LXf+Dmu0+zaEMv38S/A6yM+tX/1M5F0knS3qXxDTgP:Eju5gQqhYf8m2aImH1m0uAB24CjFlKE
Malware Config
Signatures
Drops startup file 4 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | netmgr.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk | dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk | netmgr.exe

Executes dropped EXE 1 IoCs
pid | Process
4372 | netmgr.exe

Loads dropped DLL 1 IoCs
pid | Process
4372 | netmgr.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DDB90A6D-70D2-11EF-9912-EEE1DD5A0987} = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8CF2FF97-70D2-11EF-9912-EEE1DD5A0987} = "0" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31130847" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1681892535" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B6D4AF54-70D2-11EF-9912-EEE1DD5A0987} = "0" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000 | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8FE92B6E-70D2-11EF-9912-EEE1DD5A0987} = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1632986595" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1635642251" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31130847" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1683924277" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31130847" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31130847" | IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4372 | netmgr.exe
4372 | netmgr.exe
4372 | netmgr.exe
4372 | netmgr.exe
4372 | netmgr.exe
4372 | netmgr.exe

Suspicious use of FindShellTrayWindow 8 IoCs
pid | Process
1064 | dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
5048 | IEXPLORE.EXE
2272 | IEXPLORE.EXE
4372 | netmgr.exe
2000 | IEXPLORE.EXE
4372 | netmgr.exe
3944 | IEXPLORE.EXE
4372 | netmgr.exe

Suspicious use of SendNotifyMessage 4 IoCs
pid | Process
1064 | dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
4372 | netmgr.exe
4372 | netmgr.exe
4372 | netmgr.exe

Suspicious use of SetWindowsHookEx 20 IoCs
pid | Process
5048 | IEXPLORE.EXE
5048 | IEXPLORE.EXE
2936 | IEXPLORE.EXE
2936 | IEXPLORE.EXE
2272 | IEXPLORE.EXE
2272 | IEXPLORE.EXE
4396 | IEXPLORE.EXE
4396 | IEXPLORE.EXE
4396 | IEXPLORE.EXE
4396 | IEXPLORE.EXE
2000 | IEXPLORE.EXE
2000 | IEXPLORE.EXE
2184 | IEXPLORE.EXE
2184 | IEXPLORE.EXE
2184 | IEXPLORE.EXE
2184 | IEXPLORE.EXE
3944 | IEXPLORE.EXE
3944 | IEXPLORE.EXE
1900 | IEXPLORE.EXE
1900 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target
PID 1064 wrote to memory of 4372 | 1064 | dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe | 84
PID 1064 wrote to memory of 4372 | 1064 | dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe | 84
PID 1064 wrote to memory of 4372 | 1064 | dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe | 84
PID 1064 wrote to memory of 956 | 1064 | dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe | 86
PID 1064 wrote to memory of 956 | 1064 | dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe | 86
PID 1064 wrote to memory of 956 | 1064 | dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe | 86
PID 4372 wrote to memory of 4460 | 4372 | netmgr.exe | 94
PID 4372 wrote to memory of 4460 | 4372 | netmgr.exe | 94
PID 4372 wrote to memory of 4460 | 4372 | netmgr.exe | 94
PID 4460 wrote to memory of 5048 | 4460 | iexplore.exe | 95
PID 4460 wrote to memory of 5048 | 4460 | iexplore.exe | 95
PID 5048 wrote to memory of 2936 | 5048 | IEXPLORE.EXE | 96
PID 5048 wrote to memory of 2936 | 5048 | IEXPLORE.EXE | 96
PID 5048 wrote to memory of 2936 | 5048 | IEXPLORE.EXE | 96
PID 4372 wrote to memory of 1528 | 4372 | netmgr.exe | 100
PID 4372 wrote to memory of 1528 | 4372 | netmgr.exe | 100
PID 4372 wrote to memory of 1528 | 4372 | netmgr.exe | 100
PID 1528 wrote to memory of 2272 | 1528 | iexplore.exe | 101
PID 1528 wrote to memory of 2272 | 1528 | iexplore.exe | 101
PID 2272 wrote to memory of 4396 | 2272 | IEXPLORE.EXE | 102
PID 2272 wrote to memory of 4396 | 2272 | IEXPLORE.EXE | 102
PID 2272 wrote to memory of 4396 | 2272 | IEXPLORE.EXE | 102
PID 4372 wrote to memory of 4876 | 4372 | netmgr.exe | 105
PID 4372 wrote to memory of 4876 | 4372 | netmgr.exe | 105
PID 4372 wrote to memory of 4876 | 4372 | netmgr.exe | 105
PID 4876 wrote to memory of 2000 | 4876 | iexplore.exe | 106
PID 4876 wrote to memory of 2000 | 4876 | iexplore.exe | 106
PID 2000 wrote to memory of 2184 | 2000 | IEXPLORE.EXE | 107
PID 2000 wrote to memory of 2184 | 2000 | IEXPLORE.EXE | 107
PID 2000 wrote to memory of 2184 | 2000 | IEXPLORE.EXE | 107
PID 4372 wrote to memory of 1152 | 4372 | netmgr.exe | 108
PID 4372 wrote to memory of 1152 | 4372 | netmgr.exe | 108
PID 4372 wrote to memory of 1152 | 4372 | netmgr.exe | 108
PID 1152 wrote to memory of 3944 | 1152 | iexplore.exe | 109
PID 1152 wrote to memory of 3944 | 1152 | iexplore.exe | 109
PID 3944 wrote to memory of 1900 | 3944 | IEXPLORE.EXE | 110
PID 3944 wrote to memory of 1900 | 3944 | IEXPLORE.EXE | 110
PID 3944 wrote to memory of 1900 | 3944 | IEXPLORE.EXE | 110
Processes (indentation shows the parent/child depth)

C:\Users\Admin\AppData\Local\Temp\dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
command line: "C:\Users\Admin\AppData\Local\Temp\dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe"
PID: 1064
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\netmgr.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\netmgr.exe"
    PID: 4372
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        command line: -nohome
        PID: 4460
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

            C:\Program Files\Internet Explorer\IEXPLORE.EXE
            command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
            PID: 5048
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

                C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5048 CREDAT:17410 /prefetch:2
                PID: 2936
                - System Location Discovery: System Language Discovery
                - Modifies Internet Explorer settings
                - Suspicious use of SetWindowsHookEx

        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        command line: -nohome
        PID: 1528
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

            C:\Program Files\Internet Explorer\IEXPLORE.EXE
            command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
            PID: 2272
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

                C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2272 CREDAT:17410 /prefetch:2
                PID: 4396
                - System Location Discovery: System Language Discovery
                - Modifies Internet Explorer settings
                - Suspicious use of SetWindowsHookEx

        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        command line: -nohome
        PID: 4876
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

            C:\Program Files\Internet Explorer\IEXPLORE.EXE
            command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
            PID: 2000
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

                C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:17410 /prefetch:2
                PID: 2184
                - System Location Discovery: System Language Discovery
                - Modifies Internet Explorer settings
                - Suspicious use of SetWindowsHookEx

        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        command line: -nohome
        PID: 1152
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

            C:\Program Files\Internet Explorer\IEXPLORE.EXE
            command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
            PID: 3944
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

                C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3944 CREDAT:17410 /prefetch:2
                PID: 1900
                - System Location Discovery: System Language Discovery
                - Modifies Internet Explorer settings
                - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\dc01df3c40cb4fb0bef448693475ea1b_JaffaCakes118.exe
    PID: 956
    - System Location Discovery: System Language Discovery

Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: 5f81c2f0e32c339ad20a7b38cb5b684b
SHA1: 4196d08225494b3da7819301cac57f3618ef8aa7
SHA256: f1465c392ed09e095c9ed94934a546cd13bcf3c2f5fcd669bb58fb1475fc3b39
SHA512: fff25d77166243ec1c5e029ca5c51b605228e6faebbc08834c3bc9c1042f14596c062e9ab9f9cc6567f5ba3bb0679a4fc833704fbef0c91a1461bc005d4bf19b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: e8356122a72dbbbf2d2837f2ac068b49
SHA1: 02e7829fef15e387c3c352494d2e326d6c12c2dd
SHA256: a81b7834e05496ced29b2d2f2848241c2445db502f393250d2d4b8444cd68a72
SHA512: d5ba35e45a94e0a91eddb299aba6cd0ac42a54a922162de5c66f4c57c5055f6b6383b2f9bd1da11c41da0fb9dace5718b81ea000c855326e3f235a7b3c329e10

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8CF2FF97-70D2-11EF-9912-EEE1DD5A0987}.dat
Filesize: 5KB
MD5: 52438b446e55238e2ed47f47491ea839
SHA1: 6c1bb7163fa73107c7056dc044177338e8edd228
SHA256: b18bed856aea88d08a0ad9d6a807c0ba65e4ed03e787bc5e9305abe3015fabeb
SHA512: 7847688cd4cbcd03762c8eb4fa9b400a65c8ab95585a3ea453fe853f6b7786bd9b39cdecd86a1b2d4ca06a88d95b3ef32420a7759345b4fc5e71b327667ed589

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8FE92B6E-70D2-11EF-9912-EEE1DD5A0987}.dat
Filesize: 5KB
MD5: f6e7b0681c1e9d371f32a2dabd87935c
SHA1: 411b72a52dee442949d826e0323f7037575eaa60
SHA256: a1943e92242cd503c765bc1fb5054dad80d1b15aee812a3c9f3b630b4cbd8e6d
SHA512: b03fcd7e68f683c75681e2a7b47d921193e4dc20a646249f378ef273fa5820492fc265540ba93f3693ebc07e150bc3fcded2b1ee8e81c376b0db3bcd8e2038ef

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8FE92B6E-70D2-11EF-9912-EEE1DD5A0987}.dat
Filesize: 4KB
MD5: cd831bec1404de9cfd8dc07ce2c2a00d
SHA1: 1df2f3c35b2631377eeedc170024fdfbbf2329b5
SHA256: 5f660923929bf8fe7cc5aaf943ed50c7b889354aba88b4d3c1f1eb88893546be
SHA512: f6af4558c6ab2a0b98f7e38da4e3166de19accedfece4afa8c5a664dc2f2c3d8da15464492bce83b88b281235684a061d645e56e17d0e79e06a83265629d6dcb

Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Filesize: 49KB
MD5: d24fa8bc709ada9af8d4d755c132290f
SHA1: 6dbe09062fd25a7c05002bf72ca86da35777b47d
SHA256: 9a62e435a04486c6acafd602f782cf1ed0ac65a0159c6c47ed4fad996c1799ff
SHA512: 6386ee31f577ccedc3fc50a6224f07c10fd0a019eac8c8de940c46a7ca56386527678ddfe080f59cf33ce44974273f8e93e1f65a680af1ed55a56f3c4cb26ee2

Filesize: 16KB
MD5: ff04126a5d61a10c81bfd0a6d0a643d0
SHA1: ffab0d227b67c60de19af0f3b3b05c7e6fa7eedc
SHA256: 5a9d84792a06b3d2037f567e0f57781722a950d485854cf5e4042cbdd51d82af
SHA512: d22771de0ca11e2efcdcbebae6de8fbc4865a45a3e3aff8eafab8da2fc75dab8a1256ae62ed7463d039c4fe045d4f9d6e161b5fc225583334750f9613199cd56

Filesize: 145B
MD5: 3404edfd6310bca1c2e0b3d49281b267
SHA1: e845182b7ef9d7dda499ce5806401b8e063ed7fc
SHA256: 8330f32dff8de2a6d6bd38a3b4081ab7bc8aea3595b2ee6382c93c93ea571c60
SHA512: 89c8af65e3d6b1a4932ab77c851489e4a39109c559caac92506dd84b78a354d101e32fe16e8828ed22260a90b3b3df613cff0c20cc51e10205dfb1e9b3ee870f