Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted
13/09/2024, 21:48
Behavioral task
behavioral1
Sample
def612ad0554006378f185d3b56efb57_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
def612ad0554006378f185d3b56efb57_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
Target
def612ad0554006378f185d3b56efb57_JaffaCakes118.exe
Size
148KB
MD5
def612ad0554006378f185d3b56efb57
SHA1
b27ea28e772fbc6b7f80b75b2ba6d32b39d6f256
SHA256
219423a32336987838bea44a471fe02700e2e74ba4c98ebb41512b7bc15e0c32
SHA512
5ebc664726aad811d6f91de8c7d355b312799e39e69af5218de0eda7d6696c5f1c025737c87c7bda0b22883425fd808770592c9bd7a3f39e759c5dbc46f14f9e
SSDEEP
1536:OjLzLxke+a6vLZqyMe6Gfo84U0taH3DfBTF7kK3RmkdumKlT4j0wEwVAcEDKgf:oxka6gGfoucaH3VBmkduXl8+wVAcw/
Malware Config
Signatures
Drops startup file 4 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk | def612ad0554006378f185d3b56efb57_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | def612ad0554006378f185d3b56efb57_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\netmgr.lnk | netmgr.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | netmgr.exe
Executes dropped EXE 1 IoCs
pid | Process
4756 | netmgr.exe
Loads dropped DLL 1 IoCs
pid | Process
4756 | netmgr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | def612ad0554006378f185d3b56efb57_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Modifies Internet Explorer settings
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31131174" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3370028395" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000 | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433029095" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3306591180" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31131174" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F0A37D4A-7219-11EF-BFD9-6ADB259EA846} = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1C3718AA-721A-11EF-BFD9-6ADB259EA846} = "0" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{43F20856-721A-11EF-BFD9-6ADB259EA846} = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3307528561" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31131174" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3369091042" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31131174" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31131174" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3306591180" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4756 | netmgr.exe
4756 | netmgr.exe
4756 | netmgr.exe
4756 | netmgr.exe
4756 | netmgr.exe
4756 | netmgr.exe
Suspicious use of FindShellTrayWindow 7 IoCs
pid | Process
3880 | def612ad0554006378f185d3b56efb57_JaffaCakes118.exe
4748 | IEXPLORE.EXE
220 | IEXPLORE.EXE
4756 | netmgr.exe
4704 | IEXPLORE.EXE
4756 | netmgr.exe
4852 | IEXPLORE.EXE
Suspicious use of SendNotifyMessage 3 IoCs
pid | Process
3880 | def612ad0554006378f185d3b56efb57_JaffaCakes118.exe
4756 | netmgr.exe
4756 | netmgr.exe
Suspicious use of SetWindowsHookEx 20 IoCs
pid | Process
4748 | IEXPLORE.EXE
4748 | IEXPLORE.EXE
5084 | IEXPLORE.EXE
5084 | IEXPLORE.EXE
220 | IEXPLORE.EXE
220 | IEXPLORE.EXE
1812 | IEXPLORE.EXE
1812 | IEXPLORE.EXE
1812 | IEXPLORE.EXE
1812 | IEXPLORE.EXE
4704 | IEXPLORE.EXE
4704 | IEXPLORE.EXE
2832 | IEXPLORE.EXE
2832 | IEXPLORE.EXE
2832 | IEXPLORE.EXE
2832 | IEXPLORE.EXE
4852 | IEXPLORE.EXE
4852 | IEXPLORE.EXE
1576 | IEXPLORE.EXE
1576 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 35 IoCs
description | pid | Process | procid_target
PID 3880 wrote to memory of 4756 | 3880 | def612ad0554006378f185d3b56efb57_JaffaCakes118.exe | 85
PID 3880 wrote to memory of 4756 | 3880 | def612ad0554006378f185d3b56efb57_JaffaCakes118.exe | 85
PID 3880 wrote to memory of 4756 | 3880 | def612ad0554006378f185d3b56efb57_JaffaCakes118.exe | 85
PID 4756 wrote to memory of 3692 | 4756 | netmgr.exe | 92
PID 4756 wrote to memory of 3692 | 4756 | netmgr.exe | 92
PID 4756 wrote to memory of 3692 | 4756 | netmgr.exe | 92
PID 3692 wrote to memory of 4748 | 3692 | iexplore.exe | 93
PID 3692 wrote to memory of 4748 | 3692 | iexplore.exe | 93
PID 4748 wrote to memory of 5084 | 4748 | IEXPLORE.EXE | 94
PID 4748 wrote to memory of 5084 | 4748 | IEXPLORE.EXE | 94
PID 4748 wrote to memory of 5084 | 4748 | IEXPLORE.EXE | 94
PID 4756 wrote to memory of 2344 | 4756 | netmgr.exe | 98
PID 4756 wrote to memory of 2344 | 4756 | netmgr.exe | 98
PID 4756 wrote to memory of 2344 | 4756 | netmgr.exe | 98
PID 2344 wrote to memory of 220 | 2344 | iexplore.exe | 99
PID 2344 wrote to memory of 220 | 2344 | iexplore.exe | 99
PID 220 wrote to memory of 1812 | 220 | IEXPLORE.EXE | 100
PID 220 wrote to memory of 1812 | 220 | IEXPLORE.EXE | 100
PID 220 wrote to memory of 1812 | 220 | IEXPLORE.EXE | 100
PID 4756 wrote to memory of 4548 | 4756 | netmgr.exe | 103
PID 4756 wrote to memory of 4548 | 4756 | netmgr.exe | 103
PID 4756 wrote to memory of 4548 | 4756 | netmgr.exe | 103
PID 4548 wrote to memory of 4704 | 4548 | iexplore.exe | 104
PID 4548 wrote to memory of 4704 | 4548 | iexplore.exe | 104
PID 4704 wrote to memory of 2832 | 4704 | IEXPLORE.EXE | 105
PID 4704 wrote to memory of 2832 | 4704 | IEXPLORE.EXE | 105
PID 4704 wrote to memory of 2832 | 4704 | IEXPLORE.EXE | 105
PID 4756 wrote to memory of 3024 | 4756 | netmgr.exe | 106
PID 4756 wrote to memory of 3024 | 4756 | netmgr.exe | 106
PID 4756 wrote to memory of 3024 | 4756 | netmgr.exe | 106
PID 3024 wrote to memory of 4852 | 3024 | iexplore.exe | 107
PID 3024 wrote to memory of 4852 | 3024 | iexplore.exe | 107
PID 4852 wrote to memory of 1576 | 4852 | IEXPLORE.EXE | 108
PID 4852 wrote to memory of 1576 | 4852 | IEXPLORE.EXE | 108
PID 4852 wrote to memory of 1576 | 4852 | IEXPLORE.EXE | 108
Processes
C:\Users\Admin\AppData\Local\Temp\def612ad0554006378f185d3b56efb57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\def612ad0554006378f185d3b56efb57_JaffaCakes118.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3880
  C:\Users\Admin\AppData\Local\Temp\netmgr.exe
  "C:\Users\Admin\AppData\Local\Temp\netmgr.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4756
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    -nohome
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3692
      C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      4⤵
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:4748
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4748 CREDAT:17410 /prefetch:2
        5⤵
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        PID:5084
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    -nohome
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2344
      C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      4⤵
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:220
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:220 CREDAT:17410 /prefetch:2
        5⤵
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        PID:1812
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    -nohome
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4548
      C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      4⤵
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:4704
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4704 CREDAT:17410 /prefetch:2
        5⤵
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        PID:2832
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    -nohome
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3024
      C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      4⤵
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:4852
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4852 CREDAT:17410 /prefetch:2
        5⤵
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        PID:1576
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B
MD5
84231e6b703a4b64fa601076af9e016a
SHA1
210e330be937e617085d28bf356c990a49dce0a5
SHA256
e10b7b5f4f3291d340cebafd2d87bbec8689ffb1750a813a2887b6cd31ce61b3
SHA512
e13fcb1e344dbd4cd9429faa51f61615ce602908e3eabb7ae9190e745f38747b62b563ca9c0c71abecff1fc398afd2652d32ec37511061d2dff2356aaad0b8d4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B
MD5
08fa9edcfc0d02fd7897650346fab066
SHA1
4ab043de647b92bdfdd862f3e313d5af83bd74ca
SHA256
56048545e1ac16480492ebe593762864579aba3482af998d0c8a324e190f54ad
SHA512
da912b03636cdd7d530a43ece67c12086698f0bbe0bc6c8f429c88d566e8297645fe4bd07707e7450b805369a08609927e2f0765eb6c450060cc70fbfefcef4e

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F0A37D4A-7219-11EF-BFD9-6ADB259EA846}.dat
Filesize
5KB
MD5
9bbf6398eca4267c18a364a4194c3232
SHA1
d8ab28ac036a3f5b17ec3d79d092b7b01e49a3a4
SHA256
c4a4d18f3918b5ff11ac2ae9a5483a0f9dde77e59dc553f8a92208074e85e505
SHA512
9aab43fabeb31e24f9542e53b2fe19c9d17c6139cb984e04adab85dccc3c2c3fda632a22e8942aa5ec019c51957d3490e6778164e2e63fefb7cfd15e867124b5

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F4776410-7219-11EF-BFD9-6ADB259EA846}.dat
Filesize
5KB
MD5
4e5d5dae379a097ef82ede202a8dadc9
SHA1
65f2b9269db937f8f76fe3a228c75bb4b83ac86d
SHA256
c844ce46bfa61c6dea7dfbdad602a687c1693dffe2691bbd7dedb8b6118f00ae
SHA512
e24a01d401f084d5389f59693c06ef2e5a6f98711d17375003f8de9bc5adcc939854786211bd4eb76872ffc3e6137a6971716b301a62ea5f0c74164c0bdaca66

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F4776410-7219-11EF-BFD9-6ADB259EA846}.dat
Filesize
4KB
MD5
c09fa684accf27ff7d9e359838b03cd2
SHA1
7e9fa32a00fde26fca34c99efff3c40f9d46f9d5
SHA256
0f2fbab8113fc1820f3c93201274f642cede29e6b23eccc5ec8b23b1122d73d9
SHA512
1c9c48a185975fede96c78b5219fc610710c489dabb6c464ab607e4c90b316ab80ca40123d89e297b49d0035f920e7909381c3052320cae822a90e46ff5eda5b

Filesize
15KB
MD5
1a545d0052b581fbb2ab4c52133846bc
SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Filesize
17KB
MD5
5a34cb996293fde2cb7a4ac89587393a
SHA1
3c96c993500690d1a77873cd62bc639b3a10653f
SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Filesize
96KB
MD5
c0c093987a55fe9ac61e6e2b5a362d51
SHA1
52126b81560e3319518c50058c86a8c5fce0d3d1
SHA256
5c7d07858c7d01156a7f624d86b16e948a4630a2388d0c3cc1be86bd95f4858e
SHA512
716e9dc694a1544be5730cc8b82a4a73d4f8763408c80fe38a61d66cc201d9cc440510b036dfb49d2b1353b827a7628c389e833678860e358c72951deea1c7ec

Filesize
20KB
MD5
4968882f189236952fd38a11586b395a
SHA1
1e9838e98b25619d9680854a6bd2418e044e52e5
SHA256
e917d277ce6d27e9740fede690f7bd810e99c0757ae4226cb30f8227c6b30b43
SHA512
3164a7d5fdbf3abc67caa56f974ad74d87059620d42ce6a656ede0480cf5a8d2fb87dd2fd3ba247409376437267af8b6388a78f3fbd67b42517ac0f2b4d13ef6

Filesize
138B
MD5
1b084b39bb267c7265f99bbf76c58b9d
SHA1
85abcded0afb763acaa24801236fa58bc2a2b740
SHA256
ceb3ff7139c7ab61399b932bb6a98746f367b6ae1304062cf8fa61dc66a1909e
SHA512
b986a1800fab0f9091ff174c318284097639bee155576976114820cdd7f8543dc0a3c3990be22f38d8d571d11adf6f8a0248e142b205bb5ac7077e481fc39406