Analysis
max time kernel: 149s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/04/2024, 18:15
Static task: static1
Behavioral task: behavioral1
  Sample: e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
Size: 468KB
MD5: e58e1a94f496400a4dedbefcaf340b2b
SHA1: ecea838bb847137c29705c0b546704ff486a4f46
SHA256: 5471a63ff1fcd035164628b783495591d3836c3153f2e1730929ed18b550f5d7
SHA512: b7b60fabd12f902f8cd2f481994f23c4fb61fec28700ccf98bb376345b184a1fecb52334fe1e64b3873580409f57065f6c51b989f31803fe38745b130904b7b6
SSDEEP: 12288:A06ld0/XOW0WVb3uPjl5XthpFN2BNp/OqAo1/S:A0U0P4yDyf9PT2BN0qAS/S
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Process: xuXKCQEP.exe
Set value (int): \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Executes dropped EXE (6 IoCs)
PID 3996 xuXKCQEP.exe
PID 2840 toast.exe
PID 1184 toast.exe
PID 3972 voast.exe
PID 4824 voast.exe
PID 1564 woast.exe
Adds Run key to start application (2 TTPs, 50 IoCs)
Process: xuXKCQEP.exe
Key: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value (str): xuXKCQEP = "C:\\Users\\Admin\\xuXKCQEP.exe /<switch>"
The same value was rewritten 50 times, each write with a different single-letter switch, in this order:
/q /C /G /g /M /Z /Y /e /j /y /W /l /m /c /h /v /F /U /T /P /N /B /a /s /R /E /x /f /D /k /t /H /J /A /X /K /i /S /o /n /V /I /b /d /Q /u /r /w /L /p
Suspicious use of SetThreadContext (4 IoCs)
PID 3944 e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe set thread context of PID 3008 (procid_target 97)
PID 2840 toast.exe set thread context of PID 1184 (procid_target 100)
PID 3972 voast.exe set thread context of PID 4824 (procid_target 102)
PID 4824 voast.exe set thread context of PID 3212 (procid_target 103)
Program crash (1 IoC)
PID 4780 WerFault.exe handled the crash of PID 4824 (procid_target 102)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 3996 xuXKCQEP.exe (44 hits)
PID 1184 toast.exe (20 hits)
Suspicious use of SetWindowsHookEx (3 IoCs)
PID 3008 e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
PID 3996 xuXKCQEP.exe
PID 1564 woast.exe
Suspicious use of WriteProcessMemory (43 IoCs)
PID 3944 e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe wrote to memory of PID 3008 (procid_target 97), 8 writes
PID 3008 e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe wrote to memory of PID 3996 (procid_target 98), 3 writes
PID 3008 e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe wrote to memory of PID 2840 (procid_target 99), 3 writes
PID 2840 toast.exe wrote to memory of PID 1184 (procid_target 100), 10 writes
PID 3008 e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe wrote to memory of PID 3972 (procid_target 101), 3 writes
PID 3972 voast.exe wrote to memory of PID 4824 (procid_target 102), 10 writes
PID 4824 voast.exe wrote to memory of PID 3212 (procid_target 103), 3 writes
PID 3008 e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe wrote to memory of PID 1564 (procid_target 109), 3 writes
Processes
C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe (PID 3944)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe (PID 3008)
        cmdline: e58e1a94f496400a4dedbefcaf340b2b_JaffaCakes118.exe
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\xuXKCQEP.exe (PID 3996)
            cmdline: C:\Users\Admin\xuXKCQEP.exe
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
        C:\Users\Admin\toast.exe (PID 2840)
            cmdline: C:\Users\Admin\toast.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\toast.exe (PID 1184)
                cmdline: toast.exe
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
        C:\Users\Admin\voast.exe (PID 3972)
            cmdline: C:\Users\Admin\voast.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\voast.exe (PID 4824)
                cmdline: voast.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory
                C:\Windows\explorer.exe (PID 3212)
                    cmdline: 000000B0*
                C:\Windows\SysWOW64\WerFault.exe (PID 4780)
                    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 236
                    - Program crash
        C:\Users\Admin\woast.exe (PID 1564)
            cmdline: C:\Users\Admin\woast.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\WerFault.exe (PID 3964)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4824 -ip 4824
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152KB
  MD5: b6d3a09df822fcf55b889b57c5ad799e
  SHA1: dc44a91e89534819dcb18d18a42e2c0d3d3b649f
  SHA256: 83f8d74aa948dc8569f2f44174eb4da6e3bf0d6ef9293c8a92d882c2fda0e07c
  SHA512: a7330d31a38361f41ae8385ff0541455fd098e874a29b0e8de3c92800fbe4ad2aa8a7a0374482d0e8a8db3363ca2e86c60216b9406eb306fe061bfde8086ebf1
- Filesize: 242KB
  MD5: dc6332b873df679e69e099579c8bc22d
  SHA1: 0341ad78eff722fae4142aa1da9e4be0116569f9
  SHA256: 8c95e0048da1c72815701a5bb8000023b96433ad05e63e568ee28246c153ab04
  SHA512: a6d9966765ede960b5f3929a61337d5582e40fae12cf5176dad9ec1ab608f4d73481ab1cc0ba168e162039fd3aabd75ceb16966b38999d9f71af2a5354fb7376
- Filesize: 24KB
  MD5: f29656c436f7a25b63fe325b01a86a95
  SHA1: 148fe98b4901aaf454118c89ec71f4d36bed05bc
  SHA256: 1cc6a49d67f8f63801d0ffa3722f96405995e9f30958e5a368589591583932de
  SHA512: d4eae9c9e02a1887ca30cd1750e73ade9d071594017e6d0d1cead2eff9c418b327752525fac130356d2454325e58ae54e24dd246784f15481ba2c01db7d097e7
- Filesize: 156KB
  MD5: 35362b609d4c80aa54977dd3c34f71a1
  SHA1: 0f561d1d9aa9543d1e9f759b90f6ff6f8b18dd89
  SHA256: 5c3e9c19f2015acdfda9921a68d6822348d4f82b6b1d12d248264d1361d72ca9
  SHA512: e96bc0bb4cea72ad7fa55af13a48e4d16c43b66238e663247db93a977d7f926241cae8a3672334cbe10ada0934401472e483d4067ace1358409068984949e9cb