
Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/04/2024, 18:52

General

  • Target

    05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe

  • Size

    150KB

  • MD5

    05da866cdc40e2426903e2c3ba8bbcb6

  • SHA1

    c8df5f665324305d51851c1f6decbf612b4be8ab

  • SHA256

    c56db4bb0499c957719c72f76f4b3541a10bfa0c567afbed37597669ebeb7c31

  • SHA512

    a47c949be8c5ecc6ef583587efc9939b1738fc25de2ba11d5d77c7294fcaa09271d54965fe58fb50f05f7cccaa282641c68c4819e6ad59be255221b3e1bb8818

  • SSDEEP

    1536:cWwa6OYkIgzwOYFu/vWInvqTgiV6ZokAMOwklOcjUpkWb2TTghpwuh:lz6ODIn3u//vS4oEOXOcjWJuuth

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
  • Modifies visibility of file extensions in Explorer (2 TTPs, 7 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 7 IoCs)
  • Disables RegEdit via registry modification (14 IoCs)
  • Disables Task Manager via registry modification
  • Disables use of System Restore points (1 TTPs)
  • Executes dropped EXE (64 IoCs)
  • Loads dropped DLL (64 IoCs)
  • Modifies system executable filetype association (2 TTPs, 24 IoCs)
  • Adds Run key to start application (2 TTPs, 10 IoCs)
  • Drops desktop.ini file(s) (10 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (64 IoCs)
  • Drops file in Windows directory (60 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (8 IoCs)
  • Modifies Control Panel (8 IoCs)
  • Modifies registry class (27 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoCs)
  • Suspicious use of SetWindowsHookEx (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTPs, 35 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2340
    • C:\Windows\4k51k4.exe
      C:\Windows\4k51k4.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2372
      • C:\Windows\4k51k4.exe
        C:\Windows\4k51k4.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1944
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:608
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1408
        • C:\Windows\4k51k4.exe
          C:\Windows\4k51k4.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2280
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          PID:1536
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2980
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2148
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1516
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2640
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1728
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 376
          4⤵
          • Program crash
          PID:1940
          • C:\Windows\SysWOW64\Shell.exe
            "C:\Windows\system32\Shell.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            PID:2480
          • C:\Windows\SysWOW64\Shell.exe
            "C:\Windows\system32\Shell.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            PID:1592
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:396
        • C:\Windows\4k51k4.exe
          C:\Windows\4k51k4.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1984
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          PID:1524
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2532
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2260
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2436
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2860
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2820
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 372
          4⤵
          • Program crash
          PID:1616
          • C:\Windows\SysWOW64\Shell.exe
            "C:\Windows\system32\Shell.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            PID:2252
          • C:\Windows\SysWOW64\Shell.exe
            "C:\Windows\system32\Shell.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            PID:1400
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1896
        • C:\Windows\4k51k4.exe
          C:\Windows\4k51k4.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2600
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          PID:2692
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2448
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2856
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:776
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1580
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2884
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 344
          4⤵
          • Program crash
          PID:536
          • C:\Windows\SysWOW64\Shell.exe
            "C:\Windows\system32\Shell.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            PID:600
          • C:\Windows\SysWOW64\Shell.exe
            "C:\Windows\system32\Shell.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            PID:380
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2332
        • C:\Windows\4k51k4.exe
          C:\Windows\4k51k4.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2512
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          PID:2440
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2964
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2432
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1164
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:3060
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2328
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 360
          4⤵
          • Program crash
          PID:1780
          • C:\Windows\SysWOW64\Shell.exe
            "C:\Windows\system32\Shell.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            PID:2348
          • C:\Windows\SysWOW64\Shell.exe
            "C:\Windows\system32\Shell.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            PID:2312
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:852
        • C:\Windows\4k51k4.exe
          C:\Windows\4k51k4.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:376
        • C:\Windows\SysWOW64\IExplorer.exe
          C:\Windows\system32\IExplorer.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          PID:1356
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2196
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2024
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1564
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1156
        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
          "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1868
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 364
          4⤵
          • Program crash
          PID:596
          • C:\Windows\SysWOW64\Shell.exe
            "C:\Windows\system32\Shell.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            PID:944
          • C:\Windows\SysWOW64\Shell.exe
            "C:\Windows\system32\Shell.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            PID:1716
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 368
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:1904
        • C:\Windows\SysWOW64\Shell.exe
          "C:\Windows\system32\Shell.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          PID:284
        • C:\Windows\SysWOW64\Shell.exe
          "C:\Windows\system32\Shell.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          PID:3012
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 216
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:1220
        • C:\Windows\SysWOW64\Shell.exe
          "C:\Windows\system32\Shell.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1468
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 240
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:1748
            • C:\Windows\SysWOW64\Shell.exe
              "C:\Windows\system32\Shell.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Suspicious use of SetWindowsHookEx
              PID:1576
            • C:\Windows\SysWOW64\Shell.exe
              "C:\Windows\system32\Shell.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Drops file in Windows directory
              • Suspicious use of SetWindowsHookEx
              PID:328
    • C:\Windows\4k51k4.exe
      C:\Windows\4k51k4.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1232
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:2120
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1892
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2684
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      PID:2572
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      PID:3020
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      PID:2984
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      PID:2412
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      PID:2932
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      PID:2532
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      PID:2980
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      PID:2416

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\4K51K4\Folder.htt
    Filesize: 640B
    MD5: 5d142e7978321fde49abd9a068b64d97
    SHA1: 70020fcf7f3d6dafb6c8cd7a55395196a487bef4
    SHA256: fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061
    SHA512: 2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

  • C:\4k51k4.exe
    Filesize: 150KB
    MD5: 1523e36aeef239101629b4be86d9fa79
    SHA1: 020d1154946350715b6821a8e9078d8766f16994
    SHA256: e458c123ffba1f0747d50f324fc6f16f08525642fb5ae411369cb23ab0abce73
    SHA512: 9b35b4c686856919f8f3fb8a8b30059bbfd5e8ccee9247d25eab5a18c9a5c3cea654ff93ab6b971e461ac6269a148a677583eef08742e5e5b294e7eb1e0a0567

  • C:\Puisi.txt
    Filesize: 442B
    MD5: 001424d7974b9a3995af292f6fcfe171
    SHA1: f8201d49d594d712c8450679c856c2e8307d2337
    SHA256: 660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d
    SHA512: 66ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657

  • C:\Users\Admin\AppData\Local\services.exe
    Filesize: 150KB
    MD5: 05da866cdc40e2426903e2c3ba8bbcb6
    SHA1: c8df5f665324305d51851c1f6decbf612b4be8ab
    SHA256: c56db4bb0499c957719c72f76f4b3541a10bfa0c567afbed37597669ebeb7c31
    SHA512: a47c949be8c5ecc6ef583587efc9939b1738fc25de2ba11d5d77c7294fcaa09271d54965fe58fb50f05f7cccaa282641c68c4819e6ad59be255221b3e1bb8818

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    Filesize: 150KB
    MD5: e68bcf3a137dac9f6864da3952e81223
    SHA1: 5ac4e01ea418db213788181825d00e45d449811b
    SHA256: d48222d56a40cb8605a6318fc3349f603843205d38cc9fc2f20317b2b1261474
    SHA512: 568561586acde06ef0e133ccfc012ee6b04b7c1a1375a13178ee7a07c2ee1e0a3f19bf6f0d3d0a871d4be6df458bd806190d34517678c85b38a29db518b90a10

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.exe
    Filesize: 150KB
    MD5: 74e2bb695cdaeae6c2b6eb8fae96c73b
    SHA1: 9a5c6b8fee8a6808e5d651a5e63e959c09f34b96
    SHA256: bcd9d0e910686c462e3e701899b93f7b98053778c198be79a94ff20e54241377
    SHA512: 21debf2d4dac577b7e110ef9b869b1f98f77170ec250a9130295a6ba25db99e4751fa8e36d797ad4390f91e1dbc883560efa61b38554d11e4da29a0d18c87b9d

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Filesize: 150KB
    MD5: e6a07d6b3d08834e770cb0e779ad5070
    SHA1: 675b4ac3cfe12977a485935f16b08fedb8f9b61a
    SHA256: 1a4c84c0be1abac86e08aa4431ffe25b51ffeaa53ce39550c49cfd8ac1e8f121
    SHA512: f59bcf41279ea0cae062607928fc44650189d540b746dede44943ca38f5715e2213051b0baab3a3a5f0f6c89a1e7d9497ffb1c2bdd073652a1fa56126077ae91

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    Filesize: 150KB
    MD5: f2663a4524a5c50b342e4bd95f40f419
    SHA1: a3c4b2327836a7ebc92ff741fc829e5efbaf5fb2
    SHA256: 22e006c601710cca7cbe6f3bae88a9300db9036d09c5a4efe79d370d284b5ba3
    SHA512: 222bb1382427fbcbff587687304efd2a73dd9665d86fe26de763e2e1c161bb762b1ba60b2c45e3f7f334fbdc301ed826c88c715bf999387207a35d5dc4d75710

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize: 150KB
    MD5: b9c752975f0fada8fa1d28e0280974b8
    SHA1: 56888996cc9aba0949e15af10d2b8765c8ecc12e
    SHA256: 6d068faae63c61d50ef0832f4bedc22cb1fae85add032e63d8e7da2c115d379c
    SHA512: ea09138de2e676624605257ba50622da24dd8341d470a11d715e9c72c2635fd73baaf56392c28586d888652eefeb79aaa6bbd1576322603e30ed70fc702b37e1

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize: 150KB
    MD5: a3a5231d6f12463c8f1ded3eeef85246
    SHA1: 5c7beeb2406f2c6867b183393360492d292d56ad
    SHA256: 230760ffe58e4271bb12e948df15416215a9c66f0db1be51554530e50eb6159a
    SHA512: f94b8b8d2320d829c627e117f32e21e7bf0d0c587f5952c7b40f005db879e2c78eb10ed2444c67f39fc85397a8cc75272101e82976d136b64e4a015696ae8b74

  • C:\Windows\4k51k4.exe
    Filesize: 150KB
    MD5: 508b43f2f3548bec6c60c94bfde4abc3
    SHA1: 9da03f7ffb0226ac2f9e365ca568b60bff6dc56f
    SHA256: 85b3659eb325f5b5530fe1bf0620b6c2b395a0d98ba64c4be97e40a9066bd5df
    SHA512: a63a1b86730e1ab797aad34d77f23032002a2f38cf94b6369a555af355b54b23e014965dec31ab61508d53cb168d3ae2900c3c0fd7e3e10992d5922512b1fcb5

  • C:\Windows\SysWOW64\MrHelloween.scr
    Filesize: 150KB
    MD5: ce8fbe7e9918fa5dba056ea6cdea50af
    SHA1: a008ea2f6afeb8e9a56a2bccd830ac8a400cba05
    SHA256: 0d7496a8ac5ad7ee7850fa3f553dbe369c5b0a9ef062e7ef0676b1c27325258d
    SHA512: 97898bba94632b2058439544381c8788ef3f8fa84c4b64e2e354c3d264615a03f963bbec563968226127be2bf87034380f05488d5337f357202382143963e95c

  • C:\Windows\msvbvm60.dll
    Filesize: 1.3MB
    MD5: 5343a19c618bc515ceb1695586c6c137
    SHA1: 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
    SHA256: 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
    SHA512: 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • \Windows\SysWOW64\IExplorer.exe
    Filesize: 150KB
    MD5: 4ad22f32782f2e9eb2cb79e7819ce95f
    SHA1: 36e34a8111f60494adbcfa8619a5ac176e329823
    SHA256: 35bae5cbeb46bbc42f3e6aafecec844ffb0447c216a38e8dff1132929b0f86fc
    SHA512: 829d58c6398af06b417b8d3eafbb2b4e4ffb90b8ba92aec4eed635cf4dc25a2779e8c6957b6b2f21c89198171e1c974c53cc61c76750a4ee81b00477ed9b0c97

  • \Windows\SysWOW64\shell.exe
    Filesize: 150KB
    MD5: 3e020aa11416229b464731ad1bf719d6
    SHA1: e434d28895b73332e074320881ffcf2e22d0e992
    SHA256: 4734a0ac53acc70dbd153be3db272146589f24367372e7abc78fbd2ce574672e
    SHA512: 62ffcc4fcf8b89651919d5f00c5a3aebfefb8e2038508d8b4b7b42e807ab727126ab7925c9d1ec6d90cde8c08906bf6f1e3cb07af38cc046d0a9a99223c53196

  • memory/376-423-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize: 1.3MB

  • memory/1408-216-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB

  • memory/1468-131-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB

  • memory/1944-203-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize: 1.3MB

  • memory/1984-317-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize: 1.3MB

  • memory/2280-313-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize: 1.3MB

  • memory/2340-0-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB

  • memory/2372-113-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB

  • memory/2440-375-0x0000000000230000-0x0000000000240000-memory.dmp
    Filesize: 64KB

  • memory/2440-376-0x0000000000230000-0x0000000000240000-memory.dmp
    Filesize: 64KB

  • memory/2472-123-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB

  • memory/2512-374-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize: 1.3MB

  • memory/2600-347-0x0000000000230000-0x0000000000240000-memory.dmp
    Filesize: 64KB

  • memory/2600-351-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize: 1.3MB

  • memory/2600-346-0x0000000000230000-0x0000000000240000-memory.dmp
    Filesize: 64KB

  • memory/2964-382-0x0000000000220000-0x0000000000230000-memory.dmp
    Filesize: 64KB