Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 15/08/2024, 23:47
Static task
- static1
Behavioral task
- behavioral1
  Sample: 9c1c607c7085f6819346979715dda033_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task
- behavioral2
  Sample: 9c1c607c7085f6819346979715dda033_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: 9c1c607c7085f6819346979715dda033_JaffaCakes118.exe
- Size: 981KB
- MD5: 9c1c607c7085f6819346979715dda033
- SHA1: 166414beefabaf1866cfdfea8a72b222dcc674dc
- SHA256: 9b0d3e63e3167214577b30e6f2e19034414f2f565c708f689de51390fe0c772e
- SHA512: f1824dd69f9250664c71ae28d5b1045c6551abc5af61f9f44cc0f877de722acb7100d72486584df614979dc27222dba1e1dbeddd02161afc633fab68670176b9
- SSDEEP: 24576:T/////76QhEtOa5VxNmfFWBlI9G4hOkjIIkGhBLE:fREtO8xNmwB293rIvqB
Malware Config
Extracted: latentbot
- 1rockanimal.zapto.org
- 2rockanimal.zapto.org
- 3rockanimal.zapto.org
- 4rockanimal.zapto.org
- 5rockanimal.zapto.org
- 6rockanimal.zapto.org
- 7rockanimal.zapto.org
- 8rockanimal.zapto.org
Signatures

Modifies firewall policy service (3 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\b5Srg.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b5Srg.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\IGTN21UM2I.exe = "C:\\Users\\Admin\\AppData\\Roaming\\IGTN21UM2I.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Executes dropped EXE (3 IoCs)
pid | Process
2688 | TUza5.exe
2756 | bUnQwWvf.exe
2864 | b5Srg.exe
Loads dropped DLL (5 IoCs)
pid | Process
2516 | 9c1c607c7085f6819346979715dda033_JaffaCakes118.exe (all 5 IoCs are this process)
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Desktop Windows Manager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwm.exe" | TUza5.exe
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2516 set thread context of 2864 | 2516 | 9c1c607c7085f6819346979715dda033_JaffaCakes118.exe | 38
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 16 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9c1c607c7085f6819346979715dda033_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bUnQwWvf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b5Srg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TUza5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Modifies registry key (1 TTPs, 4 IoCs)
pid | Process
576 | reg.exe
864 | reg.exe
1236 | reg.exe
1760 | reg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2756 | bUnQwWvf.exe (all 64 IoCs are this process)
Suspicious use of AdjustPrivilegeToken (37 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2516 | 9c1c607c7085f6819346979715dda033_JaffaCakes118.exe
Token: 1 | 2864 | b5Srg.exe
Token: SeCreateTokenPrivilege | 2864 | b5Srg.exe
Token: SeAssignPrimaryTokenPrivilege | 2864 | b5Srg.exe
Token: SeLockMemoryPrivilege | 2864 | b5Srg.exe
Token: SeIncreaseQuotaPrivilege | 2864 | b5Srg.exe
Token: SeMachineAccountPrivilege | 2864 | b5Srg.exe
Token: SeTcbPrivilege | 2864 | b5Srg.exe
Token: SeSecurityPrivilege | 2864 | b5Srg.exe
Token: SeTakeOwnershipPrivilege | 2864 | b5Srg.exe
Token: SeLoadDriverPrivilege | 2864 | b5Srg.exe
Token: SeSystemProfilePrivilege | 2864 | b5Srg.exe
Token: SeSystemtimePrivilege | 2864 | b5Srg.exe
Token: SeProfSingleProcessPrivilege | 2864 | b5Srg.exe
Token: SeIncBasePriorityPrivilege | 2864 | b5Srg.exe
Token: SeCreatePagefilePrivilege | 2864 | b5Srg.exe
Token: SeCreatePermanentPrivilege | 2864 | b5Srg.exe
Token: SeBackupPrivilege | 2864 | b5Srg.exe
Token: SeRestorePrivilege | 2864 | b5Srg.exe
Token: SeShutdownPrivilege | 2864 | b5Srg.exe
Token: SeDebugPrivilege | 2864 | b5Srg.exe
Token: SeAuditPrivilege | 2864 | b5Srg.exe
Token: SeSystemEnvironmentPrivilege | 2864 | b5Srg.exe
Token: SeChangeNotifyPrivilege | 2864 | b5Srg.exe
Token: SeRemoteShutdownPrivilege | 2864 | b5Srg.exe
Token: SeUndockPrivilege | 2864 | b5Srg.exe
Token: SeSyncAgentPrivilege | 2864 | b5Srg.exe
Token: SeEnableDelegationPrivilege | 2864 | b5Srg.exe
Token: SeManageVolumePrivilege | 2864 | b5Srg.exe
Token: SeImpersonatePrivilege | 2864 | b5Srg.exe
Token: SeCreateGlobalPrivilege | 2864 | b5Srg.exe
Token: 31 | 2864 | b5Srg.exe
Token: 32 | 2864 | b5Srg.exe
Token: 33 | 2864 | b5Srg.exe
Token: 34 | 2864 | b5Srg.exe
Token: 35 | 2864 | b5Srg.exe
Token: SeDebugPrivilege | 2756 | bUnQwWvf.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
2864 | b5Srg.exe (all 4 IoCs are this process)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | occurrences
PID 2516 wrote to memory of 2008 | 2516 | 9c1c607c7085f6819346979715dda033_JaffaCakes118.exe | 30 | 4
PID 2008 wrote to memory of 3036 | 2008 | csc.exe | 32 | 4
PID 2516 wrote to memory of 2688 | 2516 | 9c1c607c7085f6819346979715dda033_JaffaCakes118.exe | 33 | 4
PID 2516 wrote to memory of 2792 | 2516 | 9c1c607c7085f6819346979715dda033_JaffaCakes118.exe | 34 | 4
PID 2792 wrote to memory of 2752 | 2792 | csc.exe | 36 | 4
PID 2516 wrote to memory of 2756 | 2516 | 9c1c607c7085f6819346979715dda033_JaffaCakes118.exe | 37 | 4
PID 2516 wrote to memory of 2864 | 2516 | 9c1c607c7085f6819346979715dda033_JaffaCakes118.exe | 38 | 8
PID 2864 wrote to memory of 2588 | 2864 | b5Srg.exe | 39 | 4
PID 2864 wrote to memory of 2608 | 2864 | b5Srg.exe | 40 | 4
PID 2864 wrote to memory of 2640 | 2864 | b5Srg.exe | 41 | 4
PID 2864 wrote to memory of 2668 | 2864 | b5Srg.exe | 42 | 4
PID 2608 wrote to memory of 1760 | 2608 | cmd.exe | 47 | 4
PID 2668 wrote to memory of 1236 | 2668 | cmd.exe | 50 | 4
PID 2588 wrote to memory of 864 | 2588 | cmd.exe | 48 | 4
PID 2640 wrote to memory of 576 | 2640 | cmd.exe | 49 | 4
Processes

C:\Users\Admin\AppData\Local\Temp\9c1c607c7085f6819346979715dda033_JaffaCakes118.exe (level 1, PID 2516)
Command line: "C:\Users\Admin\AppData\Local\Temp\9c1c607c7085f6819346979715dda033_JaffaCakes118.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (level 2, PID 2008)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6di0trcl.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (level 3, PID 3036)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1D3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB1D2.tmp"
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\TUza5.exe (level 2, PID 2688)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TUza5.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (level 2, PID 2792)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aiprvdeb.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (level 3, PID 2752)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB3B6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB3B5.tmp"
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\bUnQwWvf.exe (level 2, PID 2756)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bUnQwWvf.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\b5Srg.exe (level 2, PID 2864)
    Command line: C:\Users\Admin\AppData\Local\Temp\b5Srg.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (level 3, PID 2588)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe (level 4, PID 864)
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key

        C:\Windows\SysWOW64\cmd.exe (level 3, PID 2608)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\b5Srg.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b5Srg.exe:*:Enabled:Windows Messanger" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe (level 4, PID 1760)
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\b5Srg.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b5Srg.exe:*:Enabled:Windows Messanger" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key

        C:\Windows\SysWOW64\cmd.exe (level 3, PID 2640)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe (level 4, PID 576)
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key

        C:\Windows\SysWOW64\cmd.exe (level 3, PID 2668)
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\IGTN21UM2I.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IGTN21UM2I.exe:*:Enabled:Windows Messanger" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\reg.exe (level 4, PID 1236)
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\IGTN21UM2I.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IGTN21UM2I.exe:*:Enabled:Windows Messanger" /f
            - Modifies firewall policy service
            - System Location Discovery: System Language Discovery
            - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (3)
Downloads