Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
26/08/2024, 05:18
Behavioral task
behavioral1
Sample
c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe
Resource
win7-20240704-en
General
-
Target
c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe
-
Size
1.5MB
-
MD5
c25ae7a26857912c0d9824740c424366
-
SHA1
1d01beacd7958b2ea547eb3afa9e01f39920b904
-
SHA256
c0108b4982c074e06c92ed7e29a7d721f0bd6ba7391396b13268680e32e312e9
-
SHA512
2f8be82e480efdf7596c8e9388874095a14731e5fab966305b8c2f959f5f3aca3ac9999ac6d11d57950379f5508d89effd868d0e1ab112ab229f9f63eafed0cc
-
SSDEEP
24576:rdAw5ThqaUocH/CTxiQuBf49W9b2KKkuKoNV1qYlBv7BOf1jFrEhOYZ0XAvJvyNp:r9qav1TgQu9oWR244V1qYlBv7BgOZ0X9
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x000f000000015ea2-31.dat acprotect behavioral1/files/0x000900000001660f-56.dat acprotect -
Executes dropped EXE 2 IoCs
pid Process 3044 1.exe 2568 Windows:ThesharKProject.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe -
Loads dropped DLL 7 IoCs
pid Process 2324 c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe 2324 c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe 2324 c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe 3044 1.exe 2660 regsvr32.exe 3044 1.exe 2568 Windows:ThesharKProject.exe -
resource yara_rule behavioral1/memory/2324-0-0x0000000000400000-0x00000000006DF000-memory.dmp themida behavioral1/memory/2324-6-0x0000000000400000-0x00000000006DF000-memory.dmp themida behavioral1/memory/2324-15-0x0000000000400000-0x00000000006DF000-memory.dmp themida behavioral1/memory/2324-17-0x0000000000400000-0x00000000006DF000-memory.dmp themida behavioral1/memory/2324-29-0x0000000000400000-0x00000000006DF000-memory.dmp themida -
resource yara_rule behavioral1/memory/3044-33-0x0000000010000000-0x0000000010014000-memory.dmp upx behavioral1/files/0x000f000000015ea2-31.dat upx -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key deleted \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run Windows:ThesharKProject.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sharK Server = "C:\\Windows:ThesharKProject.exe" Windows:ThesharKProject.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\sharK Server = "C:\\Windows:ThesharKProject.exe" Windows:ThesharKProject.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run Windows:ThesharKProject.exe -
Drops file in System32 directory 7 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\jpg.dll 1.exe File opened for modification C:\Windows\SysWOW64\win.com 1.exe File opened for modification C:\Windows\SysWOW64\zlib.dll Windows:ThesharKProject.exe File opened for modification C:\Windows\SysWOW64\mswinsck.ocx Windows:ThesharKProject.exe File opened for modification C:\Windows\SysWOW64\jpg.dll Windows:ThesharKProject.exe File opened for modification C:\Windows\SysWOW64\zlib.dll 1.exe File opened for modification C:\Windows\SysWOW64\mswinsck.ocx 1.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windows:ThesharKProject.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx, 1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\ regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents" regsvr32.exe -
NTFS ADS 3 IoCs
description ioc Process File opened for modification C:\Windows:ThesharKProject.exe 1.exe File created C:\Windows:ThesharKProject.exe 1.exe File opened for modification C:\Windows:ThesharKProject.exe Windows:ThesharKProject.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 2324 c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe 3044 1.exe 3044 1.exe 3044 1.exe 3044 1.exe 3044 1.exe 2568 Windows:ThesharKProject.exe 2568 Windows:ThesharKProject.exe 2568 Windows:ThesharKProject.exe 2568 Windows:ThesharKProject.exe 2568 Windows:ThesharKProject.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2324 c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe 3044 1.exe 2568 Windows:ThesharKProject.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 2324 wrote to memory of 2904 2324 c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe 30 PID 2324 wrote to memory of 2904 2324 c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe 30 PID 2324 wrote to memory of 2904 2324 c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe 30 PID 2324 wrote to memory of 2904 2324 c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe 30 PID 2324 wrote to memory of 3044 2324 c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe 31 PID 2324 wrote to memory of 3044 2324 c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe 31 PID 2324 wrote to memory of 3044 2324 c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe 31 PID 2324 wrote to memory of 3044 2324 c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe 31 PID 3044 wrote to memory of 2660 3044 1.exe 33 PID 3044 wrote to memory of 2660 3044 1.exe 33 PID 3044 wrote to memory of 2660 3044 1.exe 33 PID 3044 wrote to memory of 2660 3044 1.exe 33 PID 3044 wrote to memory of 2660 3044 1.exe 33 PID 3044 wrote to memory of 2660 3044 1.exe 33 PID 3044 wrote to memory of 2660 3044 1.exe 33 PID 3044 wrote to memory of 1832 3044 1.exe 34 PID 3044 wrote to memory of 1832 3044 1.exe 34 PID 3044 wrote to memory of 1832 3044 1.exe 34 PID 3044 wrote to memory of 1832 3044 1.exe 34 PID 3044 wrote to memory of 2568 3044 1.exe 35 PID 3044 wrote to memory of 2568 3044 1.exe 35 PID 3044 wrote to memory of 2568 3044 1.exe 35 PID 3044 wrote to memory of 2568 3044 1.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe"1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\c25ae7a26857912c0d9824740c424366_JaffaCakes118.exe"2⤵PID:2904
-
-
C:\Users\Admin\AppData\Roaming\1.exeC:\Users\Admin\AppData\Roaming\1.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Windows\system32\mswinsck.ocx"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2660
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\1.bat3⤵
- System Location Discovery: System Language Discovery
PID:1832
-
-
C:\Windows:ThesharKProject.exeC:\Windows:ThesharKProject.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2568
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
113B
MD530fb8674b40c1dc7958909ba1584b37e
SHA1d35c5a768c6e655175571c4bfe3c485e24d47f2e
SHA25611e9fcb10ce29674d8bf41ca773837207427409f108c01c882cfe21427c7dbed
SHA51263049a21a3bb72795c247400350a2f84c00db8def7cecd7a800e0a9280b622fda4f259bfe4cbde2a6f3cf200973d5dfda838479f76a20d5a5d50b697413bdd9e
-
Filesize
1.1MB
MD5e14ba6a9464bed1127c50214acaf0c1a
SHA13eeda63ac8209ffa2e1beeefdde6531e61f8dc4d
SHA256fd250c2054019c58dd71ac4469ee821b67dfa36a439091ad17969f6d4090da38
SHA51255a7ad5ea8617e8066b2854556e54e1688c70d80b6921eab3020a1bb6cc741320f5f0d63cf067864505877e010d69caa2a7bff890dd037da7efbc3e679ab9c26
-
Filesize
51KB
MD54eda362e326609a0a80e2736b67607ab
SHA164aa572d16f7cd6e6bd2296f2c96ad1604c713d1
SHA256061e9f721af9a538dcfd96d13cb3deef1479b5785f566818c34c3faa585d650a
SHA512f23f6a5c362808aef98516dcf12e3eeefd8498c812c27f96820d7d086694641cb4eefc7970b4750a0e4a5a0be1f90ac8981fc2f028e7085d50bd44bd4880c51d
-
Filesize
296KB
MD5a63e6c36032e934147da66150e52e0a2
SHA16f87e80c6804485a98c7d1f9821412680701303c
SHA256f004b37cf83f8f220f1fae8826831e4f63fba4335631eb9204cd16b21d1c9c94
SHA51221c406d9424bfccb182156a6458bc5500dcb915cfbd5b1b3c6c977565ef677100792a2b4e66c7d52a86d44a49ccf0cfd4e55f5a2cc6f6073e07250e70ff604fc
-
Filesize
105KB
MD59484c04258830aa3c2f2a70eb041414c
SHA1b242a4fb0e9dcf14cb51dc36027baff9a79cb823
SHA256bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5
SHA5129d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0
-
Filesize
27KB
MD5200d52d81e9b4b05fa58ce5fbe511dba
SHA1c0d809ee93816d87388ed4e7fd6fca93d70294d2
SHA256d4fe89dc2e7775f4ef0dfc70ed6999b8f09635326e05e08a274d464d1814c617
SHA5127b1df70d76855d65cf246051e7b9f7119720a695d41ace1eb00e45e93e6de80d083b953269166bdee7137dbd9f3e5681e36bb036f151cea383c10d82957f39c5