Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 26/08/2024, 06:10
Static task: static1
Behavioral task: behavioral1
- Sample: c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
- Size: 1.7MB
- MD5: c26dde74c4e50e22121b1ec50dd30417
- SHA1: c2086ad96557af08bf3d406d0b40054fd8ce5465
- SHA256: adda323ba6c6dff2b728907819ed779c56114a07a5ed07f9ac9bc08117fe0d08
- SHA512: 968563b793f2f01f0def5312fd79f0b5600a0034a2f2a771c39cf20f2ee37602aefe67a878f0fe8fdeff2ce5bb8df2916f6b15b1688be0fc01f7eab5160d6839
- SSDEEP: 3072:A4tngvlGPo7OmH2MGn8hEXRjCC1K0mKGVpeH:3ytGPyOetGnNXRj+Re
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2" | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS" | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2" | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1" | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup" | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95} | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck" | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = 43003a005c00570069006e0064006f00770073005c00730079007300740065006d00330032005c00700072006f006300730071006c006f0062006a002e006500780065000000 | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Executes dropped EXE (37 IoCs)
pid | Process
2564 | objsqlinfo.exe
2612, 2624, 2164, 1136, 1756, 1720, 1472, 1636, 1288, 844, 612, 1644, 3028, 1812, 2220, 1740, 1600, 2988, 2828, 1808, 2676, 2592, 1520, 2064, 2880, 1296, 1908, 1524, 3024, 2332, 844, 1064, 856, 2196, 1152, 1868 | smss.exe (36 entries)
Loads dropped DLL (38 IoCs)
pid | Process
1732 | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe (2 entries)
2752 | cmd.exe (36 entries)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | objsqlinfo.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub" | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1" | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\hostsqlproc.exe | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\hostsqlproc.exe | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\procsqlobj.exe | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ipdhcpmon.exe | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\fwcnetdhcp.ocx | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\fwcnetdhcp.ocx | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\poolpdblsa.exe | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\fwclsapdb.exe | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\procsqlobj.exe | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ipdhcpmon.exe | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\poolpdblsa.exe | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\fwclsapdb.exe | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe (31 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe (31 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (1 entry)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe (1 entry)
Modifies registry class (9 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper" | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1" | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj" | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32 | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\fwcnetdhcp.ocx" | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment" | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1732 | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe (64 entries)
Suspicious use of AdjustPrivilegeToken (45 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1732 | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe (1 entry)
Token: SeBackupPrivilege | 1732 | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe (43 entries)
Token: SeDebugPrivilege | 2564 | objsqlinfo.exe (1 entry)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1732 wrote to memory of 2564 | 1732 | c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe | 30 (4 entries)
PID 2564 wrote to memory of 2752 | 2564 | objsqlinfo.exe | 31 (4 entries)
PID 2752 wrote to memory of 2612 | 2752 | cmd.exe | 33 (4 entries)
PID 2752 wrote to memory of 2600 | 2752 | cmd.exe | 35 (4 entries)
PID 2752 wrote to memory of 2624 | 2752 | cmd.exe | 36 (4 entries)
PID 2752 wrote to memory of 2312 | 2752 | cmd.exe | 37 (4 entries)
PID 2752 wrote to memory of 2164 | 2752 | cmd.exe | 38 (4 entries)
PID 2752 wrote to memory of 1056 | 2752 | cmd.exe | 39 (4 entries)
PID 2752 wrote to memory of 1136 | 2752 | cmd.exe | 40 (4 entries)
PID 2752 wrote to memory of 1852 | 2752 | cmd.exe | 41 (4 entries)
PID 2752 wrote to memory of 1756 | 2752 | cmd.exe | 42 (4 entries)
PID 2752 wrote to memory of 2952 | 2752 | cmd.exe | 43 (4 entries)
PID 2752 wrote to memory of 1720 | 2752 | cmd.exe | 44 (4 entries)
PID 2752 wrote to memory of 1700 | 2752 | cmd.exe | 45 (4 entries)
PID 2752 wrote to memory of 1472 | 2752 | cmd.exe | 46 (4 entries)
PID 2752 wrote to memory of 2328 | 2752 | cmd.exe | 47 (4 entries)
Views/modifies file attributes (1 TTPs, 35 IoCs)
pid | Process
2588, 832, 1260, 1476, 2328, 2888, 1120, 1976, 2800, 2668, 2132, 2312, 1852, 1744, 700, 1608, 2448, 1056, 2952, 688, 1828, 2208, 1760, 2700, 3032, 1952, 1000, 1700, 2168, 2868, 304, 2600, 1968, 1032, 1768 | attrib.exe (35 entries)
outlook_win_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | objsqlinfo.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c26dde74c4e50e22121b1ec50dd30417_JaffaCakes118.exe"1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Users\Admin\AppData\Local\Temp\objsqlinfo.exe"C:\Users\Admin\AppData\Local\Temp\objsqlinfo.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:2564 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CC44.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE""3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Users\Admin\AppData\Local\Temp\smss.exe"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2612
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2600
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2624
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2312
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2164
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1056
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1136
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1852
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1756
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2952
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 54⤵
- Executes dropped EXE
PID:1720
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1700
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1472
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2328
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 54⤵
- Executes dropped EXE
PID:1636
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:688
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1288
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2588
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 54⤵
- Executes dropped EXE
PID:844
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE"4⤵
- Views/modifies file attributes
PID:832
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:612
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1828
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1644
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2168
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3028
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1744
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1812
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:700
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2220
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- Views/modifies file attributes
PID:2208
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1740
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1976
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
PID:1600
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1968
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2988
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2800
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2828
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2868
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1808
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- Views/modifies file attributes
PID:2668
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- Views/modifies file attributes
PID:1260
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2592
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1476
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1520
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2132
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2064
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2888
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2880
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1000
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1296
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1760
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1908
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2700
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1524
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:304
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3024
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1032
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2332
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1608
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:844
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2448
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1064
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1768
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:856
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3032
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2196
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1952
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1152
-
-
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE" (tree depth 4)
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1120
-
-
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (tree depth 4)
- Executes dropped EXE
PID:1868
-
-
-
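The tree above repeats the same two children many times: attrib.exe run against OBJSQL~1.EXE in the user's Temp directory, and a dropped executable named smss.exe (the name of a core Windows process) run from that same Temp directory with the arguments 127.1 -n 5. Two details matter for anyone turning this into a detection. First, attrib -s -h clears the System and Hidden attributes (a plus sign would set them), so the "Hidden Files and Directories" mapping here reflects attribute manipulation, not hiding. Second, 127.1 is inet_aton shorthand for 127.0.0.1, so a rule that matches the literal string 127.0.0.1 would miss it. As an added example, not part of the Triage report, the Python below walks constructed process records in the shape of this tree and flags all three traits. The record list, the function and constant names (analyse, SYSTEM_PROCESS_NAMES, USER_WRITABLE) and the benign control entry are this example's own; reading 127.1 -n 5 as a ping-style loopback delay is an assumption, since the report does not say what the dropped smss.exe actually is.

```python
"""Added triage helper for the process tree above (not part of the Triage report).

Flags three traits visible in the tree: a core Windows process name (smss.exe)
running from a user temp directory, attrib.exe changing Hidden/System attributes
on a file under %TEMP%, and a '<loopback> -n <count>' argument shape.
"""
import re
from collections import Counter

# Core Windows process names that never legitimately run from a user-writable
# directory. Assumption: list chosen for this example, not taken from the report.
SYSTEM_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "explorer.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed records in the shape of the tree (image, command line, PID),
# plus one benign control: the real smss.exe launched from System32.
SAMPLE_EVENTS = [
    {"pid": 2588, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r'attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE"'},
    {"pid": 844, "image": r"C:\Users\Admin\AppData\Local\Temp\smss.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5'},
    {"pid": 832, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r'attrib -s -h "C:\Users\Admin\AppData\Local\Temp\OBJSQL~1.EXE"'},
    {"pid": 612, "image": r"C:\Users\Admin\AppData\Local\Temp\smss.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5'},
    {"pid": 300, "image": r"C:\Windows\System32\smss.exe",
     "cmdline": r"\SystemRoot\System32\smss.exe"},
]


def tokens(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def ipv4_from_shorthand(text):
    """Expand inet_aton-style shorthand ('127.1', '2130706433') to a dotted quad.

    The last component fills all remaining bytes, so '127.1' is 127.0.0.1.
    Returns None if the text is not an IPv4 literal in any of these forms.
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        return None
    vals = [int(p) for p in parts]
    tail_bits = 8 * (5 - len(parts))
    if any(v > 255 for v in vals[:-1]) or vals[-1] >= 1 << tail_bits:
        return None
    packed = 0
    for v in vals[:-1]:
        packed = (packed << 8) | v
    packed = (packed << tail_bits) | vals[-1]
    return ".".join(str((packed >> shift) & 255) for shift in (24, 16, 8, 0))


def analyse(events):
    """Return (findings, launch_counts); a finding is (pid, kind, detail)."""
    findings = []
    launch_counts = Counter()
    for ev in events:
        image = ev["image"].lower()
        name = image.rsplit("\\", 1)[-1]
        args = tokens(ev["cmdline"])
        launch_counts[(image, ev["cmdline"])] += 1

        # ATT&CK T1036.005: a system process name outside the system directories.
        if name in SYSTEM_PROCESS_NAMES and not image.startswith(SYSTEM_DIRS):
            findings.append((ev["pid"], "masquerade", f"{name} running from {image}"))

        # attrib: '+' sets an attribute (hides), '-' clears it. Both matter,
        # because the tree above uses '-s -h', which un-hides the file.
        if name == "attrib.exe":
            flags = [a for a in args[1:] if re.fullmatch(r"[+-][rashi]", a, re.I)]
            targets = [a for a in args[1:] if a not in flags]
            hits = [t for t in targets if any(d in t.lower() for d in USER_WRITABLE)]
            if flags and hits:
                verb = "clears" if all(f.startswith("-") for f in flags) else "sets"
                findings.append((ev["pid"], "attrib", f"{verb} {' '.join(flags)} on {' '.join(hits)}"))

        # '<addr> -n <count>' with nothing else is the ping loopback delay idiom.
        # Assumption: the report does not say what the dropped smss.exe is.
        if len(args) == 4 and args[2].lower() == "-n" and args[3].isdigit():
            addr = ipv4_from_shorthand(args[1])
            if addr and addr.startswith("127."):
                findings.append((ev["pid"], "delay", f"{args[1]} -> {addr}, -n {args[3]}"))
    return findings, launch_counts


def repeated(launch_counts, threshold=2):
    """Identical command lines launched at least `threshold` times (loop signal)."""
    return {k: n for k, n in launch_counts.items() if n >= threshold}


if __name__ == "__main__":
    found, counts = analyse(SAMPLE_EVENTS)
    for pid, kind, detail in found:
        print(f"PID {pid:>5}  {kind:<10} {detail}")
    for (image, cmdline), n in repeated(counts).items():
        print(f"{n}x  {cmdline}")
```

Running the module on the constructed records reports the two Temp-resident smss.exe launches as both a name masquerade and a loopback delay, the two attrib launches as clearing -s -h on a Temp file, and nothing for the genuine System32 smss.exe; the repeat counter is what surfaces the loop that the full tree above shows in long form. Canonicalising the address before comparing it is the part worth keeping: 127.1, 2130706433 and 127.0.0.1 are the same host to ping, so the rule has to compare parsed addresses rather than strings.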
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Active Setup (1)
- Browser Extensions (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (2)
Credential Access
- Unsecured Credentials (2)
  - Credentials In Files (1)
  - Credentials in Registry (1)
Downloads
-
Filesize: 168B
MD5: e7efc2c945a798b4dab3fe50f1524592
SHA1: 0bb937ccd89e40c91c0e58b376873ef909fe805b
SHA256: 624acac79fdcfe30592f5321b4ab73d360f393dbcdbe8daa50fcce63c710f5dc
SHA512: e75840979404587aa15fd4d1e46707c33e32dca086ca72c7666045e14191e29857d06dc8ba737e69925c71b2e2d6a5ee3b63c36ecd2f32ae515f85a985d8f257
-
Filesize: 4KB
MD5: 3adea70969f52d365c119b3d25619de9
SHA1: d303a6ddd63ce993a8432f4daab5132732748843
SHA256: c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665
SHA512: c4d836fcbdab4c859a6fc0f849d1e41e98c7e23fc0fe0fe0a09cb68e9a57d60b2ae9ad46762d7a5e05db28d6179bd431ef179ee1f9ff016db74cc3b1d74ed7f8
-
Filesize: 1.7MB
MD5: c26dde74c4e50e22121b1ec50dd30417
SHA1: c2086ad96557af08bf3d406d0b40054fd8ce5465
SHA256: adda323ba6c6dff2b728907819ed779c56114a07a5ed07f9ac9bc08117fe0d08
SHA512: 968563b793f2f01f0def5312fd79f0b5600a0034a2f2a771c39cf20f2ee37602aefe67a878f0fe8fdeff2ce5bb8df2916f6b15b1688be0fc01f7eab5160d6839
-
Filesize: 112KB
MD5: ddeeebb34da3deea82ea1f4ff4c894a5
SHA1: c1e229219e84203ba9e26f2917bd268656ff4716
SHA256: 35f911365d14ff533acce7367c2ab74167a9beb7b4e8fd487f25b9db4d68f627
SHA512: 30c0f41c311591f39f6441af7e872bc6e1954c5050f4977f417f5e07f7550480fff17994fedc79316d93f18236abb6b11ef44b8fcfa3f71f9086b34044ac52d6
-
Filesize: 15KB
MD5: 6242e3d67787ccbf4e06ad2982853144
SHA1: 6ac7947207d999a65890ab25fe344955da35028e
SHA256: 4ca10dba7ff487fdb3f1362a3681d7d929f5aa1262cdfd31b04c30826983fb1d
SHA512: 7d0d457e1537d624119a8023bcc086575696a5739c0460ef11554afac13af5e5d1edc7629a10e62834aba9f1b3ab1442011b15b4c3930399d91dca34b3b1cbaf