Analysis

max time kernel: 150s
max time network: 143s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15/09/2024, 03:39

Static task: static1
Behavioral task: behavioral1
Sample: e1a2253d2dc01f2581d82006f5699ad9_JaffaCakes118.dll
Resource: win7-20240903-en
General

Target: e1a2253d2dc01f2581d82006f5699ad9_JaffaCakes118.dll
Size: 132KB
MD5: e1a2253d2dc01f2581d82006f5699ad9
SHA1: 75fdd7aa2b25cbcd5d4a46f0eb94d8467cd59e34
SHA256: 5e0c94ebef74deec4ca62fc13195c8084fa79ef42cd43a597dc89444debea842
SHA512: 0810663a169edc199ea9477a0459625bf24d29da293716b774d579f2e67bec4bc95e8ae0279db76cd4d4f4438e0431dcd40adcdf5fd0d1fe9873038f37166bef
SSDEEP: 1536:tibToqp78CcWWG6yhhdikVYFjX0aQe5ID/08htEDotqm:tibTTp78CcW6yVdYWmG0joIm
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) by svchost.exe:
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"
  Winlogon runs every comma-separated entry of Userinit at logon, so the appended WaterMark.exe path is the persistence hook. The value sits under Wow6432Node, which is consistent with the writer being the 32-bit (SysWOW64) svchost.exe writing through WOW64 registry redirection; when hunting for this value, read both the native and the Wow6432Node view.

Executes dropped EXE (2 IoCs)
  PID 2864 rundll32mgr.exe
  PID 2596 WaterMark.exe

Loads dropped DLL (4 IoCs)
  PID 2716 rundll32.exe (2 loads)
  PID 2864 rundll32mgr.exe (2 loads)

YARA rule match: upx (12 IoCs, all in region 0x0000000000400000-0x0000000000421000)
  rundll32mgr.exe (PID 2864): behavioral1/memory/2864-14, 2864-15, 2864-16, 2864-17, 2864-20, 2864-21, 2864-23 (each -0x0000000000400000-0x0000000000421000-memory.dmp)
  WaterMark.exe (PID 2596): behavioral1/memory/2596-40, 2596-41, 2596-83, 2596-89, 2596-668 (each -0x0000000000400000-0x0000000000421000-memory.dmp)

Drops file in System32 directory (3 IoCs)
  File created: C:\Windows\SysWOW64\dmlconf.dat (svchost.exe)
  File opened for modification: C:\Windows\SysWOW64\dmlconf.dat (svchost.exe)
  File created: C:\Windows\SysWOW64\rundll32mgr.exe (rundll32.exe)

Drops file in Program Files directory (64 IoCs)
  Every entry is "File opened for modification" by svchost.exe, and every target is an existing .dll, .exe, .htm or .html under Program Files rather than a newly created file:
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.ServiceModel.Resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libmft_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_sse2_plugin.dll
  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\weather.html
  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\settings.html
  C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll
  C:\Program Files\Internet Explorer\F12Tools.dll
  C:\Program Files (x86)\Common Files\microsoft shared\ink\skchui.dll
  C:\Program Files\VideoLAN\VLC\plugins\codec\libtwolame_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libclone_plugin.dll
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEXBE.DLL
  C:\Program Files\Common Files\System\msadc\msadco.dll
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationClientsideProviders.resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Client.resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libcompressor_plugin.dll
  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe
  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe
  C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm
  C:\Program Files\Java\jre7\bin\sunmscapi.dll
  C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClient.resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll
  C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html
  C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_transcode_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\visualization\libgoom_plugin.dll
  C:\Program Files\Windows Journal\NBDoc.DLL
  C:\Program Files\Internet Explorer\networkinspection.dll
  C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIB.dll
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm
  C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dts_plugin.dll
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationFramework.resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\keystore\libfile_keystore_plugin.dll
  C:\Program Files\Windows Defender\MpClient.dll
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Csi.dll
  C:\Program Files\Common Files\System\msadc\msadcs.dll
  C:\Program Files\Common Files\System\msadc\msdfmap.dll
  C:\Program Files\Java\jre7\bin\jawt.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationCore.resources.dll
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll
  C:\Program Files\VideoLAN\VLC\npvlc.dll
  C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_srt_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_livehttp_plugin.dll
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm
  C:\Program Files\Common Files\System\Ole DB\msdaps.dll
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll
  C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_mms_plugin.dll
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_shmem.dll
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe
  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Conversion.v3.5.resources.dll
  C:\Program Files\VideoLAN\VLC\lua\http\vlm.html
  C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll
  C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libcache_block_plugin.dll

Program crash (1 IoC)
  WerFault.exe (PID 2964) handled the crash of PID 2716 (rundll32.exe, procid_target 30)

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by WaterMark.exe, svchost.exe (twice), rundll32.exe and rundll32mgr.exe

Suspicious behavior: EnumeratesProcesses (37 IoCs)
  WaterMark.exe (PID 2596): 8 occurrences
  svchost.exe (PID 2628): 29 occurrences

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege by WaterMark.exe (PID 2596, twice), svchost.exe (PID 2628), rundll32.exe (PID 2716) and WerFault.exe (PID 2964)

Suspicious use of UnmapMainImage (2 IoCs)
  rundll32mgr.exe (PID 2864), WaterMark.exe (PID 2596)

Suspicious use of WriteProcessMemory (64 IoCs shown)
  Grouped by writer PID -> target PID (target image taken from the process tree), with the number of writes and the procid_target:
  2672 rundll32.exe -> 2716 rundll32.exe: 7 writes, procid_target 30
  2716 rundll32.exe -> 2864 rundll32mgr.exe: 4 writes, procid_target 31
  2716 rundll32.exe -> 2964 WerFault.exe: 4 writes, procid_target 32
  2864 rundll32mgr.exe -> 2596 WaterMark.exe: 4 writes, procid_target 33
  2596 WaterMark.exe -> 2632 svchost.exe: 10 writes, procid_target 34
  2596 WaterMark.exe -> 2628 svchost.exe: 10 writes, procid_target 35
  2628 svchost.exe -> 256 smss.exe: 5 writes, procid_target 1
  2628 svchost.exe -> 332 csrss.exe: 5 writes, procid_target 2
  2628 svchost.exe -> 380 wininit.exe: 5 writes, procid_target 3
  2628 svchost.exe -> 392 csrss.exe: 5 writes, procid_target 4
  2628 svchost.exe -> 428 winlogon.exe: 5 writes, procid_target 5
  The writes from rundll32mgr.exe and WaterMark.exe into their freshly started children, each paired with an UnmapMainImage on the parent, are the pattern of a hollowed child process; the later writes from svchost.exe (PID 2628) target the core system processes.
Processes
Format: image (PID): command line. Indentation shows parent/child depth; signature hits are listed beneath the process that triggered them.

C:\Windows\System32\smss.exe (PID 256): \SystemRoot\System32\smss.exe
C:\Windows\system32\csrss.exe (PID 332): %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\wininit.exe (PID 380): wininit.exe
  C:\Windows\system32\services.exe (PID 472): C:\Windows\system32\services.exe
    C:\Windows\system32\svchost.exe (PID 604): C:\Windows\system32\svchost.exe -k DcomLaunch
      C:\Windows\system32\wbem\wmiprvse.exe (PID 1408): C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\DllHost.exe (PID 1572): C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      C:\Windows\system32\wbem\wmiprvse.exe (PID 2864): C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    C:\Windows\system32\svchost.exe (PID 680): C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe (PID 768): C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe (PID 816): C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      C:\Windows\system32\Dwm.exe (PID 1120): "C:\Windows\system32\Dwm.exe"
    C:\Windows\system32\svchost.exe (PID 856): C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe (PID 972): C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe (PID 268): C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe (PID 1048): C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskhost.exe (PID 1060): "taskhost.exe"
    C:\Windows\system32\svchost.exe (PID 1144): C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE (PID 1180): "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    C:\Windows\system32\svchost.exe (PID 2988): C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\sppsvc.exe (PID 2164): C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\lsass.exe (PID 492): C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsm.exe (PID 500): C:\Windows\system32\lsm.exe
C:\Windows\system32\csrss.exe (PID 392): %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe (PID 428): winlogon.exe
C:\Windows\Explorer.EXE (PID 1188): C:\Windows\Explorer.EXE
  C:\Windows\system32\rundll32.exe (PID 2672): rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1a2253d2dc01f2581d82006f5699ad9_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 2716): rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1a2253d2dc01f2581d82006f5699ad9_JaffaCakes118.dll,#1
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32mgr.exe (PID 2864): C:\Windows\SysWOW64\rundll32mgr.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\WaterMark.exe (PID 2596): "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\svchost.exe (PID 2632): C:\Windows\system32\svchost.exe
            - Modifies WinLogon for persistence
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
          C:\Windows\SysWOW64\svchost.exe (PID 2628): C:\Windows\system32\svchost.exe
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe (PID 2964): C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 224
        - Program crash
        - Suspicious use of AdjustPrivilegeToken

Notes on the tree: the 64-bit rundll32.exe (PID 2672) started by Explorer re-launches the 32-bit DLL under the SysWOW64 rundll32.exe (PID 2716), which is where the dropped rundll32mgr.exe is written and all later activity originates. The two svchost.exe children of WaterMark.exe are the SysWOW64 image started without any -k service group and with a command line that names system32, and their parent is WaterMark.exe rather than services.exe; read together with the UnmapMainImage and WriteProcessMemory hits on WaterMark.exe, these are hollowed svchost.exe hosts, not service hosts. PID 2864 appears twice (wmiprvse.exe -Embedding and rundll32mgr.exe), which is most likely PID reuse during the run.
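The three behaviours a responder would carry from this report into detection, written as an added example that is not tria.ge's code and not code from the sample: the Winlogon\Userinit value set by svchost.exe in the Signatures section, parsed so that only the entries beyond userinit.exe are reported and matched in both the native and the Wow6432Node view; the SysWOW64\svchost.exe instances in the process tree above that were started by WaterMark.exe instead of services.exe; and rundll32.exe creating rundll32mgr.exe in SysWOW64. The Sysmon-style event dicts, their field names, the parent allowlist and the trusted-writer list are constructed assumptions for the example.

```python
"""Triage checks modelled on the behaviour in this report.

Added example: this is not tria.ge code and not code from the sample. The
events are constructed, Sysmon-style dicts (event 1 = process create,
11 = file create, 13 = registry value set) whose field names mirror Sysmon's;
they are an assumption, so map them to your own telemetry before use.
"""
from __future__ import annotations

import ntpath
import re

# Winlogon\Userinit in either registry view. The 32-bit svchost.exe in this
# report wrote the value under Wow6432Node (WOW64 registry redirection), so a
# check that only reads the native key would miss it.
USERINIT_KEY = re.compile(
    r"\\(?:wow6432node\\)?microsoft\\windows nt\\currentversion\\winlogon\\userinit$",
    re.IGNORECASE,
)
# Images that legitimately start svchost.exe on Windows 7 (assumption).
SVCHOST_PARENTS = {"services.exe"}
# New executables in these directories are expected only from servicing
# components (assumption: extend TRUSTED_WRITERS for your estate).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TRUSTED_WRITERS = {"trustedinstaller.exe", "msiexec.exe"}


def userinit_extras(value: str) -> list[str]:
    """Return the entries of a Userinit value other than userinit.exe itself.

    The stock value is 'C:\\Windows\\system32\\userinit.exe,' (trailing comma),
    so any further entry is a program Winlogon will start at every logon.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and ntpath.basename(entry).lower() != "userinit.exe":
            extras.append(entry)
    return extras


def triage(events: list[dict]) -> list[str]:
    """Apply the three checks to a list of events and return the findings."""
    findings = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        if ev["id"] == 13 and USERINIT_KEY.search(ev["target"]):
            extras = userinit_extras(ev["details"])
            if extras:
                findings.append(f"Userinit persistence set by pid {ev['pid']}: {extras}")
        elif ev["id"] == 1 and image == "svchost.exe":
            parent = ntpath.basename(ev["parent_image"]).lower()
            if parent not in SVCHOST_PARENTS:
                findings.append(
                    f"svchost.exe pid {ev['pid']} started by {parent} pid {ev['parent_pid']}"
                )
        elif ev["id"] == 11 and image not in TRUSTED_WRITERS:
            target = ev["target"].lower()
            if ntpath.dirname(target) in SYSTEM_DIRS and target.endswith((".exe", ".dll")):
                findings.append(f"{image} pid {ev['pid']} wrote executable {ev['target']}")
    return findings


# Constructed events mirroring this report's process tree and signatures
# (one benign svchost.exe start and one benign Userinit rewrite for contrast).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 604, "image": r"C:\Windows\system32\svchost.exe",
     "parent_pid": 472, "parent_image": r"C:\Windows\system32\services.exe"},
    {"id": 11, "pid": 2716, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "target": r"C:\Windows\SysWOW64\rundll32mgr.exe"},
    {"id": 1, "pid": 2632, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "parent_pid": 2596, "parent_image": r"C:\Program Files (x86)\Microsoft\WaterMark.exe"},
    {"id": 13, "pid": 2632, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"userinit.exe,c:\program files (x86)\microsoft\watermark.exe"},
    {"id": 13, "pid": 1000, "image": r"C:\Windows\system32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Run stand-alone, the block reports three findings for the constructed events (the rundll32mgr.exe drop, the svchost.exe started by WaterMark.exe, and the Userinit entry) and nothing for the two benign ones. The comma split does not handle a Userinit entry whose path contains a comma; the stock value never does, and an entry like that would itself be worth a look.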
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  Filesize: 197KB
  MD5: 3b13c6ba2611c64912f02e32f6094cbc
  SHA1: b01f6170dd2c6e42300ffc01c9125f0b7d0e8e27
  SHA256: d034348b442c14d41c06cf3085babf3a50f360100997944e247ee5e829271f7a
  SHA512: d2c411bf50712a94938f31bdc972c538a4e405bc174782eca5f4a09cc3b74c6a4a8e2cd7c33c7bb79a3619941855fdad9980f6be568b9622ec74bb31420424e1

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
  Filesize: 193KB
  MD5: 484b299469746f7e58e61b4ac5ac7fa0
  SHA1: edeb89113ecdac2d0bbcc11d4ee5344ddd465786
  SHA256: 52fb097cc832e99d00e1c6c7971a021a938ab0d0fa6c9b9c029d22608c75dde4
  SHA512: a0165a861713d897f6c3ea192f0f2fae04af93a3b4f2f3de4b7f3325b07f476661200b4c2d27a9b6d77026b7346ccf80f7e94ecd7015295030fa47990207bb41

(no path given for this entry)
  Filesize: 92KB
  MD5: a3b5b19b09613a76bd054ce279edb5f2
  SHA1: 4324c72de65b2812bfe9cc969f7fba7022a85a55
  SHA256: 13629c42889859682a721bc0927ff258a135f39951a64fd45409ba0d209212ce
  SHA512: 32d3c8a71eaaea6d6074ed63d7fd7b41c5dd4dea66e8c3f5ce84ad4f6ead79838ed28548d4b73103dfb06e426236835622ff337fa692872d7d23cd58da3ae865