Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 15/09/2024, 06:39
Static task: static1
Behavioral task: behavioral1
Sample: e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe
Resource: win7-20240903-en
General
- Target: e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe
- Size: 11.4MB
- MD5: e1e8346ff1d31ae330cb44c91541cd5a
- SHA1: 6c798b54cc3d1291f0b8295e9283d4a0475876ad
- SHA256: 0f11eb03b72c4111f98ddbde874a09707e663ed3b420b0faa23e66042f37fceb
- SHA512: ea915a3a2ae8bae8b306208dc26bd4fea480730b0f6070638f8457a6badb954192ea7ec7ed23c21d40359e423bdf3acc15c28dc531b62ca1ad5fc81ab705111f
- SSDEEP: 196608:UTwx42RPPBdebEm1iWWHc1SUX6apg3ZhncrJPm59vzgO8L1vsqFRUo7t/IbsCTMs:UaRPiGWW8sUtu/Am5q91vsqFRn5AACTN
Malware Config
Signatures
Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest (F3D1.tmp)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse (F3D1.tmp)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService (F3D1.tmp)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF (F3D1.tmp)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo (F3D1.tmp)

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (F3D1.tmp)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ (F3D1.tmp)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ (F3D1.tmp)

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoCs)
- Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions (F3D1.tmp)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (F3D1.tmp)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (F3D1.tmp)

Executes dropped EXE (6 IoCs)
- PID 2272 F0A6.tmp
- PID 2808 F3D1.tmp
- PID 2832 F3D2.tmp
- PID 2884 F3D1.tmp
- PID 1632 F3D1.tmp
- PID 604 F3D2.tmp

Loads dropped DLL (17 IoCs)
- PID 2844 e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe (1 entry)
- PID 2272 F0A6.tmp (2 entries)
- PID 2808 F3D1.tmp (10 entries)
- PID 1632 F3D1.tmp (4 entries)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification \??\PhysicalDrive0 (F3D1.tmp)

Checks system information in the registry (2 TTPs, 1 IoCs)
System information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName (F3D1.tmp)

Checks for VirtualBox DLLs, possible anti-VM trick (1 TTPs, 1 IoCs)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
- File opened (read-only) \??\VBoxMiniRdrDN (F3D1.tmp)

Drops file in Windows directory (1 IoCs)
- File created C:\Windows\fonts\pns.ttf (F3D1.tmp)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (F3D1.tmp)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (F3D2.tmp)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (F3D1.tmp)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (F3D1.tmp)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (F3D2.tmp)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (F0A6.tmp)

Modifies Internet Explorer settings
- Key created \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main (F3D1.tmp)
Modifies data under HKEY_USERS (3 IoCs)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\chst (F3D2.tmp)
- Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\chst (F3D2.tmp)
- Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\chst (F3D2.tmp)
Modifies system certificate store
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 (F3D1.tmp)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) (F3D1.tmp)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 (F3D1.tmp)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = (certificate blob omitted) (F3D1.tmp)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = (certificate blob omitted) (F3D1.tmp)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 1632 F3D1.tmp (2 entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeTakeOwnershipPrivilege (PID 2808, F3D1.tmp)
- Token: SeRestorePrivilege (PID 2808, F3D1.tmp)
- Token: SeDebugPrivilege (PID 2808, F3D1.tmp)
- Token: SeTakeOwnershipPrivilege (PID 1632, F3D1.tmp)
- Token: SeRestorePrivilege (PID 1632, F3D1.tmp)
- Token: SeDebugPrivilege (PID 1632, F3D1.tmp)

Suspicious use of FindShellTrayWindow (7 IoCs)
- PID 2808 F3D1.tmp (7 entries)

Suspicious use of SendNotifyMessage (7 IoCs)
- PID 2808 F3D1.tmp (7 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2808 F3D1.tmp (2 entries)

Suspicious use of WriteProcessMemory (20 IoCs)
- PID 2844 wrote to memory of 2272 (e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe, target procid 30; 4 entries)
- PID 2272 wrote to memory of 2808 (F0A6.tmp, target procid 31; 4 entries)
- PID 2272 wrote to memory of 2832 (F0A6.tmp, target procid 32; 4 entries)
- PID 2808 wrote to memory of 2884 (F3D1.tmp, target procid 35; 4 entries)
- PID 2808 wrote to memory of 1632 (F3D1.tmp, target procid 36; 4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe (PID 2844)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e1e8346ff1d31ae330cb44c91541cd5a_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\F0A6.tmp (PID 2272)
    Command line: "C:\Users\Admin\AppData\Local\Temp\F0A6.tmp"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\F3D1.tmp (PID 2808)
      Command line: "C:\Users\Admin\AppData\Local\Temp\F3D1.tmp"
      - Executes dropped EXE
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Modifies system certificate store
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\F3D1.tmp (PID 2884)
        Command line: "C:\Users\Admin\AppData\Local\Temp\F3D1.tmp" /test
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\F3D1.tmp (PID 1632)
        Command line: "C:\Users\Admin\AppData\Local\Temp\F3D1.tmp" /restart /util
        - Enumerates VirtualBox registry keys
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Looks for VirtualBox Guest Additions in registry
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks system information in the registry
        - Checks for VirtualBox DLLs, possible anti-VM trick
        - System Location Discovery: System Language Discovery
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\F3D2.tmp (PID 2832)
      Command line: "C:\Users\Admin\AppData\Local\Temp\F3D2.tmp" "install"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- C:\Users\Admin\AppData\Local\Temp\F3D2.tmp (PID 604)
  Command line: "C:\Users\Admin\AppData\Local\Temp\F3D2.tmp" run
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Registry (2)
- Pre-OS Boot (1)
  - Bootkit (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (3)
Downloads