Analysis
- max time kernel: 142s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/09/2024, 18:26
Static task: static1
Behavioral task: behavioral1
- Sample: ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
- Size: 20KB
- MD5: ebf0477ea66e2b448e03c7d894b55764
- SHA1: 68943914562bc01f5d7c2002898de95720cc9b60
- SHA256: 4aa5f5138f47225accc17e22463ccaa0e6f6f6f4a3a6bd9abb131b39803c6e34
- SHA512: 05d74d0a3199f862fd5f18ebb453f4515b9e8186f0eaf57fdcc0a88ecf3585365bcb07f6246bd2940b8d0d014633011535d11633b3b1d482aa72ddfd44b7df5b
- SSDEEP: 384:icBKBJGvdw7/bGtOl5YC5HhRI83YdwbomCH7Xrgo7IX3:fBKBJGVw7jGt+55RdnBCHTk
Malware Config
Signatures

Loads dropped DLL (1 IoC)
  pid | Process
  552 | IEXPLORE.EXE
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Program Files\\Common Files\\Services\\svchost.exe" | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  Process: ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
  ioc (one event per drive, in the order recorded): \??\X:, \??\Y:, \??\A:, \??\G:, \??\I:, \??\N:, \??\O:, \??\B:, \??\L:, \??\P:, \??\R:, \??\S:, \??\U:, \??\W:, \??\Z:, \??\H:, \??\K:, \??\M:, \??\Q:, \??\T:, \??\E:, \??\J:, \??\V:
Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  description | ioc | Process
  File created | C:\autorun.inf | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
  File opened for modification | C:\autorun.inf | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
  File created | F:\autorun.inf | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
  File opened for modification | F:\autorun.inf | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\DirectX10.dll | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\DirectX10.dll | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Common Files\Services\svchost.exe | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
  File opened for modification | C:\Program Files\Common Files\Services\svchost.exe | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process (one event each, in the order recorded): net1.exe, net1.exe, net1.exe, ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe, net.exe, Net.exe, net.exe, net1.exe, Net.exe, IEXPLORE.EXE
Modifies Internet Explorer settings
All keys below are under \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer and every operation was performed by IEXPLORE.EXE.
  description | ioc
  Key created | Recovery\PendingRecovery
  Set value (int) | Recovery\PendingRecovery\AdminActive = "1"
  Key created | IntelliForms
  Key created | LowRegistry\DontShowMeThisDialogAgain
  Key created | Toolbar
  Key created | Zoom
  Set value (str) | Main\FullScreen = "no"
  Set value (int) | Main\CompatibilityFlags = "0"
  Set value (int) | Recovery\AdminActive\{CA6D8A31-76B4-11EF-8C8A-62CAC36041A9} = "0"
  Set value (int) | DomainSuggestion\NextUpdateDate = "2029826559"
  Key created | GPU
  Key created | InternetRegistry
  Key created | LowRegistry
  Key created | LowRegistry\DOMStorage
  Key created | Toolbar\WebBrowser
  Key created | BrowserEmulation\LowMic
  Key created | Main\WindowsSearch
  Set value (str) | Main\WindowsSearch\Version = "WS not running"
  Key created | DomainSuggestion
  Key created | SearchScopes
  Key created | Main
  Key created | IETld\LowMic
  Key created | Recovery\AdminActive
  Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
  Set value (int) | Recovery\PendingRecovery\AdminActive = "0"
  Set value (int) | SearchScopes\DownloadRetries = "3"
  Key created | PageSetup
  Key created | Main
Runs net.exe

Suspicious behavior: EnumeratesProcesses (19 IoCs)
  pid | Process | events
  3064 | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe | 19
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3064 | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
  Token: SeDebugPrivilege | 3064 | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
  Token: SeDebugPrivilege | 3064 | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
  Token: SeSystemtimePrivilege | 3064 | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
  Token: SeDebugPrivilege | 3064 | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  2800 | IEXPLORE.EXE

Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process | events
  2800 | IEXPLORE.EXE | 2
  552 | IEXPLORE.EXE | 4
Suspicious use of WriteProcessMemory (64 IoCs)
Identical rows are collapsed; "events" is the number of times that row was recorded.
  description | pid | Process | procid_target | events
  PID 3064 wrote to memory of 2592 | 3064 | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe | 30 | 4
  PID 3064 wrote to memory of 2568 | 3064 | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe | 31 | 4
  PID 3064 wrote to memory of 2736 | 3064 | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe | 33 | 4
  PID 3064 wrote to memory of 2032 | 3064 | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe | 34 | 4
  PID 3064 wrote to memory of 2800 | 3064 | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe | 38 | 4
  PID 2592 wrote to memory of 2376 | 2592 | Net.exe | 39 | 4
  PID 2032 wrote to memory of 2612 | 2032 | net.exe | 40 | 4
  PID 2568 wrote to memory of 2340 | 2568 | Net.exe | 41 | 4
  PID 2736 wrote to memory of 2104 | 2736 | net.exe | 42 | 4
  PID 2800 wrote to memory of 552 | 2800 | IEXPLORE.EXE | 43 | 4
  PID 3064 wrote to memory of 552 | 3064 | ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe | 43 | 24
Processes
Process tree; indentation shows the parent/child relationship, and each entry lists the image path, PID, command line and matched signatures.

C:\Users\Admin\AppData\Local\Temp\ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe (PID 3064)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ebf0477ea66e2b448e03c7d894b55764_JaffaCakes118.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Net.exe (PID 2592)
      Command line: Net Stop Norton Antivirus Auto Protect Service
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 2376)
          Command line: C:\Windows\system32\net1 Stop Norton Antivirus Auto Protect Service
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\Net.exe (PID 2568)
      Command line: Net Stop mcshield
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 2340)
          Command line: C:\Windows\system32\net1 Stop mcshield
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\net.exe (PID 2736)
      Command line: net stop "Windows Firewall/Internet Connection Sharing (ICS)"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 2104)
          Command line: C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
          - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\net.exe (PID 2032)
      Command line: net stop System Restore Service
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 2612)
          Command line: C:\Windows\system32\net1 stop System Restore Service
          - System Location Discovery: System Language Discovery

    C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 2800)
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 552)
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275457 /prefetch:2
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads