Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24/09/2024, 20:00 UTC
General
-
Target
f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe
-
Size
920KB
-
MD5
f467ad374c4a6a470cde9f4893fd628c
-
SHA1
b6fb7decf1da130faa70e8115f5593ba6b9235b9
-
SHA256
1c6d003793adae594719fc0572cf770437af2f24c1f8fe2307633a7cc59d8102
-
SHA512
49d5a9e9bb3fe6367a8081509913e6706a26887644af8233809c25cb913d72b3233341cecc665520c08fa3529dc457f1d80327a8eba2a330970e22aebc08ab83
-
SSDEEP
24576:tJXWAayET+QuawV+XTUknfiuG7weke8juowZKMnunK:WTzuaxjnsywKMnY
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Drops file in Drivers directory 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 16 IoCs
-
Loads dropped DLL 16 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 54 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 30 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies WinLogon for persistence
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\MDdyAsuPL1.exeC:\Users\Admin\MDdyAsuPL1.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\ruode.exe"C:\Users\Admin\ruode.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del MDdyAsuPL1.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\2eaj.exeC:\Users\Admin\2eaj.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\2eaj.exe"C:\Users\Admin\2eaj.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\2eaj.exe"C:\Users\Admin\2eaj.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\2eaj.exe"C:\Users\Admin\2eaj.exe"4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\2eaj.exe"C:\Users\Admin\2eaj.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\2eaj.exe"C:\Users\Admin\2eaj.exe"4⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\3eaj.exeC:\Users\Admin\3eaj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
C:\Users\Admin\3eaj.exeC:\Users\Admin\3eaj.exe startC:\Users\Admin\AppData\Roaming\5B378\EC9AF.exe%C:\Users\Admin\AppData\Roaming\5B3784⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\3eaj.exeC:\Users\Admin\3eaj.exe startC:\Program Files (x86)\78CCD\lvvm.exe%C:\Program Files (x86)\78CCD4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\LP\AF05\59A5.tmp"C:\Program Files (x86)\LP\AF05\59A5.tmp"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\4eaj.exeC:\Users\Admin\4eaj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\8a1d53fa\X*0*bc*611bbb90*31.193.3.240:534⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\5eaj.exeC:\Users\Admin\5eaj.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del f467ad374c4a6a470cde9f4893fd628c_JaffaCakes118.exe3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
-
DNScom9.us.toRemote address:8.8.8.8:53Requestcom9.us.toIN AResponse -
DNSpromos.fling.comRemote address:8.8.8.8:53Requestpromos.fling.comIN AResponsepromos.fling.comIN A64.210.151.32
-
GEThttp://promos.fling.com/geo/txt/city.phpRemote address:64.210.151.32:80RequestGET /geo/txt/city.php HTTP/1.0
Host: promos.fling.com
Connection: close
ResponseHTTP/1.1 302 Found
content-length: 0
location: https://promos.fling.com/geo/txt/city.php
cache-control: no-cache
connection: close
-
DNScsc3-2004-crl.verisign.comRemote address:8.8.8.8:53Requestcsc3-2004-crl.verisign.comIN AResponse
-
DNSqa9.firoli-sys.comRemote address:8.8.8.8:53Requestqa9.firoli-sys.comIN AResponse
-
DNSfreedownload3.comRemote address:8.8.8.8:53Requestfreedownload3.comIN AResponse
-
DNSw3vmn908n.firoli-sys.comRemote address:8.8.8.8:53Requestw3vmn908n.firoli-sys.comIN AResponse
-
DNS8h2o08jr6r.hdmediastore.comRemote address:8.8.8.8:53Request8h2o08jr6r.hdmediastore.comIN AResponse
-
DNSusl7ne4gbc.wwwmediahosts.comRemote address:8.8.8.8:53Requestusl7ne4gbc.wwwmediahosts.comIN AResponse
-
DNSTRANSERSDATAFORME.COMRemote address:8.8.8.8:53RequestTRANSERSDATAFORME.COMIN AResponse
-
DNSntp2.usno.navy.milRemote address:8.8.8.8:53Requestntp2.usno.navy.milIN AResponsentp2.usno.navy.milIN A192.5.41.209
-
DNSntp.adc.amRemote address:8.8.8.8:53Requestntp.adc.amIN AResponsentp.adc.amIN A194.163.183.141
-
DNSchronos.cru.frRemote address:8.8.8.8:53Requestchronos.cru.frIN AResponse
-
DNSwwv.nist.govRemote address:8.8.8.8:53Requestwwv.nist.govIN AResponsewwv.nist.govIN CNAMEtime-a-wwv.nist.govtime-a-wwv.nist.govIN A132.163.97.1
-
DNSclock.isc.orgRemote address:8.8.8.8:53Requestclock.isc.orgIN AResponseclock.isc.orgIN CNAMEclockisc.ntp.orgclockisc.ntp.orgIN CNAMEclockisc.nwtime.orgclockisc.nwtime.orgIN A64.62.194.188clockisc.nwtime.orgIN A64.62.194.189clockisc.nwtime.orgIN A204.93.207.11
-
DNStime2.one4vision.deRemote address:8.8.8.8:53Requesttime2.one4vision.deIN AResponsetime2.one4vision.deIN A212.82.32.26
-
DNStime.cerias.purdue.eduRemote address:8.8.8.8:53Requesttime.cerias.purdue.eduIN AResponse
-
DNSwww.google.comRemote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A142.250.178.4
-
GEThttp://www.google.com/Remote address:142.250.178.4:80RequestGET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*
ResponseHTTP/1.0 200 OK
Date: Tue, 24 Sep 2024 20:01:39 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-RZg1e00wsuRYf7J0MkystQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVYB7cqufzgtLU_tzQrVwayoWOTQB9V43wzMDJsb0CVHvia1oMSU9Rlp7QY; expires=Sun, 23-Mar-2025 20:01:39 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Accept-Ranges: none
Vary: Accept-Encoding
-
GEThttp://www.google.com/Remote address:142.250.178.4:80RequestGET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 200 OK
Date: Tue, 24 Sep 2024 20:01:40 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-lDER3LgrrH2i3ZOzUerd6g' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVYB7crngO2BQ4bBpH2UEyy5Lw_jWExQTctOTymTRpixTuCtNVgnjrFSGQ; expires=Sun, 23-Mar-2025 20:01:40 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
-
64.210.151.32:80http://promos.fling.com/geo/txt/city.phphttp
HTTP Request
GET http://promos.fling.com/geo/txt/city.phpHTTP Response
302 -
176.53.17.23:80 -
176.53.17.23:80
-
176.53.17.23:80
-
176.53.17.23:80
-
176.53.17.23:80
-
142.250.178.4:80http://www.google.com/http
HTTP Request
GET http://www.google.com/HTTP Response
200 -
142.250.178.4:80http://www.google.com/http
HTTP Request
GET http://www.google.com/HTTP Response
200 -
213.230.116.4:17235 -
195.29.46.78:17235 -
187.91.217.113:17235 -
79.127.53.33:17235 -
89.229.97.163:17235 -
46.30.176.5:17235
-
85.187.238.100:17235 -
98.144.113.151:17235
-
77.20.207.44:17235 -
12.202.192.98:17235
-
212.225.134.30:17235 -
92.47.236.8:17235 -
111.88.51.87:17235 -
186.18.132.122:17235 -
186.89.211.62:17235 -
46.130.103.19:17235 -
80.238.96.55:17235
-
83.103.153.186:17235 -
84.240.211.228:17235
-
99.226.154.34:17235 -
190.179.16.6:17235
-
201.29.227.108:17235
-
190.208.100.198:17235 -
81.218.205.245:17235 -
90.239.103.203:17235 -
186.69.85.209:17235 -
189.68.15.111:17235
-
46.194.146.209:17235
-
186.110.109.95:17235
-
186.9.164.184:17235
-
89.115.80.171:17235 -
2.132.136.252:17235
-
182.9.71.184:17235 -
178.131.166.222:17235
-
92.53.22.163:17235 -
95.65.49.165:17235 -
87.97.197.10:17235
-
189.93.131.18:17235
-
72.172.204.167:17235
-
110.37.5.129:17235
-
46.191.188.14:17235 -
177.30.198.222:17235
-
37.28.12.180:17235 -
46.48.196.145:17235
-
89.68.69.157:17235
-
59.115.91.6:17235 -
91.73.86.87:17235 -
151.80.230.131:17235 -
180.215.200.159:17235 -
187.25.169.83:17235
-
46.185.208.184:17235 -
178.45.72.43:17235
-
190.191.245.125:17235
-
50.88.157.57:17235
-
200.109.190.128:17235
-
220.134.3.66:17235
-
89.215.145.101:17235
-
141.196.23.74:17235
-
190.100.206.54:17235
-
190.135.144.145:17235 -
116.202.11.232:17235
-
24.90.4.120:17235
-
86.104.67.72:17235
-
207.68.235.36:17235
-
90.129.10.162:17235
-
90.172.11.71:17235
-
68.207.187.223:17235
-
71.207.110.68:17235
-
95.58.205.107:17235
-
14.99.173.70:17235 -
87.248.74.98:17235
-
213.99.66.0:17235
-
80.216.75.28:17235
-
188.159.204.245:17235
-
95.106.63.172:17235
-
31.169.1.95:17235
-
114.79.141.144:17235
-
190.17.183.167:17235
-
37.17.141.234:17235 -
89.132.219.107:17235 -
188.138.138.120:17235
-
176.222.188.62:17235
-
41.70.186.224:17235 -
109.253.3.25:17235
-
187.27.247.221:17235
-
2.144.30.250:17235
-
93.116.165.253:17235
-
14.99.110.4:17235
-
187.3.157.74:17235
-
201.167.22.48:17235 -
78.250.116.83:17235
-
116.202.176.175:17235
-
202.43.124.150:17235
-
217.162.103.153:17235 -
37.17.136.190:17235
-
79.102.11.183:17235
-
84.121.125.223:17235
-
2.185.190.139:17235
-
46.100.131.188:17235
-
189.65.207.58:17235
-
58.9.22.7:17235 -
2.185.145.145:17235
-
62.63.181.168:17235 -
94.196.75.194:17235
-
2.180.34.85:17235
-
202.176.97.4:17235
-
201.235.152.2:17235
-
85.84.82.6:17235
-
186.32.180.193:17235 -
24.186.5.51:17235
-
2.134.24.98:17235
-
180.215.69.240:17235
-
213.43.210.201:17235
-
67.21.147.13:17235
-
202.179.1.112:17235 -
72.196.208.132:17235
-
207.235.23.179:17235
-
190.205.65.41:17235
-
112.210.67.179:17235 -
188.136.237.9:17235
-
188.240.61.163:17235
-
77.210.34.213:17235
-
95.58.33.8:17235
-
180.178.166.98:17235
-
186.36.104.136:17235
-
87.242.37.143:17235
-
158.181.29.36:17235 -
176.222.147.194:17235
-
84.215.99.41:17235 -
189.34.224.122:17235
-
217.203.69.84:17235 -
186.212.228.104:17235
-
77.79.176.8:17235
-
14.97.100.90:17235
-
178.122.108.12:17235 -
78.90.60.160:17235
-
189.195.26.138:17235
-
106.198.217.61:17235
-
95.69.65.106:17235
-
113.193.49.183:17235
-
204.152.219.45:17235
-
24.188.75.61:17235
-
82.158.46.230:17235
-
202.6.123.101:17235 -
95.252.203.127:17235
-
178.139.90.158:17235
-
84.236.130.178:17235
-
78.94.66.225:17235
-
24.205.91.13:17235
-
190.86.115.124:17235 -
85.84.171.230:17235
-
91.99.246.90:17235 -
178.203.201.122:17235
-
85.218.71.211:17235
-
175.106.58.63:17235 -
69.122.68.227:17235
-
200.148.99.73:17235
-
115.242.148.129:17235
-
101.63.194.175:17235
-
212.251.252.201:17235
-
46.248.58.137:17235
-
31.151.31.206:17235 -
121.160.10.144:17235 -
41.251.177.89:17235 -
78.31.230.213:17235 -
68.9.201.72:17235
-
203.125.134.162:17235 -
173.25.37.252:17235
-
190.194.14.223:17235
-
164.132.191.18:17235
-
78.9.73.254:17235
-
117.200.247.246:17235
-
190.161.13.109:17235
-
79.149.147.79:17235
-
116.68.245.37:17235
-
190.75.104.66:17235
-
201.235.244.128:17235
-
109.105.237.112:17235 -
41.71.178.66:17235
-
190.132.12.9:17235
-
178.89.86.157:17235
-
158.181.136.202:17235
-
84.224.81.177:17235
-
71.239.233.90:17235
-
95.82.41.206:17235
-
186.36.4.45:17235
-
98.122.43.156:17235
-
89.34.33.125:17235
-
201.37.222.106:17235
-
68.59.48.123:17235
-
14.98.87.110:17235
-
24.41.147.173:17235 -
112.202.179.233:17235
-
2.132.32.160:17235
-
68.68.31.58:17235
-
111.91.102.106:17235
-
187.69.97.64:17235
-
78.96.93.105:17235
-
85.87.136.35:17235
-
94.243.120.149:17235
-
186.22.6.122:17235
-
66.229.245.73:17235
-
188.65.76.144:17235 -
186.176.247.177:17235
-
119.154.48.101:17235
-
95.56.169.128:17235
-
8.8.8.8:53com9.us.todns
DNS Request
com9.us.to
-
8.8.8.8:53promos.fling.comdns
DNS Request
promos.fling.com
DNS Response
64.210.151.32
-
31.193.3.240:53dns
-
31.193.3.240:53dns
-
31.193.3.240:53dns
-
31.193.3.240:53dns
-
31.193.3.240:53dns
-
8.8.8.8:53csc3-2004-crl.verisign.comdns
DNS Request
csc3-2004-crl.verisign.com
-
8.8.8.8:53qa9.firoli-sys.comdns
DNS Request
qa9.firoli-sys.com
-
8.8.8.8:53freedownload3.comdns
DNS Request
freedownload3.com
-
8.8.8.8:53w3vmn908n.firoli-sys.comdns
DNS Request
w3vmn908n.firoli-sys.com
-
8.8.8.8:538h2o08jr6r.hdmediastore.comdns
DNS Request
8h2o08jr6r.hdmediastore.com
-
8.8.8.8:53usl7ne4gbc.wwwmediahosts.comdns
DNS Request
usl7ne4gbc.wwwmediahosts.com
-
8.8.8.8:53TRANSERSDATAFORME.COMdns
DNS Request
TRANSERSDATAFORME.COM
-
8.8.8.8:53ntp2.usno.navy.mildns
DNS Request
ntp2.usno.navy.mil
DNS Response
192.5.41.209
-
8.8.8.8:53ntp.adc.amdns
DNS Request
ntp.adc.am
DNS Response
194.163.183.141
-
8.8.8.8:53chronos.cru.frdns
DNS Request
chronos.cru.fr
-
8.8.8.8:53wwv.nist.govdns
DNS Request
wwv.nist.gov
DNS Response
132.163.97.1
-
8.8.8.8:53clock.isc.orgdns
DNS Request
clock.isc.org
DNS Response
64.62.194.18864.62.194.189204.93.207.11
-
8.8.8.8:53time2.one4vision.dedns
DNS Request
time2.one4vision.de
DNS Response
212.82.32.26
-
8.8.8.8:53time.cerias.purdue.edudns
DNS Request
time.cerias.purdue.edu
-
8.8.8.8:53www.google.comdns
DNS Request
www.google.com
DNS Response
142.250.178.4
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
132KB
MD5afaca64214594290a9e01c2ab012f00c
SHA1eb1183a49d6da506072d34673f60a623687d2f82
SHA256ca9e0ce2d0cf500ddbad4e9ad42e6e4136e3fa351839ccc654f393e624528f7a
SHA5129f91e78c3a1de2e877e16b3cc862bc512051ccd011868c333dc66487bf1979c5f52406fa3498996e397705050b9c41a65a318d1f72e1e611dd9e2674a794a8b7
-
Filesize
121KB
MD56735cacc68031001bcf6459daa770b42
SHA178fc873eee60454534d7f39279d53d9bd9780c77
SHA256b1a7250c0fc8caa1a26ca2ebf18507ba4dcc564149ccfa81ed07e4fe2fbed026
SHA512ef092414d0b7f51ec8ec697148dba5656ba13987f2b7f746bda77267320dbbfdc0504e51699becbe30162ee0dd102cea80ab689f74221a2c6a50e1912ab82f08
-
Filesize
38KB
MD572de2dadaf875e2fd7614e100419033c
SHA15f17c5330e91a42daa9ff24c4aa602bd1a72bf6e
SHA256c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381
SHA512e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3
-
Filesize
600B
MD5b54747a884559ca1c0a6d8fb71ffb1fd
SHA1fce5f27fab7377833954d953601ab52c6faadaee
SHA2560434dcf8ed305938a3db8ca366abdf76693c69260835ef96fc35efa8a94d5433
SHA512b2ad6d0f231668e6cad0292ca4a4cd3a9e2cfc1317184af2f3a210b5b9ebbc6dc64a5f77c40a8fc3cc0e3dc4720c48cfaea7ca3ba2468b110e7e5b6d3c9b4f72
-
Filesize
996B
MD5f34a5d739e01bd9cfe51c61aeaaa6371
SHA165b03b82bba0f7658512736056c60a939659fafe
SHA25681a9d7d8512d4707ccd4ed671d9fbc6f69846efafe883b6b8a5b2d8082180fa1
SHA51266e97b4d172eaf8c1597c9415a11697ac7c2ed7f7ce760cc07d42e8a6421760ab7ef3b9d163d0239bff1580c48cda320e9f75e963353758895ed2a253cf28754
-
Filesize
29KB
MD51149c1bd71248a9d170e4568fb08df30
SHA16f77f183d65709901f476c5d6eebaed060a495f9
SHA256c2dcf387cb4d218f50463338291e7db38afbdab9aab88fc54e7f9283df1792d1
SHA5129e6eac8facb23b38552d37c9f3cb24098f871d2885ecb3630fcd0199c5600b12a42f095f9fbeb90e5632496491d46fd987660cdda695e92dc386bd482d3ff459
-
Filesize
100KB
MD58659e2fdb286421874e997e5b1d56ae4
SHA1e3b46183011a317dd80baf92ff9ef1b2da53cc05
SHA25680ceedded02c13a9c4ade2d2242b2bb295bc122b5c7c0f6b3332b0f4fceae2b8
SHA512ae12fd737c0a6f765ebe7a6e312230220e5fb79d42c1478a6f00edf5e67b6dec201aee90d3082b7817726c6501c7c94ce4a8eab72b2a00547bfdc382bbf2a8dc
-
Filesize
283KB
MD5ab0bbc81ff15b6d295989e4076711c04
SHA199372e440fceb26128534ae44ba6649f4d6f5354
SHA256b936e7056270188775662177402c86da4028950320a772f3d56763e2f935b4e5
SHA512f1fa46e0fc9480766b68f7b3aba23bf41bb66e22d529d1006f5dbbfe467ec0bf490b50067184b38fa76639a76c15e88ca654544ea045bcbfce8c12d3d8347077
-
Filesize
273KB
MD590cfd3294a276c3bc20a9fddf574a8d1
SHA1fc294843a290d0bc223e67f3370009e0bd63e3b8
SHA2565b076d47b571824cd668c26e7fc0a53b54a58547b7cb6a70eccdf44b4ccbda14
SHA512a1ffc3e46490c74e7cd45b919b4668e0f38cbf28b3c3b81a25c68233cd68b72a5d9444306b9e8ef03fa1739d441c7f6504a36aabc2c53a7025b3c6260adc1aeb
-
Filesize
256KB
MD5601683a024c1e27dd62d33de59536641
SHA14584d66af41c4f77a6e1b7df3dcd3e78217ad270
SHA25611ba7731f1b9b48116167234553254116e86f06091b0bbd7eaf0cbea4c2df049
SHA512b6ee2b371198d5a70124444596fb28831ec6b2f06910e0f772852f7d80ad2974373aead6f9597c61a89bd99496ca33a838030e458265f6ddea4920ffb0472008
-
Filesize
256KB
MD549812146416b5cbd77451e23d59a3d50
SHA12f3a63e1a25e0f43083cc6d6bb2d4d49b521b218
SHA256dc3b3afd6fd62b7309a49ca1b2e3ff7bd3938201a2820705eb4f01affd6ad600
SHA5123e4ce89a0c940060556395c61706756052b5d9dda0d08b0453c421dca626269c98061381e4b711133de041b8fd61ad6624a8fc33a2aaaa6f3b892f3fad8c9e57
-
Filesize
2KB
MD5a5d7eac6c01a44b6a6256612f4b57ca3
SHA134197d3d33960563f01cd4fbc860af205e891de4
SHA256b205656391dba5728e73ba32074253a1da407794ebd3c192aacf22d73764e637
SHA512bd31f51eb92f9a08e0e5b96f2a28979115630a2776040f22c9cf46c1477bc92845a236b1e8a244a959c03a8f092da9be451f697ad892c8bf48a73a87410da582
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB