Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
107s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
29/09/2024, 11:55
General
-
Target
fe793af48ea5f6a280b870e90d3ac04c_JaffaCakes118.exe
-
Size
270KB
-
MD5
fe793af48ea5f6a280b870e90d3ac04c
-
SHA1
31ea595d97f612905124203dd1c1d7c5fa902415
-
SHA256
962a22738f293250720a92b9a81ba199d144f3b6cf646f6e97151696f6e38756
-
SHA512
cbb213fb49fee2c345a4ba5763c3be3ff53474d864dda2fdd549ffd37d18363a9f33fe62907dd2b5db7de98b02d0b5db31b931d21ce0976e3a9c22ad879b0f17
-
SSDEEP
6144:eOnRyfNFO0HR7Wu55Onn+VI3zMJ79Wm0fvxT6/eaZ:eI8fNBHlV5I+coJZ+5G/l
Malware Config
Signatures
-
Gh0st RAT payload 14 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 45 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 45 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 51 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
NSIS installer 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 61 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe793af48ea5f6a280b870e90d3ac04c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fe793af48ea5f6a280b870e90d3ac04c_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\en.exe"C:\ProgramData\en.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\install4821093.exeC:\Users\Admin\AppData\Roaming\install4821093.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\qa.exe"C:\ProgramData\qa.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\install4903109.exeC:\Users\Admin\AppData\Roaming\install4903109.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\FE793A~1.EXE >> NUL2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4472 -ip 44721⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 5962⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1408 -ip 14081⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3212 -ip 32121⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 676 -ip 6761⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1996 -ip 19961⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4856 -ip 48561⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1076 -ip 10761⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 5962⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1016 -ip 10161⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3568 -ip 35681⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5084 -ip 50841⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 5882⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4256 -ip 42561⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1972 -ip 19721⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3036 -ip 30361⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 5842⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4820 -ip 48201⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1264 -ip 12641⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 6002⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1712 -ip 17121⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2172 -ip 21721⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 340 -ip 3401⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3648 -ip 36481⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2640 -ip 26401⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4368 -ip 43681⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2788 -ip 27881⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 5962⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2244 -ip 22441⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4536 -ip 45361⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4988 -ip 49881⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 456 -ip 4561⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4456 -ip 44561⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 5962⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 752 -ip 7521⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 5962⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 1832 -ip 18321⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4560 -ip 45601⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 3332 -ip 33321⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 5962⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 1544 -ip 15441⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 5962⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 3056 -ip 30561⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 1588 -ip 15881⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 1300 -ip 13001⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 4660 -ip 46601⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s uploadmgr1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 4556 -ip 45561⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s uploadmgr1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 1368 -ip 13681⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs -s uploadmgr1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 5922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 4688 -ip 46881⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k OutlookSharing1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 5442⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 3484 -ip 34841⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k OutlookSharing1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 5402⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 3748 -ip 37481⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k OutlookSharing1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 5402⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 3312 -ip 33121⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k CurrentControlServices1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 5402⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 4456 -ip 44561⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k CurrentControlServices1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 5402⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 384 -ip 3841⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k CurrentControlServices1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 5402⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 4452 -ip 44521⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
118KB
MD52d32fa5e3cb6e967cf3e93d14756c443
SHA1fc584e983cddc75bd953c6fb47107b503e7c3b13
SHA256ab74ee4cef9b9d08b9f46cc276047ff490b83588a0ef301e7982aae59663e888
SHA512c187efea4808cd33d942acac74ac43b35cd336c992e6f277698e1ab60510fd7debc2d2650ffc4952d5715f1d54e6c58130a7ed838afb15fa072d5348e1b32a00
-
Filesize
117KB
MD56f09bbc6d1e24d76251c0a566ca4310b
SHA1f38af11d64517fd6e5294e6017e25c016fe0bd7d
SHA25663bd165b4037893b26af4bf6a29e0dfe6637f0649caddd7196872e5fca2af8c0
SHA5128eb44d4c7c08cd668b30236193512d1e274922b7b8a1c200af69edba1a83def382c7e2d8b32885fbc658b2ed3c5173fde095f79d39f5209ce51a6168b4f97db0
-
Filesize
192KB
MD52cdced1cdbb37e687771c7eb297eebc5
SHA194ba6b37a5e81090672ed0dc6f4c63dc6b0ee537
SHA256e008441c0d970ec6a3ac09027b5a32050599339d87ee5392457ce692d2099580
SHA512330d6ba34633214f5a24e0d18a702121fc87b779ab37f79676f91c09db3be1c158d4e5606dd0529dddc2a822e6d07791a83d72cfbb7e38f8a8b2f38c9ec69def
-
Filesize
192KB
MD51d3bf95fb92486b71c1c8939ebc27f08
SHA1008b3fdf0b742b306f50f8503dc5be4b1023a4ca
SHA256c333f006f231c1dd310d8f97010120cdf710f43fcb555eeec27232f202c2fcf8
SHA5128f262e10fa53e70f41acb02fcc3208871d9b9ca5e263f3a70aa14aa4b8cb9169e73963740aa3e600e8e4830c67e5c6513721e36decf740f843c8ae8e7b0388e5
-
Filesize
19.1MB
MD5ce17b3971d39f6f7d3429b743ed1a29c
SHA1a996be6afbe0b1f210e966588662c76967d10ad6
SHA25665f4923f2848089bfbc4f4a55a4d1b8df0fa35952df03a4a07aa246bba7cf002
SHA51204f24345488ac4900f214749ef92e922820e1b472f0c51cb2e7589073ebdfb03e6527a7311f31482a25578518a9d150bf0cdecd254700e939c387b5214ad2bf8
-
Filesize
22.0MB
MD5aeb9b59888ff5f6af810984e5d961ad7
SHA16d96db0e0eab7d417a040386ad713fd58c72a124
SHA256bc1b09f4ae5a1ee44d47fd98e34009d54d1f555d6b584071e6e868db35a29df8
SHA51276b4d4272d11a9b9388a2bb55b6934c23836b045ed8510f6823f04ab5158827c8c18b7b9c084ab62142fb2351314b3a6c7be587f121e4cbe186dce413f829f59
-
Filesize
23.0MB
MD564ae65f32f5dd89de433d8448d91cc6e
SHA19405fbcc1164b1baf09231f13a84469c0c1c4dea
SHA2562961e8eac39a65bce61ca57ca80e2ae5e9ad794ee1811c59e70451095cb40672
SHA512cc9d0e2cb51fe0d5b27446bf26b05437893680b664835c6dc35582b262a6cf5d53428f5fab4e3193cfcd8bb2128d3ed850c4c638bfba2575a8b44b2668e756e1
-
Filesize
23.1MB
MD5fc14f5c16ecbf26668615f958640bf7d
SHA1d90f5369ebfa7a48164e62d9e29faea6c6d6f231
SHA256757f4e3c9b26caf17fc510ca396eb4735b82ff457a26788394480ae9fb78314c
SHA5124f968d99f482486f9c191eeea0ffef4874aaa794b58f317b7f950b92234a99abf45a61a2e70074310f23cbc07256043d2c05fe88b50b26979cc66aa66df415e7
-
Filesize
19.1MB
MD5a317af347509adcb29f13e43a45e8fd3
SHA150889df200e550542ef38fd83b6392c4fc08a27f
SHA256ef6d0ece043eb71e2704b77295f06661e81f3437dddd2147cee50eb88ed22368
SHA5124e1dd9cd110692dbf4b6881c0707b7378cb07b6019a9cdafd2be219ebfbcdd7f7907b62b5396b8bf2f8364b1e9a7f1bbfedb67aa72b2da4955f652b7cf130256
-
Filesize
20.1MB
MD5666da8c17b231ee81ada7a1211436b0e
SHA106101c4868b0ef1a1056dc13d42d90bae031d05b
SHA256e6f167af2b65b07a4b6c7c3fea8f7a3a8e41ae5f6153ff61e13ae92ba2cc12b2
SHA512ef83dcbfe1256074bbe8498c21fab94ab98af4b82c21378c5ff89e481f6bb1dab05a37a85cab3e597195b6709237b62133e5ad59d822c6678afe5ee9da9491d1
-
Filesize
23.1MB
MD5c34452ae524c27a3be22e8ccb1422251
SHA1911a4287a6bf4efd879b4bcaf3e47db88aaebc41
SHA25652084175858039afd5140ece3ab36569ab1c75122b9077f41bf7b61f8a4f7082
SHA512e5248f0880b64ed45c88f2518743933151f2fb5f1d82938c590628a8d25818b53db9cb0787ebe4f208ed87bd98d4f457854328722c7298e7cc63c82dc5809579
-
Filesize
24.0MB
MD5e7d9f25d4f49198cc371d6fb9aa63958
SHA16c4a87961b55d4fe04f9d47452d2e59bb5131ca0
SHA2560fd2f2fc8626f914bedd9ad1bc1814d203ac9d33651403c756e7b99f62b21dbd
SHA5122cb2a11ffdec272d824faf251f60fa69cc4154fada387da241371a0ca8f7ffd28a4354a6597a58fb6775e09a4e94cf014bd4f12922ab7d337c2e8bbc8bc32da5
-
Filesize
21.0MB
MD5a42876c7ae5430b2cc95ab6da0604d93
SHA1401eb48386df39ef4b42cc13d10dc10797c1fc25
SHA256721bbf1bd16aa538b8bc4c0d0af1c215574f0f96f881998460fb68d8291a4dc7
SHA5123ec2c5c036867d76309391ddc7a230477d4af97c236cc02bf3f89c2acb727f1c57d3219b648aae613013190d59d17fbf1ab18839bc0da9685671c41178a2fb57
-
Filesize
23.0MB
MD5e0d6f663136ae0c73ec7d9b154084036
SHA15df3fa5e4adcded33671e43a7281b301854dc4c7
SHA2562e08234256d6f93ecc7c84b06c72fa31d22d0ca3849faa4021d2b3c3b1b00c6d
SHA512103cd84a5cc67959b9922c6b26df7b25cd991cdc70e450ab7ba0c340f11e556a5f8ac7cb6e40fcda4b38e022f477435b1260779ce2dd19df0498f4683b3e6f5d
-
Filesize
24.1MB
MD53de58d1d8c096a0c4799eedfde81b294
SHA1c4e4488218f8eb03c301c082e8edf8d3d523e288
SHA25616ae59eb56c9c28e404652a6c5e1e9f4ad1d638d3578974f97230ec7bd696ab0
SHA512b55e8a42ca01579934b2f2d1cf51262130612413923d9b13eebe92b0551a11790c349deb8bdc9c6112f0a622fdec1c68dbb4139ed0a5d29d1ccb7e12afa6c00b
-
Filesize
24.0MB
MD55920118e137d0a4b566bfe6deaa66f91
SHA1439db65964d68731c0835c063221930c4f9b63ae
SHA256f8bfb48dc151f620b2e876d3b4bd9374a636e3f6d2e6cf44c13f0e9605900b22
SHA51292c793d6460866e67bd6c09138c1524a2c4b13d877ef54e46249a1496a9790c21367931413ad069b469139c0f983629d12cc34717477fcd59f3534d01bad202c
-
Filesize
21.0MB
MD5fde800af9d1a203665fc1e91a24491fc
SHA18bbe6b61fc324ffb08f18c93688aaf080ccf37ef
SHA256533a6d5ca30839b7fe23cc6bd0ec9cb1781aa4e60a258889baaedd4210708c2e
SHA51282a3e0c63a1dcfaae8110c55c3d5498f2ba322f348a66de5916cdd24850d5b6325213d4248ad2ce88179f849195878d6eedccb0d21f1a1ba4ca4cf1a416310bb
-
Filesize
23.0MB
MD5c620819344633d9a7215f2f2df83e68d
SHA1c4882cb93b7df91c064f828c17d2dcce8ee64263
SHA256ffa0668ab47706eee7f2711af219781f0247a2972f777f53ef82bdc7ec44852e
SHA512dd963cbff342a3af0643fc4f01a08e776d28bdcc69befabc4bc6d44449e3c308d0d87ef944fd6c98a9b6378bb1b96584c6ff1356d879a3adfdc4fc51879978a5
-
Filesize
32KB
-
Filesize
32KB