Analysis
  max time kernel: 150s
  max time network: 144s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 05/10/2024, 00:57

Static task: static1
Behavioral task: behavioral1
  Sample: 158ccbad9c0d11495d2a25bba0c0e984_JaffaCakes118.dll
  Resource: win7-20240903-en
General
  Target: 158ccbad9c0d11495d2a25bba0c0e984_JaffaCakes118.dll
  Size: 220KB
  MD5: 158ccbad9c0d11495d2a25bba0c0e984
  SHA1: 0b07d0b91017c4f897fa5fd029eefeb5f21de6dc
  SHA256: 90796ea3ec667c4473b2d093c3ebc4183c5c76f56b59336443c403d674ad501e
  SHA512: 6cd7a2a4ffaa7253d013c42d322832878c5c1047454bcc034e532b44b186885b2d2ab8f84e1c643b3d1230bb417c925c99a03c6028b69855144634e75f4d16e3
  SSDEEP: 3072:J7naa9l+SUVuhfgWTzT9r9l1RxhcoeCXqRb27jU8xbT:J7n/lKmoWTzJrtrXkQjBbT
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe

Executes dropped EXE (2 IoCs)
  pid | process
  3020 | regsvr32mgr.exe
  3060 | WaterMark.exe

Loads dropped DLL (4 IoCs)
  pid | process
  2968 | regsvr32.exe
  2968 | regsvr32.exe
  3020 | regsvr32mgr.exe
  3020 | regsvr32mgr.exe

Drops file in System32 directory (3 IoCs)
  description | ioc | process
  File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
  File created | C:\Windows\SysWOW64\regsvr32mgr.exe | regsvr32.exe
  resource | yara_rule
  behavioral1/memory/3020-12-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/3020-15-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/3020-20-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/3020-18-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/3020-17-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/3020-14-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/3020-13-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/3060-39-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/3060-40-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/3060-87-0x0000000000400000-0x0000000000421000-memory.dmp | upx
  behavioral1/memory/3060-671-0x0000000000400000-0x0000000000421000-memory.dmp | upx
Drops file in Program Files directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32mgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMark.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe

Modifies registry class (2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0" | regsvr32.exe
Suspicious behavior: EnumeratesProcesses (37 IoCs)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3060 | WaterMark.exe
  Token: SeDebugPrivilege | 2580 | svchost.exe
  Token: SeDebugPrivilege | 3060 | WaterMark.exe
  Token: SeDebugPrivilege | 2968 | regsvr32.exe

Suspicious use of UnmapMainImage (2 IoCs)
  pid | process
  3020 | regsvr32mgr.exe
  3060 | WaterMark.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(Indentation shows the parent/child relationship. Each entry is: image path | command line | PID, followed by the signatures that process triggered.)

C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe | PID 256
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID 332
C:\Windows\system32\wininit.exe | wininit.exe | PID 384
    C:\Windows\system32\services.exe | C:\Windows\system32\services.exe | PID 476
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | PID 600
            C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 2008
            C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe | PID 1468
            C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -Embedding | PID 1624
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS | PID 676
        C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | PID 748
        C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | PID 812
            C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID 1160
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | PID 840
            \\?\C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R | PID 2148
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | PID 968
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService | PID 280
        C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID 324
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | PID 1068
        C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID 1112
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" | PID 856
        C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | PID 2628
        C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | PID 2260
    C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID 492
    C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe | PID 500
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | PID 392
C:\Windows\system32\winlogon.exe | winlogon.exe | PID 432
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 1188
    C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\158ccbad9c0d11495d2a25bba0c0e984_JaffaCakes118.dll | PID 2948
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\regsvr32.exe | /s C:\Users\Admin\AppData\Local\Temp\158ccbad9c0d11495d2a25bba0c0e984_JaffaCakes118.dll | PID 2968
            - Loads dropped DLL
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\regsvr32mgr.exe | C:\Windows\SysWOW64\regsvr32mgr.exe | PID 3020
                - Executes dropped EXE
                - Loads dropped DLL
                - System Location Discovery: System Language Discovery
                - Suspicious use of UnmapMainImage
                - Suspicious use of WriteProcessMemory
                C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe" | PID 3060
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of UnmapMainImage
                    - Suspicious use of WriteProcessMemory
                    C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID 2820
                        - Modifies WinLogon for persistence
                        - Drops file in System32 directory
                        - Drops file in Program Files directory
                        - System Location Discovery: System Language Discovery
                    C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | PID 2580
                        - System Location Discovery: System Language Discovery
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of WriteProcessMemory
Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
  Filesize: 198KB
  MD5: df7012c5cfb2cf260edeaef8bb9eb02a
  SHA1: 069e587394f59049eed5c83acf475b79b23489af
  SHA256: fd61ad5371b639f333ebc7831fd57831ad8d5aa6dbbf7cdf5e2a67549013ebc4
  SHA512: 83885d06ce48465f70761ec7a26edfedbf85735cf4b57d0b572a87d5257a788818bc8e15e0bd79b96e758f76d64bc39afacf9c79181e7d252d5ea54dd8d19f39

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
  Filesize: 194KB
  MD5: f04bd1f28c63c91b9e16138dd1110bf2
  SHA1: 28d8d75c1b9e68bfdfea423ed381ac604d9d72ee
  SHA256: 26ebea632e73f59674843a95eac0fce3f5edfdf63df13951d9606dbf7ee63528
  SHA512: 03b978632d9bce7f92d5b2c41e96f75cbf1b54938aa3e9c283567644551adbda955cc8a438aa26d8ece9d0c33e5c88571408f40b0a102c49dd92c6e8fdc2c00a

  Filesize: 92KB
  MD5: 7075add34d45c925954a76c1e17e2281
  SHA1: 966e0b9c0b07f0ba3d2f0445c7b0dde3eeffc2da
  SHA256: 4ed6f25eae75a84499c0c9152db86df27aca9e789e5974fee455c86745019df3
  SHA512: 6946290850fffbacd9295814617e1b19e93ff9bdbbf4c5570e1929652a65eaff39e3e75a4903ff6da9ed97030f9c4601b735f9e577e661aea0dd88079f3b035b