Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/10/2024, 12:02
Static task: static1
Behavioral task: behavioral1
- Sample: 216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe
- Size: 1.5MB
- MD5: 216ca65ab4e45f62e1feb9ec72cadaf0
- SHA1: 4c15261de134999b8ddc318886057fb4ea7517e6
- SHA256: cbf4704f11c6d4a57c374d2333f76eacef1d8ed7929a1af1f43ed4e5eaabf958
- SHA512: 62dfea4e8b38802c9163fddc92904fcfaad70a05310433ec55c6e4d69d014a086f981756d415aeaa9540b399b00b82cc19db096cf563e8045fb986e38fe1694f
- SSDEEP: 24576:NKoFi8yx1uJVsxu/XvcAcb5UPWbApAQCVZPkTfvAGBQDQYr2bs:NKiiPx1oVsUfcVFU+bApqVebHBQsYC
Malware Config
Signatures
- ISR Stealer
  ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
- ISR Stealer payload (4 IoCs)
  resource / yara_rule:
  behavioral2/memory/1148-28-0x0000000000400000-0x0000000000442000-memory.dmp family_isrstealer
  behavioral2/memory/1148-30-0x0000000000400000-0x0000000000442000-memory.dmp family_isrstealer
  behavioral2/memory/1148-39-0x0000000000400000-0x0000000000442000-memory.dmp family_isrstealer
  behavioral2/memory/1148-40-0x0000000000400000-0x0000000000442000-memory.dmp family_isrstealer
- Detected Nirsoft tools (2 IoCs)
  Free utilities often used by attackers which can steal passwords, product keys, etc.
  resource / yara_rule:
  behavioral2/memory/4960-38-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft
  behavioral2/memory/1956-56-0x0000000000400000-0x000000000041F000-memory.dmp Nirsoft
- NirSoft MailPassView (2 IoCs)
  Password recovery tool for various email clients.
  resource / yara_rule:
  behavioral2/memory/4960-38-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView
  behavioral2/memory/1956-56-0x0000000000400000-0x000000000041F000-memory.dmp MailPassView
- Executes dropped EXE (2 IoCs)
  pid / Process:
  2900 RHPIBA~1.EXE
  4528 WhTX.exe
- Accesses Microsoft Outlook accounts (1 TTPs, 12 IoCs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description / ioc / Process:
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe
- AutoIT Executable (1 IoCs)
  AutoIT scripts compiled to PE executables.
  resource / yara_rule:
  behavioral2/files/0x0009000000023c8a-3.dat autoit_exe
- Suspicious use of SetThreadContext (44 IoCs)
- yara_rule match: upx
  resource / yara_rule:
  behavioral2/memory/4960-34-0x0000000000400000-0x000000000041F000-memory.dmp upx
  behavioral2/memory/4960-35-0x0000000000400000-0x000000000041F000-memory.dmp upx
  behavioral2/memory/4960-37-0x0000000000400000-0x000000000041F000-memory.dmp upx
  behavioral2/memory/4960-38-0x0000000000400000-0x000000000041F000-memory.dmp upx
  behavioral2/memory/728-45-0x0000000000400000-0x0000000000453000-memory.dmp upx
  behavioral2/memory/728-46-0x0000000000400000-0x0000000000453000-memory.dmp upx
  behavioral2/memory/728-48-0x0000000000400000-0x0000000000453000-memory.dmp upx
  behavioral2/memory/728-49-0x0000000000400000-0x0000000000453000-memory.dmp upx
  behavioral2/memory/1956-53-0x0000000000400000-0x000000000041F000-memory.dmp upx
  behavioral2/memory/1956-55-0x0000000000400000-0x000000000041F000-memory.dmp upx
  behavioral2/memory/1956-56-0x0000000000400000-0x000000000041F000-memory.dmp upx
- Program crash (8 IoCs)
  pid / pid_target / Process / procid_target:
  3656 2792 WerFault.exe 89
  212 4848 WerFault.exe 118
  4928 3296 WerFault.exe 130
  892 3924 WerFault.exe 138
  1164 2036 WerFault.exe 153
  2892 4988 WerFault.exe 156
  2944 2292 WerFault.exe 160
  4724 4012 WerFault.exe 165
- System Location Discovery: System Language Discovery (1 TTPs, 39 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of SetWindowsHookEx (15 IoCs)
  pid / Process:
  1148 RegSvcs.exe
  3324 RegSvcs.exe
  4512 RegSvcs.exe
  2768 RegSvcs.exe
  856 RegSvcs.exe
  3216 RegSvcs.exe
  1060 RegSvcs.exe
  116 RegSvcs.exe
  1336 RegSvcs.exe
  2528 RegSvcs.exe
  1704 RegSvcs.exe
  1220 RegSvcs.exe
  1380 RegSvcs.exe
  2656 RegSvcs.exe
  5080 RegSvcs.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(indentation follows the parent/child relationship; the bracketed number is the process depth as reported by the sandbox)
[1] C:\Users\Admin\AppData\Local\Temp\216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\216ca65ab4e45f62e1feb9ec72cadaf0_JaffaCakes118.exe"
    PID: 2624
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RHPIBA~1.EXE
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RHPIBA~1.EXE
      PID: 2900
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\WhTX.exe
        command line: "C:\Users\Admin\AppData\Roaming\WhTX.exe" "C:\Users\Admin\AppData\Roaming\iXZCO"
        PID: 4528
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 1148
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\RWZ2VMBvk6.ini"
            PID: 2792
          [6] C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 80
              PID: 3656
              - Program crash
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\9Vv8IqpyQr.ini"
            PID: 4960
            - Accesses Microsoft Outlook accounts
            - System Location Discovery: System Language Discovery
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 3324
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\5EUAPpKuc9.ini"
            PID: 728
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\FYkjEt8chL.ini"
            PID: 1956
            - Accesses Microsoft Outlook accounts
            - System Location Discovery: System Language Discovery
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 4512
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\Nku1ZAn7Cj.ini"
            PID: 3148
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\KdUeDnut6U.ini"
            PID: 4112
            - Accesses Microsoft Outlook accounts
            - System Location Discovery: System Language Discovery
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 2768
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\TmjcVD7lUD.ini"
            PID: 1996
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\ppoq2zG34I.ini"
            PID: 1044
            - Accesses Microsoft Outlook accounts
            - System Location Discovery: System Language Discovery
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 856
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\YrSWU7t2tM.ini"
            PID: 4640
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\381xZsBU4E.ini"
            PID: 3968
            - Accesses Microsoft Outlook accounts
            - System Location Discovery: System Language Discovery
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 3216
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\NAKgk3n4X9.ini"
            PID: 4848
          [6] C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 80
              PID: 212
              - Program crash
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\ti0qM6kA1T.ini"
            PID: 2944
            - Accesses Microsoft Outlook accounts
            - System Location Discovery: System Language Discovery
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 1064
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 1060
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\1rFoeWw2PC.ini"
            PID: 3956
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\OuK3BI5KzG.ini"
            PID: 3240
            - Accesses Microsoft Outlook accounts
            - System Location Discovery: System Language Discovery
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 116
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\7wyjdQiJoL.ini"
            PID: 3920
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\81smreuDB5.ini"
            PID: 3296
          [6] C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 80
              PID: 4928
              - Program crash
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 1336
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\OSOZnlAWPv.ini"
            PID: 3452
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\ATuRYcsaDU.ini"
            PID: 4412
            - Accesses Microsoft Outlook accounts
            - System Location Discovery: System Language Discovery
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 2528
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\UVEAjoUAgP.ini"
            PID: 3924
          [6] C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 80
              PID: 892
              - Program crash
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\CUaGWH7CMA.ini"
            PID: 1636
            - Accesses Microsoft Outlook accounts
            - System Location Discovery: System Language Discovery
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 1704
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\OHWU7c7y6c.ini"
            PID: 1560
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\h6Oz0xjU63.ini"
            PID: 4864
            - Accesses Microsoft Outlook accounts
            - System Location Discovery: System Language Discovery
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 4104
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 1492
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 1220
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\0Ab2Fznhgd.ini"
            PID: 4292
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\HgcOUL0G0h.ini"
            PID: 3632
            - Accesses Microsoft Outlook accounts
            - System Location Discovery: System Language Discovery
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 1380
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\4taVW4iOIk.ini"
            PID: 2036
          [6] C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 80
              PID: 1164
              - Program crash
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\mswbKYLQxV.ini"
            PID: 4988
          [6] C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 80
              PID: 2892
              - Program crash
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 2656
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\RqXClRSkX5.ini"
            PID: 2292
          [6] C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 80
              PID: 2944
              - Program crash
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\UDYyWvIICH.ini"
            PID: 4052
            - Accesses Microsoft Outlook accounts
            - System Location Discovery: System Language Discovery
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 5080
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            command line: /scomma "C:\Users\Admin\AppData\Local\Temp\dMowoMVAa0.ini"
            PID: 4012
          [6] C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 80
              PID: 4724
              - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2792 -ip 2792
    PID: 2368
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4848 -ip 4848
    PID: 2476
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3296 -ip 3296
    PID: 1152
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3924 -ip 3924
    PID: 4704
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2036 -ip 2036
    PID: 2244
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4988 -ip 4988
    PID: 2368
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2292 -ip 2292
    PID: 2900
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4012 -ip 4012
    PID: 516
Network
MITRE ATT&CK Enterprise v15
Downloads