Analysis
max time kernel: 148s
max time network: 144s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28/01/2025, 14:25 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_4bde8f0106a634f5db438cec9dd17b6a.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_4bde8f0106a634f5db438cec9dd17b6a.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_4bde8f0106a634f5db438cec9dd17b6a.exe
Size: 121KB
MD5: 4bde8f0106a634f5db438cec9dd17b6a
SHA1: e198af6e680729e5d0703b3ce9270eab50ce9cad
SHA256: d1ca348a5190346a4ea5899a85754ffbeb832900edc5f26dddcc04cb6fe21d8a
SHA512: 2d4b9d2490666b2ab5a6b474fb0e9fd6851a0ce77c3e79f2bf1f49d47ef2fc36da354318f9613de828b0ffe73fe04ce718286903b1eb8784ee979fe0e58da1cb
SSDEEP: 3072:bssmJjFCzCQZxJX7Zvwz/flgnL4pi+t5AJT+2X2G:4zWzzZxHQOL47Adn
Malware Config
Signatures
Detect XtremeRAT payload (7 IoCs)
resource / yara_rule:
- behavioral1/memory/2000-3-0x0000000000C80000-0x0000000000C92000-memory.dmp  family_xtremerat
- behavioral1/memory/2000-5-0x0000000000C80000-0x0000000000C92000-memory.dmp  family_xtremerat
- behavioral1/memory/2000-4-0x0000000000C80000-0x0000000000C92000-memory.dmp  family_xtremerat
- behavioral1/memory/2000-8-0x0000000000C80000-0x0000000000C92000-memory.dmp  family_xtremerat
- behavioral1/memory/1748-16-0x0000000000C80000-0x0000000000C92000-memory.dmp  family_xtremerat
- behavioral1/memory/2000-24-0x0000000000C80000-0x0000000000C92000-memory.dmp  family_xtremerat
- behavioral1/memory/1420-206-0x0000000000C80000-0x0000000000C92000-memory.dmp  family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Xtremerat family
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 32 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Executes dropped EXE (28 IoCs)
Loads dropped DLL (15 IoCs)
Adds Run key to start application (2 TTPs, 32 IoCs)
Drops file in System32 directory (29 IoCs)
Suspicious use of SetThreadContext (14 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 31 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of SetWindowsHookEx (15 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4bde8f0106a634f5db438cec9dd17b6a.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4bde8f0106a634f5db438cec9dd17b6a.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4bde8f0106a634f5db438cec9dd17b6a.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4bde8f0106a634f5db438cec9dd17b6a.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\svchost.exesvchost.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Windows\SysWOW64\windows1\window.exe"C:\Windows\system32\windows1\window.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2504 -
C:\Windows\SysWOW64\windows1\window.exeC:\Windows\SysWOW64\windows1\window.exe5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:836
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2444
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1924
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2024
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1908
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2404
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1424
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1984
-
-
C:\Windows\SysWOW64\windows1\window.exe"C:\Windows\SysWOW64\windows1\window.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1036 -
C:\Windows\SysWOW64\windows1\window.exeC:\Windows\SysWOW64\windows1\window.exe7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID: 2308
[level 8] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2864
[level 8] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2124
[level 8] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1080
[level 8] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1264
[level 8] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1712
[level 8] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1328
[level 8] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 3024
[level 8] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2120
[level 8] C:\Users\Admin\AppData\Roaming\windows1\window.exe (cmdline: "C:\Users\Admin\AppData\Roaming\windows1\window.exe") PID: 2972
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
[level 9] C:\Users\Admin\AppData\Roaming\windows1\window.exe (cmdline: C:\Users\Admin\AppData\Roaming\windows1\window.exe) PID: 1540
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
[level 10] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2200
[level 10] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2080
[level 10] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2112
[level 10] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 3048
[level 10] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2608
[level 10] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2492
[level 10] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2616
[level 10] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1876
[level 10] C:\Users\Admin\AppData\Roaming\windows1\window.exe (cmdline: "C:\Users\Admin\AppData\Roaming\windows1\window.exe") PID: 1904
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
[level 11] C:\Users\Admin\AppData\Roaming\windows1\window.exe (cmdline: C:\Users\Admin\AppData\Roaming\windows1\window.exe) PID: 2020
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
[level 12] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1288
[level 4] C:\Windows\SysWOW64\windows1\window.exe (cmdline: "C:\Windows\system32\windows1\window.exe") PID: 2784
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
[level 5] C:\Windows\SysWOW64\windows1\window.exe (cmdline: C:\Windows\SysWOW64\windows1\window.exe) PID: 2128
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
[level 6] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 796
[level 6] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1840
[level 6] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 440
[level 6] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1768
[level 6] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1764
[level 6] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1800
[level 6] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1116
[level 6] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2008
[level 6] C:\Users\Admin\AppData\Roaming\windows1\window.exe (cmdline: "C:\Users\Admin\AppData\Roaming\windows1\window.exe") PID: 2196
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
[level 7] C:\Users\Admin\AppData\Roaming\windows1\window.exe (cmdline: C:\Users\Admin\AppData\Roaming\windows1\window.exe) PID: 1584
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
[level 8] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1728
[level 8] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2368
[level 8] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1656
[level 8] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2736
[level 8] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2808
[level 8] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2728
[level 8] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2264
[level 8] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2040
[level 8] C:\Users\Admin\AppData\Roaming\windows1\window.exe (cmdline: "C:\Users\Admin\AppData\Roaming\windows1\window.exe") PID: 2528
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
[level 9] C:\Users\Admin\AppData\Roaming\windows1\window.exe (cmdline: C:\Users\Admin\AppData\Roaming\windows1\window.exe) PID: 1420
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
[level 4] C:\Windows\SysWOW64\windows1\window.exe (cmdline: "C:\Windows\system32\windows1\window.exe") PID: 2156
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
[level 5] C:\Windows\SysWOW64\windows1\window.exe (cmdline: C:\Windows\SysWOW64\windows1\window.exe) PID: 2796
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
[level 6] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2268
[level 6] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1612
[level 6] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2624
[level 6] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2644
[level 6] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2440
[level 6] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2520
[level 6] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2192
[level 6] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1940
[level 6] C:\Windows\SysWOW64\windows1\window.exe (cmdline: "C:\Windows\SysWOW64\windows1\window.exe") PID: 2400
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
[level 7] C:\Windows\SysWOW64\windows1\window.exe (cmdline: C:\Windows\SysWOW64\windows1\window.exe) PID: 1592
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
[level 8] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2784
[level 3] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2848
[level 3] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2792
[level 3] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2568
[level 3] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2052
[level 3] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2176
[level 3] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 304
[level 3] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2292
[level 3] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2296
[level 3] C:\Windows\SysWOW64\windows1\window.exe (cmdline: "C:\Windows\system32\windows1\window.exe") PID: 2084
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
[level 4] C:\Windows\SysWOW64\windows1\window.exe (cmdline: C:\Windows\SysWOW64\windows1\window.exe) PID: 2340
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
[level 5] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2960
[level 5] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2984
[level 5] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2632
[level 5] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2708
[level 5] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2712
[level 5] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2752
[level 5] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2816
[level 5] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2640
[level 5] C:\Users\Admin\AppData\Roaming\windows1\window.exe (cmdline: "C:\Users\Admin\AppData\Roaming\windows1\window.exe") PID: 2700
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
[level 6] C:\Users\Admin\AppData\Roaming\windows1\window.exe (cmdline: C:\Users\Admin\AppData\Roaming\windows1\window.exe) PID: 1392
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
[level 7] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2596
[level 7] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 3060
[level 7] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 572
[level 7] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1028
[level 7] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2428
[level 7] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1744
[level 7] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1780
[level 7] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2420
[level 7] C:\Windows\SysWOW64\windows1\window.exe (cmdline: "C:\Windows\system32\windows1\window.exe") PID: 2452
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
[level 8] C:\Windows\SysWOW64\windows1\window.exe (cmdline: C:\Windows\SysWOW64\windows1\window.exe) PID: 2224
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
[level 9] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1056
[level 9] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1948
[level 9] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1300
[level 9] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1632
[level 9] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2456
[level 9] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 532
[level 9] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1720
[level 9] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1272
[level 9] C:\Users\Admin\AppData\Roaming\windows1\window.exe (cmdline: "C:\Users\Admin\AppData\Roaming\windows1\window.exe") PID: 680
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
[level 10] C:\Users\Admin\AppData\Roaming\windows1\window.exe (cmdline: C:\Users\Admin\AppData\Roaming\windows1\window.exe) PID: 2584
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
[level 11] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 3040
[level 11] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2856
[level 11] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1604
[level 11] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2664
[level 11] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2992
[level 11] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2232
[level 11] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2804
[level 11] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2660
[level 11] C:\Users\Admin\AppData\Roaming\windows1\window.exe (cmdline: "C:\Users\Admin\AppData\Roaming\windows1\window.exe") PID: 2508
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
[level 12] C:\Users\Admin\AppData\Roaming\windows1\window.exe (cmdline: C:\Users\Admin\AppData\Roaming\windows1\window.exe) PID: 2652
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
[level 13] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 2532
[level 13] C:\Program Files\Internet Explorer\iexplore.exe (cmdline: "C:\Program Files\Internet Explorer\iexplore.exe") PID: 1064
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 1KB
  MD5: ae35f7ae1b8140d689707f10742dbe9e
  SHA1: a9a3ea242e822a4f92a9ec5bb1ae650e9e814b8c
  SHA256: 668c50c3d2fddc20b41826a2075145b05fa6d7c348fadf57f63372a56fd99c27
  SHA512: 9eb9f784f4406f0774fd60da9d840e9a2cc99727f658f4cd08a40c49cb1b4ffb1f961d34fbc5a83887be7b01fb57c50f0e8367470e27b93c55f7919cabe131cf
- Filesize: 121KB
  MD5: 4bde8f0106a634f5db438cec9dd17b6a
  SHA1: e198af6e680729e5d0703b3ce9270eab50ce9cad
  SHA256: d1ca348a5190346a4ea5899a85754ffbeb832900edc5f26dddcc04cb6fe21d8a
  SHA512: 2d4b9d2490666b2ab5a6b474fb0e9fd6851a0ce77c3e79f2bf1f49d47ef2fc36da354318f9613de828b0ffe73fe04ce718286903b1eb8784ee979fe0e58da1cb