Analysis
max time kernel: 150s
max time network: 133s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 18/02/2025, 15:54
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
  Resource: win10v2004-20250217-en
General
Target: JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
Size: 664KB
MD5: 009efb7ea06f6183149371763bd28700
SHA1: 079811152ddc31aaaa9dedb7d0c10e68730a33a8
SHA256: 5fa8454e72a940330dc39ba77d50acbcdb81b847cd698ed98d43974e80185c8a
SHA512: f2e87417ce4756f0aaa5624d2902779045e98232cc8c4fb96cf57dfd25aa543da3f6b593d711cf6a3518457ab81b7d411e8d9fa4861e8d9014016931a421bf99
SSDEEP: 12288:JpJQH81uIuYUP7WhkYNZvtajnSmGCZIugdiS57s:JAHihudYLvkjlGwnOiSy
Malware Config
Signatures
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
ISR Stealer payload 9 IoCs
resource | yara_rule
behavioral1/memory/2152-60-0x0000000000400000-0x0000000000442000-memory.dmp | family_isrstealer
behavioral1/memory/2192-65-0x0000000000400000-0x0000000000449000-memory.dmp | family_isrstealer
behavioral1/memory/2192-40-0x0000000000400000-0x0000000000449000-memory.dmp | family_isrstealer
behavioral1/memory/2192-42-0x0000000000400000-0x0000000000449000-memory.dmp | family_isrstealer
behavioral1/memory/2192-56-0x0000000000400000-0x0000000000449000-memory.dmp | family_isrstealer
behavioral1/memory/2152-52-0x0000000000400000-0x0000000000442000-memory.dmp | family_isrstealer
behavioral1/memory/1872-299-0x0000000000400000-0x0000000000449000-memory.dmp | family_isrstealer
behavioral1/memory/2152-483-0x0000000000400000-0x0000000000442000-memory.dmp | family_isrstealer
behavioral1/memory/2152-817-0x0000000000400000-0x0000000000442000-memory.dmp | family_isrstealer
Isrstealer family
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource | yara_rule
behavioral1/memory/1400-783-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
behavioral1/memory/768-811-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
behavioral1/memory/768-814-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
resource | yara_rule
behavioral1/memory/1400-783-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView
behavioral1/memory/768-811-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView
behavioral1/memory/768-814-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView
Deletes itself 1 IoCs
pid | Process
2428 | cmd.exe
Executes dropped EXE 6 IoCs
pid | Process
2572 | bimod.exe
1872 | bimod.exe
916 | bimod.exe
2740 | bimod.exe
276 | bimod.exe
768 | bimod.exe
Loads dropped DLL 5 IoCs
pid | Process
2024 | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
2024 | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
2572 | bimod.exe
2572 | bimod.exe
1872 | bimod.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | bimod.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A18DB5FE-FBD1-15C9-3AE0-11C1A7AE5BF7} = "C:\\Users\\Admin\\AppData\\Roaming\\Moced\\bimod.exe" | bimod.exe
Suspicious use of SetThreadContext 12 IoCs
description | pid | Process | procid_target
PID 2044 set thread context of 2192 | 2044 | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe | 30
PID 2044 set thread context of 2024 | 2044 | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe | 31
PID 2192 set thread context of 2152 | 2192 | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe | 32
PID 2152 set thread context of 2804 | 2152 | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe | 33
PID 2572 set thread context of 1872 | 2572 | bimod.exe | 35
PID 2572 set thread context of 916 | 2572 | bimod.exe | 36
PID 1872 set thread context of 2740 | 1872 | bimod.exe | 37
PID 2740 set thread context of 276 | 2740 | bimod.exe | 40
PID 2152 set thread context of 1400 | 2152 | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe | 43
PID 2152 set thread context of 1400 | 2152 | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe | 43
PID 2740 set thread context of 768 | 2740 | bimod.exe | 44
PID 2740 set thread context of 768 | 2740 | bimod.exe | 44
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bimod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bimod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bimod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bimod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bimod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Privacy | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
NTFS ADS 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\01BE1BBD-00000001.eml:OECustomProperty | WinMail.exe
Suspicious behavior: EnumeratesProcesses 37 IoCs
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeSecurityPrivilege | 2024 | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
Token: SeSecurityPrivilege | 2152 | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
Token: SeSecurityPrivilege | 2152 | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
Token: SeManageVolumePrivilege | 2868 | WinMail.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2868 | WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs
pid | Process
2868 | WinMail.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
2044 | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
2192 | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
2152 | JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
2572 | bimod.exe
1872 | bimod.exe
2740 | bimod.exe
2868 | WinMail.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Windows\system32\taskhost.exe
  cmd: "taskhost.exe"  PID:1112
C:\Windows\system32\Dwm.exe
  cmd: "C:\Windows\system32\Dwm.exe"  PID:1176
C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE  PID:1212
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_009efb7ea06f6183149371763bd28700.exe"  PID:2044
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_009efb7ea06f6183149371763bd28700.exe"  PID:2192
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_009efb7ea06f6183149371763bd28700.exe"  PID:2152
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
          cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\Hiv9ch9GCQ.ini"  PID:2804
          - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
          cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\e8aZl563Rw.ini"  PID:1400
          - Accesses Microsoft Outlook accounts
          - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_009efb7ea06f6183149371763bd28700.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_009efb7ea06f6183149371763bd28700.exe"  PID:2024
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\Moced\bimod.exe
        cmd: "C:\Users\Admin\AppData\Roaming\Moced\bimod.exe"  PID:2572
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\Moced\bimod.exe
          cmd: "C:\Users\Admin\AppData\Roaming\Moced\bimod.exe"  PID:1872
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Roaming\Moced\bimod.exe
            cmd: "C:\Users\Admin\AppData\Roaming\Moced\bimod.exe"  PID:2740
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            C:\Users\Admin\AppData\Roaming\Moced\bimod.exe
              cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\O2w7YLviRs.ini"  PID:276
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Roaming\Moced\bimod.exe
              cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\kbqesnxdHg.ini"  PID:768
              - Executes dropped EXE
              - Accesses Microsoft Outlook accounts
              - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Roaming\Moced\bimod.exe
          cmd: "C:\Users\Admin\AppData\Roaming\Moced\bimod.exe"  PID:916
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        cmd: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp61ab4bd0.bat"  PID:2428
        - Deletes itself
        - System Location Discovery: System Language Discovery
C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:1576
C:\Windows\system32\conhost.exe
  cmd: \??\C:\Windows\system32\conhost.exe "307022403-218746065-1676923338-102530715-299708864-1364067046-631019521342290470"  PID:2628
C:\Program Files\Windows Mail\WinMail.exe
  cmd: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding  PID:2868
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}  PID:1168
C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}  PID:1088
C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}  PID:1804
C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}  PID:3032
C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}  PID:2516
C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}  PID:1436
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads