027274ac962d9b98e743983a84fee81ef37299f32761503993db59df60e8febc

Analysis

max time kernel
2s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
Size

18KB
MD5

fba481af59a2a9a96e61c2db01c0e165
SHA1

d40b49ecc10cfccc3679799dd3af42b27c6aecc7
SHA256

027274ac962d9b98e743983a84fee81ef37299f32761503993db59df60e8febc
SHA512

9df4d0dd3c0c022788f06a3e746523d6d7ef0425896bf82ac1619d936e51656e9a3ffe1f3978234b5d1de7fff9811b86b865fc4fbbb60b1a79e24b4a127f18be
SSDEEP

384:I/swepWgn766GhJ5f3/Hu3O+sJ2FA+DIeZU6FieAAJ/5uDakuNVgG6yaSOkZeun7:QswepWg2/n//O3OrUW3E1kepuDakuNVZ

Score

7^/10

adware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
5448	zscqahlp.exe
5552	zscqahlp.exe
5632	zscqahlp.exe
5172	zscqahlp.exe

Loads dropped DLL 8 IoCs

pid	Process
2348	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
2348	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
5448	zscqahlp.exe
5448	zscqahlp.exe
5552	zscqahlp.exe
5552	zscqahlp.exe
5632	zscqahlp.exe
5632	zscqahlp.exe

Installs/modifies Browser Helper Object 2 TTPs 10 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}\ = "ypcqghlp.dll"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}\ = "ypcqghlp.dll"	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}\ = "ypcqghlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}\ = "ypcqghlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{80AF1289-F140-A140-D012-C1458759FC08}\ = "ypcqghlp.dll"	zscqahlp.exe

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\ypcqghlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\ypcqghlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\ypcqghlp.dll	zscqahlp.exe
File created	C:\Windows\SysWOW64\ypcqghlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ypcqghlp.dll	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\zscqahlp.exe	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\xscqbhlp.sys	zscqahlp.exe
File created	C:\Windows\SysWOW64\ypcqghlp.dll	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zscqahlp.exe	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ypcqghlp.dll	zscqahlp.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zscqahlp.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqghlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ThreadingModel = "Apartment"	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqghlp.dll"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqghlp.dll"	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqghlp.dll"	zscqahlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ = "C:\\Windows\\SysWow64\\ypcqghlp.dll"	zscqahlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AF1289-F140-A140-D012-C1458759FC08}\InprocServer32\ThreadingModel = "Apartment"	zscqahlp.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2348	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
2348	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
5448	zscqahlp.exe
5448	zscqahlp.exe
5552	zscqahlp.exe
5552	zscqahlp.exe
5632	zscqahlp.exe
5632	zscqahlp.exe
5632	zscqahlp.exe
5632	zscqahlp.exe
5632	zscqahlp.exe
5632	zscqahlp.exe
5632	zscqahlp.exe
5632	zscqahlp.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
Token: SeDebugPrivilege	2348	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
Token: SeDebugPrivilege	5448	zscqahlp.exe
Token: SeDebugPrivilege	5448	zscqahlp.exe
Token: SeDebugPrivilege	5552	zscqahlp.exe
Token: SeDebugPrivilege	5552	zscqahlp.exe
Token: SeDebugPrivilege	5632	zscqahlp.exe
Token: SeDebugPrivilege	5632	zscqahlp.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 3012	2348	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe	28
PID 2348 wrote to memory of 3012	2348	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe	28
PID 2348 wrote to memory of 3012	2348	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe	28
PID 2348 wrote to memory of 3012	2348	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe	28
PID 2348 wrote to memory of 5448	2348	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe	30
PID 2348 wrote to memory of 5448	2348	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe	30
PID 2348 wrote to memory of 5448	2348	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe	30
PID 2348 wrote to memory of 5448	2348	fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe	30
PID 5448 wrote to memory of 5516	5448	zscqahlp.exe	31
PID 5448 wrote to memory of 5516	5448	zscqahlp.exe	31
PID 5448 wrote to memory of 5516	5448	zscqahlp.exe	31
PID 5448 wrote to memory of 5516	5448	zscqahlp.exe	31
PID 5448 wrote to memory of 5552	5448	zscqahlp.exe	33
PID 5448 wrote to memory of 5552	5448	zscqahlp.exe	33
PID 5448 wrote to memory of 5552	5448	zscqahlp.exe	33
PID 5448 wrote to memory of 5552	5448	zscqahlp.exe	33
PID 5552 wrote to memory of 5620	5552	zscqahlp.exe	34
PID 5552 wrote to memory of 5620	5552	zscqahlp.exe	34
PID 5552 wrote to memory of 5620	5552	zscqahlp.exe	34
PID 5552 wrote to memory of 5620	5552	zscqahlp.exe	34
PID 5552 wrote to memory of 5632	5552	zscqahlp.exe	35
PID 5552 wrote to memory of 5632	5552	zscqahlp.exe	35
PID 5552 wrote to memory of 5632	5552	zscqahlp.exe	35
PID 5552 wrote to memory of 5632	5552	zscqahlp.exe	35
PID 5632 wrote to memory of 5696	5632	zscqahlp.exe	37
PID 5632 wrote to memory of 5696	5632	zscqahlp.exe	37
PID 5632 wrote to memory of 5696	5632	zscqahlp.exe	37
PID 5632 wrote to memory of 5696	5632	zscqahlp.exe	37
PID 5632 wrote to memory of 5172	5632	zscqahlp.exe	39
PID 5632 wrote to memory of 5172	5632	zscqahlp.exe	39
PID 5632 wrote to memory of 5172	5632	zscqahlp.exe	39
PID 5632 wrote to memory of 5172	5632	zscqahlp.exe	39
PID 5172 wrote to memory of 5224	5172	zscqahlp.exe	40
PID 5172 wrote to memory of 5224	5172	zscqahlp.exe	40
PID 5172 wrote to memory of 5224	5172	zscqahlp.exe	40
PID 5172 wrote to memory of 5224	5172	zscqahlp.exe	40

C:\Users\Admin\AppData\Local\Temp\fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fba481af59a2a9a96e61c2db01c0e165_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259429007.bat
  2⤵
  PID:3012
- C:\Windows\SysWOW64\zscqahlp.exe
  C:\Windows\system32\zscqahlp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5448
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259429678.bat
    3⤵
    PID:5516
- - C:\Windows\SysWOW64\zscqahlp.exe
    C:\Windows\system32\zscqahlp.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5552
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259429787.bat
      4⤵
      PID:5620
  - - C:\Windows\SysWOW64\zscqahlp.exe
      C:\Windows\system32\zscqahlp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Drops file in System32 directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5632
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259429912.bat
        5⤵
        
        PID:5696
    - - C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        5⤵
        Executes dropped EXE
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5172
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259430411.bat
        6⤵
        
        PID:5224
      - C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        6⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259431066.bat
        7⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        7⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259434982.bat
        8⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        8⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259436339.bat
        9⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        9⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259437244.bat
        10⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        10⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259438227.bat
        11⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        11⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259439443.bat
        12⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        12⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259440489.bat
        13⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        13⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259450800.bat
        14⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        14⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259549065.bat
        15⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        15⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259558425.bat
        16⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        16⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259560500.bat
        17⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        17⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259572512.bat
        18⤵
        
        PID:596
        
        C:\Windows\SysWOW64\zscqahlp.exe
        
        C:\Windows\system32\zscqahlp.exe
        18⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259578300.bat
        19⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259578690.bat
        14⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259501423.bat
        13⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259483904.bat
        12⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259487960.bat
        11⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259468335.bat
        10⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259481501.bat
        9⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259468085.bat
        8⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259465355.bat
        7⤵
        
        PID:4164
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259462157.bat
        6⤵
        
        PID:3996
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259463795.bat
        5⤵
        
        PID:3892
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259462313.bat
      4⤵
      PID:4292
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259461798.bat
    3⤵
    PID:3960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259460987.bat
  2⤵
  PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DFD259430411.bat

Filesize
121B

MD5
09517fc62284f33e877a276463580bd1

SHA1
0b14fe1db4493818f9de0bf2a56ee5370b8d479a

SHA256
6cc6bbb1f3f754b6894d84130f5f2d86569ac3a603e1632d3cefa028f22b6238

SHA512
1b924dd216d0f38199cc6df215e65ff260aa48fa37aa620dabcbc616f434643bd1f2e617d66b14bd52900214148741565128ba9589782ba582fd7308369f4a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259460987.bat

Filesize
225B

MD5
899d1363f32a92c20e366980d8574227

SHA1
719360780ca1a4282fd8c2fb21458c1721fd0a2b

SHA256
9e1a5c794c648cf73ca4546ab09d96991c0bbe31028d5a666d6c9966cc1886f4

SHA512
2a44aa984178c5a849aa4ee6b7bc27920e4d4ba62ae3764ae85c92c54a309dbc07ff0690d05f43a1416dd10a5eac2ce6dbe11e0f03638a94bfd10c03e9b546f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259462157.bat

Filesize
121B

MD5
c2c0873091165aeac1ca8b123e633948

SHA1
00c5eded4d1d987c07591bc2cba9d24f8a1ca643

SHA256
0eeb85cae44714f166d04bc76ffc4232001a4ab111b0bf3e89cb1efe94f49146

SHA512
dbd1e6fda9d9bef507000c9d859b818569e61e493b83da93029232a36edca33f627f62b0d90cb72c062ff5f6d4c7b7e9153989b7b355bed7d7663ccd12a5be12

Download Submit
C:\Windows\SysWOW64\xscqbhlp.sys

Filesize
520B

MD5
539c61ed79e509fc0d16a30f0ef657fc

SHA1
b6285a0932806100cb8ad18a8d79ba81b33dcf77

SHA256
df298f958275582f4ac6e14b89f3c4cafe1cd766ca4c4f31fa06f9f3ebb36100

SHA512
2a38b57d8920485ff8c53763d010d562719b019be2702196aa40fdc01f220e34a36ae4bf729ebf049adecc25027afc97d5e7548452fbd1508f17bfa375565069

Download Submit
C:\Windows\SysWOW64\ypcqghlp.dll

Filesize
526KB

MD5
d1fd78b0f8b952a20a4d07bc4bfc6db7

SHA1
9ff4e93a2cc6fa01196f82ecad59c60c6ab602d9

SHA256
f433bf6d8b77a2cd0c9a43c3d470760ba4a81a2e25a4c9adbc36882fb4cb9e7c

SHA512
18f8edb19b38766f90a6012114ec15c4008ba53eb5a2b3eade83f1bd0c880c5cf82b2df3400cc60ff9522b56f2328add90e50c8ea48f92c692f2f912457829ca

Download Submit
C:\Windows\SysWOW64\ypcqghlp.dll

Filesize
526KB

MD5
38d6fb9f0b3cc7cc411beed5af7f0c4d

SHA1
ae51d8a845fa6d5648ad86c8f637b3798d759bef

SHA256
a3e836ce6aa7c41162342dd7ca8776f8c2209cb140027091301c87029c7090f0

SHA512
6e2d0738b2b6fe66e873d06ffc84e8d2b60121a41a68c704bfd675e278fa3fd1ad0f2798420da956a90752c6b421602e09069533ceac07ad75f50601bc8de0e1

Download Submit
C:\Windows\SysWOW64\ypcqghlp.dll

Filesize
70KB

MD5
5c3c88cd8b295080c3f05866b39b3469

SHA1
8870be57d76d02485b190e95d10373b2f090bbb6

SHA256
dbeee1663fc9f321eb652889219a160b309c8c47c5dc6913b1e77ea3846805ac

SHA512
e3d1928e2e170a763cdcbe940bc5696f24322ccd7ad855378c23c4e989fab56efa2cd2185997e613d29dfea2005d243d8be8f5c0923d7d8ef44d8b3850a2f9a8

Download Submit
C:\Windows\SysWOW64\zscqahlp.exe

Filesize
18KB

MD5
fba481af59a2a9a96e61c2db01c0e165

SHA1
d40b49ecc10cfccc3679799dd3af42b27c6aecc7

SHA256
027274ac962d9b98e743983a84fee81ef37299f32761503993db59df60e8febc

SHA512
9df4d0dd3c0c022788f06a3e746523d6d7ef0425896bf82ac1619d936e51656e9a3ffe1f3978234b5d1de7fff9811b86b865fc4fbbb60b1a79e24b4a127f18be

Download Submit
memory/544-8359-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/544-8358-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/2040-8350-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/2348-4145-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2348-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2348-1026-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/2348-3126-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2688-6215-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/3292-8342-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/3292-8341-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/3292-7325-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3324-8376-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/3324-8368-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/4680-7324-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/4680-8360-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/4800-5190-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/4892-6214-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/5264-3122-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/5448-1048-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/5448-1046-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/5448-4157-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/5552-1049-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5552-1060-0x0000000000270000-0x000000000028C000-memory.dmp

Filesize
112KB

Download
memory/5632-2079-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/5632-2088-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/5632-5187-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/5632-5175-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download