Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system -
submitted
27-04-2024 22:39
Static task
static1
Behavioral task
behavioral1
Sample
03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
-
Target
03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
03c98422dc76b44642c9915cac8689e2
-
SHA1
fa166b50c812393f5dfe874bd1d416ea150cd5af
-
SHA256
cc7ba2aa2b2f23b11f2bc4608eaa6b8e465d00733c14ad42f155abf6606baf1d
-
SHA512
3bb484e01d7f0e087056573e35443638d61fa78a60734deb89d1ad27d0dc0cd82e445eb3b1f23677c041663b50743cc558655fbc7835a355d1fcbff771e4e713
-
SSDEEP
24576:FbSaE4mvt/OjXQ/AJoq/jlxtdp2us7JdHf:FbSv4mv0jQZq/RxK7jHf
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes: File.exe, 1430557336.exe
pid process
2464 File.exe
2780 1430557336.exe
-
Loads dropped DLL 10 IoCs
Processes: File.exe, WerFault.exe
pid process
2464 File.exe
2464 File.exe
2464 File.exe
1348 WerFault.exe
1348 WerFault.exe
1348 WerFault.exe
1348 WerFault.exe
1348 WerFault.exe
1348 WerFault.exe
1348 WerFault.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes: WerFault.exe
pid pid_target process target process
1348 2780 WerFault.exe 1430557336.exe
-
NSIS installer 2 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\File.exe nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\File.exe nsis_installer_2
-
Modifies system certificate store 3 IoCs
Note: the blob written below carries the subject name "thawte Primary Root CA" (readable in its hex), a well-known public root stored under AuthRoot by its thumbprint 91C6D6EE3E8AC86384E548C299295C756C817B81; this is consistent with Windows caching a public root during chain validation and should not by itself be read as the installation of an attacker-controlled CA.
Processes:
03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 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 03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 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 03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e6
32e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: 03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exe
pid process
3028 03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exewmic.exewmic.exewmic.exedescription pid process Token: SeDebugPrivilege 3028 03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2836 wmic.exe Token: SeSecurityPrivilege 2836 wmic.exe Token: SeTakeOwnershipPrivilege 2836 wmic.exe Token: SeLoadDriverPrivilege 2836 wmic.exe Token: SeSystemProfilePrivilege 2836 wmic.exe Token: SeSystemtimePrivilege 2836 wmic.exe Token: SeProfSingleProcessPrivilege 2836 wmic.exe Token: SeIncBasePriorityPrivilege 2836 wmic.exe Token: SeCreatePagefilePrivilege 2836 wmic.exe Token: SeBackupPrivilege 2836 wmic.exe Token: SeRestorePrivilege 2836 wmic.exe Token: SeShutdownPrivilege 2836 wmic.exe Token: SeDebugPrivilege 2836 wmic.exe Token: SeSystemEnvironmentPrivilege 2836 wmic.exe Token: SeRemoteShutdownPrivilege 2836 wmic.exe Token: SeUndockPrivilege 2836 wmic.exe Token: SeManageVolumePrivilege 2836 wmic.exe Token: 33 2836 wmic.exe Token: 34 2836 wmic.exe Token: 35 2836 wmic.exe Token: SeIncreaseQuotaPrivilege 2836 wmic.exe Token: SeSecurityPrivilege 2836 wmic.exe Token: SeTakeOwnershipPrivilege 2836 wmic.exe Token: SeLoadDriverPrivilege 2836 wmic.exe Token: SeSystemProfilePrivilege 2836 wmic.exe Token: SeSystemtimePrivilege 2836 wmic.exe Token: SeProfSingleProcessPrivilege 2836 wmic.exe Token: SeIncBasePriorityPrivilege 2836 wmic.exe Token: SeCreatePagefilePrivilege 2836 wmic.exe Token: SeBackupPrivilege 2836 wmic.exe Token: SeRestorePrivilege 2836 wmic.exe Token: SeShutdownPrivilege 2836 wmic.exe Token: SeDebugPrivilege 2836 wmic.exe Token: SeSystemEnvironmentPrivilege 2836 wmic.exe Token: SeRemoteShutdownPrivilege 2836 wmic.exe Token: SeUndockPrivilege 2836 wmic.exe Token: SeManageVolumePrivilege 2836 wmic.exe Token: 33 2836 wmic.exe Token: 34 2836 wmic.exe Token: 35 2836 wmic.exe Token: SeIncreaseQuotaPrivilege 1528 wmic.exe Token: SeSecurityPrivilege 1528 wmic.exe Token: SeTakeOwnershipPrivilege 1528 wmic.exe Token: SeLoadDriverPrivilege 1528 wmic.exe 
Token: SeSystemProfilePrivilege 1528 wmic.exe Token: SeSystemtimePrivilege 1528 wmic.exe Token: SeProfSingleProcessPrivilege 1528 wmic.exe Token: SeIncBasePriorityPrivilege 1528 wmic.exe Token: SeCreatePagefilePrivilege 1528 wmic.exe Token: SeBackupPrivilege 1528 wmic.exe Token: SeRestorePrivilege 1528 wmic.exe Token: SeShutdownPrivilege 1528 wmic.exe Token: SeDebugPrivilege 1528 wmic.exe Token: SeSystemEnvironmentPrivilege 1528 wmic.exe Token: SeRemoteShutdownPrivilege 1528 wmic.exe Token: SeUndockPrivilege 1528 wmic.exe Token: SeManageVolumePrivilege 1528 wmic.exe Token: 33 1528 wmic.exe Token: 34 1528 wmic.exe Token: 35 1528 wmic.exe Token: SeIncreaseQuotaPrivilege 2020 wmic.exe Token: SeSecurityPrivilege 2020 wmic.exe Token: SeTakeOwnershipPrivilege 2020 wmic.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exeFile.exe1430557336.exedescription pid process target process PID 3028 wrote to memory of 2464 3028 03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exe File.exe PID 3028 wrote to memory of 2464 3028 03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exe File.exe PID 3028 wrote to memory of 2464 3028 03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exe File.exe PID 3028 wrote to memory of 2464 3028 03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exe File.exe PID 2464 wrote to memory of 2780 2464 File.exe 1430557336.exe PID 2464 wrote to memory of 2780 2464 File.exe 1430557336.exe PID 2464 wrote to memory of 2780 2464 File.exe 1430557336.exe PID 2464 wrote to memory of 2780 2464 File.exe 1430557336.exe PID 2780 wrote to memory of 2836 2780 1430557336.exe wmic.exe PID 2780 wrote to memory of 2836 2780 1430557336.exe wmic.exe PID 2780 wrote to memory of 2836 2780 1430557336.exe wmic.exe PID 2780 wrote to memory of 2836 2780 1430557336.exe wmic.exe PID 2780 wrote to memory of 1528 2780 1430557336.exe wmic.exe PID 2780 wrote to memory of 1528 2780 1430557336.exe wmic.exe PID 2780 wrote to memory of 1528 2780 1430557336.exe wmic.exe PID 2780 wrote to memory of 1528 2780 1430557336.exe wmic.exe PID 2780 wrote to memory of 2020 2780 1430557336.exe wmic.exe PID 2780 wrote to memory of 2020 2780 1430557336.exe wmic.exe PID 2780 wrote to memory of 2020 2780 1430557336.exe wmic.exe PID 2780 wrote to memory of 2020 2780 1430557336.exe wmic.exe PID 2780 wrote to memory of 2840 2780 1430557336.exe wmic.exe PID 2780 wrote to memory of 2840 2780 1430557336.exe wmic.exe PID 2780 wrote to memory of 2840 2780 1430557336.exe wmic.exe PID 2780 wrote to memory of 2840 2780 1430557336.exe wmic.exe PID 2780 wrote to memory of 2272 2780 1430557336.exe wmic.exe PID 2780 wrote to memory of 2272 2780 1430557336.exe wmic.exe PID 2780 wrote to memory of 2272 2780 1430557336.exe wmic.exe PID 2780 wrote to memory of 2272 2780 1430557336.exe wmic.exe PID 2780 
wrote to memory of 1348 2780 1430557336.exe WerFault.exe PID 2780 wrote to memory of 1348 2780 1430557336.exe WerFault.exe PID 2780 wrote to memory of 1348 2780 1430557336.exe WerFault.exe PID 2780 wrote to memory of 1348 2780 1430557336.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\03c98422dc76b44642c9915cac8689e2_JaffaCakes118.exe"  1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Users\Admin\AppData\Local\Temp\File.exe  "C:\Users\Admin\AppData\Local\Temp\File.exe"  2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Users\Admin\AppData\Local\Temp\1430557336.exe  C:\Users\Admin\AppData\Local\Temp\1430557336.exe 0^4^6^2^5^5^1^4^8^5^4 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  3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Wbem\wmic.exe  wmic /output:C:\Users\Admin\AppData\Local\Temp\81714257548.txt bios get serialnumber  4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836 -
C:\Windows\SysWOW64\Wbem\wmic.exe  wmic /output:C:\Users\Admin\AppData\Local\Temp\81714257548.txt bios get version  4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528 -
C:\Windows\SysWOW64\Wbem\wmic.exe  wmic /output:C:\Users\Admin\AppData\Local\Temp\81714257548.txt bios get version  4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020 -
C:\Windows\SysWOW64\Wbem\wmic.exe  wmic /output:C:\Users\Admin\AppData\Local\Temp\81714257548.txt bios get version  4⤵ PID:2840
-
C:\Windows\SysWOW64\Wbem\wmic.exe  wmic /output:C:\Users\Admin\AppData\Local\Temp\81714257548.txt bios get version  4⤵ PID:2272
-
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 368  4⤵
- Loads dropped DLL
- Program crash
PID:1348
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
68KB
MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
764KB
MD5 463a2719b716b51902f7be46d2044f14
SHA1 59f9bbcf88bd944e844baa225634f5733844cffb
SHA256 5713fb5b1bb776da9d0dacf6c3943a133d26791df67da136805b2c8bbcc8171c
SHA512 4e2694e497b6c0aa1246eec0588cc83639385f76bbbaac9034b98759672b86fa2f5ef91e73163edfb99ed964a268ccc956cbb6e7fc13a563a67b1f2233d3359f
-
Filesize
66B
MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51
-
Filesize
558KB
MD5 adf590c9241589e963b0c7c96d9eb839
SHA1 65b942dd5cdfc2be6b0bc24371383951a98c117c
SHA256 fe31629b3787114cc555f90b21c3a58da8a3380a5b6e0347496bf8f52b063e64
SHA512 a3132fa50dbbba4bf08fee8c35705292e951b1f21bd372e70a438d6cbae030cae66843639cee32a36055edfab00d717dad5a4770134a2a79099659b3b4faad9d
-
Filesize
177KB
MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
126KB
MD5 09c0a8445c727b6cdee796a9a58b5482
SHA1 e654bd7418601f7205b2632c8bf32c29295384f9
SHA256 e363e4886f4a87644efc9a2515c0a98c054f50b02fc5fb58b540e041ad0d70d3
SHA512 3a43a904ea11bc1b70580da33196073e6f3a53841342ff755845f4eff94f4009b1fd496a57b2a38f36bb9dadbb87af92ca8ab9222547d780db081dc0a6ae0b85
-
Filesize
40KB
MD5 5f13dbc378792f23e598079fc1e4422b
SHA1 5813c05802f15930aa860b8363af2b58426c8adf
SHA256 6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d
SHA512 9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5