3a5f91129675fc6570cd452f7fb6ee89a055c6c0b5e70cbc24c54becfaee110d

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe
Size

64KB
MD5

4882cbe344c426773e398d33839c69e0
SHA1

6c8c1ae6806e8b9286993df2ad91fbb355a507b1
SHA256

3a5f91129675fc6570cd452f7fb6ee89a055c6c0b5e70cbc24c54becfaee110d
SHA512

0d11bbbe3d0fa211d7a4aad120a640b73a8ea249b04038d9351ea4d818ced190a791ac82e882f80cbc1ef8ce6a0ca069d15f84cd20b4577d6a7e4dfde8655672
SSDEEP

192:ObOzawOs81elJHsc45HcRZOgtSWcWaOT2QLrCqwgI6Y04/CFxyNhoy5tm:ObLwOs8AHsc4pMfwIKQLrogv4/CFsrdm

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6C18248-DEDB-4625-B56E-A20F536D51DB}	{007CA2ED-0A23-4908-AAA1-79810A68A801}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84143A48-36A9-4f76-9ACD-E537980BC754}\stubpath = "C:\\Windows\\{84143A48-36A9-4f76-9ACD-E537980BC754}.exe"	{47C2B49E-511A-47fb-83C4-55258E1AE7BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C6B2A27-B794-4c12-BB4D-242F0289A638}	{D59467F4-7EA6-4dff-A116-E431F8501BEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B34615A2-999B-44e0-A020-C26DAA9180F5}	{4C6B2A27-B794-4c12-BB4D-242F0289A638}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B34615A2-999B-44e0-A020-C26DAA9180F5}\stubpath = "C:\\Windows\\{B34615A2-999B-44e0-A020-C26DAA9180F5}.exe"	{4C6B2A27-B794-4c12-BB4D-242F0289A638}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{007CA2ED-0A23-4908-AAA1-79810A68A801}	{5CD6F792-340D-4887-BE04-5F39EB673FB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6C18248-DEDB-4625-B56E-A20F536D51DB}\stubpath = "C:\\Windows\\{F6C18248-DEDB-4625-B56E-A20F536D51DB}.exe"	{007CA2ED-0A23-4908-AAA1-79810A68A801}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47C2B49E-511A-47fb-83C4-55258E1AE7BE}	{F6C18248-DEDB-4625-B56E-A20F536D51DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D59467F4-7EA6-4dff-A116-E431F8501BEF}\stubpath = "C:\\Windows\\{D59467F4-7EA6-4dff-A116-E431F8501BEF}.exe"	{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C6B2A27-B794-4c12-BB4D-242F0289A638}\stubpath = "C:\\Windows\\{4C6B2A27-B794-4c12-BB4D-242F0289A638}.exe"	{D59467F4-7EA6-4dff-A116-E431F8501BEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E33FCF0-2982-4821-BA55-F21B646ED8C5}\stubpath = "C:\\Windows\\{5E33FCF0-2982-4821-BA55-F21B646ED8C5}.exe"	{B68AF69C-D148-44e2-9629-7B5F6C19DA89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CD6F792-340D-4887-BE04-5F39EB673FB3}\stubpath = "C:\\Windows\\{5CD6F792-340D-4887-BE04-5F39EB673FB3}.exe"	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{007CA2ED-0A23-4908-AAA1-79810A68A801}\stubpath = "C:\\Windows\\{007CA2ED-0A23-4908-AAA1-79810A68A801}.exe"	{5CD6F792-340D-4887-BE04-5F39EB673FB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47C2B49E-511A-47fb-83C4-55258E1AE7BE}\stubpath = "C:\\Windows\\{47C2B49E-511A-47fb-83C4-55258E1AE7BE}.exe"	{F6C18248-DEDB-4625-B56E-A20F536D51DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}\stubpath = "C:\\Windows\\{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}.exe"	{84143A48-36A9-4f76-9ACD-E537980BC754}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B68AF69C-D148-44e2-9629-7B5F6C19DA89}	{B34615A2-999B-44e0-A020-C26DAA9180F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B68AF69C-D148-44e2-9629-7B5F6C19DA89}\stubpath = "C:\\Windows\\{B68AF69C-D148-44e2-9629-7B5F6C19DA89}.exe"	{B34615A2-999B-44e0-A020-C26DAA9180F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E33FCF0-2982-4821-BA55-F21B646ED8C5}	{B68AF69C-D148-44e2-9629-7B5F6C19DA89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CD6F792-340D-4887-BE04-5F39EB673FB3}	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84143A48-36A9-4f76-9ACD-E537980BC754}	{47C2B49E-511A-47fb-83C4-55258E1AE7BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}	{84143A48-36A9-4f76-9ACD-E537980BC754}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D59467F4-7EA6-4dff-A116-E431F8501BEF}	{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}.exe

Deletes itself 1 IoCs

pid	Process
2600	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2540	{5CD6F792-340D-4887-BE04-5F39EB673FB3}.exe
2516	{007CA2ED-0A23-4908-AAA1-79810A68A801}.exe
2404	{F6C18248-DEDB-4625-B56E-A20F536D51DB}.exe
2744	{47C2B49E-511A-47fb-83C4-55258E1AE7BE}.exe
1784	{84143A48-36A9-4f76-9ACD-E537980BC754}.exe
1760	{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}.exe
1284	{D59467F4-7EA6-4dff-A116-E431F8501BEF}.exe
1248	{4C6B2A27-B794-4c12-BB4D-242F0289A638}.exe
324	{B34615A2-999B-44e0-A020-C26DAA9180F5}.exe
1796	{B68AF69C-D148-44e2-9629-7B5F6C19DA89}.exe
2008	{5E33FCF0-2982-4821-BA55-F21B646ED8C5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}.exe	{84143A48-36A9-4f76-9ACD-E537980BC754}.exe
File created	C:\Windows\{D59467F4-7EA6-4dff-A116-E431F8501BEF}.exe	{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}.exe
File created	C:\Windows\{4C6B2A27-B794-4c12-BB4D-242F0289A638}.exe	{D59467F4-7EA6-4dff-A116-E431F8501BEF}.exe
File created	C:\Windows\{B34615A2-999B-44e0-A020-C26DAA9180F5}.exe	{4C6B2A27-B794-4c12-BB4D-242F0289A638}.exe
File created	C:\Windows\{5E33FCF0-2982-4821-BA55-F21B646ED8C5}.exe	{B68AF69C-D148-44e2-9629-7B5F6C19DA89}.exe
File created	C:\Windows\{007CA2ED-0A23-4908-AAA1-79810A68A801}.exe	{5CD6F792-340D-4887-BE04-5F39EB673FB3}.exe
File created	C:\Windows\{F6C18248-DEDB-4625-B56E-A20F536D51DB}.exe	{007CA2ED-0A23-4908-AAA1-79810A68A801}.exe
File created	C:\Windows\{84143A48-36A9-4f76-9ACD-E537980BC754}.exe	{47C2B49E-511A-47fb-83C4-55258E1AE7BE}.exe
File created	C:\Windows\{5CD6F792-340D-4887-BE04-5F39EB673FB3}.exe	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe
File created	C:\Windows\{47C2B49E-511A-47fb-83C4-55258E1AE7BE}.exe	{F6C18248-DEDB-4625-B56E-A20F536D51DB}.exe
File created	C:\Windows\{B68AF69C-D148-44e2-9629-7B5F6C19DA89}.exe	{B34615A2-999B-44e0-A020-C26DAA9180F5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2932	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2540	{5CD6F792-340D-4887-BE04-5F39EB673FB3}.exe
Token: SeIncBasePriorityPrivilege	2516	{007CA2ED-0A23-4908-AAA1-79810A68A801}.exe
Token: SeIncBasePriorityPrivilege	2404	{F6C18248-DEDB-4625-B56E-A20F536D51DB}.exe
Token: SeIncBasePriorityPrivilege	2744	{47C2B49E-511A-47fb-83C4-55258E1AE7BE}.exe
Token: SeIncBasePriorityPrivilege	1784	{84143A48-36A9-4f76-9ACD-E537980BC754}.exe
Token: SeIncBasePriorityPrivilege	1760	{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}.exe
Token: SeIncBasePriorityPrivilege	1284	{D59467F4-7EA6-4dff-A116-E431F8501BEF}.exe
Token: SeIncBasePriorityPrivilege	1248	{4C6B2A27-B794-4c12-BB4D-242F0289A638}.exe
Token: SeIncBasePriorityPrivilege	324	{B34615A2-999B-44e0-A020-C26DAA9180F5}.exe
Token: SeIncBasePriorityPrivilege	1796	{B68AF69C-D148-44e2-9629-7B5F6C19DA89}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2540	2932	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe	28
PID 2932 wrote to memory of 2540	2932	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe	28
PID 2932 wrote to memory of 2540	2932	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe	28
PID 2932 wrote to memory of 2540	2932	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe	28
PID 2932 wrote to memory of 2600	2932	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe	29
PID 2932 wrote to memory of 2600	2932	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe	29
PID 2932 wrote to memory of 2600	2932	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe	29
PID 2932 wrote to memory of 2600	2932	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe	29
PID 2540 wrote to memory of 2516	2540	{5CD6F792-340D-4887-BE04-5F39EB673FB3}.exe	30
PID 2540 wrote to memory of 2516	2540	{5CD6F792-340D-4887-BE04-5F39EB673FB3}.exe	30
PID 2540 wrote to memory of 2516	2540	{5CD6F792-340D-4887-BE04-5F39EB673FB3}.exe	30
PID 2540 wrote to memory of 2516	2540	{5CD6F792-340D-4887-BE04-5F39EB673FB3}.exe	30
PID 2540 wrote to memory of 2644	2540	{5CD6F792-340D-4887-BE04-5F39EB673FB3}.exe	31
PID 2540 wrote to memory of 2644	2540	{5CD6F792-340D-4887-BE04-5F39EB673FB3}.exe	31
PID 2540 wrote to memory of 2644	2540	{5CD6F792-340D-4887-BE04-5F39EB673FB3}.exe	31
PID 2540 wrote to memory of 2644	2540	{5CD6F792-340D-4887-BE04-5F39EB673FB3}.exe	31
PID 2516 wrote to memory of 2404	2516	{007CA2ED-0A23-4908-AAA1-79810A68A801}.exe	32
PID 2516 wrote to memory of 2404	2516	{007CA2ED-0A23-4908-AAA1-79810A68A801}.exe	32
PID 2516 wrote to memory of 2404	2516	{007CA2ED-0A23-4908-AAA1-79810A68A801}.exe	32
PID 2516 wrote to memory of 2404	2516	{007CA2ED-0A23-4908-AAA1-79810A68A801}.exe	32
PID 2516 wrote to memory of 2452	2516	{007CA2ED-0A23-4908-AAA1-79810A68A801}.exe	33
PID 2516 wrote to memory of 2452	2516	{007CA2ED-0A23-4908-AAA1-79810A68A801}.exe	33
PID 2516 wrote to memory of 2452	2516	{007CA2ED-0A23-4908-AAA1-79810A68A801}.exe	33
PID 2516 wrote to memory of 2452	2516	{007CA2ED-0A23-4908-AAA1-79810A68A801}.exe	33
PID 2404 wrote to memory of 2744	2404	{F6C18248-DEDB-4625-B56E-A20F536D51DB}.exe	36
PID 2404 wrote to memory of 2744	2404	{F6C18248-DEDB-4625-B56E-A20F536D51DB}.exe	36
PID 2404 wrote to memory of 2744	2404	{F6C18248-DEDB-4625-B56E-A20F536D51DB}.exe	36
PID 2404 wrote to memory of 2744	2404	{F6C18248-DEDB-4625-B56E-A20F536D51DB}.exe	36
PID 2404 wrote to memory of 2776	2404	{F6C18248-DEDB-4625-B56E-A20F536D51DB}.exe	37
PID 2404 wrote to memory of 2776	2404	{F6C18248-DEDB-4625-B56E-A20F536D51DB}.exe	37
PID 2404 wrote to memory of 2776	2404	{F6C18248-DEDB-4625-B56E-A20F536D51DB}.exe	37
PID 2404 wrote to memory of 2776	2404	{F6C18248-DEDB-4625-B56E-A20F536D51DB}.exe	37
PID 2744 wrote to memory of 1784	2744	{47C2B49E-511A-47fb-83C4-55258E1AE7BE}.exe	38
PID 2744 wrote to memory of 1784	2744	{47C2B49E-511A-47fb-83C4-55258E1AE7BE}.exe	38
PID 2744 wrote to memory of 1784	2744	{47C2B49E-511A-47fb-83C4-55258E1AE7BE}.exe	38
PID 2744 wrote to memory of 1784	2744	{47C2B49E-511A-47fb-83C4-55258E1AE7BE}.exe	38
PID 2744 wrote to memory of 2296	2744	{47C2B49E-511A-47fb-83C4-55258E1AE7BE}.exe	39
PID 2744 wrote to memory of 2296	2744	{47C2B49E-511A-47fb-83C4-55258E1AE7BE}.exe	39
PID 2744 wrote to memory of 2296	2744	{47C2B49E-511A-47fb-83C4-55258E1AE7BE}.exe	39
PID 2744 wrote to memory of 2296	2744	{47C2B49E-511A-47fb-83C4-55258E1AE7BE}.exe	39
PID 1784 wrote to memory of 1760	1784	{84143A48-36A9-4f76-9ACD-E537980BC754}.exe	40
PID 1784 wrote to memory of 1760	1784	{84143A48-36A9-4f76-9ACD-E537980BC754}.exe	40
PID 1784 wrote to memory of 1760	1784	{84143A48-36A9-4f76-9ACD-E537980BC754}.exe	40
PID 1784 wrote to memory of 1760	1784	{84143A48-36A9-4f76-9ACD-E537980BC754}.exe	40
PID 1784 wrote to memory of 288	1784	{84143A48-36A9-4f76-9ACD-E537980BC754}.exe	41
PID 1784 wrote to memory of 288	1784	{84143A48-36A9-4f76-9ACD-E537980BC754}.exe	41
PID 1784 wrote to memory of 288	1784	{84143A48-36A9-4f76-9ACD-E537980BC754}.exe	41
PID 1784 wrote to memory of 288	1784	{84143A48-36A9-4f76-9ACD-E537980BC754}.exe	41
PID 1760 wrote to memory of 1284	1760	{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}.exe	42
PID 1760 wrote to memory of 1284	1760	{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}.exe	42
PID 1760 wrote to memory of 1284	1760	{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}.exe	42
PID 1760 wrote to memory of 1284	1760	{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}.exe	42
PID 1760 wrote to memory of 1364	1760	{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}.exe	43
PID 1760 wrote to memory of 1364	1760	{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}.exe	43
PID 1760 wrote to memory of 1364	1760	{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}.exe	43
PID 1760 wrote to memory of 1364	1760	{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}.exe	43
PID 1284 wrote to memory of 1248	1284	{D59467F4-7EA6-4dff-A116-E431F8501BEF}.exe	44
PID 1284 wrote to memory of 1248	1284	{D59467F4-7EA6-4dff-A116-E431F8501BEF}.exe	44
PID 1284 wrote to memory of 1248	1284	{D59467F4-7EA6-4dff-A116-E431F8501BEF}.exe	44
PID 1284 wrote to memory of 1248	1284	{D59467F4-7EA6-4dff-A116-E431F8501BEF}.exe	44
PID 1284 wrote to memory of 2260	1284	{D59467F4-7EA6-4dff-A116-E431F8501BEF}.exe	45
PID 1284 wrote to memory of 2260	1284	{D59467F4-7EA6-4dff-A116-E431F8501BEF}.exe	45
PID 1284 wrote to memory of 2260	1284	{D59467F4-7EA6-4dff-A116-E431F8501BEF}.exe	45
PID 1284 wrote to memory of 2260	1284	{D59467F4-7EA6-4dff-A116-E431F8501BEF}.exe	45

C:\Users\Admin\AppData\Local\Temp\4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\{5CD6F792-340D-4887-BE04-5F39EB673FB3}.exe
  C:\Windows\{5CD6F792-340D-4887-BE04-5F39EB673FB3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\{007CA2ED-0A23-4908-AAA1-79810A68A801}.exe
    C:\Windows\{007CA2ED-0A23-4908-AAA1-79810A68A801}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\{F6C18248-DEDB-4625-B56E-A20F536D51DB}.exe
      C:\Windows\{F6C18248-DEDB-4625-B56E-A20F536D51DB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Windows\{47C2B49E-511A-47fb-83C4-55258E1AE7BE}.exe
        
        C:\Windows\{47C2B49E-511A-47fb-83C4-55258E1AE7BE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\{84143A48-36A9-4f76-9ACD-E537980BC754}.exe
        
        C:\Windows\{84143A48-36A9-4f76-9ACD-E537980BC754}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}.exe
        
        C:\Windows\{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\{D59467F4-7EA6-4dff-A116-E431F8501BEF}.exe
        
        C:\Windows\{D59467F4-7EA6-4dff-A116-E431F8501BEF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\{4C6B2A27-B794-4c12-BB4D-242F0289A638}.exe
        
        C:\Windows\{4C6B2A27-B794-4c12-BB4D-242F0289A638}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\{B34615A2-999B-44e0-A020-C26DAA9180F5}.exe
        
        C:\Windows\{B34615A2-999B-44e0-A020-C26DAA9180F5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Windows\{B68AF69C-D148-44e2-9629-7B5F6C19DA89}.exe
        
        C:\Windows\{B68AF69C-D148-44e2-9629-7B5F6C19DA89}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Windows\{5E33FCF0-2982-4821-BA55-F21B646ED8C5}.exe
        
        C:\Windows\{5E33FCF0-2982-4821-BA55-F21B646ED8C5}.exe
        12⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B68AF~1.EXE > nul
        12⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3461~1.EXE > nul
        11⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C6B2~1.EXE > nul
        10⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5946~1.EXE > nul
        9⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{481AF~1.EXE > nul
        8⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84143~1.EXE > nul
        7⤵
        
        PID:288
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47C2B~1.EXE > nul
        6⤵
        
        PID:2296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6C18~1.EXE > nul
        5⤵
        
        PID:2776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{007CA~1.EXE > nul
      4⤵
      PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5CD6F~1.EXE > nul
    3⤵
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4882CB~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{007CA2ED-0A23-4908-AAA1-79810A68A801}.exe

Filesize
64KB

MD5
2cca7aa7a17d5da0c9fbab8dea4651f4

SHA1
46d4097f84de98aa5897d4c680e708faf4759740

SHA256
8fcd620fb9e8297a06308628e4631718e7d50e8232fadb9410a7ed048087c951

SHA512
7c49469e6ffd8f3159979dc21a2d82fe7c819313cf1180a616d620e7c6708518bcadfee6746ef868bbb4689f97ca9ee38d34b298e5208f45eaf40a7b4e5049df

Download Submit
C:\Windows\{47C2B49E-511A-47fb-83C4-55258E1AE7BE}.exe

Filesize
64KB

MD5
b95b8343d80a92c56c774dab4db388b9

SHA1
da72ee92a9176e06ca4d40578a9bd4d5e095a2ac

SHA256
5666b1ea03f18b96afbb62bb5c633891163171b1d77dde355e30691360d0099f

SHA512
6299600cd796f69d26deaec13fa849bc05e9b7479da1f88c298ce11691f100d584eb9c0939181bc6d7b64d61d4db3513ae231de166890335c1dd65ab6da82933

Download Submit
C:\Windows\{481AF134-BFA9-46b3-832B-7A59C2FBB8E3}.exe

Filesize
64KB

MD5
17dcd1d5a3ceeee4708b0de2c80b7412

SHA1
a2b9c190a817fd090184abf17b02475ac2bdd81a

SHA256
29096dd10818c744cd9ebb026f7ec321e00a4d1f269c26ba2262f06c1fe4b71b

SHA512
d577b4b93d13003d456a54481f27df445bfef188db2c63cee0f7feb839a61fc7657cf27f739181a1058fbf24e082de6c001270e558e4091d43b0580cbcd6c7ab

Download Submit
C:\Windows\{4C6B2A27-B794-4c12-BB4D-242F0289A638}.exe

Filesize
64KB

MD5
95b582bdef7afa31df979eb9d66ab871

SHA1
ea206ab20cee9e59d22d3e11a39d232b73c361fa

SHA256
ad05fc44469117b5c539c2666756ef5e5da7058ba5abbd50ab05cc2a58fe234f

SHA512
27ebeebe405f69e5b09517ee509b1310ebfe5380cebdc2cdd26c7af86b04f6fc6d05ee38ffb471a0ccd6a090743e41115e0c893f8dd5f7a2b087e13b9c5dd630

Download Submit
C:\Windows\{5CD6F792-340D-4887-BE04-5F39EB673FB3}.exe

Filesize
64KB

MD5
9f801f7d10316ad9fcce74799cc60101

SHA1
35eb71edbd0121a0949088c3f5153ca6c247ae71

SHA256
3483c1737634ba6a5fb556f5c814ce6a046cbf9e256ee9e1b7a126f684eff5bf

SHA512
f3c7383b0fbacdd6624c180d48dd7c415ee0aea19265518a3c24346335e1ba369a14c9c2223249632860d6f9a401ffdd97f829af9874f19245524e9852e0de1a

Download Submit
C:\Windows\{5E33FCF0-2982-4821-BA55-F21B646ED8C5}.exe

Filesize
64KB

MD5
0637b174b59169edb981b2e6f3e095d2

SHA1
4f5512f43de4a187897f83dd8a8e37025c853c4f

SHA256
1ad0b898943133fc053d270ba7363e72cb2f433b1c1d72f286cb45ed1692cbde

SHA512
297077a28b9a651b3ae14a1832e138743a65f00efcd40a8c5a0e7dc5c8e820974c5f44e29da17aef3431c7a88f1f26d086bc6b26e16d7a416875c62a1ede7299

Download Submit
C:\Windows\{84143A48-36A9-4f76-9ACD-E537980BC754}.exe

Filesize
64KB

MD5
984791a7f3a23311118a13b4960a8c99

SHA1
358e4d39f9f18d83155307034b01a6e849f144a7

SHA256
e7848f4d74b1d026abdf37fafb8ea9bb4e74aaaddf4326d7e7764790642adc3a

SHA512
fd611273534e22dd03714b962ea4c1efe6ad1631301bfc0bd04658607531bf2379dce799d9f2d9a23def8e399d6207247e4ca30de313fc42b7c84ebb76b53164

Download Submit
C:\Windows\{B34615A2-999B-44e0-A020-C26DAA9180F5}.exe

Filesize
64KB

MD5
a97b4800361b7100b2bd68ddbb514711

SHA1
aeda7c7bcbb54273068d7f73c729ee987a3f8f15

SHA256
bc3cc859f0df48069bbbd2ae0894a802f2e2e9e8efcadfe3a23e8bf5078da9a7

SHA512
54d0b5e7405c5c1d1b449e71dadd9d1e12ac9f8abd6078cdd9aad345ddde21b360594e7019bf8dc095a284897887934cb69ecd3abd6cba27c0050b893beac319

Download Submit
C:\Windows\{B68AF69C-D148-44e2-9629-7B5F6C19DA89}.exe

Filesize
64KB

MD5
d20a4487ef0e33184ecadc3c03089d3e

SHA1
2c91550c55fe970ddb7d9fc23a1aad3e3382e659

SHA256
16136ade16096d50649a0e8b5cb361ead2a09733f9f933043c386ecbac58f246

SHA512
0f00e52c27eb78a2c62c5b50398e2899587ab4a57c145f8b3a9a1272fec52b0a9ff3ab1e718d3b99c049e7a26bfc27cba99c4a2d9fe15f42068ef044a1ea2252

Download Submit
C:\Windows\{D59467F4-7EA6-4dff-A116-E431F8501BEF}.exe

Filesize
64KB

MD5
3cc5f260e175b59d165e217baecf0d9a

SHA1
8c95de2d62ea9f646b53e5ed766b7cec807eb0d6

SHA256
b34533ee65362286c57025b2dbf363828fb5667d1ff35807ea4aadf297902ab8

SHA512
1b8b596a3e84e78eb9f785bf8ea3eb5b4c2f29fb303e71b9e07e63f817c8fdcde967175cd50dd52355d920182662626f6aa59feed8705e9dee8e4fd855f8fab2

Download Submit
C:\Windows\{F6C18248-DEDB-4625-B56E-A20F536D51DB}.exe

Filesize
64KB

MD5
6c480778b79b4124347a8159c0db6d8d

SHA1
c68c5c25126f70fa4ada908bd43db4656a901cee

SHA256
8fc7aabbd685b862140cd3384b9dc13fd83192ba57a809fb04f2e8c52c4830ee

SHA512
dfb61d154a33870a6a0549e195d1d94926723475d7b9e7727961c0b0d4a854a75298877d88cbd361ccf8dbf712bb4ec1e1d60632eff62c557d21381a34cc9561

Download Submit
memory/324-89-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1248-73-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1248-80-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1284-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1284-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1760-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1760-58-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/1760-54-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1784-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1784-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1796-96-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2008-98-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2404-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2404-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2516-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2516-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2540-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2540-13-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2540-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2744-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2932-7-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/2932-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2932-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads