3a5f91129675fc6570cd452f7fb6ee89a055c6c0b5e70cbc24c54becfaee110d

Analysis

max time kernel
149s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe
Size

64KB
MD5

4882cbe344c426773e398d33839c69e0
SHA1

6c8c1ae6806e8b9286993df2ad91fbb355a507b1
SHA256

3a5f91129675fc6570cd452f7fb6ee89a055c6c0b5e70cbc24c54becfaee110d
SHA512

0d11bbbe3d0fa211d7a4aad120a640b73a8ea249b04038d9351ea4d818ced190a791ac82e882f80cbc1ef8ce6a0ca069d15f84cd20b4577d6a7e4dfde8655672
SSDEEP

192:ObOzawOs81elJHsc45HcRZOgtSWcWaOT2QLrCqwgI6Y04/CFxyNhoy5tm:ObLwOs8AHsc4pMfwIKQLrogv4/CFsrdm

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCFA6D9D-D72F-41a9-832F-0BCAC6CD5DF8}	{15EC6272-6B3C-4a9a-92AE-9CBE149F0F90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15EC6272-6B3C-4a9a-92AE-9CBE149F0F90}	{13C67545-3286-4798-A510-9792E53B9A15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FEC7EF4-2ECB-4caf-A717-1C17CAAEA33E}\stubpath = "C:\\Windows\\{2FEC7EF4-2ECB-4caf-A717-1C17CAAEA33E}.exe"	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0406B69-051D-46da-B215-1DC275D2F5D9}\stubpath = "C:\\Windows\\{A0406B69-051D-46da-B215-1DC275D2F5D9}.exe"	{2FEC7EF4-2ECB-4caf-A717-1C17CAAEA33E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BFC3410-D3B0-4e8b-8F2D-10CB630ABF7C}\stubpath = "C:\\Windows\\{8BFC3410-D3B0-4e8b-8F2D-10CB630ABF7C}.exe"	{974FB997-982F-428e-ADA4-3263A3A4BEA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F511F9EF-77C1-49a5-A6CC-5ADD286BE46E}\stubpath = "C:\\Windows\\{F511F9EF-77C1-49a5-A6CC-5ADD286BE46E}.exe"	{8BFC3410-D3B0-4e8b-8F2D-10CB630ABF7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCC87FA5-F96D-433c-AD39-2FC8EC0E5F60}\stubpath = "C:\\Windows\\{BCC87FA5-F96D-433c-AD39-2FC8EC0E5F60}.exe"	{F511F9EF-77C1-49a5-A6CC-5ADD286BE46E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13C67545-3286-4798-A510-9792E53B9A15}\stubpath = "C:\\Windows\\{13C67545-3286-4798-A510-9792E53B9A15}.exe"	{BCC87FA5-F96D-433c-AD39-2FC8EC0E5F60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15EC6272-6B3C-4a9a-92AE-9CBE149F0F90}\stubpath = "C:\\Windows\\{15EC6272-6B3C-4a9a-92AE-9CBE149F0F90}.exe"	{13C67545-3286-4798-A510-9792E53B9A15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FEC7EF4-2ECB-4caf-A717-1C17CAAEA33E}	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18EC0012-F144-4b89-82D8-FD3D1CDEC55C}\stubpath = "C:\\Windows\\{18EC0012-F144-4b89-82D8-FD3D1CDEC55C}.exe"	{DCFA6D9D-D72F-41a9-832F-0BCAC6CD5DF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0A2277F-002E-43c7-9A52-F0D02A011992}	{A0406B69-051D-46da-B215-1DC275D2F5D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0A2277F-002E-43c7-9A52-F0D02A011992}\stubpath = "C:\\Windows\\{E0A2277F-002E-43c7-9A52-F0D02A011992}.exe"	{A0406B69-051D-46da-B215-1DC275D2F5D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A445D51-D130-42fc-B6C1-4FA8EC6C4723}	{E0A2277F-002E-43c7-9A52-F0D02A011992}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A445D51-D130-42fc-B6C1-4FA8EC6C4723}\stubpath = "C:\\Windows\\{8A445D51-D130-42fc-B6C1-4FA8EC6C4723}.exe"	{E0A2277F-002E-43c7-9A52-F0D02A011992}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{974FB997-982F-428e-ADA4-3263A3A4BEA9}\stubpath = "C:\\Windows\\{974FB997-982F-428e-ADA4-3263A3A4BEA9}.exe"	{8A445D51-D130-42fc-B6C1-4FA8EC6C4723}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8BFC3410-D3B0-4e8b-8F2D-10CB630ABF7C}	{974FB997-982F-428e-ADA4-3263A3A4BEA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F511F9EF-77C1-49a5-A6CC-5ADD286BE46E}	{8BFC3410-D3B0-4e8b-8F2D-10CB630ABF7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0406B69-051D-46da-B215-1DC275D2F5D9}	{2FEC7EF4-2ECB-4caf-A717-1C17CAAEA33E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13C67545-3286-4798-A510-9792E53B9A15}	{BCC87FA5-F96D-433c-AD39-2FC8EC0E5F60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCC87FA5-F96D-433c-AD39-2FC8EC0E5F60}	{F511F9EF-77C1-49a5-A6CC-5ADD286BE46E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCFA6D9D-D72F-41a9-832F-0BCAC6CD5DF8}\stubpath = "C:\\Windows\\{DCFA6D9D-D72F-41a9-832F-0BCAC6CD5DF8}.exe"	{15EC6272-6B3C-4a9a-92AE-9CBE149F0F90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18EC0012-F144-4b89-82D8-FD3D1CDEC55C}	{DCFA6D9D-D72F-41a9-832F-0BCAC6CD5DF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{974FB997-982F-428e-ADA4-3263A3A4BEA9}	{8A445D51-D130-42fc-B6C1-4FA8EC6C4723}.exe

Executes dropped EXE 12 IoCs

pid	Process
1724	{2FEC7EF4-2ECB-4caf-A717-1C17CAAEA33E}.exe
212	{A0406B69-051D-46da-B215-1DC275D2F5D9}.exe
1652	{E0A2277F-002E-43c7-9A52-F0D02A011992}.exe
4260	{8A445D51-D130-42fc-B6C1-4FA8EC6C4723}.exe
2644	{974FB997-982F-428e-ADA4-3263A3A4BEA9}.exe
3336	{8BFC3410-D3B0-4e8b-8F2D-10CB630ABF7C}.exe
2024	{F511F9EF-77C1-49a5-A6CC-5ADD286BE46E}.exe
4980	{BCC87FA5-F96D-433c-AD39-2FC8EC0E5F60}.exe
2460	{13C67545-3286-4798-A510-9792E53B9A15}.exe
1800	{15EC6272-6B3C-4a9a-92AE-9CBE149F0F90}.exe
3120	{DCFA6D9D-D72F-41a9-832F-0BCAC6CD5DF8}.exe
2396	{18EC0012-F144-4b89-82D8-FD3D1CDEC55C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E0A2277F-002E-43c7-9A52-F0D02A011992}.exe	{A0406B69-051D-46da-B215-1DC275D2F5D9}.exe
File created	C:\Windows\{8A445D51-D130-42fc-B6C1-4FA8EC6C4723}.exe	{E0A2277F-002E-43c7-9A52-F0D02A011992}.exe
File created	C:\Windows\{8BFC3410-D3B0-4e8b-8F2D-10CB630ABF7C}.exe	{974FB997-982F-428e-ADA4-3263A3A4BEA9}.exe
File created	C:\Windows\{13C67545-3286-4798-A510-9792E53B9A15}.exe	{BCC87FA5-F96D-433c-AD39-2FC8EC0E5F60}.exe
File created	C:\Windows\{15EC6272-6B3C-4a9a-92AE-9CBE149F0F90}.exe	{13C67545-3286-4798-A510-9792E53B9A15}.exe
File created	C:\Windows\{2FEC7EF4-2ECB-4caf-A717-1C17CAAEA33E}.exe	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe
File created	C:\Windows\{A0406B69-051D-46da-B215-1DC275D2F5D9}.exe	{2FEC7EF4-2ECB-4caf-A717-1C17CAAEA33E}.exe
File created	C:\Windows\{BCC87FA5-F96D-433c-AD39-2FC8EC0E5F60}.exe	{F511F9EF-77C1-49a5-A6CC-5ADD286BE46E}.exe
File created	C:\Windows\{DCFA6D9D-D72F-41a9-832F-0BCAC6CD5DF8}.exe	{15EC6272-6B3C-4a9a-92AE-9CBE149F0F90}.exe
File created	C:\Windows\{18EC0012-F144-4b89-82D8-FD3D1CDEC55C}.exe	{DCFA6D9D-D72F-41a9-832F-0BCAC6CD5DF8}.exe
File created	C:\Windows\{974FB997-982F-428e-ADA4-3263A3A4BEA9}.exe	{8A445D51-D130-42fc-B6C1-4FA8EC6C4723}.exe
File created	C:\Windows\{F511F9EF-77C1-49a5-A6CC-5ADD286BE46E}.exe	{8BFC3410-D3B0-4e8b-8F2D-10CB630ABF7C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4496	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1724	{2FEC7EF4-2ECB-4caf-A717-1C17CAAEA33E}.exe
Token: SeIncBasePriorityPrivilege	212	{A0406B69-051D-46da-B215-1DC275D2F5D9}.exe
Token: SeIncBasePriorityPrivilege	1652	{E0A2277F-002E-43c7-9A52-F0D02A011992}.exe
Token: SeIncBasePriorityPrivilege	4260	{8A445D51-D130-42fc-B6C1-4FA8EC6C4723}.exe
Token: SeIncBasePriorityPrivilege	2644	{974FB997-982F-428e-ADA4-3263A3A4BEA9}.exe
Token: SeIncBasePriorityPrivilege	3336	{8BFC3410-D3B0-4e8b-8F2D-10CB630ABF7C}.exe
Token: SeIncBasePriorityPrivilege	2024	{F511F9EF-77C1-49a5-A6CC-5ADD286BE46E}.exe
Token: SeIncBasePriorityPrivilege	4980	{BCC87FA5-F96D-433c-AD39-2FC8EC0E5F60}.exe
Token: SeIncBasePriorityPrivilege	2460	{13C67545-3286-4798-A510-9792E53B9A15}.exe
Token: SeIncBasePriorityPrivilege	1800	{15EC6272-6B3C-4a9a-92AE-9CBE149F0F90}.exe
Token: SeIncBasePriorityPrivilege	3120	{DCFA6D9D-D72F-41a9-832F-0BCAC6CD5DF8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 1724	4496	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe	97
PID 4496 wrote to memory of 1724	4496	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe	97
PID 4496 wrote to memory of 1724	4496	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe	97
PID 4496 wrote to memory of 1056	4496	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe	98
PID 4496 wrote to memory of 1056	4496	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe	98
PID 4496 wrote to memory of 1056	4496	4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe	98
PID 1724 wrote to memory of 212	1724	{2FEC7EF4-2ECB-4caf-A717-1C17CAAEA33E}.exe	99
PID 1724 wrote to memory of 212	1724	{2FEC7EF4-2ECB-4caf-A717-1C17CAAEA33E}.exe	99
PID 1724 wrote to memory of 212	1724	{2FEC7EF4-2ECB-4caf-A717-1C17CAAEA33E}.exe	99
PID 1724 wrote to memory of 1152	1724	{2FEC7EF4-2ECB-4caf-A717-1C17CAAEA33E}.exe	100
PID 1724 wrote to memory of 1152	1724	{2FEC7EF4-2ECB-4caf-A717-1C17CAAEA33E}.exe	100
PID 1724 wrote to memory of 1152	1724	{2FEC7EF4-2ECB-4caf-A717-1C17CAAEA33E}.exe	100
PID 212 wrote to memory of 1652	212	{A0406B69-051D-46da-B215-1DC275D2F5D9}.exe	103
PID 212 wrote to memory of 1652	212	{A0406B69-051D-46da-B215-1DC275D2F5D9}.exe	103
PID 212 wrote to memory of 1652	212	{A0406B69-051D-46da-B215-1DC275D2F5D9}.exe	103
PID 212 wrote to memory of 4656	212	{A0406B69-051D-46da-B215-1DC275D2F5D9}.exe	104
PID 212 wrote to memory of 4656	212	{A0406B69-051D-46da-B215-1DC275D2F5D9}.exe	104
PID 212 wrote to memory of 4656	212	{A0406B69-051D-46da-B215-1DC275D2F5D9}.exe	104
PID 1652 wrote to memory of 4260	1652	{E0A2277F-002E-43c7-9A52-F0D02A011992}.exe	105
PID 1652 wrote to memory of 4260	1652	{E0A2277F-002E-43c7-9A52-F0D02A011992}.exe	105
PID 1652 wrote to memory of 4260	1652	{E0A2277F-002E-43c7-9A52-F0D02A011992}.exe	105
PID 1652 wrote to memory of 4240	1652	{E0A2277F-002E-43c7-9A52-F0D02A011992}.exe	106
PID 1652 wrote to memory of 4240	1652	{E0A2277F-002E-43c7-9A52-F0D02A011992}.exe	106
PID 1652 wrote to memory of 4240	1652	{E0A2277F-002E-43c7-9A52-F0D02A011992}.exe	106
PID 4260 wrote to memory of 2644	4260	{8A445D51-D130-42fc-B6C1-4FA8EC6C4723}.exe	107
PID 4260 wrote to memory of 2644	4260	{8A445D51-D130-42fc-B6C1-4FA8EC6C4723}.exe	107
PID 4260 wrote to memory of 2644	4260	{8A445D51-D130-42fc-B6C1-4FA8EC6C4723}.exe	107
PID 4260 wrote to memory of 4512	4260	{8A445D51-D130-42fc-B6C1-4FA8EC6C4723}.exe	108
PID 4260 wrote to memory of 4512	4260	{8A445D51-D130-42fc-B6C1-4FA8EC6C4723}.exe	108
PID 4260 wrote to memory of 4512	4260	{8A445D51-D130-42fc-B6C1-4FA8EC6C4723}.exe	108
PID 2644 wrote to memory of 3336	2644	{974FB997-982F-428e-ADA4-3263A3A4BEA9}.exe	114
PID 2644 wrote to memory of 3336	2644	{974FB997-982F-428e-ADA4-3263A3A4BEA9}.exe	114
PID 2644 wrote to memory of 3336	2644	{974FB997-982F-428e-ADA4-3263A3A4BEA9}.exe	114
PID 2644 wrote to memory of 4380	2644	{974FB997-982F-428e-ADA4-3263A3A4BEA9}.exe	115
PID 2644 wrote to memory of 4380	2644	{974FB997-982F-428e-ADA4-3263A3A4BEA9}.exe	115
PID 2644 wrote to memory of 4380	2644	{974FB997-982F-428e-ADA4-3263A3A4BEA9}.exe	115
PID 3336 wrote to memory of 2024	3336	{8BFC3410-D3B0-4e8b-8F2D-10CB630ABF7C}.exe	116
PID 3336 wrote to memory of 2024	3336	{8BFC3410-D3B0-4e8b-8F2D-10CB630ABF7C}.exe	116
PID 3336 wrote to memory of 2024	3336	{8BFC3410-D3B0-4e8b-8F2D-10CB630ABF7C}.exe	116
PID 3336 wrote to memory of 2032	3336	{8BFC3410-D3B0-4e8b-8F2D-10CB630ABF7C}.exe	117
PID 3336 wrote to memory of 2032	3336	{8BFC3410-D3B0-4e8b-8F2D-10CB630ABF7C}.exe	117
PID 3336 wrote to memory of 2032	3336	{8BFC3410-D3B0-4e8b-8F2D-10CB630ABF7C}.exe	117
PID 2024 wrote to memory of 4980	2024	{F511F9EF-77C1-49a5-A6CC-5ADD286BE46E}.exe	122
PID 2024 wrote to memory of 4980	2024	{F511F9EF-77C1-49a5-A6CC-5ADD286BE46E}.exe	122
PID 2024 wrote to memory of 4980	2024	{F511F9EF-77C1-49a5-A6CC-5ADD286BE46E}.exe	122
PID 2024 wrote to memory of 1716	2024	{F511F9EF-77C1-49a5-A6CC-5ADD286BE46E}.exe	123
PID 2024 wrote to memory of 1716	2024	{F511F9EF-77C1-49a5-A6CC-5ADD286BE46E}.exe	123
PID 2024 wrote to memory of 1716	2024	{F511F9EF-77C1-49a5-A6CC-5ADD286BE46E}.exe	123
PID 4980 wrote to memory of 2460	4980	{BCC87FA5-F96D-433c-AD39-2FC8EC0E5F60}.exe	127
PID 4980 wrote to memory of 2460	4980	{BCC87FA5-F96D-433c-AD39-2FC8EC0E5F60}.exe	127
PID 4980 wrote to memory of 2460	4980	{BCC87FA5-F96D-433c-AD39-2FC8EC0E5F60}.exe	127
PID 4980 wrote to memory of 4396	4980	{BCC87FA5-F96D-433c-AD39-2FC8EC0E5F60}.exe	128
PID 4980 wrote to memory of 4396	4980	{BCC87FA5-F96D-433c-AD39-2FC8EC0E5F60}.exe	128
PID 4980 wrote to memory of 4396	4980	{BCC87FA5-F96D-433c-AD39-2FC8EC0E5F60}.exe	128
PID 2460 wrote to memory of 1800	2460	{13C67545-3286-4798-A510-9792E53B9A15}.exe	129
PID 2460 wrote to memory of 1800	2460	{13C67545-3286-4798-A510-9792E53B9A15}.exe	129
PID 2460 wrote to memory of 1800	2460	{13C67545-3286-4798-A510-9792E53B9A15}.exe	129
PID 2460 wrote to memory of 5000	2460	{13C67545-3286-4798-A510-9792E53B9A15}.exe	130
PID 2460 wrote to memory of 5000	2460	{13C67545-3286-4798-A510-9792E53B9A15}.exe	130
PID 2460 wrote to memory of 5000	2460	{13C67545-3286-4798-A510-9792E53B9A15}.exe	130
PID 1800 wrote to memory of 3120	1800	{15EC6272-6B3C-4a9a-92AE-9CBE149F0F90}.exe	133
PID 1800 wrote to memory of 3120	1800	{15EC6272-6B3C-4a9a-92AE-9CBE149F0F90}.exe	133
PID 1800 wrote to memory of 3120	1800	{15EC6272-6B3C-4a9a-92AE-9CBE149F0F90}.exe	133
PID 1800 wrote to memory of 4588	1800	{15EC6272-6B3C-4a9a-92AE-9CBE149F0F90}.exe	134

C:\Users\Admin\AppData\Local\Temp\4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4882cbe344c426773e398d33839c69e0_JaffaCakes118.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\{2FEC7EF4-2ECB-4caf-A717-1C17CAAEA33E}.exe
  C:\Windows\{2FEC7EF4-2ECB-4caf-A717-1C17CAAEA33E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\{A0406B69-051D-46da-B215-1DC275D2F5D9}.exe
    C:\Windows\{A0406B69-051D-46da-B215-1DC275D2F5D9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Windows\{E0A2277F-002E-43c7-9A52-F0D02A011992}.exe
      C:\Windows\{E0A2277F-002E-43c7-9A52-F0D02A011992}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Windows\{8A445D51-D130-42fc-B6C1-4FA8EC6C4723}.exe
        
        C:\Windows\{8A445D51-D130-42fc-B6C1-4FA8EC6C4723}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4260
      - C:\Windows\{974FB997-982F-428e-ADA4-3263A3A4BEA9}.exe
        
        C:\Windows\{974FB997-982F-428e-ADA4-3263A3A4BEA9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\{8BFC3410-D3B0-4e8b-8F2D-10CB630ABF7C}.exe
        
        C:\Windows\{8BFC3410-D3B0-4e8b-8F2D-10CB630ABF7C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\{F511F9EF-77C1-49a5-A6CC-5ADD286BE46E}.exe
        
        C:\Windows\{F511F9EF-77C1-49a5-A6CC-5ADD286BE46E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\{BCC87FA5-F96D-433c-AD39-2FC8EC0E5F60}.exe
        
        C:\Windows\{BCC87FA5-F96D-433c-AD39-2FC8EC0E5F60}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\{13C67545-3286-4798-A510-9792E53B9A15}.exe
        
        C:\Windows\{13C67545-3286-4798-A510-9792E53B9A15}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\{15EC6272-6B3C-4a9a-92AE-9CBE149F0F90}.exe
        
        C:\Windows\{15EC6272-6B3C-4a9a-92AE-9CBE149F0F90}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\{DCFA6D9D-D72F-41a9-832F-0BCAC6CD5DF8}.exe
        
        C:\Windows\{DCFA6D9D-D72F-41a9-832F-0BCAC6CD5DF8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\{18EC0012-F144-4b89-82D8-FD3D1CDEC55C}.exe
        
        C:\Windows\{18EC0012-F144-4b89-82D8-FD3D1CDEC55C}.exe
        13⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCFA6~1.EXE > nul
        13⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15EC6~1.EXE > nul
        12⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13C67~1.EXE > nul
        11⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCC87~1.EXE > nul
        10⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F511F~1.EXE > nul
        9⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BFC3~1.EXE > nul
        8⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{974FB~1.EXE > nul
        7⤵
        
        PID:4380
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A445~1.EXE > nul
        6⤵
        
        PID:4512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0A22~1.EXE > nul
        5⤵
        
        PID:4240
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A0406~1.EXE > nul
      4⤵
      PID:4656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2FEC7~1.EXE > nul
    3⤵
    PID:1152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4882CB~1.EXE > nul
  2⤵
  PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13C67545-3286-4798-A510-9792E53B9A15}.exe

Filesize
64KB

MD5
4597ff33f4f249f86ac59cfcd5379186

SHA1
a9be1b1b36264ae6f2324ae92353d0c1b5cf8bd7

SHA256
e73b66e4174e4e1a5e7520944eeb5e89c8d6d8116aa96b5745d7c7e6c1eeee23

SHA512
0f66caab8e99928e50f15bf0c396b90f9284b817ce0eb82e11366ab697596bd91427ea53ec93c70e5fa2dd15b8fdfda2739cf4c9900ee989f85707d335f484c8

Download Submit
C:\Windows\{15EC6272-6B3C-4a9a-92AE-9CBE149F0F90}.exe

Filesize
64KB

MD5
20cdb761a298a87140b8032ac29e57e5

SHA1
f5a00a0cbd64840609fe2510dd4b1a520489795d

SHA256
3c5ab2e345ae263d5206f4299ebebf915750173490a0cf09bbc475d6f0469d36

SHA512
eba3e07e9b898b12bda74a22a221b14b6ebd886d94c6987fa3d4b64afa1a418e08014112f0d72928700147b38e75e4f87897664da5d76cc4e6b9f140e4e9ebce

Download Submit
C:\Windows\{18EC0012-F144-4b89-82D8-FD3D1CDEC55C}.exe

Filesize
64KB

MD5
1c9bf2ac2b394b56d421399987b96759

SHA1
a20dfcc7d048e3e9ebe015885d4cc16b80108649

SHA256
066796e29c22c720926b1cc3bf6c204cb896f5816831ad41c61c2b142b68c34c

SHA512
a88822bf562921fee59fbe8a43866c321d7c929c707683157bff3e3427d9ee392d6db12633f15c71e3c6ad8de4d83a0ca3a485a1b52ea882d4b9deedcab9cdae

Download Submit
C:\Windows\{2FEC7EF4-2ECB-4caf-A717-1C17CAAEA33E}.exe

Filesize
64KB

MD5
8436bdc9c43165055ad67f0068e66c76

SHA1
7ece6502aacc9c9dd0bc6e0f20f59cc4cf53a9cc

SHA256
96b03b6688ba94d0429faaf48a1243a8c7cb92a4f88e114abab3fca004c2f2a8

SHA512
4adda6594e17355669817b5ce6334ed8adfb3154f38655428728f52178328bedae423db83a78aabaec694a676cb5f813cac77c3b47a46d65683e6d27a39f9d95

Download Submit
C:\Windows\{8A445D51-D130-42fc-B6C1-4FA8EC6C4723}.exe

Filesize
64KB

MD5
9fd92844d29366f0502ab159a54f8bd0

SHA1
493908d34864b3da975a52cffc6715f41ddb2cf1

SHA256
8e65470e227987b4ceeed6c866f3473461e0da4623df17e4fbda991ebccc6a7b

SHA512
e200096bef9669f220086edac70ba0b09fe963d9ae8f3c4c281235bdfb7d7b94e43e64b6533707f2999da01ff36f0f38c24103990f2e305fd6aa0e3e463869d9

Download Submit
C:\Windows\{8BFC3410-D3B0-4e8b-8F2D-10CB630ABF7C}.exe

Filesize
64KB

MD5
521bb5d0e12d2cc8bd17222793552285

SHA1
0805ea6019407883ffb789736cd5f48fa752e1cb

SHA256
c82bafb71b670b16549c853c69b2a474fe67c6039f98882d5e62a3ee72a1fb14

SHA512
a89310161443febec17afbb6def3669fedae2f1dd3661b3dfc2af39bf8dd765f830ef5536f9a41610f6f930a92319a6a9af48f6b6047076956baa2b9feed7893

Download Submit
C:\Windows\{974FB997-982F-428e-ADA4-3263A3A4BEA9}.exe

Filesize
64KB

MD5
1819da0b84c82e151a1a6e4003daeaab

SHA1
26c610fbd69c6647df92f8a0d73bdfff7329e4bf

SHA256
a2fd2b16546d1c6bb32db3c495d82db0a0950375f264330672277fed33596759

SHA512
579dca0042b5a4b2c94ce64a7dfb13bc5dc3b823c306503d8e77146ee090cea1283fb1d75c207c0cd0012118e73a9ad9deae8e20c4e776f7e58e19b276c79134

Download Submit
C:\Windows\{A0406B69-051D-46da-B215-1DC275D2F5D9}.exe

Filesize
64KB

MD5
a1eebb323a67f10cf708860c6ddf7e66

SHA1
d876385ec8f3ff6ed93f7d480abc5612c88c374e

SHA256
5d459dd1ab69c5d42dd71f300cad02fb6f9565c1ecf7d91b8709aa1a9b0ab35b

SHA512
d1c162a953d7943ea73438923639bbbed5d394f8693812e41bb067a4a06b13a776c9a13dcd3a53a12aa8d7c37235e2edc4abdef8329a5cefbd8b5db9590aeeda

Download Submit
C:\Windows\{BCC87FA5-F96D-433c-AD39-2FC8EC0E5F60}.exe

Filesize
64KB

MD5
e40101ceed239ca377c08c7a45784f52

SHA1
a418bd91f8ce9927fe43380232f4f8bd1fa6d239

SHA256
8ba8358ea0991002ed1872113d92e8bdb8fe05626a16054d29e1ba44d3cf402a

SHA512
53c636999c4c2206dd4c2acda9575bbd479f7e6a3a28bf955565be5c93c4662e1880c02af561872b62355e72ce43e65010539a66aee6d84f96622cd03f419770

Download Submit
C:\Windows\{DCFA6D9D-D72F-41a9-832F-0BCAC6CD5DF8}.exe

Filesize
64KB

MD5
64b88909e43763cf62140b01ffe29310

SHA1
2a25a751dda0741f58289971e5060d32c17e89a1

SHA256
c4c67018593d29d6e100f58d182e34ff27501763e2539a6b8cb1ccd73b5ccfca

SHA512
1cb4308710bbce12438ffd44ff74ece09e3346b2af963c55069312fc22af54a38eccd6aad1482f3804e6b7b39a3dff42bf651679b15ea5abaa360129db477be3

Download Submit
C:\Windows\{E0A2277F-002E-43c7-9A52-F0D02A011992}.exe

Filesize
64KB

MD5
2b6137eb5c3d18530c163952ca48d5b2

SHA1
5d31de9d59254666a8b3e32338f292e864e1a638

SHA256
49321d880c3dd6d6be7a0aae1169da0379b77f95c708336c377d69aa2f217469

SHA512
4905cf323a04f282da52603457d6f10dce6b369b32f1807e08a028b3547bfcf021f0d03cbb685d96bfbffd3a94ca1bb635e2ce646a297875275cdf6ea6fda783

Download Submit
C:\Windows\{F511F9EF-77C1-49a5-A6CC-5ADD286BE46E}.exe

Filesize
64KB

MD5
c1fc17eadf59aca95cc6fda69134b488

SHA1
3584fe8d0e88acf005bf944e8b8cef14ee3619be

SHA256
03120aae89a284bc024292e886cf7f6385a8f70ec1e644b172cfc690a0d9eb3a

SHA512
53b80a2f1dfde0fa813f2c8ca2ca485c5dac435c2f2a38cdde5ff01955f9973b1a7368a3305eab9c16b681b349717d79db06b4156d5f75219c6cc03bcbbad267

Download Submit
memory/212-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/212-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1652-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1652-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1724-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1724-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1800-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1800-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2024-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2396-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2460-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2460-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2644-30-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2644-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3120-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3120-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3336-41-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3336-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4260-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4260-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4496-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4496-3-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4980-50-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4980-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads