Analysis
- max time kernel: 119s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 07-05-2024 22:13
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe, win7-20240419-en
- behavioral2: 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe, win10v2004-20240426-en
- behavioral3: $1/$OUTDIR/sftp_plugin/tc_sftp_uninstaller.exe, win7-20240221-en
- behavioral4: $1/$OUTDIR/sftp_plugin/tc_sftp_uninstaller.exe, win10v2004-20240419-en
- behavioral5: $PLUGINSDIR/InstallOptions.dll, win7-20240221-en
- behavioral6: $PLUGINSDIR/InstallOptions.dll, win10v2004-20240419-en
- behavioral7: $PLUGINSDIR/System.dll, win7-20240220-en
- behavioral8: $PLUGINSDIR/System.dll, win10v2004-20240419-en
- behavioral9: 1816850460.js, win7-20240221-en
- behavioral10: 1816850460.js, win10v2004-20240419-en
- behavioral11: 211632070006.html, win7-20231129-en
- behavioral12: 211632070006.html, win10v2004-20240426-en
- behavioral13: about.html, win7-20240221-en
- behavioral14: about.html, win10v2004-20240426-en
- behavioral15: api.js, win7-20240221-en
- behavioral16: api.js, win10v2004-20240419-en
- behavioral17: begin_password_reset1581078162.html, win7-20240419-en
- behavioral18: begin_password_reset1581078162.html, win10v2004-20240419-en
- behavioral19: begin_password_reset727114948.html, win7-20240221-en
- behavioral20: begin_password_reset727114948.html, win10v2004-20240426-en
- behavioral21: frame3.html, win7-20240221-en
- behavioral22: frame3.html, win10v2004-20240419-en
- behavioral23: gerenxinwen1732464246.html, win7-20240221-en
- behavioral24: gerenxinwen1732464246.html, win10v2004-20240419-en
- behavioral25: index1259653512.html, win7-20240215-en
- behavioral26: index1259653512.html, win10v2004-20240419-en
- behavioral27: jquery.placeholder-fd5cdc5d60cadb4e97cb85609e889f95.js, win7-20240221-en
- behavioral28: jquery.placeholder-fd5cdc5d60cadb4e97cb85609e889f95.js, win10v2004-20240226-en
- behavioral29: login390722190.html, win7-20240221-en
- behavioral30: login390722190.html, win10v2004-20240419-en
- behavioral31: lvyouhuodong.html, win7-20240221-en
- behavioral32: lvyouhuodong.html, win10v2004-20240419-en
General
- Target: 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe
- Size: 284KB
- MD5: 21f13b750f2c71bb815816866eee55b9
- SHA1: 2a025f153c032eecb4043e938a3eb9752263c08c
- SHA256: 5201de522308ace02a374a6fffe2ae81187d7267f12a553e9c3c4e3bad4c2558
- SHA512: 16aad710c2e96350ca41b911f40713479df96d73c2affc0c0cc02e40fc12c814d89a9a6220d85f3b52197a4c168c6f3e5004cece9205699c016b109457a49faf
- SSDEEP: 6144:wW+7+eMX3wKOtPPIFBr/7ZDbASO9Mgn9OSue/nxcVmCd1dSTLqLljzJzbGuMbm5U:wR0wtYFBrZDOezS1x6pbO2jFn9qm5U

Malware Config
- Extracted: C:\Users\Admin\Downloads\README.hta
Signatures
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Blocklisted process makes network request (3 IoCs)
  Processes (flow, pid, process):
    1544, 956, mshta.exe
    1546, 956, mshta.exe
    1548, 956, mshta.exe
- Contacts a large (517) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Deletes itself (1 IoCs)
  Processes (pid, process):
    1616, cmd.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid, process):
    2944, 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str), \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpCCA2.bmp", 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
    PID 2944 set thread context of 2708, 2944, 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe, 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe
- Drops file in Program Files directory (6 IoCs)
  Processes (description, ioc, process):
    File opened for modification, C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE, 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe
    File opened for modification, C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE, 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe
    File opened for modification, C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE, 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe
    File created, C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta, 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe
    File opened for modification, C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE, 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe
    File opened for modification, C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE, 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoCs)
  Processes (pid, process):
    2244, taskkill.exe
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
    Key created, \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main, mshta.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
    2708, 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe (the same entry is listed 64 times)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid, process):
    2944, 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege, 2708, 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe
    Token: SeIncreaseQuotaPrivilege, 2308, WMIC.exe
    Token: SeSecurityPrivilege, 2308, WMIC.exe
    Token: SeTakeOwnershipPrivilege, 2308, WMIC.exe
    Token: SeLoadDriverPrivilege, 2308, WMIC.exe
    Token: SeSystemProfilePrivilege, 2308, WMIC.exe
    Token: SeSystemtimePrivilege, 2308, WMIC.exe
    Token: SeProfSingleProcessPrivilege, 2308, WMIC.exe
    Token: SeIncBasePriorityPrivilege, 2308, WMIC.exe
    Token: SeCreatePagefilePrivilege, 2308, WMIC.exe
    Token: SeBackupPrivilege, 2308, WMIC.exe
    Token: SeRestorePrivilege, 2308, WMIC.exe
    Token: SeShutdownPrivilege, 2308, WMIC.exe
    Token: SeDebugPrivilege, 2308, WMIC.exe
    Token: SeSystemEnvironmentPrivilege, 2308, WMIC.exe
    Token: SeRemoteShutdownPrivilege, 2308, WMIC.exe
    Token: SeUndockPrivilege, 2308, WMIC.exe
    Token: SeManageVolumePrivilege, 2308, WMIC.exe
    Token: 33, 2308, WMIC.exe
    Token: 34, 2308, WMIC.exe
    Token: 35, 2308, WMIC.exe
    (the 20 WMIC.exe token entries above are listed a second time in the same order, 40 entries in total)
    Token: SeBackupPrivilege, 2808, vssvc.exe
    Token: SeRestorePrivilege, 2808, vssvc.exe
    Token: SeAuditPrivilege, 2808, vssvc.exe
    Token: SeDebugPrivilege, 2244, taskkill.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
    956, mshta.exe
    956, mshta.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (description, pid, process, target process):
    PID 2944 wrote to memory of 2708, 2944, 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe, 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe (5 entries)
    PID 2708 wrote to memory of 2304, 2708, 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe, cmd.exe (4 entries)
    PID 2304 wrote to memory of 2308, 2304, cmd.exe, WMIC.exe (3 entries)
    PID 2708 wrote to memory of 956, 2708, 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe, mshta.exe (4 entries)
    PID 2708 wrote to memory of 1616, 2708, 21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe, cmd.exe (4 entries)
    PID 1616 wrote to memory of 2244, 1616, cmd.exe, taskkill.exe (3 entries)
    PID 1616 wrote to memory of 3040, 1616, cmd.exe, PING.EXE (3 entries)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree; the number in brackets is the depth)
- [1] C:\Users\Admin\AppData\Local\Temp\21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe"
    Signatures: Sets desktop wallpaper using registry; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\wbem\WMIC.exe
        Command line: C:\Windows\system32\wbem\wmic.exe shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta"
      Signatures: Blocklisted process makes network request; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      Signatures: Deletes itself; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\taskkill.exe
        Command line: taskkill /f /im "21f13b750f2c71bb815816866eee55b9_JaffaCakes118.exe"
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\PING.EXE
        Command line: ping -n 1 127.0.0.1
        Signatures: Runs ping.exe
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\Downloads\README.hta
  Filesize: 61KB
  MD5: b2da1ee8e42a053dcd19a6f6cf8dbe89
  SHA1: 7a0f8386a136ca6bfbaef30cfe7a60490ef41be5
  SHA256: 6ea1c41212cccefef3a63d1bf0fbbb24e6504e9efb27bc88ba4e5442d9f1321c
  SHA512: d57b8ce10714c87816a383df75af569a0ffb1da79688f94a400d84be4297a66c137b9646f771742a3cf301a26e2396f9382657feedba005750bab5aa5fa082a6
- \Users\Admin\AppData\Local\Temp\nsy1D14.tmp\System.dll
  Filesize: 11KB
  MD5: 3e6bf00b3ac976122f982ae2aadb1c51
  SHA1: caab188f7fdc84d3fdcb2922edeeb5ed576bd31d
  SHA256: 4ff9b2678d698677c5d9732678f9cf53f17290e09d053691aac4cc6e6f595cbe
  SHA512: 1286f05e6a7e6b691f6e479638e7179897598e171b52eb3a3dc0e830415251069d29416b6d1ffc6d7dce8da5625e1479be06db9b7179e7776659c5c1ad6aa706
- memory/2708-361-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-399-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-31-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-405-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-36-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-37-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-41-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-40-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-27-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-352-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-355-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-358-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-417-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-29-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-379-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-370-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-373-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-376-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-367-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-382-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-385-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-388-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-391-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-394-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-397-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2708-364-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
- memory/2944-30-0x00000000004E0000-0x00000000004E3000-memory.dmp (Filesize: 12KB)
- memory/2944-25-0x00000000004E0000-0x00000000004E3000-memory.dmp (Filesize: 12KB)