50cd2bd36f33ef5c39ded6f3229eaf465998996f65310b5774dcbf4fb0b9dbaa

Analysis

max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ab586cecb3a5464abd24e04161e55aa_JaffaCakes118.exe
Size

2.0MB
MD5

9ab586cecb3a5464abd24e04161e55aa
SHA1

f72e7caeccecdae86bcbe3a738d10a8aa36c9b40
SHA256

50cd2bd36f33ef5c39ded6f3229eaf465998996f65310b5774dcbf4fb0b9dbaa
SHA512

5eedaeb66a7a72b33bca6090a1f9b303d22fc46299ac857197efbb6edb3184f68bcd7d9cae7bf4a0f17019bbe05c7e4170f245367a1eee6d17330a5a8576eb36
SSDEEP

49152:GZV+NYQ4mRe7nGpK90HYA1qM6g+geS1LICzwqY4G:GZm1PRe7G4aH1MCY

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4072 attrib.exe
1032 attrib.exe

pid	process
4072	attrib.exe
1032	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9ab586cecb3a5464abd24e04161e55aa_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	9ab586cecb3a5464abd24e04161e55aa_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

SearchFilterHost.exe

pid process

732 SearchFilterHost.exe

pid	process
732	SearchFilterHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Stored = "C:\\Users\\Admin\\AppData\\Roaming\\SearchFilterHost.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3160	taskkill.exe
1996	taskkill.exe
1480	taskkill.exe
4076	taskkill.exe
4444	taskkill.exe
4396	taskkill.exe
4720	taskkill.exe
4528	taskkill.exe
5016	taskkill.exe
2716	taskkill.exe
4488	taskkill.exe
1072	taskkill.exe
2792	taskkill.exe
2716	taskkill.exe
4488	taskkill.exe
1544	taskkill.exe
2580	taskkill.exe
4696	taskkill.exe
2412	taskkill.exe
3336	taskkill.exe
2476	taskkill.exe
4284	taskkill.exe
2308	taskkill.exe
264	taskkill.exe
5064	taskkill.exe
4832	taskkill.exe
2020	taskkill.exe
1428	taskkill.exe
4656	taskkill.exe
264	taskkill.exe
3256	taskkill.exe
2464	taskkill.exe
3268	taskkill.exe
1460	taskkill.exe
3132	taskkill.exe
3020	taskkill.exe
3904	taskkill.exe
1592	taskkill.exe
760	taskkill.exe
1960	taskkill.exe
4412	taskkill.exe
2740	taskkill.exe
3180	taskkill.exe
4912	taskkill.exe
1768	taskkill.exe
4744	taskkill.exe
1104	taskkill.exe
5108	taskkill.exe
3052	taskkill.exe
3696	taskkill.exe
872	taskkill.exe
1224	taskkill.exe
4036	taskkill.exe
4688	taskkill.exe
4732	taskkill.exe
4608	taskkill.exe
4672	taskkill.exe
2340	taskkill.exe
3520	taskkill.exe
4540	taskkill.exe
2280	taskkill.exe
3260	taskkill.exe
1160	taskkill.exe
3616	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4544 reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SearchFilterHost.exe

pid process

732 SearchFilterHost.exe
732 SearchFilterHost.exe

pid	process
4544	reg.exe

pid	process
732	SearchFilterHost.exe
732	SearchFilterHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	3180	taskkill.exe
Token: SeDebugPrivilege	5016	taskkill.exe
Token: SeDebugPrivilege	4488	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	4540	taskkill.exe
Token: SeDebugPrivilege	4656	taskkill.exe
Token: SeDebugPrivilege	5108	taskkill.exe
Token: SeDebugPrivilege	4076	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	776	taskkill.exe
Token: SeDebugPrivilege	4912	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	2308	taskkill.exe
Token: SeDebugPrivilege	4732	taskkill.exe
Token: SeDebugPrivilege	264	taskkill.exe
Token: SeDebugPrivilege	2476	taskkill.exe
Token: SeDebugPrivilege	4608	taskkill.exe
Token: SeDebugPrivilege	3252	taskkill.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeDebugPrivilege	4700	taskkill.exe
Token: SeDebugPrivilege	2580	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	4396	taskkill.exe
Token: SeDebugPrivilege	4520	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	2792	taskkill.exe
Token: SeDebugPrivilege	3268	taskkill.exe
Token: SeDebugPrivilege	3576	taskkill.exe
Token: SeDebugPrivilege	4368	taskkill.exe
Token: SeDebugPrivilege	3160	taskkill.exe
Token: SeDebugPrivilege	3260	taskkill.exe
Token: SeDebugPrivilege	3904	taskkill.exe
Token: SeDebugPrivilege	1428	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	4696	taskkill.exe
Token: SeDebugPrivilege	3616	taskkill.exe
Token: SeDebugPrivilege	5064	taskkill.exe
Token: SeDebugPrivilege	4720	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	744	taskkill.exe
Token: SeDebugPrivilege	4528	taskkill.exe
Token: SeDebugPrivilege	684	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	5016	taskkill.exe
Token: SeDebugPrivilege	4488	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	3520	taskkill.exe
Token: SeDebugPrivilege	4656	taskkill.exe
Token: SeDebugPrivilege	5108	taskkill.exe
Token: SeDebugPrivilege	3336	taskkill.exe
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeDebugPrivilege	3696	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	5088	taskkill.exe
Token: SeDebugPrivilege	4412	taskkill.exe
Token: SeDebugPrivilege	872	taskkill.exe
Token: SeDebugPrivilege	264	taskkill.exe
Token: SeDebugPrivilege	2476	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SearchFilterHost.exe

pid process

732 SearchFilterHost.exe

pid	process
732	SearchFilterHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9ab586cecb3a5464abd24e04161e55aa_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 3944 wrote to memory of 3204	3944	9ab586cecb3a5464abd24e04161e55aa_JaffaCakes118.exe	cmd.exe
PID 3944 wrote to memory of 3204	3944	9ab586cecb3a5464abd24e04161e55aa_JaffaCakes118.exe	cmd.exe
PID 3944 wrote to memory of 3204	3944	9ab586cecb3a5464abd24e04161e55aa_JaffaCakes118.exe	cmd.exe
PID 3204 wrote to memory of 4072	3204	cmd.exe	attrib.exe
PID 3204 wrote to memory of 4072	3204	cmd.exe	attrib.exe
PID 3204 wrote to memory of 4072	3204	cmd.exe	attrib.exe
PID 3204 wrote to memory of 1032	3204	cmd.exe	attrib.exe
PID 3204 wrote to memory of 1032	3204	cmd.exe	attrib.exe
PID 3204 wrote to memory of 1032	3204	cmd.exe	attrib.exe
PID 3204 wrote to memory of 4544	3204	cmd.exe	reg.exe
PID 3204 wrote to memory of 4544	3204	cmd.exe	reg.exe
PID 3204 wrote to memory of 4544	3204	cmd.exe	reg.exe
PID 3204 wrote to memory of 732	3204	cmd.exe	SearchFilterHost.exe
PID 3204 wrote to memory of 732	3204	cmd.exe	SearchFilterHost.exe
PID 3204 wrote to memory of 732	3204	cmd.exe	SearchFilterHost.exe
PID 3204 wrote to memory of 3180	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 3180	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 3180	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 5016	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 5016	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 5016	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 4488	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 4488	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 4488	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 2716	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 2716	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 2716	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 4540	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 4540	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 4540	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 4656	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 4656	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 4656	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 5108	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 5108	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 5108	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 4076	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 4076	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 4076	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 2280	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 2280	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 2280	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 776	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 776	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 776	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 4912	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 4912	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 4912	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 1768	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 1768	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 1768	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 2308	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 2308	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 2308	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 4732	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 4732	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 4732	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 264	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 264	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 264	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 2476	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 2476	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 2476	3204	cmd.exe	taskkill.exe
PID 3204 wrote to memory of 4608	3204	cmd.exe	taskkill.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4072 attrib.exe
1032 attrib.exe

pid	process
4072	attrib.exe
1032	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9ab586cecb3a5464abd24e04161e55aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9ab586cecb3a5464abd24e04161e55aa_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\stmgr.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +r "C:\Users\Admin\AppData\Roaming\SearchFilterHost.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4072
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h +r "C:\Users\Admin\AppData\Roaming\settings.dat"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1032
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Microsoft Stored" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SearchFilterHost.exe" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:4544
- - C:\Users\Admin\AppData\Roaming\SearchFilterHost.exe
    "C:\Users\Admin\AppData\Roaming\SearchFilterHost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3180
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4540
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:776
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2308
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:264
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3252
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4368
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3260
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3904
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4720
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3520
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4656
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3336
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3052
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4412
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:264
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:4832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:1460
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:1224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:2020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:1592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:4744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:4036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:4284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:4688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:3132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:3256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:2740
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:3020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:1544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rundll32.exe
    3⤵
    - Kills process with taskkill
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
264B

MD5
c022a3eebd6f670fabb8c7d16e64bb42

SHA1
18319221b13b29615798c03704416b90d388dedf

SHA256
9bf6bffbee25604ff43ba7d0bdee9c30d0fbbd1d8e02987b678551574f2a90ff

SHA512
822a0ee31487765e3e250b3bd6bcfe10a36fc2b4ff7ea4fa458cffdf948fba8251722c221a29aff155a4f69bd15811d033caff957e41d773a1f97aee060ff8df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\SJP.dat

Filesize
5.8MB

MD5
3d8fd988b92d630074b323a0a4dcee91

SHA1
6218115b123823f504f090decedbb1be0d7cd52a

SHA256
27d696583bb3fab2acffed2b8cf701e0d76ead5197e117cee603fdeb9a0aa48d

SHA512
9f5813efc5845f282ab9c41b1094f3b06a7822a2b37ceca593c9f896d8d30fe94ccb651a569c47b899c3f08648fade9864182ec83b61e2657346be8f7fbeafd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\settings.dat

Filesize
2KB

MD5
eb494b1f02010d3543a09c2be3669d5c

SHA1
33341912b50607203561ad716bb80fc87a46105b

SHA256
34bacf4f22e644149e8bf0b66c178230f49f95f25fceb9228563cf5f54ccb6b1

SHA512
b52e24f4cc0b646387042a577a99c7fd595c9f73d28908b02395fb7fef2e6067701e7766c918592e9ed46d1546018849e6d474c1c68c6852bb94c2117656cf51

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\stmgr.cmd

Filesize
2KB

MD5
83e488da8485829e6f71e239c17ec895

SHA1
7a7f01f249cdeaca51df86210de4b8227797bbeb

SHA256
6df6e3e9beec30042dd7e14cd1cd517205e6cbcb0d9b88604f5821e18f11a815

SHA512
7fcf42ff4c8ad77db9dafa459a097dbd6a5ad314343c7407334f3c6c46a3fb2c5858ad9cef05532af0bb1b89a7564b100eff27ff848c4345fa5c13cb056847f8

Download Submit
memory/732-18-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/732-19-0x0000000000400000-0x0000000000A63000-memory.dmp

Filesize
6.4MB

Download