7126b9d0de680355966b9a425760499207c227177b7addea9239b84d0f9d6d96

Analysis

max time kernel
150s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1dded515ea0cc09854ed0193105aaea_JaffaCakes118.exe
Size

1.2MB
MD5

a1dded515ea0cc09854ed0193105aaea
SHA1

da49ac5f84edc4fb63ba23f61c0abfbd922b0776
SHA256

7126b9d0de680355966b9a425760499207c227177b7addea9239b84d0f9d6d96
SHA512

ce554f165c554c27b79fd12801c7e1219c418c4120492def34064da04aecb4c346e94577ff8d6678d1184c2a0867e59d579b65c68efd1d7fd7c5a747aa0d2aa0
SSDEEP

24576:6NA3R5drXfdrDoOJxEDIijCJnQtu1h6LId7nT1RMwan3vcXB+hX:z51rDbJfijC91h6LIdzTXM7yB4

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 53 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	a1dded515ea0cc09854ed0193105aaea_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	slrggadcf.pif

Executes dropped EXE 54 IoCs

pid	Process
1416	slrggadcf.pif
4828	RegSvcs.exe
1840	slrggadcf.pif
3164	RegSvcs.exe
1572	slrggadcf.pif
2792	RegSvcs.exe
1492	slrggadcf.pif
2496	RegSvcs.exe
1240	slrggadcf.pif
4408	RegSvcs.exe
740	slrggadcf.pif
32	RegSvcs.exe
4388	slrggadcf.pif
3592	RegSvcs.exe
3196	slrggadcf.pif
3812	RegSvcs.exe
4200	slrggadcf.pif
3696	RegSvcs.exe
4732	slrggadcf.pif
4048	RegSvcs.exe
3336	slrggadcf.pif
3672	RegSvcs.exe
1724	slrggadcf.pif
1572	RegSvcs.exe
1096	slrggadcf.pif
4384	RegSvcs.exe
1172	slrggadcf.pif
4184	RegSvcs.exe
2352	slrggadcf.pif
4008	RegSvcs.exe
4644	slrggadcf.pif
2600	RegSvcs.exe
1976	slrggadcf.pif
4832	RegSvcs.exe
4724	slrggadcf.pif
4876	RegSvcs.exe
716	slrggadcf.pif
4552	RegSvcs.exe
5024	slrggadcf.pif
2520	RegSvcs.exe
3944	slrggadcf.pif
1812	RegSvcs.exe
1568	slrggadcf.pif
2624	RegSvcs.exe
2756	slrggadcf.pif
1196	RegSvcs.exe
4368	slrggadcf.pif
4116	RegSvcs.exe
2524	slrggadcf.pif
4356	RegSvcs.exe
1100	slrggadcf.pif
4172	RegSvcs.exe
4220	slrggadcf.pif
4752	RegSvcs.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\SLRGGA~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\48501850\\kcvevw.dul"	slrggadcf.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	slrggadcf.pif

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1416	slrggadcf.pif
1416	slrggadcf.pif
1416	slrggadcf.pif
1416	slrggadcf.pif
1416	slrggadcf.pif
1416	slrggadcf.pif
1416	slrggadcf.pif
1416	slrggadcf.pif
1416	slrggadcf.pif
1416	slrggadcf.pif
1416	slrggadcf.pif
1416	slrggadcf.pif
1840	slrggadcf.pif
1840	slrggadcf.pif
1840	slrggadcf.pif
1840	slrggadcf.pif
1840	slrggadcf.pif
1840	slrggadcf.pif
1840	slrggadcf.pif
1840	slrggadcf.pif
1840	slrggadcf.pif
1840	slrggadcf.pif
1840	slrggadcf.pif
1840	slrggadcf.pif
1572	slrggadcf.pif
1572	slrggadcf.pif
1572	slrggadcf.pif
1572	slrggadcf.pif
1572	slrggadcf.pif
1572	slrggadcf.pif
1572	slrggadcf.pif
1572	slrggadcf.pif
1572	slrggadcf.pif
1572	slrggadcf.pif
1572	slrggadcf.pif
1572	slrggadcf.pif
1492	slrggadcf.pif
1492	slrggadcf.pif
1492	slrggadcf.pif
1492	slrggadcf.pif
1492	slrggadcf.pif
1492	slrggadcf.pif
1492	slrggadcf.pif
1492	slrggadcf.pif
1492	slrggadcf.pif
1492	slrggadcf.pif
1492	slrggadcf.pif
1492	slrggadcf.pif
1240	slrggadcf.pif
1240	slrggadcf.pif
1240	slrggadcf.pif
1240	slrggadcf.pif
1240	slrggadcf.pif
1240	slrggadcf.pif
1240	slrggadcf.pif
1240	slrggadcf.pif
1240	slrggadcf.pif
1240	slrggadcf.pif
1240	slrggadcf.pif
1240	slrggadcf.pif
740	slrggadcf.pif
740	slrggadcf.pif
740	slrggadcf.pif
740	slrggadcf.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1416	1488	a1dded515ea0cc09854ed0193105aaea_JaffaCakes118.exe	85
PID 1488 wrote to memory of 1416	1488	a1dded515ea0cc09854ed0193105aaea_JaffaCakes118.exe	85
PID 1488 wrote to memory of 1416	1488	a1dded515ea0cc09854ed0193105aaea_JaffaCakes118.exe	85
PID 1416 wrote to memory of 4828	1416	slrggadcf.pif	87
PID 1416 wrote to memory of 4828	1416	slrggadcf.pif	87
PID 1416 wrote to memory of 4828	1416	slrggadcf.pif	87
PID 1416 wrote to memory of 2556	1416	slrggadcf.pif	88
PID 1416 wrote to memory of 2556	1416	slrggadcf.pif	88
PID 1416 wrote to memory of 2556	1416	slrggadcf.pif	88
PID 2556 wrote to memory of 1840	2556	WScript.exe	89
PID 2556 wrote to memory of 1840	2556	WScript.exe	89
PID 2556 wrote to memory of 1840	2556	WScript.exe	89
PID 1840 wrote to memory of 3164	1840	slrggadcf.pif	90
PID 1840 wrote to memory of 3164	1840	slrggadcf.pif	90
PID 1840 wrote to memory of 3164	1840	slrggadcf.pif	90
PID 1840 wrote to memory of 4028	1840	slrggadcf.pif	91
PID 1840 wrote to memory of 4028	1840	slrggadcf.pif	91
PID 1840 wrote to memory of 4028	1840	slrggadcf.pif	91
PID 4028 wrote to memory of 1572	4028	WScript.exe	92
PID 4028 wrote to memory of 1572	4028	WScript.exe	92
PID 4028 wrote to memory of 1572	4028	WScript.exe	92
PID 1572 wrote to memory of 2792	1572	slrggadcf.pif	93
PID 1572 wrote to memory of 2792	1572	slrggadcf.pif	93
PID 1572 wrote to memory of 2792	1572	slrggadcf.pif	93
PID 1572 wrote to memory of 1824	1572	slrggadcf.pif	94
PID 1572 wrote to memory of 1824	1572	slrggadcf.pif	94
PID 1572 wrote to memory of 1824	1572	slrggadcf.pif	94
PID 1824 wrote to memory of 1492	1824	WScript.exe	95
PID 1824 wrote to memory of 1492	1824	WScript.exe	95
PID 1824 wrote to memory of 1492	1824	WScript.exe	95
PID 1492 wrote to memory of 2496	1492	slrggadcf.pif	96
PID 1492 wrote to memory of 2496	1492	slrggadcf.pif	96
PID 1492 wrote to memory of 2496	1492	slrggadcf.pif	96
PID 1492 wrote to memory of 1096	1492	slrggadcf.pif	97
PID 1492 wrote to memory of 1096	1492	slrggadcf.pif	97
PID 1492 wrote to memory of 1096	1492	slrggadcf.pif	97
PID 1096 wrote to memory of 1240	1096	WScript.exe	98
PID 1096 wrote to memory of 1240	1096	WScript.exe	98
PID 1096 wrote to memory of 1240	1096	WScript.exe	98
PID 1240 wrote to memory of 4408	1240	slrggadcf.pif	99
PID 1240 wrote to memory of 4408	1240	slrggadcf.pif	99
PID 1240 wrote to memory of 4408	1240	slrggadcf.pif	99
PID 1240 wrote to memory of 2484	1240	slrggadcf.pif	100
PID 1240 wrote to memory of 2484	1240	slrggadcf.pif	100
PID 1240 wrote to memory of 2484	1240	slrggadcf.pif	100
PID 2484 wrote to memory of 740	2484	WScript.exe	101
PID 2484 wrote to memory of 740	2484	WScript.exe	101
PID 2484 wrote to memory of 740	2484	WScript.exe	101
PID 740 wrote to memory of 32	740	slrggadcf.pif	104
PID 740 wrote to memory of 32	740	slrggadcf.pif	104
PID 740 wrote to memory of 32	740	slrggadcf.pif	104
PID 740 wrote to memory of 464	740	slrggadcf.pif	105
PID 740 wrote to memory of 464	740	slrggadcf.pif	105
PID 740 wrote to memory of 464	740	slrggadcf.pif	105
PID 464 wrote to memory of 4388	464	WScript.exe	106
PID 464 wrote to memory of 4388	464	WScript.exe	106
PID 464 wrote to memory of 4388	464	WScript.exe	106
PID 4388 wrote to memory of 3592	4388	slrggadcf.pif	107
PID 4388 wrote to memory of 3592	4388	slrggadcf.pif	107
PID 4388 wrote to memory of 3592	4388	slrggadcf.pif	107
PID 4388 wrote to memory of 1708	4388	slrggadcf.pif	108
PID 4388 wrote to memory of 1708	4388	slrggadcf.pif	108
PID 4388 wrote to memory of 1708	4388	slrggadcf.pif	108
PID 1708 wrote to memory of 3196	1708	WScript.exe	109

C:\Users\Admin\AppData\Local\Temp\a1dded515ea0cc09854ed0193105aaea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1dded515ea0cc09854ed0193105aaea_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
  "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    PID:4828
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
      "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1840
    - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        5⤵
        Executes dropped EXE
        
        PID:3164
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4028
      - C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        7⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        9⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        9⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        11⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        11⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        13⤵
        Executes dropped EXE
        
        PID:32
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        13⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        15⤵
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        15⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        17⤵
        Executes dropped EXE
        
        PID:3812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        17⤵
        Checks computer location settings
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        19⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        19⤵
        Checks computer location settings
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        21⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        21⤵
        Checks computer location settings
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        23⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        23⤵
        Checks computer location settings
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        25⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        25⤵
        Checks computer location settings
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        27⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        27⤵
        Checks computer location settings
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        29⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        29⤵
        Checks computer location settings
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        31⤵
        Executes dropped EXE
        
        PID:4008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        31⤵
        Checks computer location settings
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        33⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        33⤵
        Checks computer location settings
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        35⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        35⤵
        Checks computer location settings
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        37⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        37⤵
        Checks computer location settings
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        39⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        39⤵
        Checks computer location settings
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        41⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        41⤵
        Checks computer location settings
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        43⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        43⤵
        Checks computer location settings
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        45⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        45⤵
        Checks computer location settings
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        47⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        47⤵
        Checks computer location settings
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        49⤵
        Executes dropped EXE
        
        PID:4116
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        49⤵
        Checks computer location settings
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        51⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        51⤵
        Checks computer location settings
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        53⤵
        Executes dropped EXE
        
        PID:4172
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs"
        53⤵
        Checks computer location settings
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif
        
        "C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif" kcvevw.dul
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        55⤵
        Executes dropped EXE
        
        PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\48501850\nwftmxwla.mp3

Filesize
263KB

MD5
4ae4051b656ac4a759e5f3c634d38eda

SHA1
b5a22b1fe0879f15c8082620b0f001e2af586ef6

SHA256
19e4af354a8e6f1661dbfdf6ce6c720bd49cf2320beba0e84d4aedbd1afcfb9e

SHA512
4078cc5921213b2d43b243ff4a0a2c5fc5601a25d066602ec27d555b7db13063debebc6a8342f76eb7080b728ac826083f4111d42e65307bb814739f648c07ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\48501850\run.vbs

Filesize
92B

MD5
11318ab760f12a623a3f5fc0ecdcda66

SHA1
2c1c31aa4f672adbb523e9c561c15dd17aee784a

SHA256
a59ee97faff340bb0cb551d903c7b20495419eb1b82561b85953ee14f3c9acf1

SHA512
1dc0597512352bec0d86a34f3ed6b100425f01d5bf7801b71f48e56f19bae418e9f688fba1057c5eec3861cad57689e6e14dc869c4097ebf6b44e0f21ad89828

Download Submit
C:\Users\Admin\AppData\Local\Temp\48501850\slrggadcf.pif

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit