48869cd996b2db6e73b5f2f0e1e989648055d7e4dfd8e85cb0a5541f1c22f6f7

Analysis

max time kernel
140s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 03:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe
Size

4.8MB
MD5

18a77f70f308e9b14a7c64e1145f6b0f
SHA1

c389bd6473bc6516794d73a7e255e94b5f43f8f6
SHA256

48869cd996b2db6e73b5f2f0e1e989648055d7e4dfd8e85cb0a5541f1c22f6f7
SHA512

733bc81ec68a4e53169317f5581ca3a99391355affeab23f86d2526e2ff36fdaa5378bdb7b2d2d219423f34c933d326a2efd39d1e26053793334a0ef2c95e012
SSDEEP

98304:9R5kNiF/AQgu2Uw7PGUcyGlQ+xsNBvuPY53:9fPguRw7eUcyGlQ1Bvu03

Score

10^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\Arquivos de programas\\msnmsg.exe\""	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe:*:Enabled:System"	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3880	netsh.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\zeroinfect.txt	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	\??\c:\Windows\Menu Iniciar\Programas\Iniciar\msnmsg.exe	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Kills process with taskkill 43 IoCs

evasion

pid	Process
864	taskkill.exe
4160	taskkill.exe
4600	taskkill.exe
2700	taskkill.exe
4728	taskkill.exe
2528	taskkill.exe
2668	taskkill.exe
1624	taskkill.exe
1404	taskkill.exe
2900	taskkill.exe
4380	taskkill.exe
884	taskkill.exe
3804	taskkill.exe
3792	taskkill.exe
4148	taskkill.exe
4112	taskkill.exe
4764	taskkill.exe
4812	taskkill.exe
4952	taskkill.exe
4836	taskkill.exe
4272	taskkill.exe
4424	taskkill.exe
4376	taskkill.exe
5088	taskkill.exe
2076	taskkill.exe
1008	taskkill.exe
1884	taskkill.exe
3396	taskkill.exe
3004	taskkill.exe
2996	taskkill.exe
4756	taskkill.exe
1724	taskkill.exe
2688	taskkill.exe
4912	taskkill.exe
4240	taskkill.exe
4092	taskkill.exe
2260	taskkill.exe
5044	taskkill.exe
3944	taskkill.exe
4576	taskkill.exe
4128	taskkill.exe
212	taskkill.exe
4748	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4300	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4112	taskkill.exe
Token: SeDebugPrivilege	3396	taskkill.exe
Token: SeDebugPrivilege	2668	taskkill.exe
Token: SeDebugPrivilege	4380	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	4600	taskkill.exe
Token: SeDebugPrivilege	4748	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	4812	taskkill.exe
Token: SeDebugPrivilege	2996	taskkill.exe
Token: SeDebugPrivilege	4240	taskkill.exe
Token: SeDebugPrivilege	4376	taskkill.exe
Token: SeDebugPrivilege	5044	taskkill.exe
Token: SeDebugPrivilege	2076	taskkill.exe
Token: SeDebugPrivilege	5088	taskkill.exe
Token: SeDebugPrivilege	4576	taskkill.exe
Token: SeDebugPrivilege	884	taskkill.exe
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeDebugPrivilege	4092	taskkill.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	212	taskkill.exe
Token: SeDebugPrivilege	3792	taskkill.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	4728	taskkill.exe
Token: SeDebugPrivilege	4836	taskkill.exe
Token: SeDebugPrivilege	4764	taskkill.exe
Token: SeDebugPrivilege	864	taskkill.exe
Token: SeDebugPrivilege	2260	taskkill.exe
Token: SeDebugPrivilege	4952	taskkill.exe
Token: SeDebugPrivilege	3804	taskkill.exe
Token: SeDebugPrivilege	4424	taskkill.exe
Token: SeDebugPrivilege	4148	taskkill.exe
Token: SeDebugPrivilege	2528	taskkill.exe
Token: SeDebugPrivilege	4128	taskkill.exe
Token: SeDebugPrivilege	3944	taskkill.exe
Token: SeDebugPrivilege	4272	taskkill.exe
Token: SeDebugPrivilege	4912	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 4300	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	83
PID 4772 wrote to memory of 4300	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	83
PID 4772 wrote to memory of 4300	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	83
PID 4772 wrote to memory of 4812	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	84
PID 4772 wrote to memory of 4812	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	84
PID 4772 wrote to memory of 4812	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	84
PID 4772 wrote to memory of 4240	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	85
PID 4772 wrote to memory of 4240	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	85
PID 4772 wrote to memory of 4240	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	85
PID 4772 wrote to memory of 4764	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	86
PID 4772 wrote to memory of 4764	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	86
PID 4772 wrote to memory of 4764	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	86
PID 4772 wrote to memory of 4380	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	87
PID 4772 wrote to memory of 4380	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	87
PID 4772 wrote to memory of 4380	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	87
PID 4772 wrote to memory of 3004	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	88
PID 4772 wrote to memory of 3004	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	88
PID 4772 wrote to memory of 3004	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	88
PID 4772 wrote to memory of 2668	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	89
PID 4772 wrote to memory of 2668	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	89
PID 4772 wrote to memory of 2668	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	89
PID 4772 wrote to memory of 3396	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	90
PID 4772 wrote to memory of 3396	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	90
PID 4772 wrote to memory of 3396	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	90
PID 4772 wrote to memory of 3944	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	91
PID 4772 wrote to memory of 3944	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	91
PID 4772 wrote to memory of 3944	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	91
PID 4772 wrote to memory of 4112	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	92
PID 4772 wrote to memory of 4112	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	92
PID 4772 wrote to memory of 4112	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	92
PID 4772 wrote to memory of 4148	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	93
PID 4772 wrote to memory of 4148	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	93
PID 4772 wrote to memory of 4148	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	93
PID 4772 wrote to memory of 4576	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	95
PID 4772 wrote to memory of 4576	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	95
PID 4772 wrote to memory of 4576	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	95
PID 4772 wrote to memory of 4748	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	96
PID 4772 wrote to memory of 4748	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	96
PID 4772 wrote to memory of 4748	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	96
PID 4772 wrote to memory of 212	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	97
PID 4772 wrote to memory of 212	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	97
PID 4772 wrote to memory of 212	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	97
PID 4772 wrote to memory of 1884	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	98
PID 4772 wrote to memory of 1884	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	98
PID 4772 wrote to memory of 1884	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	98
PID 4772 wrote to memory of 5044	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	99
PID 4772 wrote to memory of 5044	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	99
PID 4772 wrote to memory of 5044	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	99
PID 4772 wrote to memory of 3792	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	100
PID 4772 wrote to memory of 3792	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	100
PID 4772 wrote to memory of 3792	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	100
PID 4772 wrote to memory of 1008	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	102
PID 4772 wrote to memory of 1008	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	102
PID 4772 wrote to memory of 1008	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	102
PID 4772 wrote to memory of 2076	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	103
PID 4772 wrote to memory of 2076	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	103
PID 4772 wrote to memory of 2076	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	103
PID 4772 wrote to memory of 2900	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	104
PID 4772 wrote to memory of 2900	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	104
PID 4772 wrote to memory of 2900	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	104
PID 4772 wrote to memory of 3804	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	105
PID 4772 wrote to memory of 3804	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	105
PID 4772 wrote to memory of 3804	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	105
PID 4772 wrote to memory of 5088	4772	18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe	106

C:\Users\Admin\AppData\Local\Temp\18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18a77f70f308e9b14a7c64e1145f6b0f_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn startt /tr c:\start.bat /sc onstart /ru system
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4300
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im spybotSD.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4812
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im avp.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4240
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im nod32krn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im nod32kui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4380
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im KAVPF.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Kav.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im gcasServ.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3396
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im zlclient.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im avgemc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im avgupsvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4148
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im avgamsvr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4576
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im avgcc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4748
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ashdisp.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:212
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ashmaisv.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ashserv.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ashwebsv.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3792
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im aswupdsv.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1008
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ccsetmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im cccproxy.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ccapp.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3804
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ccevtmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Mcdetect.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4728
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcregwiz.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4912
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McTskshd.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4376
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcupdmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcupdui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MpfAgent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MpfConsole.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MpfService.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4756
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MpfTray.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4424
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MpfWizard.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mvtx.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcappins.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4272
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcinfo.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1404
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4092
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcinsupd.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4952
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McShield.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im naiavfin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im oasclnt.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall set opmode mode = disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4772-0-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/4772-2-0x0000000000400000-0x00000000008C7000-memory.dmp

Filesize
4.8MB

Download
memory/4772-4-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/4772-5-0x0000000000400000-0x00000000008C7000-memory.dmp

Filesize
4.8MB

Download
memory/4772-6-0x0000000000400000-0x00000000008C7000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads