6f7e7fdff1ab9280412e7b81d1b0377807780af22656c7cfd0db61b0b03debb6

Analysis

max time kernel
3s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe
Size

264KB
MD5

61fca526f013a4daafad8d6a13ffdf12
SHA1

001bdfdb4f794803fe2851d30d9d6d437b9e4f6c
SHA256

6f7e7fdff1ab9280412e7b81d1b0377807780af22656c7cfd0db61b0b03debb6
SHA512

5a46aacfdfb3352db9d5cdd25fc1b7201ec86957eb9c5983d3e53b693f9e6d7fe28b475367ad13ea22b38e0694ebfeeb8ea44f89aaa5530ff12f77b260c70300
SSDEEP

6144:XCJ3GPtw3RS+BRHtw3RS+BREsoVcAaRJnqBVgtc:XOpiEskCJe

Score

7^/10

adware stealer

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3328	zaztamsn.exe
3420	zaztamsn.exe
3504	zaztamsn.exe
5664	zaztamsn.exe
5728	zaztamsn.exe

Loads dropped DLL 10 IoCs

pid	Process
2416	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe
2416	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe
3328	zaztamsn.exe
3328	zaztamsn.exe
3420	zaztamsn.exe
3420	zaztamsn.exe
3504	zaztamsn.exe
3504	zaztamsn.exe
5664	zaztamsn.exe
5664	zaztamsn.exe

Installs/modifies Browser Helper Object 2 TTPs 10 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4490415F-65F8-B5C5-D8BA-9405FB120544}	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4490415F-65F8-B5C5-D8BA-9405FB120544}	zaztamsn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4490415F-65F8-B5C5-D8BA-9405FB120544}\ = "yzztdmsn.dll"	zaztamsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4490415F-65F8-B5C5-D8BA-9405FB120544}	zaztamsn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4490415F-65F8-B5C5-D8BA-9405FB120544}\ = "yzztdmsn.dll"	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4490415F-65F8-B5C5-D8BA-9405FB120544}	zaztamsn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4490415F-65F8-B5C5-D8BA-9405FB120544}\ = "yzztdmsn.dll"	zaztamsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4490415F-65F8-B5C5-D8BA-9405FB120544}	zaztamsn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4490415F-65F8-B5C5-D8BA-9405FB120544}\ = "yzztdmsn.dll"	zaztamsn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4490415F-65F8-B5C5-D8BA-9405FB120544}\ = "yzztdmsn.dll"	zaztamsn.exe

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\zaztamsn.exe	zaztamsn.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zaztamsn.exe
File opened for modification	C:\Windows\SysWOW64\yzztdmsn.dll	zaztamsn.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zaztamsn.exe	zaztamsn.exe
File opened for modification	C:\Windows\SysWOW64\xfztamsn.sys	zaztamsn.exe
File opened for modification	C:\Windows\SysWOW64\yzztdmsn.dll	zaztamsn.exe
File created	C:\Windows\SysWOW64\yzztdmsn.dll	zaztamsn.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zaztamsn.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zaztamsn.exe
File opened for modification	C:\Windows\SysWOW64\yzztdmsn.dll	zaztamsn.exe
File opened for modification	C:\Windows\SysWOW64\yzztdmsn.dll	zaztamsn.exe
File created	C:\Windows\SysWOW64\yzztdmsn.dll	zaztamsn.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zaztamsn.exe
File opened for modification	C:\Windows\SysWOW64\xfztamsn.sys	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zaztamsn.exe	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\zaztamsn.exe	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\yzztdmsn.dll	zaztamsn.exe
File opened for modification	C:\Windows\SysWOW64\zaztamsn.exe	zaztamsn.exe
File opened for modification	C:\Windows\SysWOW64\zaztamsn.exe	zaztamsn.exe
File opened for modification	C:\Windows\SysWOW64\yzztdmsn.dll	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\yzztdmsn.dll	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	zaztamsn.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4490415F-65F8-B5C5-D8BA-9405FB120544}	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4490415F-65F8-B5C5-D8BA-9405FB120544}\InprocServer32\ = "C:\\Windows\\SysWow64\\yzztdmsn.dll"	zaztamsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4490415F-65F8-B5C5-D8BA-9405FB120544}\InprocServer32	zaztamsn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4490415F-65F8-B5C5-D8BA-9405FB120544}\InprocServer32\ = "C:\\Windows\\SysWow64\\yzztdmsn.dll"	zaztamsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4490415F-65F8-B5C5-D8BA-9405FB120544}\InprocServer32	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4490415F-65F8-B5C5-D8BA-9405FB120544}\InprocServer32	zaztamsn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4490415F-65F8-B5C5-D8BA-9405FB120544}\InprocServer32\ = "C:\\Windows\\SysWow64\\yzztdmsn.dll"	zaztamsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4490415F-65F8-B5C5-D8BA-9405FB120544}\InprocServer32\ThreadingModel = "Apartment"	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4490415F-65F8-B5C5-D8BA-9405FB120544}\InprocServer32\ThreadingModel = "Apartment"	zaztamsn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4490415F-65F8-B5C5-D8BA-9405FB120544}\InprocServer32\ThreadingModel = "Apartment"	zaztamsn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4490415F-65F8-B5C5-D8BA-9405FB120544}\InprocServer32\ = "C:\\Windows\\SysWow64\\yzztdmsn.dll"	zaztamsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4490415F-65F8-B5C5-D8BA-9405FB120544}\InprocServer32	zaztamsn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4490415F-65F8-B5C5-D8BA-9405FB120544}\InprocServer32	zaztamsn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4490415F-65F8-B5C5-D8BA-9405FB120544}\InprocServer32\ThreadingModel = "Apartment"	zaztamsn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4490415F-65F8-B5C5-D8BA-9405FB120544}\InprocServer32\ = "C:\\Windows\\SysWow64\\yzztdmsn.dll"	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4490415F-65F8-B5C5-D8BA-9405FB120544}\InprocServer32\ThreadingModel = "Apartment"	zaztamsn.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2416	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe
3328	zaztamsn.exe
3420	zaztamsn.exe
3504	zaztamsn.exe
5664	zaztamsn.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2300	2416	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2300	2416	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2300	2416	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe	28
PID 2416 wrote to memory of 2300	2416	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe	28
PID 2416 wrote to memory of 3328	2416	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe	30
PID 2416 wrote to memory of 3328	2416	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe	30
PID 2416 wrote to memory of 3328	2416	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe	30
PID 2416 wrote to memory of 3328	2416	61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe	30
PID 3328 wrote to memory of 3400	3328	zaztamsn.exe	31
PID 3328 wrote to memory of 3400	3328	zaztamsn.exe	31
PID 3328 wrote to memory of 3400	3328	zaztamsn.exe	31
PID 3328 wrote to memory of 3400	3328	zaztamsn.exe	31
PID 3328 wrote to memory of 3420	3328	zaztamsn.exe	32
PID 3328 wrote to memory of 3420	3328	zaztamsn.exe	32
PID 3328 wrote to memory of 3420	3328	zaztamsn.exe	32
PID 3328 wrote to memory of 3420	3328	zaztamsn.exe	32
PID 3420 wrote to memory of 3496	3420	zaztamsn.exe	34
PID 3420 wrote to memory of 3496	3420	zaztamsn.exe	34
PID 3420 wrote to memory of 3496	3420	zaztamsn.exe	34
PID 3420 wrote to memory of 3496	3420	zaztamsn.exe	34
PID 3420 wrote to memory of 3504	3420	zaztamsn.exe	35
PID 3420 wrote to memory of 3504	3420	zaztamsn.exe	35
PID 3420 wrote to memory of 3504	3420	zaztamsn.exe	35
PID 3420 wrote to memory of 3504	3420	zaztamsn.exe	35
PID 3504 wrote to memory of 3584	3504	zaztamsn.exe	37
PID 3504 wrote to memory of 3584	3504	zaztamsn.exe	37
PID 3504 wrote to memory of 3584	3504	zaztamsn.exe	37
PID 3504 wrote to memory of 3584	3504	zaztamsn.exe	37
PID 3504 wrote to memory of 5664	3504	zaztamsn.exe	39
PID 3504 wrote to memory of 5664	3504	zaztamsn.exe	39
PID 3504 wrote to memory of 5664	3504	zaztamsn.exe	39
PID 3504 wrote to memory of 5664	3504	zaztamsn.exe	39
PID 5664 wrote to memory of 5716	5664	zaztamsn.exe	40
PID 5664 wrote to memory of 5716	5664	zaztamsn.exe	40
PID 5664 wrote to memory of 5716	5664	zaztamsn.exe	40
PID 5664 wrote to memory of 5716	5664	zaztamsn.exe	40
PID 5664 wrote to memory of 5728	5664	zaztamsn.exe	41
PID 5664 wrote to memory of 5728	5664	zaztamsn.exe	41
PID 5664 wrote to memory of 5728	5664	zaztamsn.exe	41
PID 5664 wrote to memory of 5728	5664	zaztamsn.exe	41
PID 5728 wrote to memory of 5812	5728	zaztamsn.exe	43
PID 5728 wrote to memory of 5812	5728	zaztamsn.exe	43
PID 5728 wrote to memory of 5812	5728	zaztamsn.exe	43
PID 5728 wrote to memory of 5812	5728	zaztamsn.exe	43

C:\Users\Admin\AppData\Local\Temp\61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61fca526f013a4daafad8d6a13ffdf12_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259429709.bat
  2⤵
  PID:2300
- C:\Windows\SysWOW64\zaztamsn.exe
  C:\Windows\system32\zaztamsn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259430146.bat
    3⤵
    PID:3400
- - C:\Windows\SysWOW64\zaztamsn.exe
    C:\Windows\system32\zaztamsn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259430193.bat
      4⤵
      PID:3496
  - - C:\Windows\SysWOW64\zaztamsn.exe
      C:\Windows\system32\zaztamsn.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Drops file in System32 directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3504
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259430255.bat
        5⤵
        
        PID:3584
    - - C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5664
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259431160.bat
        6⤵
        
        PID:5716
      - C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259431253.bat
        7⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        7⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259441815.bat
        8⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        8⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259442017.bat
        9⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        9⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259442158.bat
        10⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        10⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259444825.bat
        11⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        11⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259451736.bat
        12⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        12⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259452610.bat
        13⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        13⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259452891.bat
        14⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        14⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259453000.bat
        15⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        15⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259475729.bat
        16⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        16⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259482781.bat
        17⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        17⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259505744.bat
        18⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        18⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259518942.bat
        19⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        19⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259527007.bat
        20⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        20⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259531344.bat
        21⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        21⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259535805.bat
        22⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        22⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259544151.bat
        23⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        23⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259549892.bat
        24⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        24⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259553215.bat
        25⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        25⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259554962.bat
        26⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        26⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259555805.bat
        27⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        27⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259556522.bat
        28⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        28⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259563948.bat
        29⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        29⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259565087.bat
        30⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\zaztamsn.exe
        
        C:\Windows\system32\zaztamsn.exe
        30⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259578955.bat
        31⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259574556.bat
        22⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259566257.bat
        21⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259561545.bat
        20⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259557302.bat
        19⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259549034.bat
        18⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259536211.bat
        17⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259513201.bat
        16⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259506555.bat
        15⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259483623.bat
        14⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259483795.bat
        13⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259482827.bat
        12⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259482344.bat
        11⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259474887.bat
        10⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259472703.bat
        9⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259472578.bat
        8⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259472313.bat
        7⤵
        
        PID:3816
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259461705.bat
        6⤵
        
        PID:2216
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259461658.bat
        5⤵
        
        PID:3004
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259461705.bat
      4⤵
      PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259460831.bat
    3⤵
    PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259460753.bat
  2⤵
  PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DFD259429709.bat

Filesize
121B

MD5
09517fc62284f33e877a276463580bd1

SHA1
0b14fe1db4493818f9de0bf2a56ee5370b8d479a

SHA256
6cc6bbb1f3f754b6894d84130f5f2d86569ac3a603e1632d3cefa028f22b6238

SHA512
1b924dd216d0f38199cc6df215e65ff260aa48fa37aa620dabcbc616f434643bd1f2e617d66b14bd52900214148741565128ba9589782ba582fd7308369f4a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259460753.bat

Filesize
225B

MD5
15717626297953d1f7a50a2edc35d818

SHA1
08a23ad8539de218b6509ba0842eefece0e60b43

SHA256
454f5126a2d8e083517295d851629a831588cf831952d903d350a3843154ce34

SHA512
eddc034dd0400c09c4e2001c4ff572e228c22529de24bba5e27509655ce4daf45134768915fca848b26a0f65cce9989ad7556c9b8470cc877fce0024097348ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259460831.bat

Filesize
121B

MD5
634dd1d56ddfc2c9bf1bcf33d18f9cb9

SHA1
8c5e820bff2cb88755ce7b4f500c2cfc6abbb857

SHA256
88467b24e440b2590b48a175d855bc6e984fc53c210bb1d0f6c8d56d90654de3

SHA512
3505cfdfe62f6f4be271be9cf6c563f78f065e80821d94425727b08da97161e66500bd138b83b24d00729431765826b0033b3bb13414d74abba64c939b5d6eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259461705.bat

Filesize
242B

MD5
fcb2573ee04733edb2335223575ae2ae

SHA1
610996e922f5c5f8d7756bd8d758c69afe3cc9b0

SHA256
827b7c2c6ad2a36efa08fb7ec9ea9a66d23c7cadddbaaf6c1f674b5dfa7064d0

SHA512
8c224a79ef0ed97d76b849c66dae2ae3506286b26629ed44790916ccda9cdf1c2f17d95873a23d31719aaa5c9c0ef8318163b12b15c1c3e1f01a3846d7720faf

Download Submit
C:\Windows\SysWOW64\xfztamsn.sys

Filesize
260B

MD5
7eb9fa95e119f8546c65b11d9c94c03f

SHA1
c12ac93618938e171e115e46643690b25b80eeee

SHA256
2ec19d9c809ab8291b9c6e270e6c33c07aa75026d5d190498beb3d78ee654184

SHA512
76fa44ec28e4485eeadfeb44144e3401c75c82ab2107162086c27c2de3368578d6c81af1488131546abd96cef875f31c122bae81ea12584ae8db1fd26ed1b6b5

Download Submit
C:\Windows\SysWOW64\yzztdmsn.dll

Filesize
522KB

MD5
9aa20e6a5c8575b874dd8092831bac4d

SHA1
375b10ee7456f5420047fe6a404dc59bee7f7f45

SHA256
8ccc04d224a5d63f2f5a64cb37225416bc2501253b4f9db0191bf9ddbd6bfa74

SHA512
9f8e75d59eb6a5adfa662a20f4a609e07e1323c6acce8d0962c9f6bf250e24ac7bd38279410720d23a1d6dd388c0b8948c887f86c3810e2d6316d0d57d859c56

Download Submit
C:\Windows\SysWOW64\yzztdmsn.dll

Filesize
165KB

MD5
4d0effa9c19b74f4147eeded2f0b039e

SHA1
bb11400d5beb8219774f900574e6ef6263605013

SHA256
9d3ffd63ccdbefadad37894de3e91e951c18f93561157ea2d5dbb49d09f00b7c

SHA512
afbd83f7dde7746ebd193d5f147b96b31456521149576b223933dc56050157e7fca5c651c7480c05915ab45cb51a7d8266a9f55ae7288e7b71506036c3dbcdc2

Download Submit
C:\Windows\SysWOW64\yzztdmsn.dll

Filesize
522KB

MD5
f87f0c96efb7de4ef1a634ab08ec69f4

SHA1
e058f6cd4e39856ada4ec7d17f0885e8de5d00ab

SHA256
3bd27e56b3ae901ead585c4258f8992fbc0b59d5cc3107d8d0dad7257c85b678

SHA512
56980c8ff101c86788126252844421cc6418ad7c6f6e99240400687ae0527dfbb22ad403d1b73ca1cd6c4db5be70f10c1781afc2b12ec38681ba98be5fc7be9a

Download Submit
\Windows\SysWOW64\zaztamsn.exe

Filesize
264KB

MD5
61fca526f013a4daafad8d6a13ffdf12

SHA1
001bdfdb4f794803fe2851d30d9d6d437b9e4f6c

SHA256
6f7e7fdff1ab9280412e7b81d1b0377807780af22656c7cfd0db61b0b03debb6

SHA512
5a46aacfdfb3352db9d5cdd25fc1b7201ec86957eb9c5983d3e53b693f9e6d7fe28b475367ad13ea22b38e0694ebfeeb8ea44f89aaa5530ff12f77b260c70300

Download Submit
memory/440-16565-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/440-19634-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/440-19635-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/440-16566-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/904-21681-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/904-18600-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/2412-8390-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2412-11460-0x00000000003A0000-0x00000000003B9000-memory.dmp

Filesize
100KB

Download
memory/2412-9425-0x00000000003A0000-0x00000000003B9000-memory.dmp

Filesize
100KB

Download
memory/2416-1028-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/2416-2724-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/2416-2723-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/2416-2466-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2416-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2416-1029-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/2664-17583-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/2664-16567-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2664-20654-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/2948-19311-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/2948-18601-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/2948-15546-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/2948-15547-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/3304-21690-0x00000000002B0000-0x00000000002C9000-memory.dmp

Filesize
100KB

Download
memory/3328-1044-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/3328-3075-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/3328-3076-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/3328-1045-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/3328-1043-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3420-3119-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/3420-1056-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/3420-1057-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/3420-3120-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/3504-2090-0x00000000001B0000-0x00000000001C9000-memory.dmp

Filesize
100KB

Download
memory/3504-1060-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3504-3133-0x00000000001B0000-0x00000000001C9000-memory.dmp

Filesize
100KB

Download
memory/4012-19636-0x00000000001B0000-0x00000000001C9000-memory.dmp

Filesize
100KB

Download
memory/4628-7341-0x00000000001B0000-0x00000000001C9000-memory.dmp

Filesize
100KB

Download
memory/4628-9263-0x00000000001B0000-0x00000000001C9000-memory.dmp

Filesize
100KB

Download
memory/4988-14530-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/4988-17584-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/5136-8389-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/5136-10443-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/5392-4192-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/5392-3122-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5452-5227-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/5452-4177-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/5452-5224-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/5452-4166-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/5624-5213-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/5624-6118-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/5664-2093-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/5664-2092-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/5664-3143-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/5664-3144-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/6228-6191-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/6228-5225-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/6292-6316-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/6292-5228-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/6292-8386-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/6824-20655-0x00000000003C0000-0x00000000003D9000-memory.dmp

Filesize
100KB

Download
memory/6824-20656-0x00000000003C0000-0x00000000003D9000-memory.dmp

Filesize
100KB

Download