05bbe75c2e13f4e9267f6217a0d91acab003fc7f1eb1a92d81b10bd3cf448f9e

Analysis

max time kernel
101s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2024 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1268348828883dbc98a1a584dec8ded8_JaffaCakes118.js
Size

283KB
MD5

1268348828883dbc98a1a584dec8ded8
SHA1

7fd4ed93d6a549baf7402f7fd5e736faf2ae40f4
SHA256

05bbe75c2e13f4e9267f6217a0d91acab003fc7f1eb1a92d81b10bd3cf448f9e
SHA512

8d7df58ab9cb6ca13c1e3317cf51ec7ae67e7389e0464794dab8edaabd1b6454d73b8c27796335693f2aa6453a4dfed1261685f10d180a793781ae35adde2dcb
SSDEEP

6144:AFM0/rWK/2tG3ZL1hsI5y7XFeLAPlRpQEWpbTMp4Jc3L:AX/d/2QtT5y7XnlRpQHFTMaJGL

Score

7^/10

discovery execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-857544305-989156968-2929034274-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 64 IoCs

Processes:

2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe2e4cd28716d.exe

pid	Process
3452	2e4cd28716d.exe
4224	2e4cd28716d.exe
3952	2e4cd28716d.exe
4852	2e4cd28716d.exe
312	2e4cd28716d.exe
1604	2e4cd28716d.exe
3636	2e4cd28716d.exe
4572	2e4cd28716d.exe
3624	2e4cd28716d.exe
4228	2e4cd28716d.exe
1936	2e4cd28716d.exe
4592	2e4cd28716d.exe
3028	2e4cd28716d.exe
1484	2e4cd28716d.exe
4116	2e4cd28716d.exe
3964	2e4cd28716d.exe
1636	2e4cd28716d.exe
1504	2e4cd28716d.exe
4824	2e4cd28716d.exe
4856	2e4cd28716d.exe
812	2e4cd28716d.exe
4908	2e4cd28716d.exe
1492	2e4cd28716d.exe
1948	2e4cd28716d.exe
4256	2e4cd28716d.exe
2716	2e4cd28716d.exe
3852	2e4cd28716d.exe
4484	2e4cd28716d.exe
3008	2e4cd28716d.exe
2436	2e4cd28716d.exe
3164	2e4cd28716d.exe
932	2e4cd28716d.exe
4028	2e4cd28716d.exe
3332	2e4cd28716d.exe
1044	2e4cd28716d.exe
1408	2e4cd28716d.exe
5016	2e4cd28716d.exe
4092	2e4cd28716d.exe
2740	2e4cd28716d.exe
4364	2e4cd28716d.exe
2308	2e4cd28716d.exe
1940	2e4cd28716d.exe
4016	2e4cd28716d.exe
2160	2e4cd28716d.exe
4368	2e4cd28716d.exe
4800	2e4cd28716d.exe
4600	2e4cd28716d.exe
1820	2e4cd28716d.exe
1900	2e4cd28716d.exe
3040	2e4cd28716d.exe
4124	2e4cd28716d.exe
3888	2e4cd28716d.exe
2820	2e4cd28716d.exe
4008	2e4cd28716d.exe
2168	2e4cd28716d.exe
3340	2e4cd28716d.exe
3136	2e4cd28716d.exe
1140	2e4cd28716d.exe
3900	2e4cd28716d.exe
1760	2e4cd28716d.exe
5116	2e4cd28716d.exe
4036	2e4cd28716d.exe
1264	2e4cd28716d.exe
2696	2e4cd28716d.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2e4cd28716d.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e4cd28716d.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

wscript.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-857544305-989156968-2929034274-1000_Classes\Local Settings	wscript.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid	Process
5040	WINWORD.EXE
5040	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2e4cd28716d.exe

pid	Process
3452	2e4cd28716d.exe
3452	2e4cd28716d.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

WINWORD.EXE2e4cd28716d.exe

pid	Process
5040	WINWORD.EXE
3452	2e4cd28716d.exe
5040	WINWORD.EXE
5040	WINWORD.EXE
5040	WINWORD.EXE
5040	WINWORD.EXE
5040	WINWORD.EXE
5040	WINWORD.EXE
5040	WINWORD.EXE
5040	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wscript.exe2e4cd28716d.exe

description	pid	Process	procid_target
PID 4020 wrote to memory of 5040	4020	wscript.exe	83
PID 4020 wrote to memory of 5040	4020	wscript.exe	83
PID 4020 wrote to memory of 3452	4020	wscript.exe	85
PID 4020 wrote to memory of 3452	4020	wscript.exe	85
PID 4020 wrote to memory of 3452	4020	wscript.exe	85
PID 3452 wrote to memory of 4224	3452	2e4cd28716d.exe	88
PID 3452 wrote to memory of 4224	3452	2e4cd28716d.exe	88
PID 3452 wrote to memory of 4224	3452	2e4cd28716d.exe	88
PID 3452 wrote to memory of 3952	3452	2e4cd28716d.exe	89
PID 3452 wrote to memory of 3952	3452	2e4cd28716d.exe	89
PID 3452 wrote to memory of 3952	3452	2e4cd28716d.exe	89
PID 3452 wrote to memory of 4852	3452	2e4cd28716d.exe	90
PID 3452 wrote to memory of 4852	3452	2e4cd28716d.exe	90
PID 3452 wrote to memory of 4852	3452	2e4cd28716d.exe	90
PID 3452 wrote to memory of 312	3452	2e4cd28716d.exe	91
PID 3452 wrote to memory of 312	3452	2e4cd28716d.exe	91
PID 3452 wrote to memory of 312	3452	2e4cd28716d.exe	91
PID 3452 wrote to memory of 1604	3452	2e4cd28716d.exe	92
PID 3452 wrote to memory of 1604	3452	2e4cd28716d.exe	92
PID 3452 wrote to memory of 1604	3452	2e4cd28716d.exe	92
PID 3452 wrote to memory of 3636	3452	2e4cd28716d.exe	93
PID 3452 wrote to memory of 3636	3452	2e4cd28716d.exe	93
PID 3452 wrote to memory of 3636	3452	2e4cd28716d.exe	93
PID 3452 wrote to memory of 4572	3452	2e4cd28716d.exe	94
PID 3452 wrote to memory of 4572	3452	2e4cd28716d.exe	94
PID 3452 wrote to memory of 4572	3452	2e4cd28716d.exe	94
PID 3452 wrote to memory of 3624	3452	2e4cd28716d.exe	95
PID 3452 wrote to memory of 3624	3452	2e4cd28716d.exe	95
PID 3452 wrote to memory of 3624	3452	2e4cd28716d.exe	95
PID 3452 wrote to memory of 4228	3452	2e4cd28716d.exe	96
PID 3452 wrote to memory of 4228	3452	2e4cd28716d.exe	96
PID 3452 wrote to memory of 4228	3452	2e4cd28716d.exe	96
PID 3452 wrote to memory of 1936	3452	2e4cd28716d.exe	97
PID 3452 wrote to memory of 1936	3452	2e4cd28716d.exe	97
PID 3452 wrote to memory of 1936	3452	2e4cd28716d.exe	97
PID 3452 wrote to memory of 4592	3452	2e4cd28716d.exe	98
PID 3452 wrote to memory of 4592	3452	2e4cd28716d.exe	98
PID 3452 wrote to memory of 4592	3452	2e4cd28716d.exe	98
PID 3452 wrote to memory of 3028	3452	2e4cd28716d.exe	99
PID 3452 wrote to memory of 3028	3452	2e4cd28716d.exe	99
PID 3452 wrote to memory of 3028	3452	2e4cd28716d.exe	99
PID 3452 wrote to memory of 1484	3452	2e4cd28716d.exe	100
PID 3452 wrote to memory of 1484	3452	2e4cd28716d.exe	100
PID 3452 wrote to memory of 1484	3452	2e4cd28716d.exe	100
PID 3452 wrote to memory of 4116	3452	2e4cd28716d.exe	101
PID 3452 wrote to memory of 4116	3452	2e4cd28716d.exe	101
PID 3452 wrote to memory of 4116	3452	2e4cd28716d.exe	101
PID 3452 wrote to memory of 3964	3452	2e4cd28716d.exe	102
PID 3452 wrote to memory of 3964	3452	2e4cd28716d.exe	102
PID 3452 wrote to memory of 3964	3452	2e4cd28716d.exe	102
PID 3452 wrote to memory of 1636	3452	2e4cd28716d.exe	103
PID 3452 wrote to memory of 1636	3452	2e4cd28716d.exe	103
PID 3452 wrote to memory of 1636	3452	2e4cd28716d.exe	103
PID 3452 wrote to memory of 1504	3452	2e4cd28716d.exe	104
PID 3452 wrote to memory of 1504	3452	2e4cd28716d.exe	104
PID 3452 wrote to memory of 1504	3452	2e4cd28716d.exe	104
PID 3452 wrote to memory of 4824	3452	2e4cd28716d.exe	105
PID 3452 wrote to memory of 4824	3452	2e4cd28716d.exe	105
PID 3452 wrote to memory of 4824	3452	2e4cd28716d.exe	105
PID 3452 wrote to memory of 4856	3452	2e4cd28716d.exe	106
PID 3452 wrote to memory of 4856	3452	2e4cd28716d.exe	106
PID 3452 wrote to memory of 4856	3452	2e4cd28716d.exe	106
PID 3452 wrote to memory of 812	3452	2e4cd28716d.exe	107
PID 3452 wrote to memory of 812	3452	2e4cd28716d.exe	107

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1268348828883dbc98a1a584dec8ded8_JaffaCakes118.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\doc_ed11ce.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5040
- C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
  "C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4224
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:3952
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4852
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:312
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:1604
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:3636
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4572
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:3624
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4228
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:1936
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4592
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:3028
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4116
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:3964
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:1636
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:1504
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4824
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4856
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:812
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4908
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:1492
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4256
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:2716
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:3852
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4484
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:3008
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:2436
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:3164
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:932
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4028
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:3332
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:1044
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:1408
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:5016
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4092
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:2740
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4364
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:2308
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4016
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:2160
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4368
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4800
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4600
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:1820
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:1900
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:3040
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4124
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:3888
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:2820
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4008
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:2168
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:3340
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:3136
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:1140
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:3900
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:1760
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:5116
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:4036
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:1264
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    - Executes dropped EXE
    PID:2696
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:4700
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:636
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:2276
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:1596
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:5056
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:944
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:2912
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:4768
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:736
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:1724
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:4816
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:1736
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:4516
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:4840
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:2452
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:2456
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:320
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:4692
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:1572
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:2756
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:4720
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:2388
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:3320
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:1060
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:2872
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:3200
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:4120
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:3120
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:1088
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:4216
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:2240
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:1800
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:1840
- - C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
    3⤵
    PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe

Filesize
152KB

MD5
347684b6130a16aace57a364658c8435

SHA1
9f6a1ceb820319d56f047b0c1213f7359dc6b7da

SHA256
4bc47e12fdaadd5d9da37ee13c5c173bf61a013823f5c49065cd5d43f2ddef94

SHA512
0596c6f6b80bba6bf4a1874019faf3198a3d9d0dcf1c79bcaa76a5324adf3ee8ce03bc627d77bbe6b565f86caab8ba9df826d894704d13243bfef32005d4f9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\doc_ed11ce.docx

Filesize
22KB

MD5
24a09f3f72fe19cc920e86645626f197

SHA1
e9cee70b03d0938b8590b01ea89325f65ec90971

SHA256
37073e6c5503ebe0b3101f42f98c56892e1db686e5592255faf443ee6066dce6

SHA512
c59049f19d5eb81283c1848c8145f7a22c1386a40af9d31f3641fecb6d762f75660492f58797514d1053ea87e53635307cdd75366f87ba18f019523967cf27e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
684B

MD5
edda796fa8309a78204eeb7d05f1889f

SHA1
ed15d819882b3eebf9a6c5787c7d59698b7da05d

SHA256
7da2e5e4399a2b71601b60a19283e010bb9cf7db3a5b95b9f98315f0ba215472

SHA512
4300fa9234d0cfb4ae4f6741d20d99ece0027974554e32bd7e426509a2f7a24b298795d1fff720aa5d6b4b8abd930416e04ec0a3cc9c02bc0939ed7d985b5a2a

Download Submit
memory/5040-29-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-22-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-23-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-28-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-17-0x00007FFACB250000-0x00007FFACB260000-memory.dmp

Filesize
64KB

Download
memory/5040-30-0x00007FFAC88F0000-0x00007FFAC8900000-memory.dmp

Filesize
64KB

Download
memory/5040-27-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-32-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-31-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-34-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-37-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-36-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-35-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-33-0x00007FFAC88F0000-0x00007FFAC8900000-memory.dmp

Filesize
64KB

Download
memory/5040-25-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-19-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-21-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-20-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-18-0x00007FFACB250000-0x00007FFACB260000-memory.dmp

Filesize
64KB

Download
memory/5040-24-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-14-0x00007FFACB250000-0x00007FFACB260000-memory.dmp

Filesize
64KB

Download
memory/5040-15-0x00007FFACB250000-0x00007FFACB260000-memory.dmp

Filesize
64KB

Download
memory/5040-12-0x00007FFACB250000-0x00007FFACB260000-memory.dmp

Filesize
64KB

Download
memory/5040-127-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-128-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-129-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download
memory/5040-149-0x00007FFACB250000-0x00007FFACB260000-memory.dmp

Filesize
64KB

Download
memory/5040-151-0x00007FFACB250000-0x00007FFACB260000-memory.dmp

Filesize
64KB

Download
memory/5040-152-0x00007FFACB250000-0x00007FFACB260000-memory.dmp

Filesize
64KB

Download
memory/5040-150-0x00007FFACB250000-0x00007FFACB260000-memory.dmp

Filesize
64KB

Download
memory/5040-153-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp

Filesize
2.0MB

Download