a9c4cea64ecebdb1de9326876b2051bb1e3d25d8199d5d8830d21daae7a36fb8

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 03:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe
Size

2.8MB
MD5

a970c591be6af64b82d8285bfd648f58
SHA1

ba8ab2bf06b68a720b18708a3ced9d518f9abc78
SHA256

a9c4cea64ecebdb1de9326876b2051bb1e3d25d8199d5d8830d21daae7a36fb8
SHA512

32946e50f0ad97536ee984619a5c64924b38d2f1c0f7cb013c96a6d7a35b4d2ef651719f50105bc6256c9d4ca29803ab8bf1ff87b9139da17e8470c2eaa4fc17
SSDEEP

49152:7bSr72mlm51EiRwGn7GPF7BmXF9Hqvb9V7i/Fm6sqqrhf5+NrtzEy87NU5FXXzNm:zsoq7F

Score

10^/10

collection credential_access defense_evasion discovery persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\sdra64.exe,"	6_ldry3no.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	1your_exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	opeDBE2.exe

Executes dropped EXE 23 IoCs

pid	Process
1776	teste1_p.exe
3696	q1.exe
3960	miragge.exe
3340	fFollower.exe
2740	avto.exe
5068	6_ldry3no.exe
3812	4_pinnew.exe
2736	2_load.exe
2000	1your_exe.exe
316	opeDBE2.exe
3480	1275673347.exe
3740	svchosty.exe
4596	svchosty.exe
4360	svchosty.exe
4524	svchosty.exe
2892	svchosty.exe
2760	svchosty.exe
4496	fFollower.exe
4492	svchosty.exe
2428	svchosty.exe
444	svchosty.exe
3456	svchosty.exe
2328	fFollower.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	4_pinnew.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Local\Temp\opeDBE2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\opeDBE2.exe "	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sdra64.exe	6_ldry3no.exe
File created	C:\Windows\SysWOW64\sdra64.exe	6_ldry3no.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 12 IoCs

pid	pid_target	Process	procid_target
3864	3960	WerFault.exe	96
4356	3696	WerFault.exe	95
1500	1776	WerFault.exe	93
4140	2740	WerFault.exe	99
4984	444	WerFault.exe	127
1592	3740	WerFault.exe	116
2284	4596	WerFault.exe	117
4808	4360	WerFault.exe	118
1124	2892	WerFault.exe	120
2384	2760	WerFault.exe	121
4896	4492	WerFault.exe	125
2896	2428	WerFault.exe	126

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fFollower.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fFollower.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1your_exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6_ldry3no.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2_load.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	teste1_p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	miragge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4_pinnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1275673347.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	opeDBE2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fFollower.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosty.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5068	6_ldry3no.exe
5068	6_ldry3no.exe
5068	6_ldry3no.exe
5068	6_ldry3no.exe
3812	4_pinnew.exe
3812	4_pinnew.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5068	6_ldry3no.exe
Token: SeDebugPrivilege	3812	4_pinnew.exe
Token: SeIncBasePriorityPrivilege	2000	1your_exe.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3480	1275673347.exe
3340	fFollower.exe
4496	fFollower.exe
2328	fFollower.exe
2328	fFollower.exe
2328	fFollower.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 1776	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	93
PID 2992 wrote to memory of 1776	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	93
PID 2992 wrote to memory of 1776	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	93
PID 2992 wrote to memory of 3696	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	95
PID 2992 wrote to memory of 3696	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	95
PID 2992 wrote to memory of 3696	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	95
PID 2992 wrote to memory of 3960	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	96
PID 2992 wrote to memory of 3960	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	96
PID 2992 wrote to memory of 3960	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	96
PID 2992 wrote to memory of 3340	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	97
PID 2992 wrote to memory of 3340	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	97
PID 2992 wrote to memory of 3340	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	97
PID 2992 wrote to memory of 2740	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	99
PID 2992 wrote to memory of 2740	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	99
PID 2992 wrote to memory of 2740	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	99
PID 2992 wrote to memory of 5068	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	100
PID 2992 wrote to memory of 5068	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	100
PID 2992 wrote to memory of 5068	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	100
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 2992 wrote to memory of 3812	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	103
PID 2992 wrote to memory of 3812	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	103
PID 2992 wrote to memory of 3812	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	103
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 2992 wrote to memory of 2736	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	105
PID 2992 wrote to memory of 2736	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	105
PID 2992 wrote to memory of 2736	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	105
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 2992 wrote to memory of 2000	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	107
PID 2992 wrote to memory of 2000	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	107
PID 2992 wrote to memory of 2000	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	107
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 2992 wrote to memory of 316	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	111
PID 2992 wrote to memory of 316	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	111
PID 2992 wrote to memory of 316	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	111
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5
PID 2992 wrote to memory of 3480	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	122
PID 2992 wrote to memory of 3480	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	122
PID 2992 wrote to memory of 3480	2992	a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe	122
PID 5068 wrote to memory of 612	5068	6_ldry3no.exe	5

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	4_pinnew.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a970c591be6af64b82d8285bfd648f58_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\teste1_p.exe
  "C:\Users\Admin\AppData\Local\Temp\teste1_p.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 540
    3⤵
    - Program crash
    PID:1500
- C:\Users\Admin\AppData\Local\Temp\q1.exe
  "C:\Users\Admin\AppData\Local\Temp\q1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 540
    3⤵
    - Program crash
    PID:4356
- C:\Users\Admin\AppData\Local\Temp\miragge.exe
  "C:\Users\Admin\AppData\Local\Temp\miragge.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 372
    3⤵
    - Program crash
    PID:3864
- C:\Users\Admin\AppData\Local\Temp\fFollower.exe
  "C:\Users\Admin\AppData\Local\Temp\fFollower.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3340
- - C:\Users\Admin\AppData\Local\Temp\fFollower.exe
    C:\Users\Admin\AppData\Local\Temp\fFollower.exe /install /silent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4496
- C:\Users\Admin\AppData\Local\Temp\avto.exe
  "C:\Users\Admin\AppData\Local\Temp\avto.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 540
    3⤵
    - Program crash
    PID:4140
- C:\Users\Admin\AppData\Local\Temp\6_ldry3no.exe
  "C:\Users\Admin\AppData\Local\Temp\6_ldry3no.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5068
- C:\Users\Admin\AppData\Local\Temp\4_pinnew.exe
  "C:\Users\Admin\AppData\Local\Temp\4_pinnew.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_win_path
  PID:3812
- C:\Users\Admin\AppData\Local\Temp\2_load.exe
  "C:\Users\Admin\AppData\Local\Temp\2_load.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\1your_exe.exe
  "C:\Users\Admin\AppData\Local\Temp\1your_exe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1YOUR_~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2192
- C:\Users\Admin\AppData\Local\Temp\opeDBE2.exe
  "C:\Users\Admin\AppData\Local\Temp\opeDBE2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:316
- - C:\Users\Admin\AppData\Local\Temp\svchosty.exe
    "C:\Users\Admin\AppData\Local\Temp\svchosty.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3740
  - - C:\Users\Admin\AppData\Local\Temp\svchosty.exe
      C:\Users\Admin\AppData\Local\Temp\svchosty.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4596
    - - C:\Users\Admin\AppData\Local\Temp\svchosty.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchosty.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4360
      - C:\Users\Admin\AppData\Local\Temp\svchosty.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchosty.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\svchosty.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchosty.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\svchosty.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchosty.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\svchosty.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchosty.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\svchosty.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchosty.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\svchosty.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchosty.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\svchosty.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchosty.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 584
        12⤵
        Program crash
        
        PID:4984
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 580
        11⤵
        Program crash
        
        PID:2896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 584
        10⤵
        Program crash
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 580
        9⤵
        Program crash
        
        PID:2384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 504
        8⤵
        Program crash
        
        PID:1124
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 556
        6⤵
        Program crash
        
        PID:4808
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 552
        5⤵
        Program crash
        
        PID:2284
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 548
      4⤵
      Program crash
      PID:1592
- C:\Users\Admin\AppData\Local\Temp\1275673347.exe
  "C:\Users\Admin\AppData\Local\Temp\1275673347.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3960 -ip 3960
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3696 -ip 3696
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1776 -ip 1776
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2740 -ip 2740
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2736 -ip 2736
1⤵
PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3480 -ip 3480
1⤵
PID:4592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 444 -ip 444
1⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\fFollower.exe
C:\Users\Admin\AppData\Local\Temp\fFollower.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3740 -ip 3740
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4596 -ip 4596
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4360 -ip 4360
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2892 -ip 2892
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2760 -ip 2760
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4492 -ip 4492
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2428 -ip 2428
1⤵
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1CTRFUW\wzdcjrp[1].htm

Filesize
125B

MD5
45a9a2084a44d18bd0f446d6855908e4

SHA1
2b00aab2d6fd2e8fe429facce198d7093559adf1

SHA256
2ef87fbd5f3ec904bc116f3654421f4c53dc5438bbf36fa029dc8af8813f9646

SHA512
5e5d0c962cfa6faffafd32e10d1e38d90e12c184ab77d72907108b98bf73bdee685300c44ffae937203c7f74ecb8110794b542a4c3ba4831c9b3bafc77dc4d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\1275673347.exe

Filesize
96KB

MD5
481317e395c99048099d7cac6cee51f6

SHA1
2acdfe506b32c1fbfd8ee2b04745b23c44b74e78

SHA256
7488cc79107e3b1a60669ad8e63aadc796202b1856aab4d540bbe4fbd8741c79

SHA512
7bbdf30ae0c3455685262f668ad70675fdda99703395a9d4aacfec20687886bf833c1fd045bcf395eb28d0d2387d5ab8f1e981f644c5a51441efd8993a023424

Download Submit
C:\Users\Admin\AppData\Local\Temp\1your_exe.exe

Filesize
22KB

MD5
e167b560b55f79b3a5e03270e93d3cfd

SHA1
3b027a5edcac28170e4abb9fae48328f7a441b9d

SHA256
0407fe93dda5e53b82e450b81ec682d3a64d5b031ee8ca73261443e0c7e9bcf9

SHA512
bef5683cd9187dfd3bcca865698a69c2eb9fa4760139f15a16eadc47487ad90171acdd8da48cbc62858eb79ee66909f363c51bcedda4ac5813322fb052b5a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_load.exe

Filesize
13KB

MD5
21202ea609c5764bf6f24a7c8344a394

SHA1
ce937acd57b5c0a0efa039fc246624cd310ba841

SHA256
14c2265eba1e05758b6f64f20953310cfd0791ae25674c4b1425775edc8e1df3

SHA512
9fb2875a1f8497d959413803d49e82503d0a356bce9d3419fc40e03d3ee55f05f24327b25b40626ab8a8535ab21963cbde13fcb05d096fe67ba69c6349296eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\4_pinnew.exe

Filesize
38KB

MD5
4f4285d6e5169fb72e11bb98d53c7243

SHA1
ce1b58617d4eedab42386484c5f7b6f72d33dc53

SHA256
5c7574c3bb7c489a47325ab11c787ab763a67c700d12439d75b49d1a84e88041

SHA512
eab548f9344b9107fdda1140e477bec562b77788764a2aae68e5761d842891552f2e66a7ddd21ec0c2b66f6b000d87e93b80f19af602d1d2003373196d0540c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_ldry3no.exe

Filesize
82KB

MD5
53de5be5e645ba76ad8411eaa74744c1

SHA1
0d94a6a0293820c4e90fcdb6007146e74a24f0ef

SHA256
799dccbddbf417014c3aeca48371d9df76389bb6cf2880a08be582d7f65178d4

SHA512
710f05537267b3ce2b16db2408f8241fb09fb56ac2c85f6ab1592bd32d646c6bb9161a34f194ae7d2b1895a3fca88593f431a9a74c18d1ad1b86c0e97e1bc10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\avto.exe

Filesize
288KB

MD5
9ee0b6e663e779957d1d7bde833a16b9

SHA1
06f64375d3c2d1c5f245ef0d05f8e1a9693a9370

SHA256
93ec99341172ff4cec39dd36ecc07f95256966dd16f310de8722ea51c1af3c78

SHA512
abb05a9d620d9bc36e9923783c76b83b0a5d52cde0299d2c4cb6fb060bfdb977deff499af643cc17cc6bd73eaccbb8118a021c2b7bf30dbe7e8a23aa1fb675ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\fFollower.exe

Filesize
406KB

MD5
06c859d93ff64a10e2ff5fbf66551674

SHA1
91bb34d719ac399f71801e932357c11f2022ae57

SHA256
5793c4702a132ff09bcd9fb6f2ff460e7cc08af41a756f08e22fec8a39ba05e0

SHA512
18ef5abd1fa1c8dc019de915513eea3ead7d1e829a57efdf49a839fe58f0cf35fe7ff67b10dabf975c1ae7cc1e6502a963845108a55414d0ef59b3e9534be506

Download Submit
C:\Users\Admin\AppData\Local\Temp\miragge.exe

Filesize
131KB

MD5
eb5ef99e16e408979d0d4a2aa7bc107f

SHA1
3847fc4f39f06311991c20c2a6cf0a9178fd5b40

SHA256
e1c529aa3a5fcc7c7e97d1d21390d575e194952f88bff45aeb250446749e1d89

SHA512
22e8ef2f5c65c092ff0e7af493f3d6130cc78aea2e826677e6f8f34b2d8b29411438dd541e51ec880cef5942c81c60c50f412a20988a5f16f4cb8fbbd89662cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\opeDBE2.exe

Filesize
403KB

MD5
76a912b04174bbd59c9bf93ed5846efc

SHA1
0142a71e613d8a1f88c0bff9be4704b3df7e0c76

SHA256
fdabec00116dfe7ee8e1019623186432f7f315911cd902b68cc77f887544848c

SHA512
17a8e66f78c21698afff883c3d79ef34c044e139b13b89c25577975bcd8e4e93c51dc79846069a4eec28fa7405d05cfb1bc7c8a6f39e47e9ed83782938e9e754

Download Submit
C:\Users\Admin\AppData\Local\Temp\q1.exe

Filesize
287KB

MD5
95e44a25c33c5d8242e6085fbc02b7a4

SHA1
9770f29496bc4c8da7c499bc6b220891a16c004e

SHA256
3fdd52e7c0f0ec6e43f3e920a2368b4dadf845a8c314640b6f38975e2cf055dd

SHA512
222c976d30f2d51abbcf048ac45439c90e5a945a90b2996890c4a919630ff75c7c1f9712656c08d21e91dfa890dc310a08a5b0632ec3bf86a11ce9e56f861140

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchosty.exe

Filesize
291KB

MD5
0f58fd041d61178c3aeb038e9aa8ab3e

SHA1
fdd93eefdb61854b7bfa97eb73b835ee32ee3ff9

SHA256
af07bcb366b3c768550f3a2043b2b1828d1ce1b1d0d41733b33f04302a9620db

SHA512
13ecaa1a2ae5fd58a1c204cf4988ef82ddfb48e27ed093fda25ecca64e928c1bc97e5d3a165ec6594e6202d60ca7c853dfe3fcd7c32aa467d7f9a64c28f065ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\teste1_p.exe

Filesize
349KB

MD5
b305d3991789bf36aaed61c8ff026b3f

SHA1
e001e7dd0f0ae06bdfa90f0fb3e604d3d78a2eeb

SHA256
1aafa2d2ded9af080af38ec664c6974c1319cbeddee6aa367623c727962e0266

SHA512
9accfe156468dd9f84c3c4138f351fb513f0a4e8e1d48c56706d2057f549adc556f0cb6e4ccc741c51b7583afda20d659b53c71941aed11db8828355137197de

Download Submit
memory/612-107-0x0000000026010000-0x0000000026027000-memory.dmp

Filesize
92KB

Download
memory/612-125-0x0000000026050000-0x0000000026067000-memory.dmp

Filesize
92KB

Download
memory/612-172-0x0000000026110000-0x0000000026127000-memory.dmp

Filesize
92KB

Download
memory/612-71-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/612-116-0x0000000026030000-0x0000000026047000-memory.dmp

Filesize
92KB

Download
memory/612-178-0x0000000026130000-0x0000000026147000-memory.dmp

Filesize
92KB

Download
memory/612-78-0x0000000025FD0000-0x0000000025FE7000-memory.dmp

Filesize
92KB

Download
memory/612-166-0x00000000260F0000-0x0000000026107000-memory.dmp

Filesize
92KB

Download
memory/612-138-0x0000000026070000-0x0000000026087000-memory.dmp

Filesize
92KB

Download
memory/612-152-0x00000000260B0000-0x00000000260C7000-memory.dmp

Filesize
92KB

Download
memory/612-157-0x00000000260D0000-0x00000000260E7000-memory.dmp

Filesize
92KB

Download
memory/612-92-0x0000000025FF0000-0x0000000026007000-memory.dmp

Filesize
92KB

Download
memory/612-147-0x0000000026090000-0x00000000260A7000-memory.dmp

Filesize
92KB

Download
memory/1776-21-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1776-580-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1776-29-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1776-52-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1776-42-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2736-171-0x0000000000400000-0x000000000090F000-memory.dmp

Filesize
5.1MB

Download
memory/2992-1-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/2992-146-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/2992-2-0x0000000000400000-0x00000000006D2000-memory.dmp

Filesize
2.8MB

Download
memory/2992-0-0x000000000065E000-0x00000000006D0000-memory.dmp

Filesize
456KB

Download
memory/3340-917-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3340-294-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3696-53-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3696-581-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3696-47-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3696-23-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5068-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download