88e2ce9606dee00f972a705a939bf3b1fdd5e6870757cd27f820efa00798432c

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe
Size

6.1MB
MD5

b6996f1307bf63655e005fbd11665cab
SHA1

de837b07acd5f03db04ffe9b95cb2293dfa5c529
SHA256

88e2ce9606dee00f972a705a939bf3b1fdd5e6870757cd27f820efa00798432c
SHA512

83308f72939312279fec986609ff508a2936847a7339fdfa40a45a7d4494cda8503fb16428d550bef220839d2f4e788e3fe54b755ebb28968de74111ba5db8ab
SSDEEP

98304:8zsVLT0V6JYlrI4REFGsRNxqsMzC+IyK+zxYvM1djrUab1MZpr8hD8PF3admsR2l:8i9JQDENY9V+M3Ug0MNxo00AfW96m

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 11 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2440	netsh.exe
1724	netsh.exe
3052	netsh.exe
2044	netsh.exe
2472	netsh.exe
1064	netsh.exe
2736	netsh.exe
2224	netsh.exe
1188	netsh.exe
2524	netsh.exe
1304	netsh.exe

Executes dropped EXE 45 IoCs

pid	Process
2564	Fbot.exe
2628	Fbot.exe
1192	svchosts.exe
2600	Install.exe
2700	svchosts.exe
1100	ri0t.exe
2588	ri0t.exe
656	dlmanager.exe
1632	dlmanager.exe
1600	svchosts.exe
2772	svchosts.exe
2740	dlmanager.exe
2552	dlmanager.exe
1100	svchosts.exe
1720	svchosts.exe
1744	dlmanager.exe
1984	dlmanager.exe
468	svchosts.exe
1860	svchosts.exe
1416	dlmanager.exe
1028	dlmanager.exe
656	svchosts.exe
2624	svchosts.exe
2460	dlmanager.exe
1780	dlmanager.exe
1164	svchosts.exe
2100	svchosts.exe
2120	dlmanager.exe
756	dlmanager.exe
2632	svchosts.exe
2680	svchosts.exe
2712	dlmanager.exe
2804	dlmanager.exe
1924	svchosts.exe
1864	svchosts.exe
2852	dlmanager.exe
2644	dlmanager.exe
1752	svchosts.exe
2424	svchosts.exe
2720	dlmanager.exe
2900	dlmanager.exe
808	svchosts.exe
2092	dlmanager.exe
2516	svchosts.exe
964	dlmanager.exe

Loads dropped DLL 49 IoCs

pid	Process
2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe
2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe
2564	Fbot.exe
2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe
2628	Fbot.exe
2628	Fbot.exe
1192	svchosts.exe
2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe
2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe
1100	ri0t.exe
2588	ri0t.exe
2588	ri0t.exe
656	dlmanager.exe
2700	svchosts.exe
2700	svchosts.exe
1632	dlmanager.exe
1632	dlmanager.exe
2772	svchosts.exe
2772	svchosts.exe
2552	dlmanager.exe
2552	dlmanager.exe
1720	svchosts.exe
1720	svchosts.exe
1984	dlmanager.exe
1984	dlmanager.exe
1860	svchosts.exe
1860	svchosts.exe
1028	dlmanager.exe
1028	dlmanager.exe
2624	svchosts.exe
2624	svchosts.exe
1780	dlmanager.exe
1780	dlmanager.exe
2100	svchosts.exe
2100	svchosts.exe
756	dlmanager.exe
756	dlmanager.exe
2680	svchosts.exe
2680	svchosts.exe
2804	dlmanager.exe
2804	dlmanager.exe
1864	svchosts.exe
1864	svchosts.exe
2644	dlmanager.exe
2644	dlmanager.exe
2424	svchosts.exe
2424	svchosts.exe
2900	dlmanager.exe
2900	dlmanager.exe

Drops file in System32 directory 44 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File opened for modification	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File created	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	Fbot.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\dlmanager.exe	ri0t.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File opened for modification	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File opened for modification	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File created	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File opened for modification	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File created	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File created	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	Fbot.exe
File opened for modification	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\dlmanager.exe	ri0t.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File opened for modification	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File created	C:\Windows\SysWOW64\dlmanager.exe	dlmanager.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe

Suspicious use of SetThreadContext 22 IoCs

description	pid	Process	procid_target
PID 2564 set thread context of 2628	2564	Fbot.exe	32
PID 1192 set thread context of 2700	1192	svchosts.exe	35
PID 1100 set thread context of 2588	1100	ri0t.exe	37
PID 656 set thread context of 1632	656	dlmanager.exe	40
PID 1600 set thread context of 2772	1600	svchosts.exe	46
PID 2740 set thread context of 2552	2740	dlmanager.exe	48
PID 1100 set thread context of 1720	1100	svchosts.exe	51
PID 1744 set thread context of 1984	1744	dlmanager.exe	53
PID 468 set thread context of 1860	468	svchosts.exe	56
PID 1416 set thread context of 1028	1416	dlmanager.exe	58
PID 656 set thread context of 2624	656	svchosts.exe	61
PID 2460 set thread context of 1780	2460	dlmanager.exe	63
PID 1164 set thread context of 2100	1164	svchosts.exe	66
PID 2120 set thread context of 756	2120	dlmanager.exe	68
PID 2632 set thread context of 2680	2632	svchosts.exe	71
PID 2712 set thread context of 2804	2712	dlmanager.exe	73
PID 1924 set thread context of 1864	1924	svchosts.exe	76
PID 2852 set thread context of 2644	2852	dlmanager.exe	78
PID 1752 set thread context of 2424	1752	svchosts.exe	81
PID 2720 set thread context of 2900	2720	dlmanager.exe	83
PID 808 set thread context of 2516	808	svchosts.exe	87
PID 2092 set thread context of 964	2092	dlmanager.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 33 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ri0t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ri0t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlmanager.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2564	2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2564	2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2564	2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2564	2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe	31
PID 2564 wrote to memory of 2628	2564	Fbot.exe	32
PID 2564 wrote to memory of 2628	2564	Fbot.exe	32
PID 2564 wrote to memory of 2628	2564	Fbot.exe	32
PID 2564 wrote to memory of 2628	2564	Fbot.exe	32
PID 2564 wrote to memory of 2628	2564	Fbot.exe	32
PID 2564 wrote to memory of 2628	2564	Fbot.exe	32
PID 2628 wrote to memory of 1192	2628	Fbot.exe	34
PID 2628 wrote to memory of 1192	2628	Fbot.exe	34
PID 2628 wrote to memory of 1192	2628	Fbot.exe	34
PID 2628 wrote to memory of 1192	2628	Fbot.exe	34
PID 2668 wrote to memory of 2600	2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2600	2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2600	2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2600	2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2600	2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2600	2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2600	2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe	33
PID 1192 wrote to memory of 2700	1192	svchosts.exe	35
PID 1192 wrote to memory of 2700	1192	svchosts.exe	35
PID 1192 wrote to memory of 2700	1192	svchosts.exe	35
PID 1192 wrote to memory of 2700	1192	svchosts.exe	35
PID 1192 wrote to memory of 2700	1192	svchosts.exe	35
PID 1192 wrote to memory of 2700	1192	svchosts.exe	35
PID 2668 wrote to memory of 1100	2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe	36
PID 2668 wrote to memory of 1100	2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe	36
PID 2668 wrote to memory of 1100	2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe	36
PID 2668 wrote to memory of 1100	2668	b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe	36
PID 1100 wrote to memory of 2588	1100	ri0t.exe	37
PID 1100 wrote to memory of 2588	1100	ri0t.exe	37
PID 1100 wrote to memory of 2588	1100	ri0t.exe	37
PID 1100 wrote to memory of 2588	1100	ri0t.exe	37
PID 1100 wrote to memory of 2588	1100	ri0t.exe	37
PID 1100 wrote to memory of 2588	1100	ri0t.exe	37
PID 2588 wrote to memory of 1064	2588	ri0t.exe	38
PID 2588 wrote to memory of 1064	2588	ri0t.exe	38
PID 2588 wrote to memory of 1064	2588	ri0t.exe	38
PID 2588 wrote to memory of 1064	2588	ri0t.exe	38
PID 2588 wrote to memory of 656	2588	ri0t.exe	39
PID 2588 wrote to memory of 656	2588	ri0t.exe	39
PID 2588 wrote to memory of 656	2588	ri0t.exe	39
PID 2588 wrote to memory of 656	2588	ri0t.exe	39
PID 656 wrote to memory of 1632	656	dlmanager.exe	40
PID 656 wrote to memory of 1632	656	dlmanager.exe	40
PID 656 wrote to memory of 1632	656	dlmanager.exe	40
PID 656 wrote to memory of 1632	656	dlmanager.exe	40
PID 656 wrote to memory of 1632	656	dlmanager.exe	40
PID 656 wrote to memory of 1632	656	dlmanager.exe	40
PID 1632 wrote to memory of 2440	1632	dlmanager.exe	41
PID 1632 wrote to memory of 2440	1632	dlmanager.exe	41
PID 1632 wrote to memory of 2440	1632	dlmanager.exe	41
PID 1632 wrote to memory of 2440	1632	dlmanager.exe	41
PID 2600 wrote to memory of 1880	2600	Install.exe	42
PID 2600 wrote to memory of 1880	2600	Install.exe	42
PID 2600 wrote to memory of 1880	2600	Install.exe	42
PID 2600 wrote to memory of 1880	2600	Install.exe	42
PID 1880 wrote to memory of 2972	1880	cmd.exe	44
PID 1880 wrote to memory of 2972	1880	cmd.exe	44
PID 1880 wrote to memory of 2972	1880	cmd.exe	44
PID 1880 wrote to memory of 2972	1880	cmd.exe	44
PID 2700 wrote to memory of 1600	2700	svchosts.exe	45

C:\Users\Admin\AppData\Local\Temp\b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b6996f1307bf63655e005fbd11665cab_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\tempalbert\Fbot.exe
  "C:\Users\Admin\AppData\Local\Temp\tempalbert\Fbot.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\tempalbert\Fbot.exe
    C:\Users\Admin\AppData\Local\Temp\tempalbert\Fbot.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\svchosts.exe
      C:\Windows\system32\svchosts.exe 476 "C:\Users\Admin\AppData\Local\Temp\tempalbert\Fbot.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1192
    - - C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\SysWOW64\svchosts.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\system32\svchosts.exe 520 "C:\Windows\SysWOW64\svchosts.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\SysWOW64\svchosts.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\system32\svchosts.exe 524 "C:\Windows\SysWOW64\svchosts.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\SysWOW64\svchosts.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\system32\svchosts.exe 532 "C:\Windows\SysWOW64\svchosts.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\SysWOW64\svchosts.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\system32\svchosts.exe 524 "C:\Windows\SysWOW64\svchosts.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:656
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\SysWOW64\svchosts.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\system32\svchosts.exe 528 "C:\Windows\SysWOW64\svchosts.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\SysWOW64\svchosts.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\system32\svchosts.exe 524 "C:\Windows\SysWOW64\svchosts.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\SysWOW64\svchosts.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\system32\svchosts.exe 532 "C:\Windows\SysWOW64\svchosts.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\SysWOW64\svchosts.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\system32\svchosts.exe 524 "C:\Windows\SysWOW64\svchosts.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\SysWOW64\svchosts.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\system32\svchosts.exe 528 "C:\Windows\SysWOW64\svchosts.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\svchosts.exe
        
        C:\Windows\SysWOW64\svchosts.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2516
- C:\Users\Admin\AppData\Local\Temp\tempalbert\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\tempalbert\Install.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Windows Vista SP2 Activator v2.0 By CLoNY.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Windows\SysWOW64\choice.exe
      CHOICE /C ABCDEFGHIJKLMNOPQRSTUVWXYZ /N /M "Which SLIC would you like to install?"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2972
- C:\Users\Admin\AppData\Local\Temp\tempalbert\ri0t.exe
  "C:\Users\Admin\AppData\Local\Temp\tempalbert\ri0t.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Users\Admin\AppData\Local\Temp\tempalbert\ri0t.exe
    C:\Users\Admin\AppData\Local\Temp\tempalbert\ri0t.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\netsh.exe
      netsh.exe firewall add allowedprogram dlmanager.exe dlmanager ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1064
  - - C:\Windows\SysWOW64\dlmanager.exe
      C:\Windows\system32\dlmanager.exe 472 "C:\Users\Admin\AppData\Local\Temp\tempalbert\ri0t.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:656
    - - C:\Windows\SysWOW64\dlmanager.exe
        
        C:\Windows\SysWOW64\dlmanager.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall add allowedprogram dlmanager.exe dlmanager ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2440
      - C:\Windows\SysWOW64\dlmanager.exe
        
        C:\Windows\system32\dlmanager.exe 544 "C:\Windows\SysWOW64\dlmanager.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\dlmanager.exe
        
        C:\Windows\SysWOW64\dlmanager.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall add allowedprogram dlmanager.exe dlmanager ENABLE
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\dlmanager.exe
        
        C:\Windows\system32\dlmanager.exe 552 "C:\Windows\SysWOW64\dlmanager.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\dlmanager.exe
        
        C:\Windows\SysWOW64\dlmanager.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall add allowedprogram dlmanager.exe dlmanager ENABLE
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\dlmanager.exe
        
        C:\Windows\system32\dlmanager.exe 552 "C:\Windows\SysWOW64\dlmanager.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\dlmanager.exe
        
        C:\Windows\SysWOW64\dlmanager.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall add allowedprogram dlmanager.exe dlmanager ENABLE
        12⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\dlmanager.exe
        
        C:\Windows\system32\dlmanager.exe 552 "C:\Windows\SysWOW64\dlmanager.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\dlmanager.exe
        
        C:\Windows\SysWOW64\dlmanager.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall add allowedprogram dlmanager.exe dlmanager ENABLE
        14⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\dlmanager.exe
        
        C:\Windows\system32\dlmanager.exe 552 "C:\Windows\SysWOW64\dlmanager.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\dlmanager.exe
        
        C:\Windows\SysWOW64\dlmanager.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall add allowedprogram dlmanager.exe dlmanager ENABLE
        16⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\dlmanager.exe
        
        C:\Windows\system32\dlmanager.exe 552 "C:\Windows\SysWOW64\dlmanager.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\dlmanager.exe
        
        C:\Windows\SysWOW64\dlmanager.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall add allowedprogram dlmanager.exe dlmanager ENABLE
        18⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\dlmanager.exe
        
        C:\Windows\system32\dlmanager.exe 560 "C:\Windows\SysWOW64\dlmanager.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\dlmanager.exe
        
        C:\Windows\SysWOW64\dlmanager.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall add allowedprogram dlmanager.exe dlmanager ENABLE
        20⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\dlmanager.exe
        
        C:\Windows\system32\dlmanager.exe 552 "C:\Windows\SysWOW64\dlmanager.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\dlmanager.exe
        
        C:\Windows\SysWOW64\dlmanager.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall add allowedprogram dlmanager.exe dlmanager ENABLE
        22⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\dlmanager.exe
        
        C:\Windows\system32\dlmanager.exe 552 "C:\Windows\SysWOW64\dlmanager.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\dlmanager.exe
        
        C:\Windows\SysWOW64\dlmanager.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe firewall add allowedprogram dlmanager.exe dlmanager ENABLE
        24⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Windows Vista SP2 Activator v2.0 By CLoNY.bat

Filesize
7KB

MD5
86c7acb1ff5bbe271601050d770b0920

SHA1
d80171323e83546c4f407814ec7cf8296f67fa76

SHA256
b6a38a31203672d689fd972cc63b936293dbc9832bd97f62a37ffa6ee55e7169

SHA512
d7006b9f14957617c09b279619358270464d5733fa94001a7809a3595d606e96dd283705ed436947046915c8522cf150cd632370959151bf387c4f5fe3ef3009

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\ACRSYSACRPRDCT.bootmgr

Filesize
428KB

MD5
166622fb0027d4f0fd52364d24578956

SHA1
3634665c143e1524b4d2837e4b3b7cfb9aab05f1

SHA256
60c8d6b55f66558bfc3bbad45db8dcdef12fcc807a824c5ff22eae0469473bbb

SHA512
a265bf6960af88eca418cef9f3dda66fe0b2256677215b515b39db5c148040ad21e4ac1c284965b2ab852a17067b052bbb6a86c3e18e8bc01a203561f6e55b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\LENOVOTP-79.XRM-MS

Filesize
2KB

MD5
4baa251d0af2e67eb5d7e231175e9e94

SHA1
abe28d29811d239567f522b6b99ea85eed911a90

SHA256
166ff1fab4c76ea695b57fb8ff902f962399cefb4b7df31c04ec4e8999b76317

SHA512
1358312aa25f5f1dbc17b44040b1f38194116a19ecb023d5de2d87fa82e820b0652703f313aff6849bfa8d4f5088bbc56e5c5280e762a7c7b9a90cb7058c09db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempalbert\Fbot.exe

Filesize
397KB

MD5
d417cba986dfc878f9616d1e685203fd

SHA1
44202945f13941668ee7969502e0ed5da08c67e3

SHA256
e2003d55f9f2211bedaccb57c1a73e5d82dd64ddeb71c10faa04538c3989b6a4

SHA512
80524f1b95511271352f3d3d5379c9c03b96200dd970489b59e0bbe8d2c12a8e7ce9d376fe6dc2d5969031a746077f3ad8a61af2210f9e3e857bc5798ce01a13

Download Submit
\Users\Admin\AppData\Local\Temp\tempalbert\Install.exe

Filesize
5.4MB

MD5
e6078c3f1bef0f6c0d5525515824b04d

SHA1
b9a0be6c84cb717aea8b0d79588e84812cdde4b7

SHA256
ee1060b8d8d296120306ac54a51856a0a7a45e27efd08eab49829260ca24e9c1

SHA512
32a80606ec853027460aee2b1cdb07590000536f277372c9bf2b5f80540e49fff8484a28921e90b1d34b70e809d4c2525cf79a1fcc5d0842534487307245c863

Download Submit
\Users\Admin\AppData\Local\Temp\tempalbert\ri0t.exe

Filesize
393KB

MD5
2a8425ad65aa5421518d317c86c5e6cf

SHA1
bc14db27c135cc57360140dc10a28cb7b3144b29

SHA256
bd4beb5bf95dca7f31e2a5c518d9f3e9167d22a8ddd20a9ab345e12051b94ca0

SHA512
2beb868b3303705aa9fd2506d43fbeaf6f153a985652c3fffcafebcd591a33c505aa10f3c644485a35298a41226d241a23e1ffe9b990c998f90a0a495f72e221

Download Submit
memory/1632-273-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2552-300-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2588-83-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2588-104-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2588-79-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2588-77-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2600-271-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2628-100-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2628-37-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2628-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2628-32-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2628-34-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2628-38-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2700-272-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2772-299-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads