b4420920593ccd0a26d9a99b8a8d027a1232a09148b074a983bfa1e850dd3ff2

Analysis

max time kernel
16s
max time network
16s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 18:10

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

dcc6b52d7842b93ca9ca99adb1bb6aca_JaffaCakes118.msi
Size

7.1MB
MD5

dcc6b52d7842b93ca9ca99adb1bb6aca
SHA1

61b6684ecc133f98e62226838177fbb867211385
SHA256

b4420920593ccd0a26d9a99b8a8d027a1232a09148b074a983bfa1e850dd3ff2
SHA512

2f13eda67d438cb3e13fb47a83a1bcc2ecccdac640dc9646ef0462d311e56c27544bfe7ce1fb324eec93611d01b9fc38c43cad824712bb25a970b29b4b9fb425
SSDEEP

196608:DL4WstqqyuOsO/4MhiLX3HUP8zNvvn21IKXKlyOzw:DkWfHuOsOgMhij3dzhenVT

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\npf.sys	update.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	MSI8989.tmp

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Packet.dll	update.exe
File created	C:\Windows\system32\wpcap.dll	update.exe
File created	C:\Windows\system32\Packet.dll	update.exe
File created	C:\Windows\SysWOW64\pthreadVC.dll	update.exe
File created	C:\Windows\SysWOW64\wpcap.dll	update.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	update.exe
File created	C:\Program Files\WinPcap\LICENSE	update.exe
File created	C:\Program Files\WinPcap\uninstall.exe	update.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI86C8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8794.tmp	msiexec.exe
File created	C:\Windows\sysupdate.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI84C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85FA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8679.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{40360E66-1CE1-4EB2-A89A-697A94459BA9}	msiexec.exe
File opened for modification	C:\Windows\Installer\e578472.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8989.tmp	msiexec.exe
File created	C:\Windows\Installer\e578472.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI862A.tmp	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
1224	MSI8989.tmp
984	instsrv.exe
4080	update.exe

Loads dropped DLL 10 IoCs

pid	Process
3308	MsiExec.exe
3308	MsiExec.exe
3308	MsiExec.exe
3308	MsiExec.exe
3308	MsiExec.exe
4080	update.exe
4080	update.exe
4080	update.exe
4080	update.exe
4080	update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4728	msiexec.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	instsrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI8989.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234bd-107.dat	nsis_installer_1
behavioral2/files/0x00070000000234bd-107.dat	nsis_installer_2

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "233"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Runs .reg file with regedit 1 IoCs

pid	Process
716	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4596	msiexec.exe
4596	msiexec.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4728	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4728	msiexec.exe
Token: SeSecurityPrivilege	4596	msiexec.exe
Token: SeCreateTokenPrivilege	4728	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4728	msiexec.exe
Token: SeLockMemoryPrivilege	4728	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4728	msiexec.exe
Token: SeMachineAccountPrivilege	4728	msiexec.exe
Token: SeTcbPrivilege	4728	msiexec.exe
Token: SeSecurityPrivilege	4728	msiexec.exe
Token: SeTakeOwnershipPrivilege	4728	msiexec.exe
Token: SeLoadDriverPrivilege	4728	msiexec.exe
Token: SeSystemProfilePrivilege	4728	msiexec.exe
Token: SeSystemtimePrivilege	4728	msiexec.exe
Token: SeProfSingleProcessPrivilege	4728	msiexec.exe
Token: SeIncBasePriorityPrivilege	4728	msiexec.exe
Token: SeCreatePagefilePrivilege	4728	msiexec.exe
Token: SeCreatePermanentPrivilege	4728	msiexec.exe
Token: SeBackupPrivilege	4728	msiexec.exe
Token: SeRestorePrivilege	4728	msiexec.exe
Token: SeShutdownPrivilege	4728	msiexec.exe
Token: SeDebugPrivilege	4728	msiexec.exe
Token: SeAuditPrivilege	4728	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4728	msiexec.exe
Token: SeChangeNotifyPrivilege	4728	msiexec.exe
Token: SeRemoteShutdownPrivilege	4728	msiexec.exe
Token: SeUndockPrivilege	4728	msiexec.exe
Token: SeSyncAgentPrivilege	4728	msiexec.exe
Token: SeEnableDelegationPrivilege	4728	msiexec.exe
Token: SeManageVolumePrivilege	4728	msiexec.exe
Token: SeImpersonatePrivilege	4728	msiexec.exe
Token: SeCreateGlobalPrivilege	4728	msiexec.exe
Token: SeRestorePrivilege	4596	msiexec.exe
Token: SeTakeOwnershipPrivilege	4596	msiexec.exe
Token: SeRestorePrivilege	4596	msiexec.exe
Token: SeTakeOwnershipPrivilege	4596	msiexec.exe
Token: SeRestorePrivilege	4596	msiexec.exe
Token: SeTakeOwnershipPrivilege	4596	msiexec.exe
Token: SeRestorePrivilege	4596	msiexec.exe
Token: SeTakeOwnershipPrivilege	4596	msiexec.exe
Token: SeRestorePrivilege	4596	msiexec.exe
Token: SeTakeOwnershipPrivilege	4596	msiexec.exe
Token: SeRestorePrivilege	4596	msiexec.exe
Token: SeTakeOwnershipPrivilege	4596	msiexec.exe
Token: SeRestorePrivilege	4596	msiexec.exe
Token: SeTakeOwnershipPrivilege	4596	msiexec.exe
Token: SeRestorePrivilege	4596	msiexec.exe
Token: SeTakeOwnershipPrivilege	4596	msiexec.exe
Token: SeRestorePrivilege	4596	msiexec.exe
Token: SeTakeOwnershipPrivilege	4596	msiexec.exe
Token: SeRestorePrivilege	4596	msiexec.exe
Token: SeTakeOwnershipPrivilege	4596	msiexec.exe
Token: SeShutdownPrivilege	4596	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4728	msiexec.exe
4728	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4904	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3308	4596	msiexec.exe	85
PID 4596 wrote to memory of 3308	4596	msiexec.exe	85
PID 4596 wrote to memory of 3308	4596	msiexec.exe	85
PID 4596 wrote to memory of 1224	4596	msiexec.exe	89
PID 4596 wrote to memory of 1224	4596	msiexec.exe	89
PID 4596 wrote to memory of 1224	4596	msiexec.exe	89
PID 1224 wrote to memory of 2520	1224	MSI8989.tmp	90
PID 1224 wrote to memory of 2520	1224	MSI8989.tmp	90
PID 1224 wrote to memory of 2520	1224	MSI8989.tmp	90
PID 2520 wrote to memory of 984	2520	cmd.exe	92
PID 2520 wrote to memory of 984	2520	cmd.exe	92
PID 2520 wrote to memory of 984	2520	cmd.exe	92
PID 2520 wrote to memory of 716	2520	cmd.exe	93
PID 2520 wrote to memory of 716	2520	cmd.exe	93
PID 2520 wrote to memory of 716	2520	cmd.exe	93
PID 2520 wrote to memory of 4080	2520	cmd.exe	94
PID 2520 wrote to memory of 4080	2520	cmd.exe	94
PID 2520 wrote to memory of 4080	2520	cmd.exe	94
PID 4080 wrote to memory of 404	4080	update.exe	95
PID 4080 wrote to memory of 404	4080	update.exe	95
PID 4080 wrote to memory of 404	4080	update.exe	95
PID 404 wrote to memory of 876	404	net.exe	97
PID 404 wrote to memory of 876	404	net.exe	97
PID 404 wrote to memory of 876	404	net.exe	97
PID 4080 wrote to memory of 540	4080	update.exe	98
PID 4080 wrote to memory of 540	4080	update.exe	98
PID 4080 wrote to memory of 540	4080	update.exe	98
PID 540 wrote to memory of 2632	540	net.exe	100
PID 540 wrote to memory of 2632	540	net.exe	100
PID 540 wrote to memory of 2632	540	net.exe	100
PID 3308 wrote to memory of 3576	3308	MsiExec.exe	101
PID 3308 wrote to memory of 3576	3308	MsiExec.exe	101
PID 3308 wrote to memory of 3576	3308	MsiExec.exe	101
PID 3308 wrote to memory of 3156	3308	MsiExec.exe	103
PID 3308 wrote to memory of 3156	3308	MsiExec.exe	103
PID 3308 wrote to memory of 3156	3308	MsiExec.exe	103
PID 3308 wrote to memory of 2132	3308	MsiExec.exe	105
PID 3308 wrote to memory of 2132	3308	MsiExec.exe	105
PID 3308 wrote to memory of 2132	3308	MsiExec.exe	105
PID 3308 wrote to memory of 4136	3308	MsiExec.exe	107
PID 3308 wrote to memory of 4136	3308	MsiExec.exe	107
PID 3308 wrote to memory of 4136	3308	MsiExec.exe	107
PID 3308 wrote to memory of 1416	3308	MsiExec.exe	111
PID 3308 wrote to memory of 1416	3308	MsiExec.exe	111
PID 3308 wrote to memory of 1416	3308	MsiExec.exe	111
PID 3308 wrote to memory of 1160	3308	MsiExec.exe	113
PID 3308 wrote to memory of 1160	3308	MsiExec.exe	113
PID 3308 wrote to memory of 1160	3308	MsiExec.exe	113
PID 3308 wrote to memory of 3212	3308	MsiExec.exe	115
PID 3308 wrote to memory of 3212	3308	MsiExec.exe	115
PID 3308 wrote to memory of 3212	3308	MsiExec.exe	115
PID 3308 wrote to memory of 4256	3308	MsiExec.exe	119
PID 3308 wrote to memory of 4256	3308	MsiExec.exe	119
PID 3308 wrote to memory of 4256	3308	MsiExec.exe	119
PID 3308 wrote to memory of 1100	3308	MsiExec.exe	121
PID 3308 wrote to memory of 1100	3308	MsiExec.exe	121
PID 3308 wrote to memory of 1100	3308	MsiExec.exe	121
PID 3308 wrote to memory of 5040	3308	MsiExec.exe	123
PID 3308 wrote to memory of 5040	3308	MsiExec.exe	123
PID 3308 wrote to memory of 5040	3308	MsiExec.exe	123
PID 3308 wrote to memory of 716	3308	MsiExec.exe	125
PID 3308 wrote to memory of 716	3308	MsiExec.exe	125
PID 3308 wrote to memory of 716	3308	MsiExec.exe	125
PID 3308 wrote to memory of 1240	3308	MsiExec.exe	127

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\dcc6b52d7842b93ca9ca99adb1bb6aca_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4728

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0A67B6F53A3639C5C766B1E2569893F0
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3576
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3156
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2132
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4136
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1416
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1160
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3212
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4256
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1100
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5040
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:716
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1240
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:876
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1300
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8443 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3436
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1224
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2316
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4332
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3228
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4152
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1648
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4564
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2376
- C:\Windows\Installer\MSI8989.tmp
  "C:\Windows\Installer\MSI8989.tmp" /HideWindow "C:\Msupdate\service.bat"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Msupdate\service.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - \??\c:\Msupdate\instsrv.exe
      c:\Msupdate\instsrv.exe Msupdate c:\Msupdate\srvany.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:984
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s 1.reg
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:716
  - - C:\Msupdate\update.exe
      update.exe /S
      4⤵
      Drops file in Drivers directory
      Drops file in System32 directory
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Windows\SysWOW64\net.exe
        
        net stop npf
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:404
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:876
    - - C:\Windows\SysWOW64\net.exe
        
        net start npf
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:540
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2632

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa394c855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e578475.rbs

Filesize
13KB

MD5
714b3f24cca1309cf1a2527128560a24

SHA1
e5b8557056dbeb6b68535a5d25bf2e7027dfaf7f

SHA256
93f84d718573d612cd18a927f7ad8c4d27adb409309464f1685110922ec2be31

SHA512
85659b263282fcfa31d5b91be6331ee7dc2a9409abe69a4d94b27f803a1da16c5f200fd5fe318013a7083067e7118a57f42ae6ad8b3fe2c9f32cceb17f755572

Download Submit
C:\Msupdate\1.reg

Filesize
416B

MD5
8dacf3ded9159fb1f5b065215e1fd8aa

SHA1
0c43e91b996ca72b75a02de3f85a695ded7a4a5e

SHA256
1d5766733fdbeb1ecd8ddc4c49634d96024398621a55f3de9d20dbdc9f3c24c5

SHA512
a682ce938d8ecb78fd93e085c35f868968ad9e94b571fcf4de3c007314dfa5495304e31f643f8f3df2f553dadd6cc65f932479103c7570c4ba9939839d6eb0c6

Download Submit
C:\Msupdate\instsrv.exe

Filesize
31KB

MD5
9f7acaad365af0d1a3cd9261e3208b9b

SHA1
b4c7049562e770093e707ac1329cb37ad6313a37

SHA256
f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c

SHA512
6847bb10cf08f7e594907b5d160768e60468b14a62cdd87ad33dcc0bc2b523549c1c91e9854069ca11ee074e43a6f41f11351201626922c02aaea41fd32c2a54

Download Submit
C:\Msupdate\service.bat

Filesize
88B

MD5
b10428f1774d2caa81092891a980f9e7

SHA1
6fb6df8cb4d293c0e0264c83d97f016fbb0da926

SHA256
884abdf05624ab4d76db2e35720014a616378d299a8c64ab3743d9320258886c

SHA512
9412ac38e876f9232172c6ff6d890dd0c2d1258126bf712602a9e5795ed52aadebad113fc0b985557b615f6305b704ce19bb3440942ee02f56b06793cb4ee105

Download Submit
C:\Msupdate\update.exe

Filesize
422KB

MD5
c6f1d4a6cccd04e4b15a96942372d5f7

SHA1
2f79839fe5cb740f21b29dae3181f43c1ae9de9c

SHA256
89b74dc79f229b0488bf43b552da9f84864a6a38c11039898e4f9d854411a26e

SHA512
1ce87f5b4b0897a6a4cd4d9a58548db47d335eba860714598b297a939e476edc6a8b3e597b71ee92e655857c2320f5812e375da4d67d503e70623f6828eb2119

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw8B3A.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw8B3A.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
C:\Windows\Installer\MSI84C0.tmp

Filesize
243KB

MD5
aaab8d3f7e9e8f143a17a0d15a1d1715

SHA1
8aca4e362e4cdc68c2f8f8f35f200126716f9c74

SHA256
fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889

SHA512
1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

Download Submit
C:\Windows\Installer\MSI8679.tmp

Filesize
380KB

MD5
3eb31b9a689d506f3b1d3738d28ab640

SHA1
1681fe3bbdcbe617a034b092ea77249dd4c3e986

SHA256
3a7d9cdd6be9ce0e4d01e9894242b497536336bf1850fb0a814a369c8a189c46

SHA512
2598e39f4fd139775bbb040218af802db722d4dca99a4230edfde282362b433c5e30c15d5385063aa76bff916031b0e43586ef05d2ada4edc3c1410371b98e09

Download Submit
C:\Windows\Installer\MSI8989.tmp

Filesize
17KB

MD5
73c578ca2383a2e7f4687cdee410aefe

SHA1
431b7de3091245b3affbf1911da17a6964b813dc

SHA256
67fdafaf7c115fab48e50b3031f8b7f599770ca333321ded1dcb24db06fe6db1

SHA512
915d88ec68e061c880f319345a4e5d709b4e789b5cc3c6a1c84fd83cc95fe765ef7324a722abf8935f2f8567bffbb3ede9e78fb4baa3f004118959f7ae7f43dd

Download Submit
\??\c:\Msupdate\srvany.exe

Filesize
8KB

MD5
4635935fc972c582632bf45c26bfcb0e

SHA1
7c5329229042535fe56e74f1f246c6da8cea3be8

SHA256
abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1

SHA512
167503133b5a0ebd9f8b2971bca120e902497eb21542d6a1f94e52ae8e5b6bde1e4cae1a2c905870a00d772e0df35f808701e2cfbd26dcbb130a5573fa590060

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads