metasploit | 648d78489be85b1db3a8d8da1cf966d97f1d592f8586bdaff608c9afac671642

Analysis

max time kernel
147s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-09-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe
Size

185KB
MD5

e16e4bf03f7f05a58f518ea4eaaa1501
SHA1

050413902dbd7516a209e6749bf83802c2d075fc
SHA256

648d78489be85b1db3a8d8da1cf966d97f1d592f8586bdaff608c9afac671642
SHA512

fee88302c5ec0c2f9ca38876698863e1073e4b76b84b308434e13fa90ca33672537567526eabf283a233c34bab18686a0f7a36acc8c993d264de9bf5b1f9fa2e
SSDEEP

3072:EIDI05N6SGLUPSBEul2zBklsDNEnIkrsnn0UMPcSDM+1+IqewHcvBS9a3FA2YQCr:EI805onUP3rzOlshEI10UM7D8IqewHv3

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 20 IoCs

pid	Process
2712	globalpatch.exe
2764	globalpatch.exe
1176	globalpatch.exe
1888	globalpatch.exe
1512	globalpatch.exe
2512	globalpatch.exe
1892	globalpatch.exe
300	globalpatch.exe
1908	globalpatch.exe
2072	globalpatch.exe
976	globalpatch.exe
3064	globalpatch.exe
2724	globalpatch.exe
2856	globalpatch.exe
2516	globalpatch.exe
2684	globalpatch.exe
2744	globalpatch.exe
2836	globalpatch.exe
1512	globalpatch.exe
3036	globalpatch.exe

Loads dropped DLL 64 IoCs

pid	Process
2104	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe
2712	globalpatch.exe
2712	globalpatch.exe
2712	globalpatch.exe
2712	globalpatch.exe
2764	globalpatch.exe
2764	globalpatch.exe
2764	globalpatch.exe
2764	globalpatch.exe
1176	globalpatch.exe
1176	globalpatch.exe
1176	globalpatch.exe
1176	globalpatch.exe
1888	globalpatch.exe
1888	globalpatch.exe
1888	globalpatch.exe
1888	globalpatch.exe
1512	globalpatch.exe
1512	globalpatch.exe
1512	globalpatch.exe
1512	globalpatch.exe
2512	globalpatch.exe
2512	globalpatch.exe
2512	globalpatch.exe
2512	globalpatch.exe
1892	globalpatch.exe
1892	globalpatch.exe
1892	globalpatch.exe
1892	globalpatch.exe
300	globalpatch.exe
300	globalpatch.exe
300	globalpatch.exe
300	globalpatch.exe
1908	globalpatch.exe
1908	globalpatch.exe
1908	globalpatch.exe
1908	globalpatch.exe
2072	globalpatch.exe
2072	globalpatch.exe
2072	globalpatch.exe
2072	globalpatch.exe
976	globalpatch.exe
976	globalpatch.exe
976	globalpatch.exe
976	globalpatch.exe
3064	globalpatch.exe
3064	globalpatch.exe
3064	globalpatch.exe
3064	globalpatch.exe
2724	globalpatch.exe
2724	globalpatch.exe
2724	globalpatch.exe
2724	globalpatch.exe
2856	globalpatch.exe
2856	globalpatch.exe
2856	globalpatch.exe
2856	globalpatch.exe
2516	globalpatch.exe
2516	globalpatch.exe
2516	globalpatch.exe
2516	globalpatch.exe
2684	globalpatch.exe
2684	globalpatch.exe
2684	globalpatch.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File created	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File created	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File created	C:\Windows\SysWOW64\globalpatch.exe	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File created	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File created	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File created	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File created	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File created	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File created	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File created	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File created	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe
File opened for modification	C:\Windows\SysWOW64\globalpatch.exe	globalpatch.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 3052 set thread context of 2104	3052	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe	31
PID 2712 set thread context of 2764	2712	globalpatch.exe	33
PID 1176 set thread context of 1888	1176	globalpatch.exe	35
PID 1512 set thread context of 2512	1512	globalpatch.exe	37
PID 1892 set thread context of 300	1892	globalpatch.exe	39
PID 1908 set thread context of 2072	1908	globalpatch.exe	41
PID 976 set thread context of 3064	976	globalpatch.exe	43
PID 2724 set thread context of 2856	2724	globalpatch.exe	46
PID 2516 set thread context of 2684	2516	globalpatch.exe	48
PID 2744 set thread context of 2836	2744	globalpatch.exe	50
PID 1512 set thread context of 3036	1512	globalpatch.exe	52

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	globalpatch.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3052	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe
2712	globalpatch.exe
1176	globalpatch.exe
1512	globalpatch.exe
1892	globalpatch.exe
1908	globalpatch.exe
976	globalpatch.exe
2724	globalpatch.exe
2516	globalpatch.exe
2744	globalpatch.exe
1512	globalpatch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2104	3052	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2104	3052	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2104	3052	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2104	3052	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2104	3052	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2104	3052	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2104	3052	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2104	3052	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2104	3052	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe	31
PID 2104 wrote to memory of 2712	2104	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe	32
PID 2104 wrote to memory of 2712	2104	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe	32
PID 2104 wrote to memory of 2712	2104	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe	32
PID 2104 wrote to memory of 2712	2104	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe	32
PID 2104 wrote to memory of 2712	2104	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe	32
PID 2104 wrote to memory of 2712	2104	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe	32
PID 2104 wrote to memory of 2712	2104	e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe	32
PID 2712 wrote to memory of 2764	2712	globalpatch.exe	33
PID 2712 wrote to memory of 2764	2712	globalpatch.exe	33
PID 2712 wrote to memory of 2764	2712	globalpatch.exe	33
PID 2712 wrote to memory of 2764	2712	globalpatch.exe	33
PID 2712 wrote to memory of 2764	2712	globalpatch.exe	33
PID 2712 wrote to memory of 2764	2712	globalpatch.exe	33
PID 2712 wrote to memory of 2764	2712	globalpatch.exe	33
PID 2712 wrote to memory of 2764	2712	globalpatch.exe	33
PID 2712 wrote to memory of 2764	2712	globalpatch.exe	33
PID 2712 wrote to memory of 2764	2712	globalpatch.exe	33
PID 2712 wrote to memory of 2764	2712	globalpatch.exe	33
PID 2712 wrote to memory of 2764	2712	globalpatch.exe	33
PID 2764 wrote to memory of 1176	2764	globalpatch.exe	34
PID 2764 wrote to memory of 1176	2764	globalpatch.exe	34
PID 2764 wrote to memory of 1176	2764	globalpatch.exe	34
PID 2764 wrote to memory of 1176	2764	globalpatch.exe	34
PID 2764 wrote to memory of 1176	2764	globalpatch.exe	34
PID 2764 wrote to memory of 1176	2764	globalpatch.exe	34
PID 2764 wrote to memory of 1176	2764	globalpatch.exe	34
PID 1176 wrote to memory of 1888	1176	globalpatch.exe	35
PID 1176 wrote to memory of 1888	1176	globalpatch.exe	35
PID 1176 wrote to memory of 1888	1176	globalpatch.exe	35
PID 1176 wrote to memory of 1888	1176	globalpatch.exe	35
PID 1176 wrote to memory of 1888	1176	globalpatch.exe	35
PID 1176 wrote to memory of 1888	1176	globalpatch.exe	35
PID 1176 wrote to memory of 1888	1176	globalpatch.exe	35
PID 1176 wrote to memory of 1888	1176	globalpatch.exe	35
PID 1176 wrote to memory of 1888	1176	globalpatch.exe	35
PID 1176 wrote to memory of 1888	1176	globalpatch.exe	35
PID 1176 wrote to memory of 1888	1176	globalpatch.exe	35
PID 1176 wrote to memory of 1888	1176	globalpatch.exe	35
PID 1888 wrote to memory of 1512	1888	globalpatch.exe	36
PID 1888 wrote to memory of 1512	1888	globalpatch.exe	36
PID 1888 wrote to memory of 1512	1888	globalpatch.exe	36
PID 1888 wrote to memory of 1512	1888	globalpatch.exe	36
PID 1888 wrote to memory of 1512	1888	globalpatch.exe	36
PID 1888 wrote to memory of 1512	1888	globalpatch.exe	36
PID 1888 wrote to memory of 1512	1888	globalpatch.exe	36
PID 1512 wrote to memory of 2512	1512	globalpatch.exe	37
PID 1512 wrote to memory of 2512	1512	globalpatch.exe	37
PID 1512 wrote to memory of 2512	1512	globalpatch.exe	37
PID 1512 wrote to memory of 2512	1512	globalpatch.exe	37
PID 1512 wrote to memory of 2512	1512	globalpatch.exe	37
PID 1512 wrote to memory of 2512	1512	globalpatch.exe	37
PID 1512 wrote to memory of 2512	1512	globalpatch.exe	37
PID 1512 wrote to memory of 2512	1512	globalpatch.exe	37
PID 1512 wrote to memory of 2512	1512	globalpatch.exe	37
PID 1512 wrote to memory of 2512	1512	globalpatch.exe	37

C:\Users\Admin\AppData\Local\Temp\e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\globalpatch.exe
    C:\Windows\system32\globalpatch.exe 440 "C:\Users\Admin\AppData\Local\Temp\e16e4bf03f7f05a58f518ea4eaaa1501_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\globalpatch.exe
      C:\Windows\SysWOW64\globalpatch.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\system32\globalpatch.exe 576 "C:\Windows\SysWOW64\globalpatch.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1176
      - C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\SysWOW64\globalpatch.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\system32\globalpatch.exe 576 "C:\Windows\SysWOW64\globalpatch.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\SysWOW64\globalpatch.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\system32\globalpatch.exe 576 "C:\Windows\SysWOW64\globalpatch.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\SysWOW64\globalpatch.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:300
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\system32\globalpatch.exe 576 "C:\Windows\SysWOW64\globalpatch.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\SysWOW64\globalpatch.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\system32\globalpatch.exe 576 "C:\Windows\SysWOW64\globalpatch.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:976
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\SysWOW64\globalpatch.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\system32\globalpatch.exe 576 "C:\Windows\SysWOW64\globalpatch.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\SysWOW64\globalpatch.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\system32\globalpatch.exe 576 "C:\Windows\SysWOW64\globalpatch.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2516
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\SysWOW64\globalpatch.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\system32\globalpatch.exe 576 "C:\Windows\SysWOW64\globalpatch.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\SysWOW64\globalpatch.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\system32\globalpatch.exe 576 "C:\Windows\SysWOW64\globalpatch.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Windows\SysWOW64\globalpatch.exe
        
        C:\Windows\SysWOW64\globalpatch.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3290804112-2823094203-3137964600-1000\699c4b9cdebca7aaea5193cae8a50098_94ea1d76-6d7e-4d9e-abc7-ef9a6a2a9269

Filesize
50B

MD5
5b63d4dd8c04c88c0e30e494ec6a609a

SHA1
884d5a8bdc25fe794dc22ef9518009dcf0069d09

SHA256
4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd

SHA512
15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

Download Submit
\Windows\SysWOW64\globalpatch.exe

Filesize
185KB

MD5
e16e4bf03f7f05a58f518ea4eaaa1501

SHA1
050413902dbd7516a209e6749bf83802c2d075fc

SHA256
648d78489be85b1db3a8d8da1cf966d97f1d592f8586bdaff608c9afac671642

SHA512
fee88302c5ec0c2f9ca38876698863e1073e4b76b84b308434e13fa90ca33672537567526eabf283a233c34bab18686a0f7a36acc8c993d264de9bf5b1f9fa2e

Download Submit
memory/300-176-0x0000000001F50000-0x0000000001F9E000-memory.dmp

Filesize
312KB

Download
memory/300-171-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/300-170-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/300-169-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/976-220-0x0000000000270000-0x00000000002BE000-memory.dmp

Filesize
312KB

Download
memory/976-239-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1176-92-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1176-73-0x00000000001C0000-0x000000000020E000-memory.dmp

Filesize
312KB

Download
memory/1176-75-0x00000000001C0000-0x000000000020E000-memory.dmp

Filesize
312KB

Download
memory/1176-74-0x00000000001C0000-0x000000000020E000-memory.dmp

Filesize
312KB

Download
memory/1512-111-0x0000000000840000-0x000000000088E000-memory.dmp

Filesize
312KB

Download
memory/1512-322-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1512-338-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1512-334-0x00000000002F0000-0x000000000033E000-memory.dmp

Filesize
312KB

Download
memory/1512-324-0x00000000002E0000-0x000000000032E000-memory.dmp

Filesize
312KB

Download
memory/1512-110-0x0000000000840000-0x000000000088E000-memory.dmp

Filesize
312KB

Download
memory/1512-109-0x0000000000840000-0x000000000088E000-memory.dmp

Filesize
312KB

Download
memory/1512-134-0x0000000000840000-0x000000000088E000-memory.dmp

Filesize
312KB

Download
memory/1512-133-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1888-104-0x00000000007A0000-0x00000000007EE000-memory.dmp

Filesize
312KB

Download
memory/1888-98-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/1888-99-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/1888-102-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1892-145-0x0000000000840000-0x000000000088E000-memory.dmp

Filesize
312KB

Download
memory/1892-146-0x0000000000840000-0x000000000088E000-memory.dmp

Filesize
312KB

Download
memory/1892-163-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1908-182-0x0000000000840000-0x000000000088E000-memory.dmp

Filesize
312KB

Download
memory/1908-181-0x0000000000840000-0x000000000088E000-memory.dmp

Filesize
312KB

Download
memory/2072-205-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/2072-204-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/2104-16-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2104-7-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2104-10-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2104-12-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2104-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2104-5-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2104-18-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2104-19-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2104-64-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2512-135-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/2512-140-0x0000000000550000-0x000000000059E000-memory.dmp

Filesize
312KB

Download
memory/2516-289-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2516-274-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/2516-271-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/2516-276-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/2516-275-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/2684-292-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/2712-61-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2712-35-0x00000000001C0000-0x000000000020E000-memory.dmp

Filesize
312KB

Download
memory/2712-36-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2712-33-0x00000000001C0000-0x000000000020E000-memory.dmp

Filesize
312KB

Download
memory/2712-34-0x00000000001C0000-0x000000000020E000-memory.dmp

Filesize
312KB

Download
memory/2724-248-0x00000000008B0000-0x00000000008FE000-memory.dmp

Filesize
312KB

Download
memory/2724-262-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2724-258-0x00000000004C0000-0x000000000050E000-memory.dmp

Filesize
312KB

Download
memory/2724-249-0x00000000008B0000-0x00000000008FE000-memory.dmp

Filesize
312KB

Download
memory/2744-298-0x0000000000270000-0x00000000002BE000-memory.dmp

Filesize
312KB

Download
memory/2744-316-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2744-309-0x0000000000280000-0x00000000002CE000-memory.dmp

Filesize
312KB

Download
memory/2744-296-0x0000000000270000-0x00000000002BE000-memory.dmp

Filesize
312KB

Download
memory/2744-297-0x0000000000270000-0x00000000002BE000-memory.dmp

Filesize
312KB

Download
memory/2764-60-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2764-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2764-66-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2764-63-0x00000000001C0000-0x000000000020E000-memory.dmp

Filesize
312KB

Download
memory/2764-62-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2836-317-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/2836-318-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/2856-267-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/2856-266-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/3036-342-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/3052-21-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3052-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3052-8-0x0000000001CF0000-0x0000000001D3E000-memory.dmp

Filesize
312KB

Download
memory/3052-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3064-237-0x00000000002D0000-0x000000000031E000-memory.dmp

Filesize
312KB

Download
memory/3064-236-0x00000000002D0000-0x000000000031E000-memory.dmp

Filesize
312KB

Download
memory/3064-235-0x00000000002D0000-0x000000000031E000-memory.dmp

Filesize
312KB

Download
memory/3064-244-0x0000000002340000-0x000000000238E000-memory.dmp

Filesize
312KB

Download