Resubmissions
19-09-2024 23:39
240919-3ndh3sxfjj 1019-09-2024 23:29
240919-3gn18swhmd 519-09-2024 23:28
240919-3ggl6awhlc 519-09-2024 20:38
240919-zeqkhazclq 1019-09-2024 20:35
240919-zc3r2szbnp 1019-09-2024 20:30
240919-zajldszamq 5Analysis
-
max time kernel
132s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
19-09-2024 20:35
General
-
Target
ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe
-
Size
212KB
-
MD5
ec2453dbb46e27680ce11ee4d08137e0
-
SHA1
2831bdbbfc67cb405a2231ca7195f4040ee20d60
-
SHA256
0214d1d58efc92256a064dd0a0d0a58c66f576eb260812dbd4905fdde0011dc6
-
SHA512
1f2941be38a9fa7aaec3ad8e64b2c90074d6f4d2fad60a4377597ca422c29c4a49881b1cea598eacb3e41bda25cab616dbf659db99ad728afa89282e75495519
-
SSDEEP
3072:YLca+56U04VjKkXzpicDlsc3w5zaLjBet8AbWF:fjKkXzpicDGc0kBkA
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Control Panel 3 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ec2453dbb46e27680ce11ee4d08137e0_JaffaCakes118.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default2⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb082946f8,0x7ffb08294708,0x7ffb082947183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5632 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5620 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6228 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6308 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe"C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\CC63.tmp\CC64.tmp\CC65.vbs //Nologo4⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\CC63.tmp\mbr.exe"C:\Users\Admin\AppData\Local\Temp\CC63.tmp\mbr.exe"5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CC63.tmp\tools.cmd" "5⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f6⤵
- Sets desktop wallpaper using registry
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\CC63.tmp\jeffpopup.exe"C:\Users\Admin\AppData\Local\Temp\CC63.tmp\jeffpopup.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\CC63.tmp\bobcreep.exe"C:\Users\Admin\AppData\Local\Temp\CC63.tmp\bobcreep.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\CC63.tmp\gdifuncs.exe"C:\Users\Admin\AppData\Local\Temp\CC63.tmp\gdifuncs.exe"5⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
-
-
-
C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe"C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\CC44.tmp\CC45.tmp\CC46.vbs //Nologo4⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,9070559982466120977,59390079917889263,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6204 /prefetch:23⤵
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\YOUDIED 41.txt2⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4b0 0x39c1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5fe943e767a6ee2b697faade5e8c0f3a7
SHA107e62ddad560aaebfde544eb929d65e06e62fe34
SHA256f130d8cef9411d78d8f1af07dced053c71c696fa0d9965253b210424a06aebfe
SHA512ca6096713617368fd33dc188c804875f6b5686d3e7fe5ee3a4f55684188dbf10c29e3dc7af82738ae4633f2dd6791c06c8c70f937db43dd8d2e1175c54ef3d23
-
Filesize
152B
MD52783c40400a8912a79cfd383da731086
SHA1001a131fe399c30973089e18358818090ca81789
SHA256331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5
SHA512b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685
-
Filesize
152B
MD5ff63763eedb406987ced076e36ec9acf
SHA116365aa97cd1a115412f8ae436d5d4e9be5f7b5d
SHA2568f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c
SHA512ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f
-
Filesize
3KB
MD5e87e8a9a8b3a596a2652f5644f08fcdc
SHA100e5f8017ea76efacd255738d3b2f7607ed1f324
SHA256e2132d745949a640902f393214762a06056454fdd41dc50fd319e2c3faec45de
SHA5126b10ce24c824330219effd06fa2bf445b2a7a3a189e1a6bf834051fc182e9bd826f6977e8589a0ec5cb22a59c857008ea45b41aeff1c6a4259494e892a429d37
-
Filesize
1KB
MD5f56038aeae16b1535ec0bb419b970d4a
SHA19744b9a389052e6aa00efa13a8cd7e605c009a7b
SHA256f4a74acb2cb9ca5709d22a6e95583eee0b722cbc9b1baefc3f72756bb4ccd22d
SHA5124cf4b729d496db97ab66eae27183e6bb414a9063aae7e541924591526a0e5d5c3856745a1b095f2dce1975e71eb8ff7adcb7119761fc93608280d1c8544c802a
-
Filesize
862B
MD59ebef7b167f3202bd6d957faf3651ac9
SHA1b5dd285abb72c15ec877d669a2d335ca729a4ec8
SHA2560cc24e8c69609f4598330eefb59d9d4230f93f48583d0ab8dd66aaa3a83f4e73
SHA512126e1d8b7963fd754bf52795bd1ec23cda1775c9da59634027f982639040087a0cdcfc16d7dd650034c57e62f5d178e370d61ecfe0c19302fde00152863073ed
-
Filesize
7KB
MD54baf566d9bb9ff604984a866c3760e80
SHA127c57d8a0366f6535bb2ae1d9f4cdbdaef4303fd
SHA2561db545179a27ff3c4dafe7df7e92fcf1de64c6a1eb1f49f361242abcb5c2ee9c
SHA51298c6e422398e82d926bc1e8a06ceb575198eb296e6c7c40cd08671da2d4134f8f5c8bc3b11ab297d2bf81e33b266c78d61559f6e15886e6107ac7daffa90aa18
-
Filesize
7KB
MD5aadd0f953f642df6023f8134b1669d65
SHA1311e2cd30110c24a635550e6ec6fe51ef29070e0
SHA256885527e2fde05584bc152c9a02916c652fa9a19c2ad3ec460f95fa4fe046ff8c
SHA512b30438e625ef696f363c5fd3c9c4879f4d3ef4ae887646e846cfc6ef6c93f0541da3c6fc717ff5d5fed3f1e8706a5fee6996acced0a936fec8d4983f3805134a
-
Filesize
5KB
MD55bc1c06e466df9e6b4f29c57ccee2ea9
SHA1b3bbc74288cbcd6d57f22646ea8f8f0a6ed0b087
SHA256bf4a0231ebda97840f621eb7dec9e71a4f06fd7df6544cf09f8277665a7d4746
SHA5129ff6baab39ac9b6a563bcd8a9910ead45420ea8f5c998a2d9c89d0b3980b7939e904f56da559e153cebce226fb0a21fbff67f78c92f5d2544e74793cc05cc018
-
Filesize
6KB
MD507ce8588529b2b980b013670cb6ca345
SHA1dae47a1a003e9beb08049ede054b981eedf5300a
SHA256b936870d223ce04f775280ec415d7cd1ee167a87ec89752fba66b23245750182
SHA512f9c08a94e6d1f2d1930545b9dfe5fd7ea83c057594de8c7714a7258d28fed255b30811402533007c10c310cbc343919166447982cb30481ad72e59b47d98125f
-
Filesize
6KB
MD5ecf425fded85aa533207459540a841ca
SHA16d3bbfaf5baf55d85db30b5b7cc764bac3beb99c
SHA2567e5e91525f640ca0279008d5d023e2863ba3e51f642091cf3fa942346d5a92ce
SHA512e08790c60e25c51fef54f01ad43ea42e24b162c65c5d106dceef23ce5a1d3dcab7fce72171dba846c554bf59ef2bcec0ea9a7952a1a5c7b922c76a6e09801476
-
Filesize
6KB
MD5770607fb2d92b6ec64d8481c86b2c005
SHA1da2564b8e0c9c170881e88f43cb307823891bd27
SHA256fec0b7bf5feff7fa362ebd87efab4e61528fbd4eb3dc0f92472346beebe8ee26
SHA51205d3ffd0914fdbfbc732f3fb5af3f1527ecff875fd0265b91831754eb0766ac3997e882e8ceca161eb2fc51a3e61317964effd90c6ebd4ef04522b9607d98d77
-
Filesize
1KB
MD5dd4a28c3ab816fec7946a8ec11664340
SHA1e0d0880db00d3ad459b111c73f9ab8c84d8d1cd2
SHA256eb261db23acdd25d468491734b858faa0de17f47b991200548081b84d63e5b02
SHA51213e8b7e51094fa5559d51ba65983d199987e7347bc59189df8996f13c035658f35405c93aff3270bfc2dd692706bbb2eaff51db3e78bbd05de967a0104b93fa1
-
Filesize
538B
MD5b7a82eed6df7a7d3faf1fce23da58cd5
SHA17b0500c9d61aa9695400b9ffbf6ff616e4ec093a
SHA2568672835c27ad82bbb16a218cbd7594819c328b73c99818fc3375753b6fd93f68
SHA512693f07a396916ca7301ea81d03aef2f08fee406c8a8ba5b54ace36d305c5e9d3625d99a62103e301a8d2bdc3ca94d3972c5f43d369674db7b3f0094988e94239
-
Filesize
1KB
MD5d218a1f992f9def33202b6d299a149f3
SHA1d568b1939f97ff31fe56c5c77a8a742bb1a311b5
SHA2560b189b070b0208e8133abc8ec7ac9f03667b2eaabe9f7211dc2d186cf286bfb5
SHA5122f7a35d0534df8252be69e36fc74f9a4d5e89009a8520c46790587da6ba78e2f0384291a44db855e74973d004ed2145847684f5a166b9b6d5e6bdf8f1c76384a
-
Filesize
1KB
MD5e8da0c9cf40b3a3cee1c8c15ddac0f8f
SHA15ee2635de9cbdc0c09196368dbaf56ac2e8aa350
SHA256a43a1ebf6d279324e228df901b154834a2be2f7fb5daa6664de5854bfdcef172
SHA512fbf7941f44e37b3c8911cc20fd2e223659d950c8e72e69699eda8f284c669c6ee81806160c07db8baa055e0725f62c6016c6ce0e9be1bef7fa3f32b84ab619bc
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD54bd88d0cf6daac105caf6f7d5825c6b6
SHA18263b6ae1001234ab3818dd9532efd79b96d642a
SHA2563d1f7c720d95ece041988e1b58645d2b10ab938cbcba50b936b98d80fc4bdd22
SHA5121b56e671dbce1aeda0b2c46a6e5d526d74d0a0119db944eefae6df1ff029027219467f1a009f2d4475d80936dc70270123055a6feac849181faa8be656b7bf26
-
Filesize
10KB
MD5daca0d88a821ad4affa1b588a26717df
SHA169e0f9312d04c7be35d8c3251a814301a4d7991c
SHA256dfb6692bad42c832f9d8598185e2fddd35958164416f642e9e3598a09be29914
SHA5126efd5ed579af1fc2f75a498d232a82fd3271d43525eec394264864882c35bf9cd575d9553cedf0e132988a37984a6726ee6fc5449088ef9bbe453f64a1544b25
-
Filesize
2KB
MD5a0679dce64fcf875f4208b823d4b85c0
SHA185abe3673db82bfe5b2c207dc98648e32afffea0
SHA25685a07013575a6a890c7b1d26adaa52f17616c4cca673617aa1fc0992aa29dda1
SHA5121e2740a09acc5b0d679acfd740feb3556638f1b6029078668bbb7e067b356fcecf23c5b317b02888822cc180c0eb5cb7e2caf63d92a74515ebc5a1031d80f3a6
-
Filesize
6.6MB
MD5a605dbeda4f89c1569dd46221c5e85b5
SHA15f28ce1e1788a083552b9ac760e57d278467a1f9
SHA25677897f44096311ddb6d569c2a595eca3967c645f24c274318a51e5346816eb8e
SHA512e4afa652f0133d51480f1d249c828600d02f024aa2cccfb58a0830a9d0c6ee56906736e6d87554ed25c4e69252536cb7379b60b2867b647966269c965b538610
-
Filesize
92KB
MD5219cd85d93a4ed65a481f353a3de5376
SHA1a38ab77caf5417765d5595b2fcd859c6354bf079
SHA25600c9fdc8b877c7fb8365709155ab28cb3dac282ae7ec9fc9d47a78b408e0d13f
SHA512367644e3bc3310207b5863b09688269c38a55540b8c87e71d66771c954d37d561ed09f3ee11b36c4c8f4a48b618b2e8debae3d93ff684d15305f93a3ade6b3d9
-
Filesize
5.0MB
MD5c47c6a5111193af2c9337634b773d2d3
SHA1036604921b67bbad60c7823482e5e6cb268ded14
SHA2567c4f20624dd062a6c71d845d05c6328d5a903ca96398e2902506591b231ed585
SHA51256698b7b2edc0f94d0f7172c853cbe67ac682d132df768659ebca0c169091acb36ffd0a6874c26e2fb35117061c91c9eca4312532ba778312e3d63cc77ce1262
-
Filesize
780KB
MD54151b988c9d5c550ccb6c3b49bf551d4
SHA110ff979be4a5bbacaf208bdbb8236b940208eed1
SHA2565ec45cc1a109f556d0cd44ba48d3bf11af556ee66dd8b78c94d3ef0e93735e8e
SHA512c73947b534741c29340550066cd1a6b7cbb4387f3be8303f2d1d0cb21c6f430e0415c27daabc82d32570f421934db78dc840403de18aef09d5a4f0cbe4350e4d
-
Filesize
1.3MB
MD574be3afd732dc010c8266326cc32127b
SHA1a91802c200f10c09ff9a0679c274bbe55ecb7b41
SHA25603fe34795ad0f91fc8eb8c9ebe8094541e4fb4d7095095f8b48f345c2a6d0f0c
SHA51268fa03d640680e37614feccb56f4d41180724cb7c08ba25f9bea3830a44c03d635664d8e0255ab2d05d3613498f4a4dd4398b7971a2cb1c9ae3be93f944946e5
-
Filesize
2KB
MD5288bebe9f904e6fabe4de67bd7897445
SHA10587ce2d936600a9eb142c6197fe12a0c3e8472f
SHA256cf965fcc5a7ca4d9245c706c88b4d5013fb84be27b0ec262facccfadf14bdca2
SHA5127db8e7c1318bcab7cef2c02484a82f347a630443a644b546a5cc339a5a848d1a3e915255f9c357de6ee26817a55d1091d80e2a8e97f66afa5686b3d11ee56c3c
-
Filesize
74B
MD505d30a59150a996af1258cdc6f388684
SHA1c773b24888976c889284365dd0b584f003141f38
SHA256c5e98b515636d1d7b2cd13326b70968b322469dbbe8c76fc7a84e236c1b579c9
SHA5122144cd74536bc663d6031d7c718db64fd246346750304a8ceef5b58cd135d6ea061c43c9150334ee292c7367ff4991b118080152b8ebc9c5630b6c5186872a3a
-
Filesize
15.0MB
MD58f5a2b3154aba26acf5440fd3034326c
SHA1b4d508ee783dc1f1a2cf9147cc1e5729470e773b
SHA256fc7e799742a1c64361a8a9c3fecdf44f9db85f0bf57f4fb5712519d12ba4c5ac
SHA51201c052c71a2f97daf76c91765e3ee6ec46ca7cb67b162c2fc668ef5ee35399622496c95568dedffbaf72524f70f6afcfe90f567fbb653a93d800664b046cd5f2
-
Filesize
864KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
5.0MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
