3bb489de34df3c2bbe7684a562f3eae17e5c66b1b82c13011bf250768eb79603

Analysis

max time kernel
7s
max time network
9s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 13:59

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Size

1.1MB
MD5

edbe0b538e2c8428fd5bfecb066f9921
SHA1

706d1dd3a31e11c578a38db05dd50a2c49ffc4cd
SHA256

3bb489de34df3c2bbe7684a562f3eae17e5c66b1b82c13011bf250768eb79603
SHA512

b3e98dc74119bf7e34dc6049a6e00ed44d83700822749396a1eff5e3f0c032cdc85f9eb5092bca163758d95e907b737aad42256e12a069e3a29a98ded179e18b
SSDEEP

3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score

10^/10

defense_evasion persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4764 created 672	4764	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd	7

Adds policy Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Windows\\Caches\\RYD2Iwd5J2Dm8eLqWFdOMqDL.exe\" O"	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\5utpapi8.default-release\\storage\\permanent\\chrome\\idb\\2823318777ntouromlalnodry--naod.files\\Y9oeJmThBH6vPZvC9GegfTumwt8WH1DK5kli5BRySO.exe\" O"	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\BrowserMetrics\\2eoFvaXtlz63vRzwc4I7UpPp4.exe\" O"	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\nmmhkkegccagdldgiimedpiccmgmieda\\1.0.0.6_0\\_locales\\el\\9UoOSN87qSVrcTyl9GZTFxe2N2WWDNRCwrPVMSB1RTv4nhpx4ifux3di4Cq0CE6L.exe\" O"	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 8 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = " "	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = " "	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd

Executes dropped EXE 2 IoCs

pid	Process
4764	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
1400	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd

Impair Defenses: Safe Mode Boot 1 TTPs 42 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PCI Configuration	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WudfPf	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{9DA2B80F-F89F-4A49-A5C2-511B085B9E8A}	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Ahcache.sys	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\EventLog	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\HelpSvc	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot Bus Extender	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dxgkrnl.sys	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Primary disk	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PNP Filter	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SpbCx.sys	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\volmgrx.sys	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vmms	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96C-E325-11CE-BFC1-08002BE10318}	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CoreMessagingRegistrar	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\TBS	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AudioSrv	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\RpcEptMapper	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SWPRV	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SystemEventsBroker	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\BasicDisplay.sys	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Filter	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\KeyIso	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{F2E7DD72-6468-4E36-B6F1-6488F42C1B52}	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sacsvr	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\uefi.sys	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\BrokerInfrastructure	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Netlogon	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\NgcSvc	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\AppMgmt	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\DcomLaunch	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\HdAudAddService.Sys	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Low\\YDz2UNMbdKogIGpfTjKFqDRxtQrzhATOuzFiWa20V03k2515JuljePDBt3ka.exe\" O 2>NUL"	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key created	\REGISTRY\USER\.DEFAULT	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\kok\\q93ow5ClJtl36UCZJr5bLTOKBn1fMYAL7m4.exe\" O 2>NUL"	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\\TempState\\U2lRD6KEUBejpAXdIQcmMiXqRlT4az5HlHTGsp6TJ3XqlNAtnsn7EBqe900NjlkuzlOHWkE.exe\" O"	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\input\\es-AR\\Ye3nlVe96qxPuasXwSDj1rFsA0Q27cvGZFgVe7Ah8vyjXgx7WueUtjBAjhvfcwdX.exe\" O 2>NUL"	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\OneNote\\16.0\\BM0TXWim8H15dcvyX0H7wEMcFVtGclzPYOtMFkkAR3uD9iqXU9cbuoarpk.exe\" O"	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Office\\OTele\\7NTnRjjA7Z7Iz0soqsID6A4ghgJPRBZwoi6WZ4kIBMgN5dyC.exe\" O 2>NUL"	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Default\\Pictures\\DoEEkz28efk7NeVy4vYWDFiUg0RObMlpA5kgKwHMNXek2uPzLGdqC5.exe\" O"	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\58\\QdPEh9wuG.exe\" O"	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\PlayReady\\Internet Explorer\\Desktop\\MZ8Hx42VypiuPlzXuUvKWjHwYQcmoWjnmels3.exe\" O 2>NUL"	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.Search_cw5n1h2txyewy\\LocalState\\ConstraintIndex\\kjoN3cW0buv58H.exe\" O 2>NUL"	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Package Cache\\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\\HhyE4PF9PtbFIscNuUSZruMakKuBhh9XFq5D.exe\" O"	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\Windows\\Projects\\8lam1vulijAIroKHXumlM5DOCeevqS0QNqkCDy1rmGTjXU.exe\" O"	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Applications\\Manifest Resources\\kefjledonklijopmnomlcbpllchaibag\\Icons\\EKgM4X5OHGGGLbmxmFIDQpLiuCmt8b7McDymzFJNFNC49VWBgYHQPivXZcIwT.exe\" O 2>NUL"	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 01000000000000004e46e762650bdb01	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FF393560-C2A7-11CF-BFF4-444553540000} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a588ed63650bdb01	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{289AF617-1CC3-42A6-926C-E6A863F0E3BA} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000c84df263650bdb01	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\A7f8EQvx2oDkZvawcjs.exe\" O 2>NUL"	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "184"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\tg\\sB4301mJJpv5LPisW9kcj1JJSxnUCLyCrU7D6mNSIYfGqlX4NsCrw83mADDzVzdAFWn.exe\" O"	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\\AppData\\l47PgQ77fUzhX5s5kuQmO290YXv4CApSsWVubUqBXorVpG3adzcf.exe\" O 2>NUL"	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Command Processor	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.BioEnrollment_cw5n1h2txyewy\\Settings\\ZxYjZAXuMKWVXcOi6Ia3BFD3ZvWG2MsX1uCDv.exe\" O"	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\SOFTWARE\Microsoft\Command Processor	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\SOFTWARE\Microsoft	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\SOFTWARE\Microsoft\Command Processor\AutoRun = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\OneNote\\aJA7qRO4GQ3qRFhmWwaYPdSgnSty.exe\" O 2>NUL"	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\SOFTWARE\Microsoft\Windows	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\SOFTWARE	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1400	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
1400	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeBackupPrivilege	4220	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Token: SeRestorePrivilege	4220	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Token: SeShutdownPrivilege	4220	edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
Token: SeDebugPrivilege	4764	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Token: SeRestorePrivilege	4764	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Token: SeDebugPrivilege	1400	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
Token: SeRestorePrivilege	1400	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2028	LogonUI.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 4764	4520	gpscript.exe	84
PID 4520 wrote to memory of 4764	4520	gpscript.exe	84
PID 4764 wrote to memory of 1400	4764	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd	89
PID 4764 wrote to memory of 1400	4764	f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd	89

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\SystemAppData\f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
  "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\SystemAppData\f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd" 2
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1400

C:\Users\Admin\AppData\Local\Temp\edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edbe0b538e2c8428fd5bfecb066f9921_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3992055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Windows\system32\gpscript.exe
gpscript.exe /Shutdown
1⤵
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\SystemAppData\f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd
  "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\SystemAppData\f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd" 1
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds policy Run key to start application
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\8lam1vulijAIroKHXumlM5DOCeevqS0QNqkCDy1rmGTjXU.exe

Filesize
1.5MB

MD5
4b9e93b35b02db568d41a94a6ba2a1f0

SHA1
d9ce440677cb7cf6cc03654ccfc56f382585f1e5

SHA256
c4da33a43ae5e5867c8c5cc890abb6eb66a0fa24a68259282a6a1584aff26bd0

SHA512
b3faf10b22abddd1c2b53b0a995f917b741091b36367637e23c3c30d559ef816331e3e94622ba10d0da28b055a471b59ae00007842dad2af186a2535b984a4c0

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\DzKQNWy0Uga0nvkproJ1TMFwbnNJeMCVfztlglFYS9345pI1wNlc.exe

Filesize
2.5MB

MD5
2767f54f31c0fbc4f03f28b73d985955

SHA1
f83c52090be03408f51c93441fcc6c8a3769dd72

SHA256
abb55fb5f2ebedacf3d663cc882852c546e2697933effd992a19f983fa21f901

SHA512
5ffca6c1f724c0592987aa608efc57fe5b70b7827d11cbfcf603e375586a3e60ebed20bc71d8653acb694febad07a49b7af7bc7a6857294b108998574e4d934d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\2eoFvaXtlz63vRzwc4I7UpPp4.exe

Filesize
1.2MB

MD5
761a53ea5481284c3acd9f0f94789f43

SHA1
98f90ef02f262fd6feffe06ebcf79e2000dd4f73

SHA256
97960a11e61e57a1ec338fc47f8dfad562bb7c8e984c8ab6bed9cc2ac95d0b14

SHA512
9bfe086cb153f2034c1d7332a0f1eda944c79df9bc42fe1636c59af141a3b31fd84840a1f245e03273863ca077e253e6b5095c16cfa1b083ca18964be297b710

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\smWhMMa8HEJhvBETfYSuQOMRIdOKth8F0SWNAPJRiVYHSmSnT0Q7U9fen2jWTT8NCyAHr.exe

Filesize
1.3MB

MD5
4c208e7701466d9e37d12424ee56c08c

SHA1
c87eb0220a6c69e55fc0065ae9aabcdc8de05d9d

SHA256
dfeac1da02565cf8b07c2738d0d745faebe5a835924b9aa911937c483b3384ee

SHA512
a722689c56d53a3760928fa90bdd37a80118b8b5f8a610c1a4ef992d70800ac3a687d2758e562b3c8df9b15822d2cbc0ca780a73c1e8c1a054b3503c3dee9471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\W4nRRXOZSQGrHsIsrsl.exe

Filesize
2.0MB

MD5
55b5d54e09bd3dd0d968a31c4bdd31ec

SHA1
aa64e71ffacdc32324cd0f9cdc872504ba2b4b6f

SHA256
80530f268dbda8d7a149244e8e467ec87637a5a4b0b013ef0b125f1edfa0759a

SHA512
e2da11098f2725f69d05c028c43f04edf8049f6a2f4e1713607ef50a84cd96a6aa402e9f7722db6b69db6089f01e773904acc7f1a6370d8ab3fe272f709cb667

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Low\YDz2UNMbdKogIGpfTjKFqDRxtQrzhATOuzFiWa20V03k2515JuljePDBt3ka.exe

Filesize
1.9MB

MD5
6fdc0e4466ed0360b889173356a9e357

SHA1
a36e3ee77871c3c5f555f5985eefa52fa33750ee

SHA256
9dcaade639726ae9e85bfcf0ea8a51e49f2d319a58c9829b560c2acb98d18863

SHA512
b8e4b3d50a1d923a5361b11e918a61d303c8ff5e58a558b2ab17583ee8c53f045a7cc9bc25b56fdc3d771a66ac48e54e1d3685c1f79c9b548821739daab2d7ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\SystemAppData\f46wgN2LCmI1VifpkG4NP3xXAJOkfIt7539uY9piTLqatWlijauavj.cmd

Filesize
2.1MB

MD5
4011d3494f754cd64ce39f3d11adc5c1

SHA1
36a25a604cfae788ef50a8b5ebe51823a881870c

SHA256
47ade4a5f7f972137718eaf5ec3f3901fa24742478b175f94d90030719bf2fb9

SHA512
a9c57e439ee9278be86fc671ada71e6189c3eab82e2f271034a1b482439852f068b7818c01a51a4ad66f7526a98f929909c20228bb7e7daf3f034ccd491868e6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\7mlfwlHyq2kfE1.exe

Filesize
3.3MB

MD5
9c0900f4ed6b72e4980e9c4cb87fc13e

SHA1
ec1eca59eb9b02b59267e2aad5fb0b92a4cb5881

SHA256
7f8f488eaa8302bf3f14a9f54c9ab57b30ca45e237e3aa426703109ee38f1dcc

SHA512
a4049ffaba0078d01061c5c1435ac87cfa90bcc56635c682c34e0b013e6c1838d3b024f432c65f8c6ffaf267a43b604c8f8a91a89abd29a71994acb056dac8d5

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\l47PgQ77fUzhX5s5kuQmO290YXv4CApSsWVubUqBXorVpG3adzcf.exe

Filesize
2.1MB

MD5
8d17bad5e5f58f04f8d53852213536ce

SHA1
f3f1ca14a4ed2308306daaa609742a72a08c74e1

SHA256
d31b3ef5cc17abe64a6fc262e4a6e80de6125fd1cf3d83a928889c58c145c727

SHA512
29df5a838aaf0baeb6789fcc4061c5aaa595b40d0890ccba77fac83ae7af5e76d5537b7582ddd83286ae7e745c6614e00cfeee44ce36310d1128dc660a3fef07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CloudStore\A7f8EQvx2oDkZvawcjs.exe

Filesize
2.3MB

MD5
ce55c7218e9901d924d32f577bd70357

SHA1
5312346fe2743fc7f55dc6e291f78cf1868eb563

SHA256
c4496e0e9bbb8b3663e30f7ce7e0336e519a9f863a2791c642078e2d49e1380d

SHA512
356ae1f913a32f75bc22791ab4a8402cab3ab014685ba2092cf592acef7a767c3c798db67bb7cd2fa1add5e705b9fbf5247f1c7544cb1aeed2ad6b0676e4bae7

Download Submit
C:\Users\Default\Pictures\DoEEkz28efk7NeVy4vYWDFiUg0RObMlpA5kgKwHMNXek2uPzLGdqC5.exe

Filesize
1.4MB

MD5
f8f3754afaa0aeb96c451fa847ab00c5

SHA1
b02bb72e0eb12f309f08811efa8ebda29cac2f54

SHA256
a912499231ec27cd2f5b3bf874e4376c4793a78f6cf1a3bdcb47332c9574e683

SHA512
b57f6bc9d4b3e24e54302b85a71d1e1bcc76da62f24073d724f2c2c72ea3afab47614bb901ed6e15af6b81e81089bc16480c9c8c289eb35ae28879067290660a

Download Submit
memory/4220-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4220-35-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4764-582-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads