metasploit | eb67d9e27db06ea3749c7df09fa5815edd0d430e4da202072fc3c00026349c6d

Analysis

max time kernel
145s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Size

776KB
MD5

f52ef977885850cabe59782db6385a64
SHA1

094690ae6f4ae2ac651385dfb02099f62bea50a1
SHA256

eb67d9e27db06ea3749c7df09fa5815edd0d430e4da202072fc3c00026349c6d
SHA512

19d3e89cd276580d5b51e5deffc442459b610f30e0629a1f49748d89b4a26bdde6b1ddc5c8a6b779adcfb6f19cae318f668fafef0dca4fbb4330e00cd5920483
SSDEEP

24576:aXytXN4FXT6SdqtURjZnli5kRlM7fDG/:OytX6RTjqtURjZlaGlM7D6

Score

10^/10

metasploit backdoor discovery evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe

Executes dropped EXE 20 IoCs

pid	Process
532	windows_update.exe
1836	windows_update.exe
2224	windows_update.exe
2560	windows_update.exe
640	windows_update.exe
1972	windows_update.exe
1752	windows_update.exe
1692	windows_update.exe
2536	windows_update.exe
2900	windows_update.exe
2852	windows_update.exe
1604	windows_update.exe
2116	windows_update.exe
1780	windows_update.exe
3028	windows_update.exe
892	windows_update.exe
2268	windows_update.exe
2988	windows_update.exe
1032	windows_update.exe
2868	windows_update.exe

Loads dropped DLL 64 IoCs

pid	Process
2132	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
532	windows_update.exe
532	windows_update.exe
532	windows_update.exe
532	windows_update.exe
1836	windows_update.exe
1836	windows_update.exe
1836	windows_update.exe
1836	windows_update.exe
2224	windows_update.exe
2224	windows_update.exe
2224	windows_update.exe
2224	windows_update.exe
2560	windows_update.exe
2560	windows_update.exe
2560	windows_update.exe
2560	windows_update.exe
640	windows_update.exe
640	windows_update.exe
640	windows_update.exe
640	windows_update.exe
1972	windows_update.exe
1972	windows_update.exe
1972	windows_update.exe
1972	windows_update.exe
1752	windows_update.exe
1752	windows_update.exe
1752	windows_update.exe
1752	windows_update.exe
1692	windows_update.exe
1692	windows_update.exe
1692	windows_update.exe
1692	windows_update.exe
2536	windows_update.exe
2536	windows_update.exe
2536	windows_update.exe
2536	windows_update.exe
2900	windows_update.exe
2900	windows_update.exe
2900	windows_update.exe
2900	windows_update.exe
2852	windows_update.exe
2852	windows_update.exe
2852	windows_update.exe
2852	windows_update.exe
1604	windows_update.exe
1604	windows_update.exe
1604	windows_update.exe
1604	windows_update.exe
2116	windows_update.exe
2116	windows_update.exe
2116	windows_update.exe
2116	windows_update.exe
1780	windows_update.exe
1780	windows_update.exe
1780	windows_update.exe
1780	windows_update.exe
3028	windows_update.exe
3028	windows_update.exe
3028	windows_update.exe
3028	windows_update.exe
892	windows_update.exe
892	windows_update.exe
892	windows_update.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\BmbAvva = "n\\ntG_cgNVKr\x7fn@f{STJPAZ\\IBvCnaGZ"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\wzKur = "MlfgXi@iTMWmH[bKBQe^v_Gy"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\BmbAvva = "n\\ntG_`wNVKr\x7fnCv{STJPAK\\IBvCnaGZ"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\wzKur = "MlfgXi@iTMWmH[bKBQe^v_Gy"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\BmbAvva = "n\\ntG_cWNVKr\x7fn@V{STJPA^lIBvCnaGZ"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\BmbAvva = "n\\ntG_cGNVKr\x7fn@F{STJPAZ\\IBvCnaGZ"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFj~i]wKePu[\x7fi`"	windows_update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Version	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\BmbAvva = "n\\ntG_bGNVKr\x7fnAF{STJPAULIBvCnaGZ"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\BmbAvva = "n\\ntG_bwNVKr\x7fnAv{STJPAULIBvCnaGZ"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFiBi]wKeaD}z]p"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFjFi]wKeKW`uJP"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Version\ = "9.4"	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\zynefqbswXw = "pXMblZ~^aTCqd{XBj}}LxDkr^MFU_F"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\wzKur = "MlfgXi@iTMWmH[bKBQe^v_Gy"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFivi]wKewOfCX@"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFiji]wKe^KF`\|@"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFjZi]wKePXq`L@"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFjzi]wKe\|w~_fp"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ToolboxBitmap32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE,5511"	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFibi]wKehITLU@"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\wzKur = "MlfgXi@iTMWmH[bKBQe^v_Gy"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\zynefqbswXw = "pXMblZ~^aTCqd{XBj}}LxDkr^MFU_F"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\BmbAvva = "n\\ntG_`wNVKr\x7fnCv{STJPAOlIBvCnaGZ"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\BmbAvva = "n\\ntG_cwNVKr\x7fn@v{STJPAZ\\IBvCnaGZ"	windows_update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ProgID	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFh~i]wKebuWB@p"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFhzi]wKeuvyF]P"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\BmbAvva = "n\\ntG_cGNVKr\x7fn@F{STJPA^lIBvCnaGZ"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\zynefqbswXw = "pXMblZ~^aTCqd{XBj}}LxDkr^MFU_F"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFjBi]wKedlFoI@"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Outlook.OlkDateControlClass"	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\BmbAvva = "n\\ntG_cWNVKr\x7fn@V{STJPAR\|IBvCnaGZ"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFi^i]wKe\x7fqQ]QP"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFj^i]wKeQSDCKp"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\BmbAvva = "n\\ntG_`wNVKr\x7fnCv{STJPAK\\IBvCnaGZ"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\BmbAvva = "n\\ntG_bgNVKr\x7fnAf{STJPAQLIBvCnaGZ"	windows_update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocHandler32	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFhvi]wKeAqSfL`"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\BmbAvva = "n\\ntG_`GNVKr\x7fnCF{STJPAC\|IBvCnaGZ"	windows_update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Control	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFini]wKerIc@sP"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\BmbAvva = "n\\ntG_`WNVKr\x7fnCV{STJPAFLIBvCnaGZ"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Stwxlyuq = "D]h\x7fBBUznRhUm^B\|FifUNB_VmpKjLbfe"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ProgID\ = "Outlook.OlkDateControl.1"	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFhfi]wKemhe{vP"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\zynefqbswXw = "pXMblZ~^aTCqd{XBj}}LxDkr^MFU_F"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFjJi]wKe\x7fPJU[`"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\BmbAvva = "n\\ntG_`gNVKr\x7fnCf{STJPAK\\IBvCnaGZ"	windows_update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFhri]wKef[JSPp"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFiRi]wKedgUyZ`"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFizi]wKeUwhtd@"	windows_update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\VersionIndependentProgID	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\wzKur = "MlfgXi@iTMWmH[bKBQe^v_Gy"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\BmbAvva = "n\\ntG_cwNVKr\x7fn@v{STJPAZ\\IBvCnaGZ"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFifi]wKeDKqlZP"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFjVi]wKed_[@]p"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\zynefqbswXw = "pXMblZ~^aTCqd{XBj}}LxDkr^MFU_F"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cqmvCjs = "RaYvHS{EKBFhni]wKebVzs\|P"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\zynefqbswXw = "pXMblZ~^aTCqd{XBj}}LxDkr^MFU_F"	windows_update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Typelib	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\BmbAvva = "n\\ntG_bgNVKr\x7fnAf{STJPAR\|IBvCnaGZ"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\wzKur = "MlfgXi@iTMWmH[bKBQe^v_Gy"	windows_update.exe

NTFS ADS 11 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File created	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe

Runs .reg file with regedit 11 IoCs

pid	Process
2540	regedit.exe
2888	regedit.exe
600	regedit.exe
1220	regedit.exe
1744	regedit.exe
2244	regedit.exe
924	regedit.exe
2236	regedit.exe
1076	regedit.exe
2468	regedit.exe
2788	regedit.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: 33	2132	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2132	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Token: 33	2132	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2132	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Token: 33	1836	windows_update.exe
Token: SeIncBasePriorityPrivilege	1836	windows_update.exe
Token: 33	1836	windows_update.exe
Token: SeIncBasePriorityPrivilege	1836	windows_update.exe
Token: 33	2560	windows_update.exe
Token: SeIncBasePriorityPrivilege	2560	windows_update.exe
Token: 33	2560	windows_update.exe
Token: SeIncBasePriorityPrivilege	2560	windows_update.exe
Token: 33	1972	windows_update.exe
Token: SeIncBasePriorityPrivilege	1972	windows_update.exe
Token: 33	1972	windows_update.exe
Token: SeIncBasePriorityPrivilege	1972	windows_update.exe
Token: 33	1692	windows_update.exe
Token: SeIncBasePriorityPrivilege	1692	windows_update.exe
Token: 33	1692	windows_update.exe
Token: SeIncBasePriorityPrivilege	1692	windows_update.exe
Token: 33	2900	windows_update.exe
Token: SeIncBasePriorityPrivilege	2900	windows_update.exe
Token: 33	2900	windows_update.exe
Token: SeIncBasePriorityPrivilege	2900	windows_update.exe
Token: 33	1604	windows_update.exe
Token: SeIncBasePriorityPrivilege	1604	windows_update.exe
Token: 33	1604	windows_update.exe
Token: SeIncBasePriorityPrivilege	1604	windows_update.exe
Token: 33	1780	windows_update.exe
Token: SeIncBasePriorityPrivilege	1780	windows_update.exe
Token: 33	1780	windows_update.exe
Token: SeIncBasePriorityPrivilege	1780	windows_update.exe
Token: 33	892	windows_update.exe
Token: SeIncBasePriorityPrivilege	892	windows_update.exe
Token: 33	892	windows_update.exe
Token: SeIncBasePriorityPrivilege	892	windows_update.exe
Token: 33	2988	windows_update.exe
Token: SeIncBasePriorityPrivilege	2988	windows_update.exe
Token: 33	2988	windows_update.exe
Token: SeIncBasePriorityPrivilege	2988	windows_update.exe
Token: 33	2868	windows_update.exe
Token: SeIncBasePriorityPrivilege	2868	windows_update.exe
Token: 33	2868	windows_update.exe
Token: SeIncBasePriorityPrivilege	2868	windows_update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2084	2132	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	32
PID 2132 wrote to memory of 2084	2132	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	32
PID 2132 wrote to memory of 2084	2132	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	32
PID 2132 wrote to memory of 2084	2132	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	32
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2132	2568	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	31
PID 2084 wrote to memory of 2888	2084	cmd.exe	33
PID 2084 wrote to memory of 2888	2084	cmd.exe	33
PID 2084 wrote to memory of 2888	2084	cmd.exe	33
PID 2084 wrote to memory of 2888	2084	cmd.exe	33
PID 2132 wrote to memory of 532	2132	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	34
PID 2132 wrote to memory of 532	2132	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	34
PID 2132 wrote to memory of 532	2132	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	34
PID 2132 wrote to memory of 532	2132	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	34
PID 2132 wrote to memory of 532	2132	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	34
PID 2132 wrote to memory of 532	2132	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	34
PID 2132 wrote to memory of 532	2132	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	34
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35
PID 532 wrote to memory of 1836	532	windows_update.exe	35

C:\Users\Admin\AppData\Local\Temp\f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f52ef977885850cabe59782db6385a64_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f52ef977885850cabe59782db6385a64_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\a.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      4⤵
      Modifies security service
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:2888
- - C:\Windows\SysWOW64\windows_update.exe
    C:\Windows\system32\windows_update.exe 732 "C:\Users\Admin\AppData\Local\Temp\f52ef977885850cabe59782db6385a64_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\SysWOW64\windows_update.exe
      C:\Windows\system32\windows_update.exe 732 "C:\Users\Admin\AppData\Local\Temp\f52ef977885850cabe59782db6385a64_JaffaCakes118.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      PID:1836
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2236
    - - C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 804 "C:\Windows\SysWOW64\windows_update.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2224
      - C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 804 "C:\Windows\SysWOW64\windows_update.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        8⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:600
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 824 "C:\Windows\SysWOW64\windows_update.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 824 "C:\Windows\SysWOW64\windows_update.exe"
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1220
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 836 "C:\Windows\SysWOW64\windows_update.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 836 "C:\Windows\SysWOW64\windows_update.exe"
        10⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1076
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 852 "C:\Windows\SysWOW64\windows_update.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 852 "C:\Windows\SysWOW64\windows_update.exe"
        12⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        14⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2468
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 860 "C:\Windows\SysWOW64\windows_update.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 860 "C:\Windows\SysWOW64\windows_update.exe"
        14⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        16⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2788
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 876 "C:\Windows\SysWOW64\windows_update.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 876 "C:\Windows\SysWOW64\windows_update.exe"
        16⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        18⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1744
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 884 "C:\Windows\SysWOW64\windows_update.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 884 "C:\Windows\SysWOW64\windows_update.exe"
        18⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        20⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2244
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 896 "C:\Windows\SysWOW64\windows_update.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 896 "C:\Windows\SysWOW64\windows_update.exe"
        20⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        22⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:924
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 908 "C:\Windows\SysWOW64\windows_update.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 908 "C:\Windows\SysWOW64\windows_update.exe"
        22⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        24⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:C980DA7D

Filesize
105B

MD5
3ecd369b63e1979a9b035b104ee4a528

SHA1
df8df4eaa3ca167b7a69a7d92a1b60b1c196fb3e

SHA256
df41f386ce3511d28f2a8d6549bc4acecf85fdf54054e4b1dc58202f1c6ab4e0

SHA512
5ac60e926a2a1ed7cd8987c96e7c6f326d27132e49ebe9ae668601d0a4d6732fde4ff7804c83fec315454d5194910be62ad8008a68ec060e14dd098eb70f088c

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
105B

MD5
2f3f9b00fa92103050d0a099410b42ec

SHA1
e646045fa7d8b645b93973a4a8fae8ff13890458

SHA256
82514066cf186f7a7aa95e14bf1c30515b712d7dde46db63fe4c28aa1d506709

SHA512
e935799914e13a6a95591b9b8ff7a49612040997d2ccd4486194b68df4b6c31f1a92cb3f8ad9155c736c47452516dd8d15540389c231ba9fda27c4f026ba6df6

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
105B

MD5
3613abd174b08cdc8b3ef21edb4c8929

SHA1
989e2ad2e846d970c0f8143e661464e13097a258

SHA256
af4a66b314d21c84e89ffd7491000eb8d07d7dcc464772fe40aff246e1005f09

SHA512
19b5d02c7ae114a624bdf6cb31038602ef717e7e597d1b72e9cdad3e05280779145d7c09b195d087408a618027049d4bbf94f122044e7d5340cfd3eaa743bf55

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
105B

MD5
0eadf9574165fc15daeff1c304311cf4

SHA1
98173fb0166d6f648dac18e9ebc939d7d4153057

SHA256
a1afa388591d2687dc157350258f65451636b808cc4048e82854b8b20c22b499

SHA512
77b6525eaccb4f89cb5bd42eb668fa873e8e65aeae8a91fcf8385fb151b627747ce2ca8fa65cbed63d469a82499f33019dbfb01d09d76641780d5ba426ab9af9

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
105B

MD5
44d9cd120526c453952c05e474336d75

SHA1
18505b739f3633498a59746ac84a6c2fbdb88bab

SHA256
48064e9cd0b35746a4efefdbee2184c88aeb028a23be8fed7ee88ba57413193e

SHA512
0bbb88d73c9b1fa1b4c2dcc7d1f6bf70f56a198437b16d2fc9248bf06ff2508aba5195a5a34a68590de364b60219e859724ef05254201f501d1cad9f38fe9abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
6dd7ad95427e77ae09861afd77104775

SHA1
81c2ffe8c63e71f013a07e5794473b60f50c0716

SHA256
8eb7ba2c4ca558bb764f1db1ea0da16c08791a79e995704e5c1b9f3e855008c2

SHA512
171d8a96006ea9ff2655af49bd3bfc4702ba8573b3e6f93237ee52e0be68dd09e123495f9fbda9ff69d03fe843d9306798cae6c156202d48b8d021722eedc7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
cd085b8c40e69c2bf1eb3d59f8155b99

SHA1
3499260f24020fe6d54d9d632d34ba2770bb06e0

SHA256
10546433db0c1ab764cd632eb0d08d93a530c6e52d1ec7fcb9c1fd32193f2a9c

SHA512
3813b8a7f742f6a64da36492447f3f2fee6ea505d7d0dccebede84117ec06101321dfacc7901403ea557171085982ae1a4dc39dd666da9e67d61ea71dfbb8edb

Download Submit
C:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\Windows\SysWOW64\windows_update.exe

Filesize
776KB

MD5
f52ef977885850cabe59782db6385a64

SHA1
094690ae6f4ae2ac651385dfb02099f62bea50a1

SHA256
eb67d9e27db06ea3749c7df09fa5815edd0d430e4da202072fc3c00026349c6d

SHA512
19d3e89cd276580d5b51e5deffc442459b610f30e0629a1f49748d89b4a26bdde6b1ddc5c8a6b779adcfb6f19cae318f668fafef0dca4fbb4330e00cd5920483

Download Submit
memory/532-340-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/532-152-0x0000000000B00000-0x0000000000D1F000-memory.dmp

Filesize
2.1MB

Download
memory/532-293-0x0000000000B00000-0x0000000000D1F000-memory.dmp

Filesize
2.1MB

Download
memory/532-292-0x0000000000B00000-0x0000000000D1F000-memory.dmp

Filesize
2.1MB

Download
memory/532-291-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/532-156-0x0000000002450000-0x000000000266F000-memory.dmp

Filesize
2.1MB

Download
memory/532-141-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/532-147-0x0000000000B00000-0x0000000000D1F000-memory.dmp

Filesize
2.1MB

Download
memory/532-151-0x0000000000B00000-0x0000000000D1F000-memory.dmp

Filesize
2.1MB

Download
memory/640-612-0x0000000000C20000-0x0000000000E3F000-memory.dmp

Filesize
2.1MB

Download
memory/640-463-0x0000000000C20000-0x0000000000E3F000-memory.dmp

Filesize
2.1MB

Download
memory/640-464-0x0000000000C20000-0x0000000000E3F000-memory.dmp

Filesize
2.1MB

Download
memory/640-465-0x0000000002560000-0x000000000277F000-memory.dmp

Filesize
2.1MB

Download
memory/640-610-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/640-611-0x0000000000C20000-0x0000000000E3F000-memory.dmp

Filesize
2.1MB

Download
memory/640-639-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/640-613-0x0000000000C20000-0x0000000000E3F000-memory.dmp

Filesize
2.1MB

Download
memory/1692-634-0x0000000000C80000-0x0000000000E9F000-memory.dmp

Filesize
2.1MB

Download
memory/1692-648-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/1692-633-0x0000000000C80000-0x0000000000E9F000-memory.dmp

Filesize
2.1MB

Download
memory/1692-632-0x0000000000C80000-0x0000000000E9F000-memory.dmp

Filesize
2.1MB

Download
memory/1692-777-0x00000000035A0000-0x00000000037BF000-memory.dmp

Filesize
2.1MB

Download
memory/1692-640-0x00000000023D0000-0x0000000002464000-memory.dmp

Filesize
592KB

Download
memory/1692-652-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/1692-651-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/1692-650-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/1692-649-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/1752-626-0x0000000000D90000-0x0000000000FAF000-memory.dmp

Filesize
2.1MB

Download
memory/1752-774-0x0000000000D90000-0x0000000000FAF000-memory.dmp

Filesize
2.1MB

Download
memory/1752-788-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/1752-771-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/1752-772-0x0000000000D90000-0x0000000000FAF000-memory.dmp

Filesize
2.1MB

Download
memory/1752-773-0x0000000000D90000-0x0000000000FAF000-memory.dmp

Filesize
2.1MB

Download
memory/1752-624-0x0000000000D90000-0x0000000000FAF000-memory.dmp

Filesize
2.1MB

Download
memory/1752-627-0x0000000000D90000-0x0000000000FAF000-memory.dmp

Filesize
2.1MB

Download
memory/1836-289-0x0000000000AC0000-0x0000000000B54000-memory.dmp

Filesize
592KB

Download
memory/1836-168-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/1836-172-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/1836-173-0x0000000000AC0000-0x0000000000B54000-memory.dmp

Filesize
592KB

Download
memory/1836-169-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/1836-170-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/1836-328-0x0000000000AC0000-0x0000000000B54000-memory.dmp

Filesize
592KB

Download
memory/1836-171-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/1836-294-0x0000000000BB0000-0x0000000000DCF000-memory.dmp

Filesize
2.1MB

Download
memory/1836-155-0x0000000000BB0000-0x0000000000DCF000-memory.dmp

Filesize
2.1MB

Download
memory/1836-157-0x0000000000BB0000-0x0000000000DCF000-memory.dmp

Filesize
2.1MB

Download
memory/1836-161-0x0000000000AC0000-0x0000000000B54000-memory.dmp

Filesize
592KB

Download
memory/1836-296-0x0000000000BB0000-0x0000000000DCF000-memory.dmp

Filesize
2.1MB

Download
memory/1836-153-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/1836-154-0x0000000000BB0000-0x0000000000DCF000-memory.dmp

Filesize
2.1MB

Download
memory/1972-616-0x0000000000EB0000-0x00000000010CF000-memory.dmp

Filesize
2.1MB

Download
memory/1972-615-0x0000000000EB0000-0x00000000010CF000-memory.dmp

Filesize
2.1MB

Download
memory/1972-636-0x0000000000A50000-0x0000000000AE4000-memory.dmp

Filesize
592KB

Download
memory/1972-619-0x0000000003770000-0x000000000398F000-memory.dmp

Filesize
2.1MB

Download
memory/1972-614-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/1972-608-0x0000000000A50000-0x0000000000AE4000-memory.dmp

Filesize
592KB

Download
memory/1972-488-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/1972-468-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/1972-476-0x0000000000EB0000-0x00000000010CF000-memory.dmp

Filesize
2.1MB

Download
memory/1972-475-0x0000000000EB0000-0x00000000010CF000-memory.dmp

Filesize
2.1MB

Download
memory/1972-489-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/1972-491-0x0000000000A50000-0x0000000000AE4000-memory.dmp

Filesize
592KB

Download
memory/1972-477-0x0000000000A50000-0x0000000000AE4000-memory.dmp

Filesize
592KB

Download
memory/1972-487-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/1972-486-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/1972-485-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2132-12-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2132-9-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2132-158-0x0000000000620000-0x00000000006B4000-memory.dmp

Filesize
592KB

Download
memory/2132-137-0x0000000003110000-0x000000000332F000-memory.dmp

Filesize
2.1MB

Download
memory/2132-15-0x0000000000620000-0x00000000006B4000-memory.dmp

Filesize
592KB

Download
memory/2132-11-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2132-13-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2132-10-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2132-2-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2132-14-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2132-3-0x000000000057F000-0x0000000000580000-memory.dmp

Filesize
4KB

Download
memory/2132-4-0x0000000000620000-0x00000000006B4000-memory.dmp

Filesize
592KB

Download
memory/2224-454-0x0000000000DC0000-0x0000000000FDF000-memory.dmp

Filesize
2.1MB

Download
memory/2224-451-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2224-490-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2224-310-0x0000000002590000-0x00000000027AF000-memory.dmp

Filesize
2.1MB

Download
memory/2224-309-0x0000000000DC0000-0x0000000000FDF000-memory.dmp

Filesize
2.1MB

Download
memory/2224-452-0x0000000000DC0000-0x0000000000FDF000-memory.dmp

Filesize
2.1MB

Download
memory/2224-453-0x0000000000DC0000-0x0000000000FDF000-memory.dmp

Filesize
2.1MB

Download
memory/2224-302-0x0000000000DC0000-0x0000000000FDF000-memory.dmp

Filesize
2.1MB

Download
memory/2224-304-0x0000000000DC0000-0x0000000000FDF000-memory.dmp

Filesize
2.1MB

Download
memory/2536-918-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2536-1050-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2560-472-0x0000000002640000-0x00000000026D4000-memory.dmp

Filesize
592KB

Download
memory/2560-331-0x0000000002640000-0x00000000026D4000-memory.dmp

Filesize
592KB

Download
memory/2560-323-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2560-311-0x0000000000A80000-0x0000000000C9F000-memory.dmp

Filesize
2.1MB

Download
memory/2560-312-0x0000000000A80000-0x0000000000C9F000-memory.dmp

Filesize
2.1MB

Download
memory/2560-313-0x0000000000A80000-0x0000000000C9F000-memory.dmp

Filesize
2.1MB

Download
memory/2560-324-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2560-329-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2560-456-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2560-449-0x0000000002640000-0x00000000026D4000-memory.dmp

Filesize
592KB

Download
memory/2560-314-0x0000000002640000-0x00000000026D4000-memory.dmp

Filesize
592KB

Download
memory/2560-322-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2560-330-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2568-159-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2568-0-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2568-1-0x0000000001FF0000-0x000000000220F000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads