metasploit | eb67d9e27db06ea3749c7df09fa5815edd0d430e4da202072fc3c00026349c6d

Analysis

max time kernel
148s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Size

776KB
MD5

f52ef977885850cabe59782db6385a64
SHA1

094690ae6f4ae2ac651385dfb02099f62bea50a1
SHA256

eb67d9e27db06ea3749c7df09fa5815edd0d430e4da202072fc3c00026349c6d
SHA512

19d3e89cd276580d5b51e5deffc442459b610f30e0629a1f49748d89b4a26bdde6b1ddc5c8a6b779adcfb6f19cae318f668fafef0dca4fbb4330e00cd5920483
SSDEEP

24576:aXytXN4FXT6SdqtURjZnli5kRlM7fDG/:OytX6RTjqtURjZlaGlM7D6

Score

10^/10

metasploit backdoor discovery evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe

Executes dropped EXE 20 IoCs

pid	Process
676	windows_update.exe
3984	windows_update.exe
2236	windows_update.exe
5048	windows_update.exe
4520	windows_update.exe
2336	windows_update.exe
2076	windows_update.exe
4772	windows_update.exe
4608	windows_update.exe
3324	windows_update.exe
4064	windows_update.exe
5032	windows_update.exe
632	windows_update.exe
4240	windows_update.exe
4512	windows_update.exe
3560	windows_update.exe
4132	windows_update.exe
1460	windows_update.exe
1956	windows_update.exe
5076	windows_update.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File created	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe
File opened for modification	C:\Windows\SysWOW64\windows_update.exe	windows_update.exe

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows_update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ibecT = "GZRaYvHS{EKBFjFi]wKeoFlUa`"	windows_update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\LocalServer32	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\KupuXmX = "GNVKr\x7fnAF{STJPAULIBvCna"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ibecT = "GZRaYvHS{EKBFiFi]wKejnW@uP"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\KupuXmX = "GNVKr\x7fnCF{STJPAKLIBvCna"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ibecT = "GZRaYvHS{EKBFhji]wKei\|PITp"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ibecT = "GZRaYvHS{EKBFibi]wKeWS_gS`"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ibecT = "GZRaYvHS{EKBFj^i]wKeBabV[P"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\AppID = "{00f2b433-44e4-4d88-b2b0-2698a0a91dba}"	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Version\ = "1.0"	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\duyJ = "pXMblZ~^aTCqd{XBj}}"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\duyJ = "pXMblZ~^aTCqd{XBj}}"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\gmosacbe = "TMWmH[bKBQe^v_GyD]h\x7fBBU"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cgnhjoWafanN = "znRhUm^B\|FifUNB_VmpKjLbfen\\ntG_b"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ibecT = "GZRaYvHS{EKBFiji]wKeycIz[p"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\gmosacbe = "TMWmH[bKBQe^v_GyD]h\x7fBBU"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ibecT = "GZRaYvHS{EKBFiri]wKeQl\\zx@"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\KupuXmX = "gNVKr\x7fn@f{STJPAClIBvCna"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ibecT = "GZRaYvHS{EKBFhFi]wKeVFBLy@"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\NkrhhZJa = "LxDkr^MFU_FMlfgXi@i"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\KupuXmX = "gNVKr\x7fnAf{STJPARlIBvCna"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cgnhjoWafanN = "znRhUm^B\|FifUNB_VmpKjLbfen\\ntG_c"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\KupuXmX = "gNVKr\x7fn@f{STJPAG\|IBvCna"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\KupuXmX = "wNVKr\x7fnCv{STJPAKLIBvCna"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\duyJ = "pXMblZ~^aTCqd{XBj}}"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ibecT = "GZRaYvHS{EKBFjzi]wKeIYPnT`"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\LocalServer32\ServerExecutable = "%SystemRoot%\\SysWow64\\rundll32.exe"	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ibecT = "GZRaYvHS{EKBFh~i]wKeEuFiEp"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\NkrhhZJa = "LxDkr^MFU_FMlfgXi@i"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\NkrhhZJa = "LxDkr^MFU_FMlfgXi@i"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ibecT = "GZRaYvHS{EKBFjvi]wKeQvWpSP"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ibecT = "GZRaYvHS{EKBFifi]wKeNjnuu@"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ibecT = "GZRaYvHS{EKBFjZi]wKencGvT@"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ibecT = "GZRaYvHS{EKBFjRi]wKeFgavi`"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\KupuXmX = "GNVKr\x7fn@F{STJPAZLIBvCna"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ibecT = "GZRaYvHS{EKBFivi]wKeaG}dBP"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ibecT = "GZRaYvHS{EKBFjVi]wKevL@hSp"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ibecT = "GZRaYvHS{EKBFhfi]wKeJ@jaQ`"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cgnhjoWafanN = "znRhUm^B\|FifUNB_VmpKjLbfen\\ntG_c"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\LocalServer32\ = "\"%SystemRoot%\\System32\\rundll32.exe\" \"%ProgramFiles%\\Windows Photo Viewer\\PhotoAcq.dll\",AutoplayComServerW {00f2b433-44e4-4d88-b2b0-2698a0a91dba}"	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\gmosacbe = "TMWmH[bKBQe^v_GyD]h\x7fBBU"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\KupuXmX = "gNVKr\x7fnAf{STJPARlIBvCna"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\KupuXmX = "GNVKr\x7fn@F{STJPA^\\IBvCna"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\NkrhhZJa = "LxDkr^MFU_FMlfgXi@i"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ibecT = "GZRaYvHS{EKBFjNi]wKeBjQVE@"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\duyJ = "pXMblZ~^aTCqd{XBj}}"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cgnhjoWafanN = "znRhUm^B\|FifUNB_VmpKjLbfen\\ntG_`"	windows_update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\VersionIndependentProgID	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cgnhjoWafanN = "znRhUm^B\|FifUNB_VmpKjLbfen\\ntG_b"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\gmosacbe = "TMWmH[bKBQe^v_GyD]h\x7fBBU"	windows_update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\TypeLib	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\duyJ = "pXMblZ~^aTCqd{XBj}}"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cgnhjoWafanN = "znRhUm^B\|FifUNB_VmpKjLbfen\\ntG_c"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\NkrhhZJa = "LxDkr^MFU_FMlfgXi@i"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\cgnhjoWafanN = "znRhUm^B\|FifUNB_VmpKjLbfen\\ntG_`"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\KupuXmX = "gNVKr\x7fnCf{STJPAt\|IBvCna"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\VersionIndependentProgID\ = "Microsoft.PhotoAcqHWEventHandler"	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\KupuXmX = "wNVKr\x7fnAv{STJPAV\|IBvCna"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\KupuXmX = "WNVKr\x7fn@V{STJPA^\\IBvCna"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\KupuXmX = "GNVKr\x7fnCF{STJPAKLIBvCna"	windows_update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ProgID	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\NkrhhZJa = "LxDkr^MFU_FMlfgXi@i"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ibecT = "GZRaYvHS{EKBFiJi]wKek@Oc^`"	windows_update.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\gmosacbe = "TMWmH[bKBQe^v_GyD]h\x7fBBU"	windows_update.exe

NTFS ADS 11 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	windows_update.exe

Runs .reg file with regedit 11 IoCs

pid	Process
2948	regedit.exe
3980	regedit.exe
3796	regedit.exe
3772	regedit.exe
4656	regedit.exe
2604	regedit.exe
3680	regedit.exe
2416	regedit.exe
1812	regedit.exe
3080	regedit.exe
3244	regedit.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: 33	2844	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2844	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Token: 33	2844	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2844	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
Token: 33	3984	windows_update.exe
Token: SeIncBasePriorityPrivilege	3984	windows_update.exe
Token: 33	3984	windows_update.exe
Token: SeIncBasePriorityPrivilege	3984	windows_update.exe
Token: 33	5048	windows_update.exe
Token: SeIncBasePriorityPrivilege	5048	windows_update.exe
Token: 33	5048	windows_update.exe
Token: SeIncBasePriorityPrivilege	5048	windows_update.exe
Token: 33	2336	windows_update.exe
Token: SeIncBasePriorityPrivilege	2336	windows_update.exe
Token: 33	2336	windows_update.exe
Token: SeIncBasePriorityPrivilege	2336	windows_update.exe
Token: 33	4772	windows_update.exe
Token: SeIncBasePriorityPrivilege	4772	windows_update.exe
Token: 33	4772	windows_update.exe
Token: SeIncBasePriorityPrivilege	4772	windows_update.exe
Token: 33	3324	windows_update.exe
Token: SeIncBasePriorityPrivilege	3324	windows_update.exe
Token: 33	3324	windows_update.exe
Token: SeIncBasePriorityPrivilege	3324	windows_update.exe
Token: 33	5032	windows_update.exe
Token: SeIncBasePriorityPrivilege	5032	windows_update.exe
Token: 33	5032	windows_update.exe
Token: SeIncBasePriorityPrivilege	5032	windows_update.exe
Token: 33	4240	windows_update.exe
Token: SeIncBasePriorityPrivilege	4240	windows_update.exe
Token: 33	4240	windows_update.exe
Token: SeIncBasePriorityPrivilege	4240	windows_update.exe
Token: 33	3560	windows_update.exe
Token: SeIncBasePriorityPrivilege	3560	windows_update.exe
Token: 33	3560	windows_update.exe
Token: SeIncBasePriorityPrivilege	3560	windows_update.exe
Token: 33	1460	windows_update.exe
Token: SeIncBasePriorityPrivilege	1460	windows_update.exe
Token: 33	1460	windows_update.exe
Token: SeIncBasePriorityPrivilege	1460	windows_update.exe
Token: 33	5076	windows_update.exe
Token: SeIncBasePriorityPrivilege	5076	windows_update.exe
Token: 33	5076	windows_update.exe
Token: SeIncBasePriorityPrivilege	5076	windows_update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2844 wrote to memory of 556	2844	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	88
PID 2844 wrote to memory of 556	2844	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	88
PID 2844 wrote to memory of 556	2844	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	88
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 2068 wrote to memory of 2844	2068	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	87
PID 556 wrote to memory of 3772	556	cmd.exe	89
PID 556 wrote to memory of 3772	556	cmd.exe	89
PID 556 wrote to memory of 3772	556	cmd.exe	89
PID 2844 wrote to memory of 676	2844	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	90
PID 2844 wrote to memory of 676	2844	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	90
PID 2844 wrote to memory of 676	2844	f52ef977885850cabe59782db6385a64_JaffaCakes118.exe	90
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 3984 wrote to memory of 4040	3984	windows_update.exe	92
PID 3984 wrote to memory of 4040	3984	windows_update.exe	92
PID 3984 wrote to memory of 4040	3984	windows_update.exe	92
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 676 wrote to memory of 3984	676	windows_update.exe	91
PID 4040 wrote to memory of 3080	4040	cmd.exe	93
PID 4040 wrote to memory of 3080	4040	cmd.exe	93
PID 4040 wrote to memory of 3080	4040	cmd.exe	93
PID 3984 wrote to memory of 2236	3984	windows_update.exe	100
PID 3984 wrote to memory of 2236	3984	windows_update.exe	100
PID 3984 wrote to memory of 2236	3984	windows_update.exe	100

C:\Users\Admin\AppData\Local\Temp\f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f52ef977885850cabe59782db6385a64_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\f52ef977885850cabe59782db6385a64_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f52ef977885850cabe59782db6385a64_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\a.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      4⤵
      Modifies security service
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:3772
- - C:\Windows\SysWOW64\windows_update.exe
    C:\Windows\system32\windows_update.exe 1444 "C:\Users\Admin\AppData\Local\Temp\f52ef977885850cabe59782db6385a64_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Windows\SysWOW64\windows_update.exe
      C:\Windows\system32\windows_update.exe 1444 "C:\Users\Admin\AppData\Local\Temp\f52ef977885850cabe59782db6385a64_JaffaCakes118.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4040
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:3080
    - - C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 1492 "C:\Windows\SysWOW64\windows_update.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236
      - C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 1492 "C:\Windows\SysWOW64\windows_update.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        8⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:3244
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 1484 "C:\Windows\SysWOW64\windows_update.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 1484 "C:\Windows\SysWOW64\windows_update.exe"
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:4656
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 1508 "C:\Windows\SysWOW64\windows_update.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 1508 "C:\Windows\SysWOW64\windows_update.exe"
        10⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2604
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 1504 "C:\Windows\SysWOW64\windows_update.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 1504 "C:\Windows\SysWOW64\windows_update.exe"
        12⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        14⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:3680
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 932 "C:\Windows\SysWOW64\windows_update.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 932 "C:\Windows\SysWOW64\windows_update.exe"
        14⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        16⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2948
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 1548 "C:\Windows\SysWOW64\windows_update.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 1548 "C:\Windows\SysWOW64\windows_update.exe"
        16⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        18⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2416
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 1500 "C:\Windows\SysWOW64\windows_update.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 1500 "C:\Windows\SysWOW64\windows_update.exe"
        18⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        20⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:3980
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 1560 "C:\Windows\SysWOW64\windows_update.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 1560 "C:\Windows\SysWOW64\windows_update.exe"
        20⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        22⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1812
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 1584 "C:\Windows\SysWOW64\windows_update.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\windows_update.exe
        
        C:\Windows\system32\windows_update.exe 1584 "C:\Windows\SysWOW64\windows_update.exe"
        22⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        24⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1020,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:8
1⤵
PID:3884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:C980DA7D

Filesize
105B

MD5
757bc6e8fa79f36cebd4d65ada04aad7

SHA1
119793f259af5d12f18e5cf7e54c8f6a1b2ee58b

SHA256
c26b19b3f9c6e9b31a34e735fb6958c2b80702dbc0b5ae8871bca01043b37805

SHA512
082ba480c945bf6728359b8dd36206b8fc89fbe909b7ee34772620d3134d84ff94d2ac09bd41dd2ae9847d76e79cf378cb5cf1e0924a3595bad0d5acd2cf95a4

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
105B

MD5
129b5a96eb927a9524cd369e407f3633

SHA1
253b6ad17771dcac278482672c1dd6d9a542ee37

SHA256
4a625efa593fef3127b5c0f61095ada0c4cd1be2a0de6d8cb2e75bb6367d5515

SHA512
19e58fce93e3ed23e156573bfcd390a97962bbd53a1ef9d30bbf758e2322451da261b0b6bfabd1baea62c94e574dd2bdebc9fd0723c56851fff9b1534b7cc42d

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
105B

MD5
f1ce15a79100d965477aac78cf712e5b

SHA1
01e8833b97eb72565b18f2207e85b34d06205b95

SHA256
1d4e2079af4f037040b5f122b69ab6c0196c741dc5eecf58bb8903a33e040275

SHA512
025603e93a727b198f7df014a36dc4f50e23dcd40d8b6982d00845bc8cb212dd91e3825c43c7c8a1325c2b785856ed1b4aa4bb49fa87b5f2a7546439cc2adaa1

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
105B

MD5
9c79da92a782fde58341adb2bb66fb83

SHA1
848e4541eb0c55ba4ef235676381b28303d4e6fd

SHA256
475dcdecb514bfd29f160d2c1fa3a21bf287f0ec9e30ad138b3616f32918d410

SHA512
04ef2c0e9756555c4f6ebd9c0d802ede0b99944af5a18a04726e5503b7d77a380c9a62d8e26595ef5d248284e6c0ff4532f541572ec9d1df851a08723889d9b3

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
105B

MD5
319e2b8559b5462a05f45874fde5c9e2

SHA1
32ef7e0dee3b1f60699c859fd2a5308899eba811

SHA256
eb591463568e1f4e8ef251f26a77655c5a91aa9336be055226b695a59e2813ca

SHA512
7b1ff9baff6bb3974e376dfa208c371db273da655bd21bd0dd5ed8a82c0ff62bb06771478bf80a7611c94966d2ec6f930733c8e23a4875601ae1c9d9dcbd2f2c

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
105B

MD5
b7bedd1f1832d7d6fc8acbce450cadf7

SHA1
8e9eb2e9b22f178bef9872ffb6c18ee1c16d0de0

SHA256
bb99d925ebd57cd3cd87501db33b12eec8a4bee9fce96b157cb9571f918ba19b

SHA512
4ab860e09240100b087bb963a9d71ad7ea18b09cc89e9dda5bf696987cb17b22c8bf8244a7a16a4614ea0baf0c02881d2913c2d14bd7a0375d61b29145953c0b

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
105B

MD5
141e98df2ecc705edd5726da7c51c05d

SHA1
8f6af71f5ddd6d2213fa7119a1e5713c407e87d6

SHA256
7b8f458080d03782f7a09eac7eb45bedf4a008c09057c09534f467d1d999802f

SHA512
d704e256aa0f6fb6ae4e689bd86fda70781b1d0fc80bcc918548713406f6a89e8100ff8cad2862c2dfedc60ef99315f069927ca251be8a05af52e12f1cf6ce4b

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
105B

MD5
9859826c974d0bc1f4f4bd017eb023ff

SHA1
efb48648e80d5e9733eed74c7c328e72a9c64883

SHA256
a5ac407ad2a2f657eca4c5bec54efaec1a491e3eb6012daa051bf93ea4f6d4ce

SHA512
d280c2c09ae064e48404b0b7373c7f39140fa04c603ef7a0e98691bea8bfa5e8238911cc0c24f0db7592d06a1f5f6a2b1779cec66400b8f010062b50a1db9f63

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
105B

MD5
b6f588ec3a5419fb66e1cd05c66d59b2

SHA1
b9b314d894bfe2874cd1ea6601585d4f21814313

SHA256
25b30522184e6626682b17c661d108212f65c146f2e5d6e9e7e01a5eb6f6ca34

SHA512
439a86169e7282981496b84c3d1af7429dfac0b6a9a23d69ecb6db6c88c31f9fa1255445d6f70dd2a06b9a637b2204fb5ecf2af2c9ccff719cb38dbda3e4c65d

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
105B

MD5
52f89d6b70001f1020a7f59e324dabd9

SHA1
99c05b55082d6da45698803d13bdeafeb56358f6

SHA256
d44be42a7165e9aeff087cc91da241c4f99733cf2742b3487726049b6054f25d

SHA512
b15434d5743a5188a8615f6acb5d98e72c8d3d2d34867cb259909c7215819594aa2bd253d4fd7295e622833b0d3fca1a93c7c829f1067e91feee829168f715ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
849B

MD5
558ce6da965ba1758d112b22e15aa5a2

SHA1
a365542609e4d1dc46be62928b08612fcabe2ede

SHA256
c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb

SHA512
37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
8a36f3bf3750851d8732b132fa330bb4

SHA1
1cb36be31f3d7d9439aac14af3d7a27f05a980eb

SHA256
5d88aebc1d13a61609ef057cb38dc9d7b0a04a47a7670a7591f40d1ea05b6ad9

SHA512
a822885389f3b12baed60b565646bed97aea1740e163e236ca3647fb63a9c15f6e21bc5ff92eb2d47bb6b1268c71ffb8e5e84006f3c04377d9d3a7c16434e646

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
117efa689c5631c1a1ee316f123182bd

SHA1
f477bf1e9f4db8452bd9fe314cd18715f7045689

SHA256
79ed2f9f9de900b4f0a4869fc5dd40f1dcfb11a3f50bd7a5f362b30fe51b52e7

SHA512
abe34afa94cca236205e9ea954b95a78c986612cebd847f5146f792c00a5c58ca1fdc55be2befd974b5be77b1b117e28d8c4996f34b41c78b653725f21da4671

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
c2d6056624c1d37b1baf4445d8705378

SHA1
90c0b48eca9016a7d07248ecdb7b93bf3e2f1a83

SHA256
3c20257f9e5c689af57f1dbfb8106351bf4cdfbbb922cf0beff34a2ca14f5a96

SHA512
d199ce15627b85d75c9c3ec5c91fa15b2f799975034e0bd0526c096f41afea4ff6d191a106f626044fbfae264e2b0f3776fde326fc0c2d0dc8d83de66adc7c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
748bce4dacebbbd388af154a1df22078

SHA1
0eeeb108678f819cd437d53b927feedf36aabc64

SHA256
1585c9ef77c37c064003bd746cd0a8da2523c99a10c3fb6eabd546e2a343646a

SHA512
d9756851b4aa1108416b7a77f0c6b84b599d695850d704a094a1f83b322d892ab6706001d5322e876b93935b830bcb52a951b4c69004ea2be338f64b85be2ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
e78a2688839aaee80b2bfdc4639329c5

SHA1
818a0dd05493b075a9f2eaf063e64d5a653f470a

SHA256
bd056b778b99213f8eb81f452e96f275da92f129457fae23da4e2986cf465a5d

SHA512
2821f753aa03221061be778aa9d5cffaee58fc0e1e712d8021894d91d963a3859e06afd6bd94ca6e23386e513d0be092e7b2e6a53439e14e4cbc75f5ccd97847

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
82fb85e6f9058c36d57abc2350ffee7e

SHA1
f52708d066380d42924513f697ab4ed5492f78b8

SHA256
0696a5c075674c13128a61fd02c3be39c68860dc24f3669415817d03c75415c6

SHA512
27c84e21ed39cc0ff6377d717b99ee444867eba7a74b878b30c8a7ec7df97003f02963399020abe09a73f4b6949c75580eb85067412f4ccdacc03e8caf5d966a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
1b2949b211ab497b739b1daf37cd4101

SHA1
12cad1063d28129ddd89e80acc2940f8dfbbaab3

SHA256
3e906a8373d1dfa40782f56710768abd4365933ad60f2ca9e974743c25b4cb6c

SHA512
a9e6555d435fe3e7a63059f20cd4c59531319421efcd90ca1d14498c28d9882ab0b7cd1af63dd50fa693b3b5a714db572d61867c56b86618423c7feaf043f2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
5e073629d751540b3512a229a7c56baf

SHA1
8d384f06bf3fe00d178514990ae39fc54d4e3941

SHA256
2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e

SHA512
84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
3637baf389a0d79b412adb2a7f1b7d09

SHA1
f4b011a72f59cf98a325f12b7e40ddd0548ccc16

SHA256
835336f5d468ac1d8361f9afbc8e69ff1538c51b0b619d641b4b41dcfaa39cba

SHA512
ea71a49c3673e9ce4f92d0f38441b3bc5b3b9ef6649caa21972648e34b6cec8694fa8fb7fc0ddad1e58f0464e0ba917c4500090a3db3fc07e1d258079c1c2506

Download Submit
C:\Windows\SysWOW64\windows_update.exe

Filesize
776KB

MD5
f52ef977885850cabe59782db6385a64

SHA1
094690ae6f4ae2ac651385dfb02099f62bea50a1

SHA256
eb67d9e27db06ea3749c7df09fa5815edd0d430e4da202072fc3c00026349c6d

SHA512
19d3e89cd276580d5b51e5deffc442459b610f30e0629a1f49748d89b4a26bdde6b1ddc5c8a6b779adcfb6f19cae318f668fafef0dca4fbb4330e00cd5920483

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
memory/632-1087-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/632-1096-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/676-264-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/676-280-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2068-134-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2068-0-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2076-675-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2076-689-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2236-401-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2236-415-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2336-422-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2336-421-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2336-550-0x00000000007A0000-0x0000000000834000-memory.dmp

Filesize
592KB

Download
memory/2336-537-0x00000000007A0000-0x0000000000834000-memory.dmp

Filesize
592KB

Download
memory/2336-407-0x00000000007A0000-0x0000000000834000-memory.dmp

Filesize
592KB

Download
memory/2336-425-0x00000000007A0000-0x0000000000834000-memory.dmp

Filesize
592KB

Download
memory/2336-424-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2336-423-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2336-420-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2844-15-0x0000000002210000-0x00000000022A4000-memory.dmp

Filesize
592KB

Download
memory/2844-132-0x0000000002210000-0x00000000022A4000-memory.dmp

Filesize
592KB

Download
memory/2844-3-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2844-4-0x0000000002210000-0x00000000022A4000-memory.dmp

Filesize
592KB

Download
memory/2844-9-0x0000000002210000-0x00000000022A4000-memory.dmp

Filesize
592KB

Download
memory/2844-11-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2844-12-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2844-10-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2844-14-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/2844-13-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/3984-146-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/3984-139-0x0000000002230000-0x00000000022C4000-memory.dmp

Filesize
592KB

Download
memory/3984-138-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/3984-277-0x0000000002230000-0x00000000022C4000-memory.dmp

Filesize
592KB

Download
memory/3984-147-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/3984-148-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/3984-149-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/3984-150-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/3984-262-0x0000000002230000-0x00000000022C4000-memory.dmp

Filesize
592KB

Download
memory/3984-151-0x0000000002230000-0x00000000022C4000-memory.dmp

Filesize
592KB

Download
memory/4064-950-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/4064-959-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/4132-1361-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/4132-1370-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/4512-1224-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/4512-1233-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/4520-538-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/4520-554-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/4608-829-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/4608-812-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/4772-559-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/4772-558-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/4772-557-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/4772-560-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/4772-544-0x0000000002240000-0x00000000022D4000-memory.dmp

Filesize
592KB

Download
memory/4772-561-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/5048-288-0x0000000002260000-0x00000000022F4000-memory.dmp

Filesize
592KB

Download
memory/5048-399-0x0000000002260000-0x00000000022F4000-memory.dmp

Filesize
592KB

Download
memory/5048-287-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/5048-285-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/5048-414-0x0000000002260000-0x00000000022F4000-memory.dmp

Filesize
592KB

Download
memory/5048-270-0x0000000002260000-0x00000000022F4000-memory.dmp

Filesize
592KB

Download
memory/5048-283-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/5048-286-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download
memory/5048-284-0x0000000000400000-0x000000000061F000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads