d0772a8be491a0176211e41812314a98e61ebd0cfeecc6636c6b691b8f8a2b4d

Analysis

max time kernel
15s
max time network
20s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 17:52

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

f8e9313f9c993e3ff4754c28725d7a5f_JaffaCakes118.msi
Size

17.8MB
MD5

f8e9313f9c993e3ff4754c28725d7a5f
SHA1

e56349d04381300475e1576ee4bde081e39141af
SHA256

d0772a8be491a0176211e41812314a98e61ebd0cfeecc6636c6b691b8f8a2b4d
SHA512

4bd82421566247e31a1c2b3d9244f8a99a1d380efcba55f7c0172256c503b2a98b1e892db9ec39317d3749daf8856156a0c4c23815df8f340583ff961258bef4
SSDEEP

393216:3n50SkxQKakQGVE2D5MFtca9r1wWZveUS3ax6Q3jqbjVPiJXVyE:pu5akHVEc5ULjwWZveUs8jq3VKJXx

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\npf.sys	update.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	MSIAEF3.tmp

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pthreadVC.dll	update.exe
File created	C:\Windows\SysWOW64\wpcap.dll	update.exe
File created	C:\Windows\SysWOW64\Packet.dll	update.exe
File created	C:\Windows\system32\wpcap.dll	update.exe
File created	C:\Windows\system32\Packet.dll	update.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WinPcap\rpcapd.exe	update.exe
File created	C:\Program Files\WinPcap\LICENSE	update.exe
File created	C:\Program Files\WinPcap\uninstall.exe	update.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIAEF3.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{40360E66-1CE1-4EB2-A89A-697A94459BA9}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAB26.tmp	msiexec.exe
File created	C:\Windows\Installer\e57a901.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57a901.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIABB5.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAB85.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAC71.tmp	msiexec.exe
File created	C:\Windows\sysupdate.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA9BD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAB16.tmp	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
2484	MSIAEF3.tmp
2220	instsrv.exe
4536	update.exe

Loads dropped DLL 10 IoCs

pid	Process
1664	MsiExec.exe
1664	MsiExec.exe
1664	MsiExec.exe
1664	MsiExec.exe
1664	MsiExec.exe
4536	update.exe
4536	update.exe
4536	update.exe
4536	update.exe
4536	update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3672	msiexec.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIAEF3.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	instsrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023539-171.dat	nsis_installer_1
behavioral2/files/0x0007000000023539-171.dat	nsis_installer_2

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "58"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3160	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3292	msiexec.exe
3292	msiexec.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3672	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3672	msiexec.exe
Token: SeSecurityPrivilege	3292	msiexec.exe
Token: SeCreateTokenPrivilege	3672	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3672	msiexec.exe
Token: SeLockMemoryPrivilege	3672	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3672	msiexec.exe
Token: SeMachineAccountPrivilege	3672	msiexec.exe
Token: SeTcbPrivilege	3672	msiexec.exe
Token: SeSecurityPrivilege	3672	msiexec.exe
Token: SeTakeOwnershipPrivilege	3672	msiexec.exe
Token: SeLoadDriverPrivilege	3672	msiexec.exe
Token: SeSystemProfilePrivilege	3672	msiexec.exe
Token: SeSystemtimePrivilege	3672	msiexec.exe
Token: SeProfSingleProcessPrivilege	3672	msiexec.exe
Token: SeIncBasePriorityPrivilege	3672	msiexec.exe
Token: SeCreatePagefilePrivilege	3672	msiexec.exe
Token: SeCreatePermanentPrivilege	3672	msiexec.exe
Token: SeBackupPrivilege	3672	msiexec.exe
Token: SeRestorePrivilege	3672	msiexec.exe
Token: SeShutdownPrivilege	3672	msiexec.exe
Token: SeDebugPrivilege	3672	msiexec.exe
Token: SeAuditPrivilege	3672	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3672	msiexec.exe
Token: SeChangeNotifyPrivilege	3672	msiexec.exe
Token: SeRemoteShutdownPrivilege	3672	msiexec.exe
Token: SeUndockPrivilege	3672	msiexec.exe
Token: SeSyncAgentPrivilege	3672	msiexec.exe
Token: SeEnableDelegationPrivilege	3672	msiexec.exe
Token: SeManageVolumePrivilege	3672	msiexec.exe
Token: SeImpersonatePrivilege	3672	msiexec.exe
Token: SeCreateGlobalPrivilege	3672	msiexec.exe
Token: SeRestorePrivilege	3292	msiexec.exe
Token: SeTakeOwnershipPrivilege	3292	msiexec.exe
Token: SeRestorePrivilege	3292	msiexec.exe
Token: SeTakeOwnershipPrivilege	3292	msiexec.exe
Token: SeRestorePrivilege	3292	msiexec.exe
Token: SeTakeOwnershipPrivilege	3292	msiexec.exe
Token: SeRestorePrivilege	3292	msiexec.exe
Token: SeTakeOwnershipPrivilege	3292	msiexec.exe
Token: SeRestorePrivilege	3292	msiexec.exe
Token: SeTakeOwnershipPrivilege	3292	msiexec.exe
Token: SeRestorePrivilege	3292	msiexec.exe
Token: SeTakeOwnershipPrivilege	3292	msiexec.exe
Token: SeRestorePrivilege	3292	msiexec.exe
Token: SeTakeOwnershipPrivilege	3292	msiexec.exe
Token: SeRestorePrivilege	3292	msiexec.exe
Token: SeTakeOwnershipPrivilege	3292	msiexec.exe
Token: SeRestorePrivilege	3292	msiexec.exe
Token: SeTakeOwnershipPrivilege	3292	msiexec.exe
Token: SeRestorePrivilege	3292	msiexec.exe
Token: SeTakeOwnershipPrivilege	3292	msiexec.exe
Token: SeShutdownPrivilege	3292	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3672	msiexec.exe
3672	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4828	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 1664	3292	msiexec.exe	84
PID 3292 wrote to memory of 1664	3292	msiexec.exe	84
PID 3292 wrote to memory of 1664	3292	msiexec.exe	84
PID 3292 wrote to memory of 2484	3292	msiexec.exe	85
PID 3292 wrote to memory of 2484	3292	msiexec.exe	85
PID 3292 wrote to memory of 2484	3292	msiexec.exe	85
PID 2484 wrote to memory of 4792	2484	MSIAEF3.tmp	86
PID 2484 wrote to memory of 4792	2484	MSIAEF3.tmp	86
PID 2484 wrote to memory of 4792	2484	MSIAEF3.tmp	86
PID 4792 wrote to memory of 2220	4792	cmd.exe	88
PID 4792 wrote to memory of 2220	4792	cmd.exe	88
PID 4792 wrote to memory of 2220	4792	cmd.exe	88
PID 4792 wrote to memory of 3160	4792	cmd.exe	89
PID 4792 wrote to memory of 3160	4792	cmd.exe	89
PID 4792 wrote to memory of 3160	4792	cmd.exe	89
PID 4792 wrote to memory of 4536	4792	cmd.exe	90
PID 4792 wrote to memory of 4536	4792	cmd.exe	90
PID 4792 wrote to memory of 4536	4792	cmd.exe	90
PID 4536 wrote to memory of 2140	4536	update.exe	91
PID 4536 wrote to memory of 2140	4536	update.exe	91
PID 4536 wrote to memory of 2140	4536	update.exe	91
PID 2140 wrote to memory of 1460	2140	net.exe	93
PID 2140 wrote to memory of 1460	2140	net.exe	93
PID 2140 wrote to memory of 1460	2140	net.exe	93
PID 4536 wrote to memory of 3748	4536	update.exe	94
PID 4536 wrote to memory of 3748	4536	update.exe	94
PID 4536 wrote to memory of 3748	4536	update.exe	94
PID 3748 wrote to memory of 1960	3748	net.exe	96
PID 3748 wrote to memory of 1960	3748	net.exe	96
PID 3748 wrote to memory of 1960	3748	net.exe	96
PID 1664 wrote to memory of 4400	1664	MsiExec.exe	97
PID 1664 wrote to memory of 4400	1664	MsiExec.exe	97
PID 1664 wrote to memory of 4400	1664	MsiExec.exe	97
PID 1664 wrote to memory of 4524	1664	MsiExec.exe	99
PID 1664 wrote to memory of 4524	1664	MsiExec.exe	99
PID 1664 wrote to memory of 4524	1664	MsiExec.exe	99
PID 1664 wrote to memory of 1048	1664	MsiExec.exe	101
PID 1664 wrote to memory of 1048	1664	MsiExec.exe	101
PID 1664 wrote to memory of 1048	1664	MsiExec.exe	101
PID 1664 wrote to memory of 2168	1664	MsiExec.exe	103
PID 1664 wrote to memory of 2168	1664	MsiExec.exe	103
PID 1664 wrote to memory of 2168	1664	MsiExec.exe	103
PID 1664 wrote to memory of 4324	1664	MsiExec.exe	105
PID 1664 wrote to memory of 4324	1664	MsiExec.exe	105
PID 1664 wrote to memory of 4324	1664	MsiExec.exe	105
PID 1664 wrote to memory of 5112	1664	MsiExec.exe	107
PID 1664 wrote to memory of 5112	1664	MsiExec.exe	107
PID 1664 wrote to memory of 5112	1664	MsiExec.exe	107
PID 1664 wrote to memory of 1132	1664	MsiExec.exe	109
PID 1664 wrote to memory of 1132	1664	MsiExec.exe	109
PID 1664 wrote to memory of 1132	1664	MsiExec.exe	109
PID 1664 wrote to memory of 208	1664	MsiExec.exe	111
PID 1664 wrote to memory of 208	1664	MsiExec.exe	111
PID 1664 wrote to memory of 208	1664	MsiExec.exe	111
PID 1664 wrote to memory of 1752	1664	MsiExec.exe	113
PID 1664 wrote to memory of 1752	1664	MsiExec.exe	113
PID 1664 wrote to memory of 1752	1664	MsiExec.exe	113
PID 1664 wrote to memory of 2004	1664	MsiExec.exe	115
PID 1664 wrote to memory of 2004	1664	MsiExec.exe	115
PID 1664 wrote to memory of 2004	1664	MsiExec.exe	115
PID 1664 wrote to memory of 5020	1664	MsiExec.exe	117
PID 1664 wrote to memory of 5020	1664	MsiExec.exe	117
PID 1664 wrote to memory of 5020	1664	MsiExec.exe	117
PID 1664 wrote to memory of 32	1664	MsiExec.exe	119

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\f8e9313f9c993e3ff4754c28725d7a5f_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3672

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B9A84278BC84180BD83B8D6BE99FB8EB
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4400
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4524
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1048
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2168
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4324
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5112
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1132
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:208
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1752
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2004
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5020
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:32
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3452
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2260
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8443 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:436
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5036
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4064
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4328
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3040
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2540
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1648
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4792
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4008
- C:\Windows\Installer\MSIAEF3.tmp
  "C:\Windows\Installer\MSIAEF3.tmp" /HideWindow "C:\Msupdate\service.bat"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Msupdate\service.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - \??\c:\Msupdate\instsrv.exe
      c:\Msupdate\instsrv.exe Msupdate c:\Msupdate\srvany.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2220
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s 1.reg
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:3160
  - - C:\Msupdate\update.exe
      update.exe /S
      4⤵
      Drops file in Drivers directory
      Drops file in System32 directory
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4536
    - - C:\Windows\SysWOW64\net.exe
        
        net stop npf
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2140
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop npf
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1460
    - - C:\Windows\SysWOW64\net.exe
        
        net start npf
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3748
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start npf
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1960

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b1855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57a904.rbs

Filesize
17KB

MD5
970a52a3a1b0803306691ed35cb724d6

SHA1
1b696ec2617aeea2db24d9cb58f445e9139f3422

SHA256
dfa9ce8ae5199eec492a9837aa91ba45a534e290f011eb07cbf658919ac390c4

SHA512
7bc2a2a22d6ee30a664cf04fae947befafa23e2af01ebb5616b5c1cfe082c9578e3c897418ba0b4d0a37ebcf7e5f198934e0ba93d05abff6c0718be43d83ef31

Download Submit
C:\Msupdate\1.reg

Filesize
416B

MD5
8dacf3ded9159fb1f5b065215e1fd8aa

SHA1
0c43e91b996ca72b75a02de3f85a695ded7a4a5e

SHA256
1d5766733fdbeb1ecd8ddc4c49634d96024398621a55f3de9d20dbdc9f3c24c5

SHA512
a682ce938d8ecb78fd93e085c35f868968ad9e94b571fcf4de3c007314dfa5495304e31f643f8f3df2f553dadd6cc65f932479103c7570c4ba9939839d6eb0c6

Download Submit
C:\Msupdate\instsrv.exe

Filesize
31KB

MD5
9f7acaad365af0d1a3cd9261e3208b9b

SHA1
b4c7049562e770093e707ac1329cb37ad6313a37

SHA256
f7b0a444b590eb8a6b46cedf544bcb3117c85cab02b599b45d61b8a590095c9c

SHA512
6847bb10cf08f7e594907b5d160768e60468b14a62cdd87ad33dcc0bc2b523549c1c91e9854069ca11ee074e43a6f41f11351201626922c02aaea41fd32c2a54

Download Submit
C:\Msupdate\service.bat

Filesize
88B

MD5
b10428f1774d2caa81092891a980f9e7

SHA1
6fb6df8cb4d293c0e0264c83d97f016fbb0da926

SHA256
884abdf05624ab4d76db2e35720014a616378d299a8c64ab3743d9320258886c

SHA512
9412ac38e876f9232172c6ff6d890dd0c2d1258126bf712602a9e5795ed52aadebad113fc0b985557b615f6305b704ce19bb3440942ee02f56b06793cb4ee105

Download Submit
C:\Msupdate\update.exe

Filesize
422KB

MD5
c6f1d4a6cccd04e4b15a96942372d5f7

SHA1
2f79839fe5cb740f21b29dae3181f43c1ae9de9c

SHA256
89b74dc79f229b0488bf43b552da9f84864a6a38c11039898e4f9d854411a26e

SHA512
1ce87f5b4b0897a6a4cd4d9a58548db47d335eba860714598b297a939e476edc6a8b3e597b71ee92e655857c2320f5812e375da4d67d503e70623f6828eb2119

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB112.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB112.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
C:\Windows\Installer\MSIA9BD.tmp

Filesize
243KB

MD5
aaab8d3f7e9e8f143a17a0d15a1d1715

SHA1
8aca4e362e4cdc68c2f8f8f35f200126716f9c74

SHA256
fd3d6c50c3524063f7c28f815838e0fb06fd4ebff094e7b88902334abd463889

SHA512
1999224f57cd453d5d4d7d678144e0b719290ae925bb3574ce28ae787dc406a6b3df8e44475b12b9cdc0ff43d2979f626f08291304c66cdca536cd1897715c9a

Download Submit
C:\Windows\Installer\MSIAB85.tmp

Filesize
380KB

MD5
3eb31b9a689d506f3b1d3738d28ab640

SHA1
1681fe3bbdcbe617a034b092ea77249dd4c3e986

SHA256
3a7d9cdd6be9ce0e4d01e9894242b497536336bf1850fb0a814a369c8a189c46

SHA512
2598e39f4fd139775bbb040218af802db722d4dca99a4230edfde282362b433c5e30c15d5385063aa76bff916031b0e43586ef05d2ada4edc3c1410371b98e09

Download Submit
C:\Windows\Installer\MSIAEF3.tmp

Filesize
17KB

MD5
73c578ca2383a2e7f4687cdee410aefe

SHA1
431b7de3091245b3affbf1911da17a6964b813dc

SHA256
67fdafaf7c115fab48e50b3031f8b7f599770ca333321ded1dcb24db06fe6db1

SHA512
915d88ec68e061c880f319345a4e5d709b4e789b5cc3c6a1c84fd83cc95fe765ef7324a722abf8935f2f8567bffbb3ede9e78fb4baa3f004118959f7ae7f43dd

Download Submit
\??\c:\Msupdate\srvany.exe

Filesize
8KB

MD5
4635935fc972c582632bf45c26bfcb0e

SHA1
7c5329229042535fe56e74f1f246c6da8cea3be8

SHA256
abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1

SHA512
167503133b5a0ebd9f8b2971bca120e902497eb21542d6a1f94e52ae8e5b6bde1e4cae1a2c905870a00d772e0df35f808701e2cfbd26dcbb130a5573fa590060

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads