19ba596c9afab5f63bd263ea8e14b51185005eb3bbdc47837d126ba46eeaea26

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 22:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe
Size

342KB
MD5

07bf0d794610eab72b0ac85ed40aabf1
SHA1

eb1badb78457daab0d03fbeefbbbcc32c05a9e05
SHA256

19ba596c9afab5f63bd263ea8e14b51185005eb3bbdc47837d126ba46eeaea26
SHA512

6f9d793e5a109325065d48d37eac89ad60b28e154f1e1fcfb2284abe59363bc3ea50d95a06d4d17d1ae5b19811421307a7a2ae3ea57c98d879d8c9bc7cd5204c
SSDEEP

3072:WIDCldZsGbYS9fAgo3ji0IDCldZsGbYqVDrXhzlrOgkVDpBSqao9c3HwsanTdgyc:Wrv6W0rvX/eSqjc3HsTaxoq/cRzSZ

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\tgbi.exe -dwup"	tgbi.exe

Executes dropped EXE 49 IoCs

pid	Process
2304	tgbi.exe
1596	tgbi.exe
4776	tgbi.exe
2540	tgbi.exe
4060	tgbi.exe
1448	tgbi.exe
944	tgbi.exe
1120	tgbi.exe
4896	tgbi.exe
4008	tgbi.exe
3676	tgbi.exe
928	tgbi.exe
4960	tgbi.exe
1496	tgbi.exe
1784	tgbi.exe
2668	tgbi.exe
2316	tgbi.exe
2464	tgbi.exe
2380	tgbi.exe
3592	tgbi.exe
2912	tgbi.exe
972	tgbi.exe
1392	tgbi.exe
2032	tgbi.exe
2852	tgbi.exe
1708	tgbi.exe
4428	tgbi.exe
3256	tgbi.exe
5100	tgbi.exe
3768	tgbi.exe
748	tgbi.exe
4156	tgbi.exe
1376	tgbi.exe
4456	tgbi.exe
4408	tgbi.exe
3672	tgbi.exe
4224	tgbi.exe
3020	tgbi.exe
4276	tgbi.exe
2500	tgbi.exe
3932	tgbi.exe
220	tgbi.exe
4120	tgbi.exe
3624	tgbi.exe
1932	tgbi.exe
3384	tgbi.exe
4708	tgbi.exe
4712	tgbi.exe
4352	tgbi.exe

Suspicious use of SetThreadContext 25 IoCs

description	pid	Process	procid_target
PID 4588 set thread context of 4996	4588	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	82
PID 2304 set thread context of 1596	2304	tgbi.exe	84
PID 2540 set thread context of 4060	2540	tgbi.exe	87
PID 1448 set thread context of 944	1448	tgbi.exe	94
PID 1120 set thread context of 4896	1120	tgbi.exe	98
PID 4008 set thread context of 3676	4008	tgbi.exe	102
PID 928 set thread context of 4960	928	tgbi.exe	104
PID 1496 set thread context of 1784	1496	tgbi.exe	106
PID 2668 set thread context of 2316	2668	tgbi.exe	108
PID 2464 set thread context of 2380	2464	tgbi.exe	110
PID 3592 set thread context of 2912	3592	tgbi.exe	112
PID 972 set thread context of 1392	972	tgbi.exe	114
PID 2032 set thread context of 2852	2032	tgbi.exe	116
PID 1708 set thread context of 4428	1708	tgbi.exe	118
PID 3256 set thread context of 5100	3256	tgbi.exe	120
PID 3768 set thread context of 748	3768	tgbi.exe	122
PID 4156 set thread context of 1376	4156	tgbi.exe	124
PID 4456 set thread context of 4408	4456	tgbi.exe	126
PID 3672 set thread context of 4224	3672	tgbi.exe	128
PID 3020 set thread context of 4276	3020	tgbi.exe	130
PID 2500 set thread context of 3932	2500	tgbi.exe	132
PID 220 set thread context of 4120	220	tgbi.exe	134
PID 3624 set thread context of 1932	3624	tgbi.exe	136
PID 3384 set thread context of 4708	3384	tgbi.exe	138
PID 4712 set thread context of 4352	4712	tgbi.exe	140

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgbi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4996	4588	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	82
PID 4588 wrote to memory of 4996	4588	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	82
PID 4588 wrote to memory of 4996	4588	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	82
PID 4588 wrote to memory of 4996	4588	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	82
PID 4588 wrote to memory of 4996	4588	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	82
PID 4588 wrote to memory of 4996	4588	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	82
PID 4588 wrote to memory of 4996	4588	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	82
PID 4588 wrote to memory of 4996	4588	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	82
PID 4996 wrote to memory of 2304	4996	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	83
PID 4996 wrote to memory of 2304	4996	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	83
PID 4996 wrote to memory of 2304	4996	07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe	83
PID 2304 wrote to memory of 1596	2304	tgbi.exe	84
PID 2304 wrote to memory of 1596	2304	tgbi.exe	84
PID 2304 wrote to memory of 1596	2304	tgbi.exe	84
PID 2304 wrote to memory of 1596	2304	tgbi.exe	84
PID 2304 wrote to memory of 1596	2304	tgbi.exe	84
PID 2304 wrote to memory of 1596	2304	tgbi.exe	84
PID 2304 wrote to memory of 1596	2304	tgbi.exe	84
PID 2304 wrote to memory of 1596	2304	tgbi.exe	84
PID 1596 wrote to memory of 4776	1596	tgbi.exe	85
PID 1596 wrote to memory of 4776	1596	tgbi.exe	85
PID 1596 wrote to memory of 4776	1596	tgbi.exe	85
PID 1596 wrote to memory of 4776	1596	tgbi.exe	85
PID 1596 wrote to memory of 4776	1596	tgbi.exe	85
PID 4776 wrote to memory of 2540	4776	tgbi.exe	86
PID 4776 wrote to memory of 2540	4776	tgbi.exe	86
PID 4776 wrote to memory of 2540	4776	tgbi.exe	86
PID 2540 wrote to memory of 4060	2540	tgbi.exe	87
PID 2540 wrote to memory of 4060	2540	tgbi.exe	87
PID 2540 wrote to memory of 4060	2540	tgbi.exe	87
PID 2540 wrote to memory of 4060	2540	tgbi.exe	87
PID 2540 wrote to memory of 4060	2540	tgbi.exe	87
PID 2540 wrote to memory of 4060	2540	tgbi.exe	87
PID 2540 wrote to memory of 4060	2540	tgbi.exe	87
PID 2540 wrote to memory of 4060	2540	tgbi.exe	87
PID 4776 wrote to memory of 1448	4776	tgbi.exe	92
PID 4776 wrote to memory of 1448	4776	tgbi.exe	92
PID 4776 wrote to memory of 1448	4776	tgbi.exe	92
PID 1448 wrote to memory of 944	1448	tgbi.exe	94
PID 1448 wrote to memory of 944	1448	tgbi.exe	94
PID 1448 wrote to memory of 944	1448	tgbi.exe	94
PID 1448 wrote to memory of 944	1448	tgbi.exe	94
PID 1448 wrote to memory of 944	1448	tgbi.exe	94
PID 1448 wrote to memory of 944	1448	tgbi.exe	94
PID 1448 wrote to memory of 944	1448	tgbi.exe	94
PID 1448 wrote to memory of 944	1448	tgbi.exe	94
PID 4776 wrote to memory of 1120	4776	tgbi.exe	97
PID 4776 wrote to memory of 1120	4776	tgbi.exe	97
PID 4776 wrote to memory of 1120	4776	tgbi.exe	97
PID 1120 wrote to memory of 4896	1120	tgbi.exe	98
PID 1120 wrote to memory of 4896	1120	tgbi.exe	98
PID 1120 wrote to memory of 4896	1120	tgbi.exe	98
PID 1120 wrote to memory of 4896	1120	tgbi.exe	98
PID 1120 wrote to memory of 4896	1120	tgbi.exe	98
PID 1120 wrote to memory of 4896	1120	tgbi.exe	98
PID 1120 wrote to memory of 4896	1120	tgbi.exe	98
PID 1120 wrote to memory of 4896	1120	tgbi.exe	98
PID 4776 wrote to memory of 4008	4776	tgbi.exe	101
PID 4776 wrote to memory of 4008	4776	tgbi.exe	101
PID 4776 wrote to memory of 4008	4776	tgbi.exe	101
PID 4008 wrote to memory of 3676	4008	tgbi.exe	102
PID 4008 wrote to memory of 3676	4008	tgbi.exe	102
PID 4008 wrote to memory of 3676	4008	tgbi.exe	102
PID 4008 wrote to memory of 3676	4008	tgbi.exe	102

C:\Users\Admin\AppData\Local\Temp\07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\AppData\Local\Temp\07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Users\Admin\AppData\Roaming\tgbi.exe
    C:\Users\Admin\AppData\Local\Temp\07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe -dwup
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Users\Admin\AppData\Roaming\tgbi.exe
      C:\Users\Admin\AppData\Local\Temp\07bf0d794610eab72b0ac85ed40aabf1_JaffaCakes118.exe -dwup
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4776
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:4060
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:944
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:4896
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:3676
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:4960
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:1784
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:2316
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:2380
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:2912
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:1392
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:2852
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:4428
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:5100
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:748
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:1376
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:4408
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:4224
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:4276
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:3932
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:4120
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:1932
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:4708
      - C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        
        C:\Users\Admin\AppData\Roaming\tgbi.exe
        7⤵
        Executes dropped EXE
        
        PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\tgbi.exe

Filesize
342KB

MD5
07bf0d794610eab72b0ac85ed40aabf1

SHA1
eb1badb78457daab0d03fbeefbbbcc32c05a9e05

SHA256
19ba596c9afab5f63bd263ea8e14b51185005eb3bbdc47837d126ba46eeaea26

SHA512
6f9d793e5a109325065d48d37eac89ad60b28e154f1e1fcfb2284abe59363bc3ea50d95a06d4d17d1ae5b19811421307a7a2ae3ea57c98d879d8c9bc7cd5204c

Download Submit
memory/944-35-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1596-22-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1596-15-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1596-16-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1596-51-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1784-63-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2316-69-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2380-76-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2912-83-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3676-49-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4060-28-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4776-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4776-19-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4896-42-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4960-56-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4996-2-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4996-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4996-3-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads