c0b3c302ae07173caa57c15bbd9e2cb965ffeb75ce22985d9c8f40753a02b6a4

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

093def93805452c55701297283764791_JaffaCakes118.exe
Size

346KB
MD5

093def93805452c55701297283764791
SHA1

be1fa6851dd554d5f3d49877824a7fca35b5f591
SHA256

c0b3c302ae07173caa57c15bbd9e2cb965ffeb75ce22985d9c8f40753a02b6a4
SHA512

8a3185100bfab093d69cdd4589e74eae59fcd297c6e1124bc4a095f105356a3137fed2510f1735f058da70b84356075504422e78b561d809eb4a98446368575e
SSDEEP

6144:qYl4NNIcW4xSj6fYAAPWaTVvMo492aUjHt:nWNNIn4e6QUoj

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3024	powershell.exe
2988	powershell.exe
2216	powershell.exe
2752	powershell.exe
2732	powershell.exe
2636	powershell.exe
1584	powershell.exe
2472	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
1332	svchost64.exe
1604	services64.exe
2080	svchost64.exe
1868	sihost64.exe

Loads dropped DLL 4 IoCs

pid	Process
1800	cmd.exe
1332	svchost64.exe
2272	cmd.exe
2080	svchost64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
10	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	svchost64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	svchost64.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1248	schtasks.exe
884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2216	powershell.exe
2752	powershell.exe
2732	powershell.exe
2636	powershell.exe
1332	svchost64.exe
1584	powershell.exe
2472	powershell.exe
3024	powershell.exe
2988	powershell.exe
2080	svchost64.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1332	svchost64.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2080	svchost64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2152	1692	093def93805452c55701297283764791_JaffaCakes118.exe	30
PID 1692 wrote to memory of 2152	1692	093def93805452c55701297283764791_JaffaCakes118.exe	30
PID 1692 wrote to memory of 2152	1692	093def93805452c55701297283764791_JaffaCakes118.exe	30
PID 2152 wrote to memory of 2216	2152	cmd.exe	32
PID 2152 wrote to memory of 2216	2152	cmd.exe	32
PID 2152 wrote to memory of 2216	2152	cmd.exe	32
PID 2152 wrote to memory of 2752	2152	cmd.exe	34
PID 2152 wrote to memory of 2752	2152	cmd.exe	34
PID 2152 wrote to memory of 2752	2152	cmd.exe	34
PID 2152 wrote to memory of 2732	2152	cmd.exe	35
PID 2152 wrote to memory of 2732	2152	cmd.exe	35
PID 2152 wrote to memory of 2732	2152	cmd.exe	35
PID 2152 wrote to memory of 2636	2152	cmd.exe	36
PID 2152 wrote to memory of 2636	2152	cmd.exe	36
PID 2152 wrote to memory of 2636	2152	cmd.exe	36
PID 1692 wrote to memory of 1800	1692	093def93805452c55701297283764791_JaffaCakes118.exe	37
PID 1692 wrote to memory of 1800	1692	093def93805452c55701297283764791_JaffaCakes118.exe	37
PID 1692 wrote to memory of 1800	1692	093def93805452c55701297283764791_JaffaCakes118.exe	37
PID 1800 wrote to memory of 1332	1800	cmd.exe	39
PID 1800 wrote to memory of 1332	1800	cmd.exe	39
PID 1800 wrote to memory of 1332	1800	cmd.exe	39
PID 1332 wrote to memory of 1696	1332	svchost64.exe	40
PID 1332 wrote to memory of 1696	1332	svchost64.exe	40
PID 1332 wrote to memory of 1696	1332	svchost64.exe	40
PID 1696 wrote to memory of 1248	1696	cmd.exe	42
PID 1696 wrote to memory of 1248	1696	cmd.exe	42
PID 1696 wrote to memory of 1248	1696	cmd.exe	42
PID 1332 wrote to memory of 1604	1332	svchost64.exe	43
PID 1332 wrote to memory of 1604	1332	svchost64.exe	43
PID 1332 wrote to memory of 1604	1332	svchost64.exe	43
PID 1332 wrote to memory of 1252	1332	svchost64.exe	45
PID 1332 wrote to memory of 1252	1332	svchost64.exe	45
PID 1332 wrote to memory of 1252	1332	svchost64.exe	45
PID 1604 wrote to memory of 1908	1604	services64.exe	44
PID 1604 wrote to memory of 1908	1604	services64.exe	44
PID 1604 wrote to memory of 1908	1604	services64.exe	44
PID 1908 wrote to memory of 1584	1908	cmd.exe	48
PID 1908 wrote to memory of 1584	1908	cmd.exe	48
PID 1908 wrote to memory of 1584	1908	cmd.exe	48
PID 1252 wrote to memory of 1756	1252	cmd.exe	49
PID 1252 wrote to memory of 1756	1252	cmd.exe	49
PID 1252 wrote to memory of 1756	1252	cmd.exe	49
PID 1908 wrote to memory of 2472	1908	cmd.exe	50
PID 1908 wrote to memory of 2472	1908	cmd.exe	50
PID 1908 wrote to memory of 2472	1908	cmd.exe	50
PID 1908 wrote to memory of 3024	1908	cmd.exe	51
PID 1908 wrote to memory of 3024	1908	cmd.exe	51
PID 1908 wrote to memory of 3024	1908	cmd.exe	51
PID 1908 wrote to memory of 2988	1908	cmd.exe	52
PID 1908 wrote to memory of 2988	1908	cmd.exe	52
PID 1908 wrote to memory of 2988	1908	cmd.exe	52
PID 1604 wrote to memory of 2272	1604	services64.exe	53
PID 1604 wrote to memory of 2272	1604	services64.exe	53
PID 1604 wrote to memory of 2272	1604	services64.exe	53
PID 2272 wrote to memory of 2080	2272	cmd.exe	55
PID 2272 wrote to memory of 2080	2272	cmd.exe	55
PID 2272 wrote to memory of 2080	2272	cmd.exe	55
PID 2080 wrote to memory of 2292	2080	svchost64.exe	56
PID 2080 wrote to memory of 2292	2080	svchost64.exe	56
PID 2080 wrote to memory of 2292	2080	svchost64.exe	56
PID 2080 wrote to memory of 1868	2080	svchost64.exe	58
PID 2080 wrote to memory of 1868	2080	svchost64.exe	58
PID 2080 wrote to memory of 1868	2080	svchost64.exe	58
PID 2292 wrote to memory of 884	2292	cmd.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\093def93805452c55701297283764791_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\093def93805452c55701297283764791_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\system32\cmd.exe
  "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\093def93805452c55701297283764791_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\svchost64.exe
    C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\093def93805452c55701297283764791_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1248
  - - C:\Users\Admin\AppData\Roaming\services64.exe
      "C:\Users\Admin\AppData\Roaming\services64.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1908
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Roaming\services64.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Users\Admin\AppData\Local\Temp\svchost64.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Roaming\services64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        7⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
        7⤵
        
        PID:2068
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:844
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1252
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2de77051c4dfe1289769349d4a0b9f6a

SHA1
25b41aea628f28359730e2e96eda5527350affcf

SHA256
43629a5e81764214ab3aeb8d9e851ee32b3403cd9f67774287f6219d792c6ada

SHA512
ae9a819faf1d7a87e96f6451c9e0b925ae79fbf7ff1c360a3ca122c585f9136981e3eb73f4775f2e96016ad8f7e4fbea1f00017103644d1f5717c64ce65d8511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4CAC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4CFD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
eb28166fc81d7036ea06c6b73d20c621

SHA1
8fb95a58c48ebd38cf0e83539f189727024bda1d

SHA256
afbc20ee4f7de9b1769af0f664b7e0d5c966666518f0d274a972765c559af6c5

SHA512
ab7253916f92061e15728b3a3753dbd090dd9503034da0e2ed7a7fbcee71b01fcf46b41aaa6dd26c540e9dd9ba8b99151de3f4e82cc1441df5f22b88bb670149

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6d848bb191eb9405089af3f0dd7da9f0

SHA1
866a9fb1a2da3b0b8a2bb829283786fb7b020e3e

SHA256
c3397a1b1b16c8f044f9a1b9a58fddddc17e38f44529223a683a3c74b504a1b0

SHA512
a84c1d2f98618633eade4a3b70e6e89082408487b3bac0bb00acd3632de763967ca88dcd2ff2d3ff21e3651358f58f4dd95fa7ccc3d3b5b411609d9b3303d020

Download Submit
\Users\Admin\AppData\Local\Temp\svchost64.exe

Filesize
153KB

MD5
384b832bc2c17307425051058760d122

SHA1
878cb6bfa5b5226828fe467d5f5926181896322d

SHA256
a594576131ba456c3fb5fbe298436b7b8a67d42c828fbd828b1c0fbc04ead888

SHA512
c6313d6e5dc5a075ec2f7dce81af72bf107089c8d82b62d0a7fe2a77ed2ca6010c1dcf6b294dff10bebef9c93eb2030707f81c177f49292e54f60fbf7f3199d4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
61KB

MD5
59abdd1bed27334c1e381b57d17ef79e

SHA1
50f87d372a6baea872fb98bb95b84acc764bf9d8

SHA256
0ded18715b8ac6632e91175af38d8c49cd188f5fe52274ef5e567238340b602e

SHA512
7b7a8adf8df2fdb25e084e9727d977f34bd085eae4ee65171c4d9f9c0a678545900e11ddd413dab2a7be03dbfe281a5c6596c3ca4b91f37d083df87a47472222

Download Submit
\Users\Admin\AppData\Roaming\services64.exe

Filesize
346KB

MD5
093def93805452c55701297283764791

SHA1
be1fa6851dd554d5f3d49877824a7fca35b5f591

SHA256
c0b3c302ae07173caa57c15bbd9e2cb965ffeb75ce22985d9c8f40753a02b6a4

SHA512
8a3185100bfab093d69cdd4589e74eae59fcd297c6e1124bc4a095f105356a3137fed2510f1735f058da70b84356075504422e78b561d809eb4a98446368575e

Download Submit
memory/1332-42-0x0000000000140000-0x0000000000158000-memory.dmp

Filesize
96KB

Download
memory/1332-41-0x000000013FA40000-0x000000013FA6C000-memory.dmp

Filesize
176KB

Download
memory/1604-49-0x000000013FE90000-0x000000013FEEA000-memory.dmp

Filesize
360KB

Download
memory/1692-1-0x000000013F4F0000-0x000000013F54A000-memory.dmp

Filesize
360KB

Download
memory/1692-6-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/1692-33-0x000007FEF5E53000-0x000007FEF5E54000-memory.dmp

Filesize
4KB

Download
memory/1692-34-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/1692-36-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

Filesize
9.9MB

Download
memory/1692-0-0x000007FEF5E53000-0x000007FEF5E54000-memory.dmp

Filesize
4KB

Download
memory/1868-85-0x0000000000860000-0x0000000000866000-memory.dmp

Filesize
24KB

Download
memory/1868-84-0x000000013F440000-0x000000013F456000-memory.dmp

Filesize
88KB

Download
memory/2080-76-0x000000013F340000-0x000000013F36C000-memory.dmp

Filesize
176KB

Download
memory/2216-11-0x000007FEF31B0000-0x000007FEF3B4D000-memory.dmp

Filesize
9.6MB

Download
memory/2216-10-0x000007FEF31B0000-0x000007FEF3B4D000-memory.dmp

Filesize
9.6MB

Download
memory/2216-9-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2216-13-0x000007FEF31B0000-0x000007FEF3B4D000-memory.dmp

Filesize
9.6MB

Download
memory/2216-12-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2216-7-0x0000000002B50000-0x0000000002BD0000-memory.dmp

Filesize
512KB

Download
memory/2216-8-0x000007FEF346E000-0x000007FEF346F000-memory.dmp

Filesize
4KB

Download
memory/2216-14-0x000007FEF31B0000-0x000007FEF3B4D000-memory.dmp

Filesize
9.6MB

Download
memory/2752-21-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2752-20-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download