06207240ec828539a8c578dc943ed01efaedb5542fa51db3d02667cb572f405b

Analysis

max time kernel
148s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

175705703b9892e0d441e551cdc88574_JaffaCakes118.exe
Size

4.1MB
MD5

175705703b9892e0d441e551cdc88574
SHA1

2f598902a312dd7ddf16a6edf5eebddc5a3dd4b9
SHA256

06207240ec828539a8c578dc943ed01efaedb5542fa51db3d02667cb572f405b
SHA512

2e7043c58d83ba1089663cb0342655e21591b71c64a4eb3c9f6aaec7e081a23d49eab0cbe7015dee8e186fa94d686dd8ee7925ead4a82dd430984b20d26a479f
SSDEEP

49152:CErsedPJLa3CnHxUMUErsedPJLa3CnHx8F:CEAedPJGiUMUEAedPJGiY

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\gvxt.exe -dwup"	gvxt.exe

Executes dropped EXE 48 IoCs

pid	Process
1532	gvxt.exe
2252	gvxt.exe
5016	gvxt.exe
4568	gvxt.exe
2208	gvxt.exe
4848	gvxt.exe
3444	gvxt.exe
5044	gvxt.exe
3792	gvxt.exe
432	gvxt.exe
2060	gvxt.exe
872	gvxt.exe
3076	gvxt.exe
1188	gvxt.exe
8	gvxt.exe
3692	gvxt.exe
3856	gvxt.exe
636	gvxt.exe
3000	gvxt.exe
4520	gvxt.exe
4476	gvxt.exe
3704	gvxt.exe
680	gvxt.exe
1808	gvxt.exe
2272	gvxt.exe
3532	gvxt.exe
1532	gvxt.exe
1756	gvxt.exe
2872	gvxt.exe
3676	gvxt.exe
908	gvxt.exe
3052	gvxt.exe
4940	gvxt.exe
1496	gvxt.exe
3204	gvxt.exe
2608	gvxt.exe
4912	gvxt.exe
4452	gvxt.exe
2984	gvxt.exe
2136	gvxt.exe
3616	gvxt.exe
3160	gvxt.exe
2116	gvxt.exe
3968	gvxt.exe
4356	gvxt.exe
3796	gvxt.exe
2332	gvxt.exe
1180	gvxt.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000023457-8.dat	autoit_exe

Suspicious use of SetThreadContext 23 IoCs

description	pid	Process	procid_target
PID 4860 set thread context of 2288	4860	175705703b9892e0d441e551cdc88574_JaffaCakes118.exe	82
PID 1532 set thread context of 2252	1532	gvxt.exe	84
PID 4568 set thread context of 2208	4568	gvxt.exe	94
PID 4848 set thread context of 3444	4848	gvxt.exe	96
PID 5044 set thread context of 3792	5044	gvxt.exe	98
PID 432 set thread context of 2060	432	gvxt.exe	102
PID 872 set thread context of 3076	872	gvxt.exe	104
PID 1188 set thread context of 8	1188	gvxt.exe	106
PID 3692 set thread context of 3856	3692	gvxt.exe	108
PID 636 set thread context of 3000	636	gvxt.exe	110
PID 3704 set thread context of 680	3704	gvxt.exe	114
PID 1808 set thread context of 2272	1808	gvxt.exe	116
PID 3532 set thread context of 1532	3532	gvxt.exe	118
PID 1756 set thread context of 2872	1756	gvxt.exe	120
PID 3676 set thread context of 908	3676	gvxt.exe	122
PID 3052 set thread context of 4940	3052	gvxt.exe	124
PID 1496 set thread context of 3204	1496	gvxt.exe	126
PID 2608 set thread context of 4912	2608	gvxt.exe	128
PID 4452 set thread context of 2984	4452	gvxt.exe	130
PID 2136 set thread context of 3616	2136	gvxt.exe	132
PID 3160 set thread context of 2116	3160	gvxt.exe	134
PID 3968 set thread context of 4356	3968	gvxt.exe	136
PID 3796 set thread context of 2332	3796	gvxt.exe	138

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	175705703b9892e0d441e551cdc88574_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	175705703b9892e0d441e551cdc88574_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gvxt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 2288	4860	175705703b9892e0d441e551cdc88574_JaffaCakes118.exe	82
PID 4860 wrote to memory of 2288	4860	175705703b9892e0d441e551cdc88574_JaffaCakes118.exe	82
PID 4860 wrote to memory of 2288	4860	175705703b9892e0d441e551cdc88574_JaffaCakes118.exe	82
PID 4860 wrote to memory of 2288	4860	175705703b9892e0d441e551cdc88574_JaffaCakes118.exe	82
PID 4860 wrote to memory of 2288	4860	175705703b9892e0d441e551cdc88574_JaffaCakes118.exe	82
PID 4860 wrote to memory of 2288	4860	175705703b9892e0d441e551cdc88574_JaffaCakes118.exe	82
PID 4860 wrote to memory of 2288	4860	175705703b9892e0d441e551cdc88574_JaffaCakes118.exe	82
PID 4860 wrote to memory of 2288	4860	175705703b9892e0d441e551cdc88574_JaffaCakes118.exe	82
PID 2288 wrote to memory of 1532	2288	175705703b9892e0d441e551cdc88574_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1532	2288	175705703b9892e0d441e551cdc88574_JaffaCakes118.exe	83
PID 2288 wrote to memory of 1532	2288	175705703b9892e0d441e551cdc88574_JaffaCakes118.exe	83
PID 1532 wrote to memory of 2252	1532	gvxt.exe	84
PID 1532 wrote to memory of 2252	1532	gvxt.exe	84
PID 1532 wrote to memory of 2252	1532	gvxt.exe	84
PID 1532 wrote to memory of 2252	1532	gvxt.exe	84
PID 1532 wrote to memory of 2252	1532	gvxt.exe	84
PID 1532 wrote to memory of 2252	1532	gvxt.exe	84
PID 1532 wrote to memory of 2252	1532	gvxt.exe	84
PID 1532 wrote to memory of 2252	1532	gvxt.exe	84
PID 2252 wrote to memory of 5016	2252	gvxt.exe	85
PID 2252 wrote to memory of 5016	2252	gvxt.exe	85
PID 2252 wrote to memory of 5016	2252	gvxt.exe	85
PID 2252 wrote to memory of 5016	2252	gvxt.exe	85
PID 2252 wrote to memory of 5016	2252	gvxt.exe	85
PID 5016 wrote to memory of 4568	5016	gvxt.exe	91
PID 5016 wrote to memory of 4568	5016	gvxt.exe	91
PID 5016 wrote to memory of 4568	5016	gvxt.exe	91
PID 4568 wrote to memory of 2208	4568	gvxt.exe	94
PID 4568 wrote to memory of 2208	4568	gvxt.exe	94
PID 4568 wrote to memory of 2208	4568	gvxt.exe	94
PID 4568 wrote to memory of 2208	4568	gvxt.exe	94
PID 4568 wrote to memory of 2208	4568	gvxt.exe	94
PID 4568 wrote to memory of 2208	4568	gvxt.exe	94
PID 4568 wrote to memory of 2208	4568	gvxt.exe	94
PID 4568 wrote to memory of 2208	4568	gvxt.exe	94
PID 5016 wrote to memory of 4848	5016	gvxt.exe	95
PID 5016 wrote to memory of 4848	5016	gvxt.exe	95
PID 5016 wrote to memory of 4848	5016	gvxt.exe	95
PID 4848 wrote to memory of 3444	4848	gvxt.exe	96
PID 4848 wrote to memory of 3444	4848	gvxt.exe	96
PID 4848 wrote to memory of 3444	4848	gvxt.exe	96
PID 4848 wrote to memory of 3444	4848	gvxt.exe	96
PID 4848 wrote to memory of 3444	4848	gvxt.exe	96
PID 4848 wrote to memory of 3444	4848	gvxt.exe	96
PID 4848 wrote to memory of 3444	4848	gvxt.exe	96
PID 4848 wrote to memory of 3444	4848	gvxt.exe	96
PID 5016 wrote to memory of 5044	5016	gvxt.exe	97
PID 5016 wrote to memory of 5044	5016	gvxt.exe	97
PID 5016 wrote to memory of 5044	5016	gvxt.exe	97
PID 5044 wrote to memory of 3792	5044	gvxt.exe	98
PID 5044 wrote to memory of 3792	5044	gvxt.exe	98
PID 5044 wrote to memory of 3792	5044	gvxt.exe	98
PID 5044 wrote to memory of 3792	5044	gvxt.exe	98
PID 5044 wrote to memory of 3792	5044	gvxt.exe	98
PID 5044 wrote to memory of 3792	5044	gvxt.exe	98
PID 5044 wrote to memory of 3792	5044	gvxt.exe	98
PID 5044 wrote to memory of 3792	5044	gvxt.exe	98
PID 5016 wrote to memory of 432	5016	gvxt.exe	101
PID 5016 wrote to memory of 432	5016	gvxt.exe	101
PID 5016 wrote to memory of 432	5016	gvxt.exe	101
PID 432 wrote to memory of 2060	432	gvxt.exe	102
PID 432 wrote to memory of 2060	432	gvxt.exe	102
PID 432 wrote to memory of 2060	432	gvxt.exe	102
PID 432 wrote to memory of 2060	432	gvxt.exe	102

C:\Users\Admin\AppData\Local\Temp\175705703b9892e0d441e551cdc88574_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\175705703b9892e0d441e551cdc88574_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Users\Admin\AppData\Local\Temp\175705703b9892e0d441e551cdc88574_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\175705703b9892e0d441e551cdc88574_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Users\Admin\AppData\Roaming\gvxt.exe
    C:\Users\Admin\AppData\Local\Temp\175705703b9892e0d441e551cdc88574_JaffaCakes118.exe -dwup
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Users\Admin\AppData\Roaming\gvxt.exe
      C:\Users\Admin\AppData\Local\Temp\175705703b9892e0d441e551cdc88574_JaffaCakes118.exe -dwup
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5016
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4568
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:2208
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:3444
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:3792
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:2060
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:3076
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:8
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:3856
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:3000
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:4476
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:680
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:2272
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:1532
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:2872
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:908
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:4940
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:3204
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:4912
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:2984
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:3616
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:2116
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:4356
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        7⤵
        Executes dropped EXE
        
        PID:2332
      - C:\Users\Admin\AppData\Roaming\gvxt.exe
        
        C:\Users\Admin\AppData\Roaming\gvxt.exe
        6⤵
        Executes dropped EXE
        
        PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\gvxt.exe

Filesize
4.1MB

MD5
175705703b9892e0d441e551cdc88574

SHA1
2f598902a312dd7ddf16a6edf5eebddc5a3dd4b9

SHA256
06207240ec828539a8c578dc943ed01efaedb5542fa51db3d02667cb572f405b

SHA512
2e7043c58d83ba1089663cb0342655e21591b71c64a4eb3c9f6aaec7e081a23d49eab0cbe7015dee8e186fa94d686dd8ee7925ead4a82dd430984b20d26a479f

Download Submit
memory/8-63-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/680-88-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2060-49-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2208-28-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2252-16-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2252-15-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2252-22-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2252-51-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2272-95-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2288-2-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2288-3-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2288-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3000-76-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3076-56-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3444-35-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3792-42-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3856-69-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4476-82-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5016-19-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/5016-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads