e056bf730fa3b5a1016610b2b6469847b3e1b1abc7d9d5333292d45a08d003e5

Analysis

max time kernel
4s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/10/2024, 21:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
Size

15KB
MD5

25697dce0ad0b6f399e79dd60861445a
SHA1

85b3022a9ce4538e67f19d497fb95730792b2814
SHA256

e056bf730fa3b5a1016610b2b6469847b3e1b1abc7d9d5333292d45a08d003e5
SHA512

ed5f525ff6092f1b451e58caa0e6c364a673a6840cf7f6102329729c8f4f0ec489f6cb2d5f9d8bc5ccc40079a224e10a8d13df6bc326612058d5ac46993500d7
SSDEEP

384:Iu76MjMOilLoRGkT3a2E+u+9kH+b/hIskuVoGfKzH:mdOilLoBTK9GkH+kuiGfW

Score

8^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 5 IoCs

pid	Process
5620	lpmxajkl.exe
5716	lpmxajkl.exe
5796	lpmxajkl.exe
3108	lpmxajkl.exe
1532	lpmxajkl.exe

Loads dropped DLL 10 IoCs

pid	Process
1688	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
1688	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
5620	lpmxajkl.exe
5620	lpmxajkl.exe
5716	lpmxajkl.exe
5716	lpmxajkl.exe
5796	lpmxajkl.exe
5796	lpmxajkl.exe
3108	lpmxajkl.exe
3108	lpmxajkl.exe

Installs/modifies Browser Helper Object 2 TTPs 10 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{27AC9076-C898-B098-D098-A18319080972}\ = "nhmxbjkl.dll"	lpmxajkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27AC9076-C898-B098-D098-A18319080972}	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{27AC9076-C898-B098-D098-A18319080972}\ = "nhmxbjkl.dll"	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{27AC9076-C898-B098-D098-A18319080972}\ = "nhmxbjkl.dll"	lpmxajkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27AC9076-C898-B098-D098-A18319080972}	lpmxajkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{27AC9076-C898-B098-D098-A18319080972}\ = "nhmxbjkl.dll"	lpmxajkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27AC9076-C898-B098-D098-A18319080972}	lpmxajkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27AC9076-C898-B098-D098-A18319080972}	lpmxajkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27AC9076-C898-B098-D098-A18319080972}	lpmxajkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{27AC9076-C898-B098-D098-A18319080972}\ = "nhmxbjkl.dll"	lpmxajkl.exe

Drops file in System32 directory 26 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nhmxbjkl.dll	lpmxajkl.exe
File opened for modification	C:\Windows\SysWOW64\nhmxbjkl.dll	lpmxajkl.exe
File opened for modification	C:\Windows\SysWOW64\rnmxajkl.sys	lpmxajkl.exe
File opened for modification	C:\Windows\SysWOW64\lpmxajkl.exe	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\lpmxajkl.exe	lpmxajkl.exe
File opened for modification	C:\Windows\SysWOW64\rnmxajkl.sys	lpmxajkl.exe
File opened for modification	C:\Windows\SysWOW64\nhmxbjkl.dll	lpmxajkl.exe
File opened for modification	C:\Windows\SysWOW64\nhmxbjkl.dll	lpmxajkl.exe
File created	C:\Windows\SysWOW64\nhmxbjkl.dll	lpmxajkl.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\nhmxbjkl.dll	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpmxajkl.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpmxajkl.exe
File opened for modification	C:\Windows\SysWOW64\lpmxajkl.exe	lpmxajkl.exe
File created	C:\Windows\SysWOW64\nhmxbjkl.dll	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\nhmxbjkl.dll	lpmxajkl.exe
File opened for modification	C:\Windows\SysWOW64\lpmxajkl.exe	lpmxajkl.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpmxajkl.exe
File opened for modification	C:\Windows\SysWOW64\rnmxajkl.sys	lpmxajkl.exe
File opened for modification	C:\Windows\SysWOW64\lpmxajkl.exe	lpmxajkl.exe
File opened for modification	C:\Windows\SysWOW64\nhmxbjkl.dll	lpmxajkl.exe
File opened for modification	C:\Windows\SysWOW64\rnmxajkl.sys	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lpmxajkl.exe	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpmxajkl.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	lpmxajkl.exe
File opened for modification	C:\Windows\SysWOW64\rnmxajkl.sys	lpmxajkl.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lpmxajkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lpmxajkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lpmxajkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lpmxajkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lpmxajkl.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AC9076-C898-B098-D098-A18319080972}\InprocServer32	lpmxajkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AC9076-C898-B098-D098-A18319080972}\InprocServer32\ = "C:\\Windows\\SysWow64\\nhmxbjkl.dll"	lpmxajkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AC9076-C898-B098-D098-A18319080972}\InprocServer32\ = "C:\\Windows\\SysWow64\\nhmxbjkl.dll"	lpmxajkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AC9076-C898-B098-D098-A18319080972}\InprocServer32	lpmxajkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AC9076-C898-B098-D098-A18319080972}\InprocServer32\ = "C:\\Windows\\SysWow64\\nhmxbjkl.dll"	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AC9076-C898-B098-D098-A18319080972}\InprocServer32	lpmxajkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AC9076-C898-B098-D098-A18319080972}\InprocServer32\ = "C:\\Windows\\SysWow64\\nhmxbjkl.dll"	lpmxajkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AC9076-C898-B098-D098-A18319080972}\InprocServer32	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AC9076-C898-B098-D098-A18319080972}\InprocServer32\ = "C:\\Windows\\SysWow64\\nhmxbjkl.dll"	lpmxajkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AC9076-C898-B098-D098-A18319080972}\InprocServer32\ThreadingModel = "Apartment"	lpmxajkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AC9076-C898-B098-D098-A18319080972}\InprocServer32\ThreadingModel = "Apartment"	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AC9076-C898-B098-D098-A18319080972}	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AC9076-C898-B098-D098-A18319080972}\InprocServer32\ThreadingModel = "Apartment"	lpmxajkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AC9076-C898-B098-D098-A18319080972}\InprocServer32\ThreadingModel = "Apartment"	lpmxajkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AC9076-C898-B098-D098-A18319080972}\InprocServer32\ThreadingModel = "Apartment"	lpmxajkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AC9076-C898-B098-D098-A18319080972}\InprocServer32	lpmxajkl.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1688	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
1688	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
1688	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
1688	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
5620	lpmxajkl.exe
5620	lpmxajkl.exe
5620	lpmxajkl.exe
5620	lpmxajkl.exe
5716	lpmxajkl.exe
5796	lpmxajkl.exe
3108	lpmxajkl.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
Token: SeDebugPrivilege	5620	lpmxajkl.exe
Token: SeDebugPrivilege	5716	lpmxajkl.exe
Token: SeDebugPrivilege	5796	lpmxajkl.exe
Token: SeDebugPrivilege	3108	lpmxajkl.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2352	1688	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2352	1688	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2352	1688	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe	30
PID 1688 wrote to memory of 2352	1688	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe	30
PID 1688 wrote to memory of 5620	1688	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe	32
PID 1688 wrote to memory of 5620	1688	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe	32
PID 1688 wrote to memory of 5620	1688	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe	32
PID 1688 wrote to memory of 5620	1688	25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe	32
PID 5620 wrote to memory of 5684	5620	lpmxajkl.exe	33
PID 5620 wrote to memory of 5684	5620	lpmxajkl.exe	33
PID 5620 wrote to memory of 5684	5620	lpmxajkl.exe	33
PID 5620 wrote to memory of 5684	5620	lpmxajkl.exe	33
PID 5620 wrote to memory of 5716	5620	lpmxajkl.exe	35
PID 5620 wrote to memory of 5716	5620	lpmxajkl.exe	35
PID 5620 wrote to memory of 5716	5620	lpmxajkl.exe	35
PID 5620 wrote to memory of 5716	5620	lpmxajkl.exe	35
PID 5716 wrote to memory of 5764	5716	lpmxajkl.exe	36
PID 5716 wrote to memory of 5764	5716	lpmxajkl.exe	36
PID 5716 wrote to memory of 5764	5716	lpmxajkl.exe	36
PID 5716 wrote to memory of 5764	5716	lpmxajkl.exe	36
PID 5716 wrote to memory of 5796	5716	lpmxajkl.exe	37
PID 5716 wrote to memory of 5796	5716	lpmxajkl.exe	37
PID 5716 wrote to memory of 5796	5716	lpmxajkl.exe	37
PID 5716 wrote to memory of 5796	5716	lpmxajkl.exe	37
PID 5796 wrote to memory of 5876	5796	lpmxajkl.exe	39
PID 5796 wrote to memory of 5876	5796	lpmxajkl.exe	39
PID 5796 wrote to memory of 5876	5796	lpmxajkl.exe	39
PID 5796 wrote to memory of 5876	5796	lpmxajkl.exe	39
PID 5796 wrote to memory of 3108	5796	lpmxajkl.exe	41
PID 5796 wrote to memory of 3108	5796	lpmxajkl.exe	41
PID 5796 wrote to memory of 3108	5796	lpmxajkl.exe	41
PID 5796 wrote to memory of 3108	5796	lpmxajkl.exe	41
PID 3108 wrote to memory of 3068	3108	lpmxajkl.exe	42
PID 3108 wrote to memory of 3068	3108	lpmxajkl.exe	42
PID 3108 wrote to memory of 3068	3108	lpmxajkl.exe	42
PID 3108 wrote to memory of 3068	3108	lpmxajkl.exe	42
PID 3108 wrote to memory of 1532	3108	lpmxajkl.exe	44
PID 3108 wrote to memory of 1532	3108	lpmxajkl.exe	44
PID 3108 wrote to memory of 1532	3108	lpmxajkl.exe	44
PID 3108 wrote to memory of 1532	3108	lpmxajkl.exe	44
PID 1532 wrote to memory of 1104	1532	lpmxajkl.exe	45
PID 1532 wrote to memory of 1104	1532	lpmxajkl.exe	45
PID 1532 wrote to memory of 1104	1532	lpmxajkl.exe	45
PID 1532 wrote to memory of 1104	1532	lpmxajkl.exe	45

C:\Users\Admin\AppData\Local\Temp\25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25697dce0ad0b6f399e79dd60861445a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259493264.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2352
- C:\Windows\SysWOW64\lpmxajkl.exe
  C:\Windows\system32\lpmxajkl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259493747.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5684
- - C:\Windows\SysWOW64\lpmxajkl.exe
    C:\Windows\system32\lpmxajkl.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5716
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259493810.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:5764
  - - C:\Windows\SysWOW64\lpmxajkl.exe
      C:\Windows\system32\lpmxajkl.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5796
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259493919.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5876
    - - C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3108
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259496399.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
      - C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259496649.bat
        7⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        7⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259531640.bat
        8⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        8⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259531765.bat
        9⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        9⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259545914.bat
        10⤵
        
        PID:572
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        10⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259547849.bat
        11⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        11⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259548785.bat
        12⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        12⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259549221.bat
        13⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        13⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259549658.bat
        14⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        14⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259550594.bat
        15⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        15⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259551390.bat
        16⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        16⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259552451.bat
        17⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        17⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259559736.bat
        18⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        18⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259560157.bat
        19⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        19⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259570094.bat
        20⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        20⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259604695.bat
        21⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        21⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259610124.bat
        22⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        22⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259618002.bat
        23⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        23⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259626379.bat
        24⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        24⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259631403.bat
        25⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        25⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259633867.bat
        26⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\lpmxajkl.exe
        
        C:\Windows\system32\lpmxajkl.exe
        26⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259639733.bat
        27⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259640638.bat
        21⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259635131.bat
        20⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259600889.bat
        19⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259591030.bat
        18⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259591030.bat
        17⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259583978.bat
        16⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259583448.bat
        15⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259581389.bat
        14⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259580078.bat
        13⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259579595.bat
        12⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259579142.bat
        11⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259576958.bat
        10⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259576459.bat
        9⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259562357.bat
        8⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259562107.bat
        7⤵
        
        PID:3832
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259527100.bat
        6⤵
        
        PID:3540
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259526726.bat
        5⤵
        
        PID:3532
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259524417.bat
      4⤵
      PID:3708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259524324.bat
    3⤵
    PID:3636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\~DFD259525462.bat
  2⤵
  PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~DFD259493264.bat

Filesize
121B

MD5
09517fc62284f33e877a276463580bd1

SHA1
0b14fe1db4493818f9de0bf2a56ee5370b8d479a

SHA256
6cc6bbb1f3f754b6894d84130f5f2d86569ac3a603e1632d3cefa028f22b6238

SHA512
1b924dd216d0f38199cc6df215e65ff260aa48fa37aa620dabcbc616f434643bd1f2e617d66b14bd52900214148741565128ba9589782ba582fd7308369f4a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259524324.bat

Filesize
121B

MD5
e2410165cfb71f41e262ace67aa489b3

SHA1
7ebda74ae4c41de41ab77f72fe22b495e0f4774a

SHA256
e85f536411b2829abe369ec288582508db5c63902a60b43263acd5ab1ca468e0

SHA512
fa1c25703837a067146c6b1c4be3762b5d3efa00e72867199772171205302549213c31b5b141ceb8a87b57711f07cd1d2b10d504e6eada42ef125a9906939617

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD259525462.bat

Filesize
225B

MD5
a273208fd0f64d5dc6181e5ffd053e93

SHA1
3c4efd6f2a4645ed5917b6d1572c1b0115175939

SHA256
e110ea8bfdf6726ff547c5423684ca7bbdd9f8d30668833491bec26c9ea84993

SHA512
f06e0b8a5cab5f35b527f0a8671bf01d3258d153716958ff50ec0a960dad30aab2bb308926446b518e4dddb3ac1911b48d026859b3754724ce48147495042346

Download Submit
C:\Windows\SysWOW64\lpmxajkl.exe

Filesize
15KB

MD5
25697dce0ad0b6f399e79dd60861445a

SHA1
85b3022a9ce4538e67f19d497fb95730792b2814

SHA256
e056bf730fa3b5a1016610b2b6469847b3e1b1abc7d9d5333292d45a08d003e5

SHA512
ed5f525ff6092f1b451e58caa0e6c364a673a6840cf7f6102329729c8f4f0ec489f6cb2d5f9d8bc5ccc40079a224e10a8d13df6bc326612058d5ac46993500d7

Download Submit
C:\Windows\SysWOW64\nhmxbjkl.dll

Filesize
523KB

MD5
9a71ab2db0e70c008b19e266daa946d8

SHA1
8178bb7241801dc668ccd1e5655f2d3ecdadcf34

SHA256
9a83f9aad7677f5e755ba1fdfc5bec9c7000e128525b5882ce2f459bf3f3ac1d

SHA512
ae3a4cbfec3e4ee36a68bf9276532dbead27201344ce25d411c7893352021db02d205be425101a9c3199046a24dd1a2429968452ab15d4ed29a9c607a459ffb9

Download Submit
C:\Windows\SysWOW64\nhmxbjkl.dll

Filesize
523KB

MD5
6b88f76af22b77366ea5a908173852cb

SHA1
f438e9a8d6c729e257556dc4ff9a2c159598308b

SHA256
4c6e1c612fad89f9b51d18ba1cc9b264f8a18b7c37c59e23528348dc135b2891

SHA512
24388aecec1fe76f65abff9012be357bb44a0622e0c638cfb38265ca67147ded59a321f66d50ea8910472b54e5e272fe818081531cbaa33b91538b6ae1c2f461

Download Submit
C:\Windows\SysWOW64\rnmxajkl.sys

Filesize
520B

MD5
c8ee317de55cac0aa9a26ebef55520ab

SHA1
1f6d1afe1d01dd7e694a416f131c9f6e91eac947

SHA256
cd45d7c41fa2150a22752e936a5bddfeeaf5ab8521d4b5ec571ddf19867af4bf

SHA512
79c229bbc070763c690a3b04d770c4cf6a55debcfd642ea7ee5dab7421a5d10cefe8f3c8336799df23a5976e8f25dbd9e23f627b4ec8c0872481f15ef23a5e2d

Download Submit
memory/1120-11902-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/1120-10485-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/1256-7314-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/1256-9186-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/1532-3784-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/1532-3167-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/1688-1051-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/1688-1052-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/1688-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1688-2661-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1688-2668-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/1688-2667-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/1896-15575-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/1896-17307-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/1928-6241-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/1928-4214-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/1960-16599-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/1960-16600-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/2104-14557-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/2104-16195-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/2128-4202-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/2128-5266-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/2128-4203-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/2548-5275-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/2548-5274-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/2548-8246-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/2548-8245-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/3108-2659-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/3108-2660-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/3108-2860-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/3108-2859-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/3252-7793-0x0000000000280000-0x0000000000299000-memory.dmp

Filesize
100KB

Download
memory/3252-5268-0x0000000000280000-0x0000000000299000-memory.dmp

Filesize
100KB

Download
memory/3252-7792-0x0000000000280000-0x0000000000299000-memory.dmp

Filesize
100KB

Download
memory/3252-5267-0x0000000000280000-0x0000000000299000-memory.dmp

Filesize
100KB

Download
memory/3572-12521-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/3572-13540-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/3572-12522-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/3572-13541-0x0000000000270000-0x0000000000289000-memory.dmp

Filesize
100KB

Download
memory/3640-7313-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/3640-5255-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/3640-7312-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/3640-5254-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/4496-12520-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/4496-12519-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/4496-11502-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/4496-11501-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5024-13539-0x00000000001C0000-0x00000000001D9000-memory.dmp

Filesize
100KB

Download
memory/5024-14773-0x00000000001C0000-0x00000000001D9000-memory.dmp

Filesize
100KB

Download
memory/5024-14772-0x00000000001C0000-0x00000000001D9000-memory.dmp

Filesize
100KB

Download
memory/5024-13538-0x00000000001C0000-0x00000000001D9000-memory.dmp

Filesize
100KB

Download
memory/5072-8289-0x00000000001B0000-0x00000000001C9000-memory.dmp

Filesize
100KB

Download
memory/5072-6295-0x00000000001B0000-0x00000000001C9000-memory.dmp

Filesize
100KB

Download
memory/5072-8342-0x00000000001B0000-0x00000000001C9000-memory.dmp

Filesize
100KB

Download
memory/5072-6293-0x00000000001B0000-0x00000000001C9000-memory.dmp

Filesize
100KB

Download
memory/5100-8344-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5100-8343-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5100-9380-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5100-9379-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5620-2669-0x00000000002E0000-0x00000000002F9000-memory.dmp

Filesize
100KB

Download
memory/5620-1055-0x00000000002E0000-0x00000000002F9000-memory.dmp

Filesize
100KB

Download
memory/5620-1054-0x00000000002E0000-0x00000000002F9000-memory.dmp

Filesize
100KB

Download
memory/5620-1053-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5680-4201-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5680-3180-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5716-1061-0x0000000000230000-0x0000000000249000-memory.dmp

Filesize
100KB

Download
memory/5716-1060-0x0000000000230000-0x0000000000249000-memory.dmp

Filesize
100KB

Download
memory/5716-2749-0x0000000000230000-0x0000000000249000-memory.dmp

Filesize
100KB

Download
memory/5796-2857-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/5796-2084-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/5796-2085-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/5796-1062-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/5804-5234-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5804-6296-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5928-10056-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5928-9383-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5992-8350-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5992-8345-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5992-9381-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download
memory/5992-9382-0x0000000000260000-0x0000000000279000-memory.dmp

Filesize
100KB

Download