Analysis
max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted
16/10/2024, 21:15
Behavioral task
behavioral1
Sample
4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
Target
4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
Size
253KB
MD5
4f112f651b8025db019ae8089a8d591a
SHA1
17a81f254644dc7cb89739d0789de51bddf7365d
SHA256
f8fcdb7600d274e4bfbcc4cea1a3484b917956f343fd05c5a3488b5d72dbef8e
SHA512
93fae5fd976fdb22c9acf93918e04d7f0eeab0f9476e0d22b432f4e4e0b344f89a5a32cd97998289efac5c8c59b65c9d27d4a8cb322f36962557f023d1fca21c
SSDEEP
6144:4VFNCNrUiyArOqLVA97qxKD/diPo1S11WXTjiBHk95:UN0UOrXZA97PD/dwWKBHk95
Malware Config
Signatures
Suspicious use of NtCreateProcessOtherParentProcess 20 IoCs
description | pid | Process | procid_target
PID 2788 created 1208 | 2788 | RkRealTech.exe | 21
PID 2360 created 1208 | 2360 | RkRealTech.exe | 21
PID 2788 created 1208 | 2788 | RkRealTech.exe | 21
PID 2360 created 1208 | 2360 | RkRealTech.exe | 21
PID 2788 created 1208 | 2788 | RkRealTech.exe | 21
PID 2360 created 1208 | 2360 | RkRealTech.exe | 21
PID 2788 created 1208 | 2788 | RkRealTech.exe | 21
PID 2360 created 1208 | 2360 | RkRealTech.exe | 21
PID 2788 created 1208 | 2788 | RkRealTech.exe | 21
PID 2360 created 1208 | 2360 | RkRealTech.exe | 21
PID 2788 created 1208 | 2788 | RkRealTech.exe | 21
PID 2360 created 1208 | 2360 | RkRealTech.exe | 21
PID 2788 created 1208 | 2788 | RkRealTech.exe | 21
PID 2360 created 1208 | 2360 | RkRealTech.exe | 21
PID 2788 created 1208 | 2788 | RkRealTech.exe | 21
PID 2360 created 1208 | 2360 | RkRealTech.exe | 21
PID 2788 created 1208 | 2788 | RkRealTech.exe | 21
PID 2360 created 1208 | 2360 | RkRealTech.exe | 21
PID 2788 created 1208 | 2788 | RkRealTech.exe | 21
PID 2360 created 1208 | 2360 | RkRealTech.exe | 21
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource | yara_rule
behavioral1/memory/2460-52-0x0000000000400000-0x0000000000415000-memory.dmp | Nirsoft
behavioral1/memory/2276-55-0x0000000000400000-0x0000000000415000-memory.dmp | Nirsoft
behavioral1/memory/1324-77-0x0000000000400000-0x0000000000415000-memory.dmp | Nirsoft
Executes dropped EXE 10 IoCs
pid | Process
2788 | RkRealTech.exe
2360 | RkRealTech.exe
2460 | RtkSYUdp.exe
2276 | RtkSYUdp.exe
2132 | RtkSYUdp.exe
2664 | RtkSYUdp.exe
1164 | RtkSYUdp.exe
896 | RtkSYUdp.exe
1324 | RtkSYUdp.exe
1168 | RtkSYUdp.exe
Drops desktop.ini file(s) 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini | RtkSYUdp.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
UPX packed file 8 IoCs
resource | yara_rule
behavioral1/memory/2292-0-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/files/0x000300000000549a-48.dat | upx
behavioral1/memory/1852-49-0x0000000000400000-0x0000000000415000-memory.dmp | upx
behavioral1/memory/1852-50-0x0000000000400000-0x0000000000415000-memory.dmp | upx
behavioral1/memory/2460-52-0x0000000000400000-0x0000000000415000-memory.dmp | upx
behavioral1/memory/2276-55-0x0000000000400000-0x0000000000415000-memory.dmp | upx
behavioral1/memory/2292-58-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/1324-77-0x0000000000400000-0x0000000000415000-memory.dmp | upx
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.ico | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
File created | C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.tmp | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\RtkSYUdp.exe | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
File created | C:\Windows\RkRealTech.exe | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RtkSYUdp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RtkSYUdp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RtkSYUdp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RtkSYUdp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RtkSYUdp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RtkSYUdp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RtkSYUdp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RtkSYUdp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Modifies Internet Explorer settings 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\internet explorer\version Vector | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
Modifies registry class 28 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046} | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046} | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ = "lnkfile" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "InternetShortcut" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046} | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046} | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046} | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762} | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046} | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew\Command = "rundll32.exe appwiz.cpl,NewLinkHere %1" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1 | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8} | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" | regedit.exe
Runs regedit.exe 21 IoCs
pid | Process
1440 | regedit.exe
2912 | regedit.exe
1824 | regedit.exe
1260 | regedit.exe
2324 | regedit.exe
796 | regedit.exe
2296 | regedit.exe
628 | regedit.exe
1788 | regedit.exe
2012 | regedit.exe
908 | regedit.exe
1640 | regedit.exe
2420 | regedit.exe
3008 | regedit.exe
768 | regedit.exe
2960 | regedit.exe
2888 | regedit.exe
1836 | regedit.exe
2024 | regedit.exe
1664 | regedit.exe
2852 | regedit.exe
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid | Process
2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
2788 | RkRealTech.exe
2360 | RkRealTech.exe
2788 | RkRealTech.exe
2360 | RkRealTech.exe
2788 | RkRealTech.exe
2360 | RkRealTech.exe
2788 | RkRealTech.exe
2360 | RkRealTech.exe
2788 | RkRealTech.exe
2360 | RkRealTech.exe
2788 | RkRealTech.exe
2360 | RkRealTech.exe
2788 | RkRealTech.exe
2360 | RkRealTech.exe
2788 | RkRealTech.exe
2360 | RkRealTech.exe
2788 | RkRealTech.exe
2360 | RkRealTech.exe
2788 | RkRealTech.exe
2360 | RkRealTech.exe
2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2292 wrote to memory of 2852 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 30
PID 2292 wrote to memory of 2852 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 30
PID 2292 wrote to memory of 2852 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 30
PID 2292 wrote to memory of 2852 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 30
PID 2292 wrote to memory of 2860 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 31
PID 2292 wrote to memory of 2860 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 31
PID 2292 wrote to memory of 2860 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 31
PID 2292 wrote to memory of 2860 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 31
PID 2292 wrote to memory of 2788 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 33
PID 2292 wrote to memory of 2788 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 33
PID 2292 wrote to memory of 2788 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 33
PID 2292 wrote to memory of 2788 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 33
PID 2292 wrote to memory of 2660 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 34
PID 2292 wrote to memory of 2660 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 34
PID 2292 wrote to memory of 2660 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 34
PID 2292 wrote to memory of 2660 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 34
PID 2292 wrote to memory of 1852 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 36
PID 2292 wrote to memory of 1852 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 36
PID 2292 wrote to memory of 1852 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 36
PID 2292 wrote to memory of 1852 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 36
PID 2292 wrote to memory of 2360 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 37
PID 2292 wrote to memory of 2360 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 37
PID 2292 wrote to memory of 2360 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 37
PID 2292 wrote to memory of 2360 | 2292 | 4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe | 37
PID 2788 wrote to memory of 796 | 2788 | RkRealTech.exe | 40
PID 2788 wrote to memory of 796 | 2788 | RkRealTech.exe | 40
PID 2788 wrote to memory of 796 | 2788 | RkRealTech.exe | 40
PID 2788 wrote to memory of 796 | 2788 | RkRealTech.exe | 40
PID 2788 wrote to memory of 796 | 2788 | RkRealTech.exe | 40
PID 2360 wrote to memory of 908 | 2360 | RkRealTech.exe | 42
PID 2360 wrote to memory of 908 | 2360 | RkRealTech.exe | 42
PID 2360 wrote to memory of 908 | 2360 | RkRealTech.exe | 42
PID 2360 wrote to memory of 908 | 2360 | RkRealTech.exe | 42
PID 2360 wrote to memory of 908 | 2360 | RkRealTech.exe | 42
PID 1852 wrote to memory of 2460 | 1852 | cmd.exe | 43
PID 1852 wrote to memory of 2460 | 1852 | cmd.exe | 43
PID 1852 wrote to memory of 2460 | 1852 | cmd.exe | 43
PID 1852 wrote to memory of 2460 | 1852 | cmd.exe | 43
PID 1852 wrote to memory of 2276 | 1852 | cmd.exe | 44
PID 1852 wrote to memory of 2276 | 1852 | cmd.exe | 44
PID 1852 wrote to memory of 2276 | 1852 | cmd.exe | 44
PID 1852 wrote to memory of 2276 | 1852 | cmd.exe | 44
PID 2788 wrote to memory of 2296 | 2788 | RkRealTech.exe | 46
PID 2788 wrote to memory of 2296 | 2788 | RkRealTech.exe | 46
PID 2788 wrote to memory of 2296 | 2788 | RkRealTech.exe | 46
PID 2788 wrote to memory of 2296 | 2788 | RkRealTech.exe | 46
PID 2788 wrote to memory of 2296 | 2788 | RkRealTech.exe | 46
PID 1852 wrote to memory of 2132 | 1852 | cmd.exe | 45
PID 1852 wrote to memory of 2132 | 1852 | cmd.exe | 45
PID 1852 wrote to memory of 2132 | 1852 | cmd.exe | 45
PID 1852 wrote to memory of 2132 | 1852 | cmd.exe | 45
PID 2360 wrote to memory of 1440 | 2360 | RkRealTech.exe | 47
PID 2360 wrote to memory of 1440 | 2360 | RkRealTech.exe | 47
PID 2360 wrote to memory of 1440 | 2360 | RkRealTech.exe | 47
PID 2360 wrote to memory of 1440 | 2360 | RkRealTech.exe | 47
PID 2360 wrote to memory of 1440 | 2360 | RkRealTech.exe | 47
PID 1852 wrote to memory of 2664 | 1852 | cmd.exe | 48
PID 1852 wrote to memory of 2664 | 1852 | cmd.exe | 48
PID 1852 wrote to memory of 2664 | 1852 | cmd.exe | 48
PID 1852 wrote to memory of 2664 | 1852 | cmd.exe | 48
PID 1852 wrote to memory of 1164 | 1852 | cmd.exe | 49
PID 1852 wrote to memory of 1164 | 1852 | cmd.exe | 49
PID 1852 wrote to memory of 1164 | 1852 | cmd.exe | 49
PID 1852 wrote to memory of 1164 | 1852 | cmd.exe | 49
Processes
C:\Windows\Explorer.EXE  [level 1, PID:1208]
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe  [level 2, PID:2292]
    command line: "C:\Users\Admin\AppData\Local\Temp\4f112f651b8025db019ae8089a8d591a_JaffaCakes118.exe"
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regedit.exe  [level 3, PID:2852]
      command line: regedit /s C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Runs regedit.exe
    C:\Windows\SysWOW64\cmd.exe  [level 3, PID:2860]
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat
      - System Location Discovery: System Language Discovery
    C:\Windows\RkRealTech.exe  [level 3, PID:2788]
      command line: C:\Windows\RkRealTech.exe \??\C:\Windows\regedit.exe 1208 C:\Users\Admin\AppData\Local\Temp\bbhhhik.tmp
      - Suspicious use of NtCreateProcessOtherParentProcess
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  [level 3, PID:2660]
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$edbs.bat
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe  [level 3, PID:1852]
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\RtkSYUdp.exe  [level 4, PID:2460]
        command line: C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\."
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Windows\RtkSYUdp.exe  [level 4, PID:2276]
        command line: C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\.."
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Windows\RtkSYUdp.exe  [level 4, PID:2132]
        command line: C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini"
        - Executes dropped EXE
        - Drops desktop.ini file(s)
        - System Location Discovery: System Language Discovery
      C:\Windows\RtkSYUdp.exe  [level 4, PID:2664]
        command line: C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\GOOGLE~1.LNK"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Windows\RtkSYUdp.exe  [level 4, PID:1164]
        command line: C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\LAUNCH~1.LNK"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Windows\RtkSYUdp.exe  [level 4, PID:896]
        command line: C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\SHOWSD~1.LNK"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Windows\RtkSYUdp.exe  [level 4, PID:1324]
        command line: C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Windows\RtkSYUdp.exe  [level 4, PID:1168]
        command line: C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\WINDOW~1.LNK"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    C:\Windows\RkRealTech.exe  [level 3, PID:2360]
      command line: C:\Windows\RkRealTech.exe \??\C:\Windows\regedit.exe 1208 C:\Users\Admin\AppData\Local\Temp\$rar10943.tmp
      - Suspicious use of NtCreateProcessOtherParentProcess
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  [level 3, PID:1600]
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
      - System Location Discovery: System Language Discovery
  \Windows\SysWOW64\regedit.exe  [level 2, PID:796]
    - Runs regedit.exe
  \Windows\SysWOW64\regedit.exe  [level 2, PID:908]
    - Runs regedit.exe
  \Windows\SysWOW64\regedit.exe  [level 2, PID:2296]
    - Runs regedit.exe
  \Windows\SysWOW64\regedit.exe  [level 2, PID:1440]
    - Runs regedit.exe
  \Windows\SysWOW64\regedit.exe  [level 2, PID:2888]
    - Runs regedit.exe
  \Windows\SysWOW64\regedit.exe  [level 2, PID:628]
    - Runs regedit.exe
  \Windows\SysWOW64\regedit.exe  [level 2, PID:1640]
    - Runs regedit.exe
  \Windows\SysWOW64\regedit.exe  [level 2, PID:2420]
    - Runs regedit.exe
  \Windows\SysWOW64\regedit.exe  [level 2, PID:1788]
    - Runs regedit.exe
  \Windows\SysWOW64\regedit.exe  [level 2, PID:3008]
    - Runs regedit.exe
  \Windows\SysWOW64\regedit.exe  [level 2, PID:2912]
    - Runs regedit.exe
  \Windows\SysWOW64\regedit.exe  [level 2, PID:768]
    - Runs regedit.exe
  \Windows\SysWOW64\regedit.exe  [level 2, PID:1836]
    - Runs regedit.exe
  \Windows\SysWOW64\regedit.exe  [level 2, PID:1824]
    - Runs regedit.exe
  \Windows\SysWOW64\regedit.exe  [level 2, PID:2024]
    - Runs regedit.exe
  \Windows\SysWOW64\regedit.exe  [level 2, PID:1664]
    - Runs regedit.exe
  \Windows\SysWOW64\regedit.exe  [level 2, PID:1260]
    - Runs regedit.exe
  \Windows\SysWOW64\regedit.exe  [level 2, PID:2960]
    - Runs regedit.exe
  \Windows\SysWOW64\regedit.exe  [level 2, PID:2012]
    - Runs regedit.exe
  \Windows\SysWOW64\regedit.exe  [level 2, PID:2324]
    - Runs regedit.exe
Network
MITRE ATT&CK Enterprise v15