Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-10-2024 07:12
Static task: static1
Behavioral task: behavioral1
  Sample: 5b7184b825866b331b646b976e52165d_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 5b7184b825866b331b646b976e52165d_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 5b7184b825866b331b646b976e52165d_JaffaCakes118.exe
Size: 1.8MB
MD5: 5b7184b825866b331b646b976e52165d
SHA1: e88407cfb398a23e65113fdaa763e924f0da3819
SHA256: 312e16e72dcedac92740dfff0b3b2a6e33640b2568acd2be827cec18e483710b
SHA512: 521f667d961b6a703a5230fe52165eb3866527f4542e75b81756fb003a309e60929983e24707e3b7a52ad8ff24edbb5414199d53ca48b59145da4e5b80155f29
SSDEEP: 49152:4gjblslEu5zl4Yb9jUefS89Zg1aOGIC+kM:4g3i15VVUMZg1aOan
Malware Config
Signatures
Luminosity 2 IoCs
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
description | ioc | pid | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | - | 5b7184b825866b331b646b976e52165d_JaffaCakes118.exe
- | - | 2348 | schtasks.exe
Executes dropped EXE 2 IoCs
pid | Process
2736 | tsmgr.exe
2780 | notepad.exe
Loads dropped DLL 6 IoCs
pid | Process
2036 | 5b7184b825866b331b646b976e52165d_JaffaCakes118.exe
2036 | 5b7184b825866b331b646b976e52165d_JaffaCakes118.exe
2736 | tsmgr.exe
2036 | 5b7184b825866b331b646b976e52165d_JaffaCakes118.exe
2036 | 5b7184b825866b331b646b976e52165d_JaffaCakes118.exe
2780 | notepad.exe
Adds Run key to start application 2 TTPs 22 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Client Monitor = "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\"" | REG.exe
(this identical entry is listed 22 times, once per REG.exe process)
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2036 set thread context of 2780 | 2036 | 5b7184b825866b331b646b976e52165d_JaffaCakes118.exe | 35
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 28 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | REG.exe (22 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5b7184b825866b331b646b976e52165d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
(identical rows collapsed; the 22 REG.exe entries are one per REG.exe process)
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2348 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
2036 | 5b7184b825866b331b646b976e52165d_JaffaCakes118.exe | 2
2736 | tsmgr.exe | 61
2780 | notepad.exe | 1
(identical rows collapsed; the entries column gives how many times each row appears among the 64 listed)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2036 | 5b7184b825866b331b646b976e52165d_JaffaCakes118.exe
Token: SeDebugPrivilege | 2736 | tsmgr.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2736 | tsmgr.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | entries
PID 2036 wrote to memory of 2736 | 2036 | 5b7184b825866b331b646b976e52165d_JaffaCakes118.exe | 31 | 7
PID 2036 wrote to memory of 2808 | 2036 | 5b7184b825866b331b646b976e52165d_JaffaCakes118.exe | 32 | 7
PID 2808 wrote to memory of 2816 | 2808 | cmd.exe | 34 | 7
PID 2036 wrote to memory of 2780 | 2036 | 5b7184b825866b331b646b976e52165d_JaffaCakes118.exe | 35 | 12
PID 2736 wrote to memory of 3016 | 2736 | tsmgr.exe | 36 | 7
PID 2736 wrote to memory of 2780 | 2736 | tsmgr.exe | 35 | 5
PID 2736 wrote to memory of 2348 | 2736 | tsmgr.exe | 38 | 7
PID 2736 wrote to memory of 1664 | 2736 | tsmgr.exe | 40 | 7
PID 2736 wrote to memory of 2028 | 2736 | tsmgr.exe | 42 | 5
(identical rows collapsed; the entries column gives how many times each row appears among the 64 listed)
Processes
(indented entries are child processes of the entry above; each entry gives the image path, the command line, the signatures it triggered and its PID)

C:\Users\Admin\AppData\Local\Temp\5b7184b825866b331b646b976e52165d_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5b7184b825866b331b646b976e52165d_JaffaCakes118.exe"
  - Luminosity
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2036

  C:\Users\Admin\AppData\Local\Temp\tsmgr.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tsmgr.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2736

    C:\Windows\SysWOW64\REG.exe
      command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Client Monitor" /d "cmd /c """start """Client Monitor""" """C:\Program Files (x86)\Client\client.exe"""" /f /reg:64
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      PID: 3016

    C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks /create /NP /sc onlogon /tn "Client Monitor" /rl highest /tr "'C:\Program Files (x86)\Client\client.exe' /startup" /f
      - Luminosity
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 2348

    C:\Windows\SysWOW64\REG.exe (21 further instances, same command line and same two signatures as PID 3016)
      PIDs: 1664, 2028, 848, 2880, 2176, 2244, 2148, 1028, 1712, 752, 1508, 1772, 1976, 2068, 1160, 1504, 2628, 2956, 1668, 2964, 2784

  C:\Windows\SysWOW64\cmd.exe
    command line: "cmd.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2808

    C:\Windows\SysWOW64\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\tsmgr.exe.lnk " /f
      - System Location Discovery: System Language Discovery
      PID: 2816

  C:\Users\Admin\AppData\Local\Temp\notepad.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2780
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

Filesize: 1.8MB
MD5: 5b7184b825866b331b646b976e52165d
SHA1: e88407cfb398a23e65113fdaa763e924f0da3819
SHA256: 312e16e72dcedac92740dfff0b3b2a6e33640b2568acd2be827cec18e483710b
SHA512: 521f667d961b6a703a5230fe52165eb3866527f4542e75b81756fb003a309e60929983e24707e3b7a52ad8ff24edbb5414199d53ca48b59145da4e5b80155f29

Filesize: 52KB
MD5: 278edbd499374bf73621f8c1f969d894
SHA1: a81170af14747781c5f5f51bb1215893136f0bc0
SHA256: c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
SHA512: 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Filesize: 857KB
MD5: bc6529f2a93dd5eb328963e0b41a855a
SHA1: 0d3fe448baa8a886fd33541f17e893a8a550640f
SHA256: b98c711a375f39574672d49fdb798e70dab73b56c5a605c2cfd55a82d8d1b528
SHA512: 4b50bc0de71bdbdbe76622d498d70b940e11a5c34b6d58b43765eacb2447d3106da3ac80f3a20e7eed67598bf9875cda9646694724b8fae6d91a7ed97b0bad73