Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 14-05-2024 18:19
Static task: static1
Behavioral task: behavioral1
- Sample: 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
- Size: 21.3MB
- MD5: 4277477edd95a0337f04acb5f75705d1
- SHA1: 58ce92f0b43d1a67cf9a8e453a1c9c3978f203a8
- SHA256: af4076b2ca7ef8b6aa19702b2f31ad5dceb9feef26c4ec5b649afa83748bbbf8
- SHA512: 88e7b67210f487743fb722d961d61760691b0ac1fb692cf0889b2939d8d360e39a3df2ff85108cd32242b3bfcf770f86b466729a5bc2829250d6d1e7e3eb1b7e
- SSDEEP: 393216:w6Tm05yl21jcsqsPC3JUrnQxNboS59A43Uk4U6bOIkvzMe6:w6ijqjWunSNH59z4NOI+zMe6
Malware Config
Extracted
- Family: vidar
- (field name unreadable in the extraction): 1
- profile_id: 1
Extracted
- URL: http://aircraftik.ru/gate/update.php
Signatures
Vidar Stealer 3 IoCs
Processes (resource, YARA rule):
- behavioral1/memory/2372-184-0x0000000000400000-0x0000000000487000-memory.dmp: family_vidar
- behavioral1/memory/2372-182-0x0000000000400000-0x0000000000487000-memory.dmp: family_vidar
- behavioral1/memory/2372-228-0x0000000000400000-0x0000000000487000-memory.dmp: family_vidar
All three hits are in the memory of PID 2372, the second BlueScreenView.exe instance, at the same 0x400000-0x487000 image range; none of the dropped files on disk match the rule.
Executes dropped EXE 9 IoCs
Processes (PID, image):
- 2464 rar.exe
- 2784 44.exe
- 2980 Arkei1.exe
- 1068 BlueScreenView.exe
- 596 dfrgui.exe
- 2372 BlueScreenView.exe
- 1168 dfrgui.exe
- 2436 BlueScreenView.exe
- 2768 BlueScreenView.exe
Loads dropped DLL 21 IoCs
Processes (PID, image, number of loads):
- 2652 cmd.exe: 1
- 2464 rar.exe: 8
- 2980 Arkei1.exe: 1
- 2784 44.exe: 1
- 1068 BlueScreenView.exe: 2
- 596 dfrgui.exe: 2
- 1168 dfrgui.exe: 4
- 2436 BlueScreenView.exe: 2
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, IoC):
- flow 5: ip-api.com
Suspicious use of SetThreadContext 3 IoCs
Processes (source PID and image, target PID and image):
- 1068 BlueScreenView.exe set thread context of 2372 BlueScreenView.exe
- 596 dfrgui.exe set thread context of 1168 dfrgui.exe
- 2436 BlueScreenView.exe set thread context of 2768 BlueScreenView.exe
Drops file in Program Files directory 14 IoCs
Processes: all entries are by 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
- File opened for modification: C:\Program Files (x86)\ZX Comany\Setup\Desert.jpg
- File opened for modification: C:\Program Files (x86)\ZX Comany\Setup\Jellyfish.jpg
- File opened for modification: C:\Program Files (x86)\ZX Comany\Setup\Lighthouse.jpg
- File opened for modification: C:\Program Files (x86)\ZX Comany\Setup\Penguins1.jpg
- File opened for modification: C:\Program Files (x86)\ZX Comany\Setup\photo.exe
- File opened for modification: C:\Program Files (x86)\ZX Comany\Setup\Chrysanthemum.jpg
- File opened for modification: C:\Program Files (x86)\ZX Comany\Setup\Hydrangeas.jpg
- File opened for modification: C:\Program Files (x86)\ZX Comany\Setup\tylpan.jpg
- File opened for modification: C:\Program Files (x86)\ZX Comany\Setup\rar.exe
- File opened for modification: C:\Program Files (x86)\ZX Comany\Setup\engvins.jpg
- File opened for modification: C:\Program Files (x86)\ZX Comany\Setup\Koala.jpg
- File created: C:\Program Files (x86)\ZX Comany\Setup\Uninstall.ini
- File opened for modification: C:\Program Files (x86)\ZX Comany\Setup\11.bat
- File opened for modification: C:\Program Files (x86)\ZX Comany\Setup\Uninstall.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 4 IoCs
Processes (resource, YARA rule):
- \Users\Admin\AppData\Local\Temp\dfrgui.exe: nsis_installer_1
- \Users\Admin\AppData\Local\Temp\dfrgui.exe: nsis_installer_2
- C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe: nsis_installer_1
- C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe: nsis_installer_2
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description, IoC, process):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (BlueScreenView.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (BlueScreenView.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (dfrgui.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (dfrgui.exe)
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (PID, image):
- 2528 schtasks.exe
- 1104 schtasks.exe
Kills process with taskkill 1 IoCs
Processes (PID, image):
- 2252 taskkill.exe
NTFS ADS 2 IoCs
Processes (description, IoC, process):
- File created: C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe:Zone.Identifier (dfrgui.exe)
- File opened for modification: C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe:Zone.Identifier (dfrgui.exe)
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes (PID, image, number of events):
- 2980 Arkei1.exe: 3
- 2784 44.exe: 3
- 2372 BlueScreenView.exe: 4
- 1168 dfrgui.exe: 2
- 2768 BlueScreenView.exe: 1
Suspicious behavior: MapViewOfSection 3 IoCs
Processes (PID, image):
- 1068 BlueScreenView.exe
- 596 dfrgui.exe
- 2436 BlueScreenView.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (token, PID, image):
- SeDebugPrivilege: 2784 44.exe
- SeDebugPrivilege: 2980 Arkei1.exe
- SeDebugPrivilege: 2252 taskkill.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source PID and image -> target PID and image: number of writes):
- 2848 4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe -> 2652 cmd.exe: 4
- 2652 cmd.exe -> 2464 rar.exe: 4
- 2464 rar.exe -> 2784 44.exe: 4
- 2464 rar.exe -> 2980 Arkei1.exe: 4
- 2980 Arkei1.exe -> 1068 BlueScreenView.exe: 4
- 2784 44.exe -> 596 dfrgui.exe: 4
- 1068 BlueScreenView.exe -> 2372 BlueScreenView.exe: 5
- 596 dfrgui.exe -> 1168 dfrgui.exe: 5
- 1168 dfrgui.exe -> 2888 cmd.exe: 4
- 1168 dfrgui.exe -> 2224 cmd.exe: 4
- 2888 cmd.exe -> 2348 cmd.exe: 4
- 2888 cmd.exe -> 2948 cacls.exe: 4
- 2224 cmd.exe -> 2924 cmd.exe: 4
- 2224 cmd.exe -> 2192 cacls.exe: 4
- 2372 BlueScreenView.exe -> 1188 cmd.exe: 4
- 2372 BlueScreenView.exe -> 1128 cmd.exe: 2
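The SetThreadContext and WriteProcessMemory tables above describe a process-hollowing chain: each second-stage loader starts a second copy of its own image (BlueScreenView.exe, dfrgui.exe), writes into it, resets the child's thread context, and the family_vidar YARA rule then fires only in the memory of the hollowed child (PID 2372), not in any file on disk. The script below is an added example and not part of this report; it pairs injection events by source and target to list the hollowing candidates and maps the YARA memory-dump hits back to the process that was injected into. The event list is constructed from the report's tables with one row per source, target and API, so repeat counts are not modelled, and the heuristic itself is this example's own.

```python
"""Pair sandbox injection events to find process-hollowing candidates.

Added example, not part of the sandbox report. EVENTS and YARA_HITS are
constructed from the SetThreadContext / WriteProcessMemory and Vidar Stealer
tables above; only one row per (source, target, API) is kept.
"""
import re
from collections import OrderedDict

# (src_pid, src_image, dst_pid, dst_image, api) -- constructed from the report
EVENTS = [
    (2848, "4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe", 2652, "cmd.exe", "WriteProcessMemory"),
    (2652, "cmd.exe", 2464, "rar.exe", "WriteProcessMemory"),
    (2464, "rar.exe", 2784, "44.exe", "WriteProcessMemory"),
    (2464, "rar.exe", 2980, "Arkei1.exe", "WriteProcessMemory"),
    (2980, "Arkei1.exe", 1068, "BlueScreenView.exe", "WriteProcessMemory"),
    (2784, "44.exe", 596, "dfrgui.exe", "WriteProcessMemory"),
    (1068, "BlueScreenView.exe", 2372, "BlueScreenView.exe", "WriteProcessMemory"),
    (1068, "BlueScreenView.exe", 2372, "BlueScreenView.exe", "SetThreadContext"),
    (596, "dfrgui.exe", 1168, "dfrgui.exe", "WriteProcessMemory"),
    (596, "dfrgui.exe", 1168, "dfrgui.exe", "SetThreadContext"),
    (2436, "BlueScreenView.exe", 2768, "BlueScreenView.exe", "SetThreadContext"),
    (1168, "dfrgui.exe", 2888, "cmd.exe", "WriteProcessMemory"),
    (2372, "BlueScreenView.exe", 1188, "cmd.exe", "WriteProcessMemory"),
]

# Memory-dump resources on which the family rule fired (copied from the report)
YARA_HITS = [
    "behavioral1/memory/2372-184-0x0000000000400000-0x0000000000487000-memory.dmp",
    "behavioral1/memory/2372-182-0x0000000000400000-0x0000000000487000-memory.dmp",
    "behavioral1/memory/2372-228-0x0000000000400000-0x0000000000487000-memory.dmp",
]

# Triage-style dump name: <pid>-<n>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"/memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def pair_apis(events):
    """Group events by (src_pid, dst_pid), preserving first-seen order."""
    pairs = OrderedDict()
    for src, src_img, dst, dst_img, api in events:
        entry = pairs.setdefault((src, dst), {"src_image": src_img, "dst_image": dst_img, "apis": set()})
        entry["apis"].add(api)
    return pairs


def hollowing_pairs(events):
    """Heuristic: a parent that resets the thread context of a child running
    the same image has almost certainly replaced that child's image.
    WriteProcessMemory alone is not enough: in this report every ordinary
    parent-to-child spawn also shows writes, so it is not used as a signal."""
    out = []
    for (src, dst), e in pair_apis(events).items():
        same_image = e["src_image"].lower() == e["dst_image"].lower()
        if same_image and "SetThreadContext" in e["apis"]:
            out.append((src, dst, e["dst_image"]))
    return out


def dump_pid(path):
    """Parse a memory-dump resource name into (pid, start, end); None if not one."""
    m = DUMP_RE.search(path)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)


def payload_hosts(events, yara_hits):
    """Map each PID whose memory matched the family rule to the parent that
    hollowed it and to the matched regions. The unpacked payload lives in
    the hollowed child, so that is the dump to carve, not the dropped file."""
    children = {dst: src for src, dst, _img in hollowing_pairs(events)}
    hosts = {}
    for hit in yara_hits:
        parsed = dump_pid(hit)
        if parsed is None:
            continue
        pid, start, end = parsed
        h = hosts.setdefault(pid, {"hollowed_by": children.get(pid), "regions": set(), "hits": 0})
        h["regions"].add((start, end))
        h["hits"] += 1
    return hosts


if __name__ == "__main__":
    for src, dst, img in hollowing_pairs(EVENTS):
        print(f"hollowing candidate: {src} -> {dst} ({img})")
    for pid, h in payload_hosts(EVENTS, YARA_HITS).items():
        for start, end in sorted(h["regions"]):
            print(f"carve PID {pid} (injected by {h['hollowed_by']}): "
                  f"0x{start:x}-0x{end:x}, {end - start:#x} bytes, {h['hits']} rule hits")
```

Two details of the tables are worth keeping in mind when tuning such a rule. Every ordinary parent-to-child spawn in the WriteProcessMemory table carries exactly four writes, which appears to be the baseline that process creation itself produces on this sandbox, while the two hollowed pairs with a complete row set carry five; that single extra write is weak evidence on its own, so the heuristic keys on SetThreadContext into a same-image child instead. The three parents it flags (1068, 596, 2436) are also exactly the processes listed under MapViewOfSection, which is the other half of the hollowing pattern.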
Processes
Each entry is "[depth] PID image", followed by the command line and the signatures that fired for that process; children are indented under their parent.

- [1] PID 2848  C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe"
      signatures: Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - [2] PID 2652  C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c ""C:\Program Files (x86)\ZX Comany\Setup\11.bat" "
        signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - [3] PID 2464  C:\Program Files (x86)\ZX Comany\Setup\rar.exe
          cmdline: rar.exe -p123321 -dC:\TEMP
          signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - [4] PID 2784  C:\TEMP\44.exe
            cmdline: "C:\TEMP\44.exe"
            signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - [5] PID 596  C:\Users\Admin\AppData\Local\Temp\dfrgui.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\dfrgui.exe"
              signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
          - [6] PID 1168  C:\Users\Admin\AppData\Local\Temp\dfrgui.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\dfrgui.exe"
                signatures: Executes dropped EXE; Loads dropped DLL; Checks processor information in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
            - [7] PID 2888  C:\Windows\SysWOW64\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}" /P "%USERNAME%:R"
                  signatures: Suspicious use of WriteProcessMemory
              - [8] PID 2348  C:\Windows\SysWOW64\cmd.exe
                    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              - [8] PID 2948  C:\Windows\SysWOW64\cacls.exe
                    cmdline: CACLS "C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}" /P "Admin:R"
            - [7] PID 2224  C:\Windows\SysWOW64\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe" /P "%USERNAME%:R"
                  signatures: Suspicious use of WriteProcessMemory
              - [8] PID 2924  C:\Windows\SysWOW64\cmd.exe
                    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              - [8] PID 2192  C:\Windows\SysWOW64\cacls.exe
                    cmdline: CACLS "C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe" /P "Admin:R"
            - [7] PID 2436  C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe
                  cmdline: "C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe"
                  signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection
              - [8] PID 2768  C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe
                    cmdline: "C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe"
                    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
            - [7] PID 2700  C:\Windows\SysWOW64\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}\BVQG76LE92B2.ps1" /P "%USERNAME%:R"
              - [8] PID 2492  C:\Windows\SysWOW64\cmd.exe
                    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              - [8] PID 2444  C:\Windows\SysWOW64\cacls.exe
                    cmdline: CACLS "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}\BVQG76LE92B2.ps1" /P "Admin:R"
            - [7] PID 2696  C:\Windows\SysWOW64\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}\8XIK8PM6S6PZ.vbs" /P "%USERNAME%:R"
              - [8] PID 2644  C:\Windows\SysWOW64\cmd.exe
                    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              - [8] PID 840  C:\Windows\SysWOW64\cacls.exe
                    cmdline: CACLS "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}\8XIK8PM6S6PZ.vbs" /P "Admin:R"
            - [7] PID 2672  C:\Windows\SysWOW64\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}\JFK2LFE7AT7Y.cmd" /P "%USERNAME%:R"
              - [8] PID 2780  C:\Windows\SysWOW64\cmd.exe
                    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              - [8] PID 2792  C:\Windows\SysWOW64\cacls.exe
                    cmdline: CACLS "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}\JFK2LFE7AT7Y.cmd" /P "Admin:R"
            - [7] PID 2636  C:\Windows\SysWOW64\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}" /P "%USERNAME%:R"
              - [8] PID 2652  C:\Windows\SysWOW64\cmd.exe
                    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              - [8] PID 2524  C:\Windows\SysWOW64\cacls.exe
                    cmdline: CACLS "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}" /P "Admin:R"
            - [7] PID 2528  C:\Windows\SysWOW64\schtasks.exe
                  cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 30 /TN "BMCIZHP7EYRE6T" /TR "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}\8XIK8PM6S6PZ.vbs" /F
                  signatures: Creates scheduled task(s)
            - [7] PID 1104  C:\Windows\SysWOW64\schtasks.exe
                  cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 15 /TN "9AXRIWV8IHOIS8BY3E" /TR "C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe" /F
                  signatures: Creates scheduled task(s)
            - [7] PID 2976  C:\Windows\SysWOW64\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im dfrgui.exe /f & erase Xõ˜& & exit
      - [4] PID 2980  C:\TEMP\Arkei1.exe
            cmdline: "C:\TEMP\Arkei1.exe"
            signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - [5] PID 1068  C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe"
              signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
          - [6] PID 2372  C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe"
                signatures: Executes dropped EXE; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
            - [7] PID 1188  C:\Windows\SysWOW64\cmd.exe
                  cmdline: "C:\Windows\system32\cmd.exe" rd /s /q C:\ProgramData\E7QNYVQS4X2XXS
            - [7] PID 1128  C:\Windows\SysWOW64\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im BlueScreenView.exe /f & erase C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe & exit
              - [8] PID 2252  C:\Windows\SysWOW64\taskkill.exe
                    cmdline: taskkill /im BlueScreenView.exe /f
                    signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
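Three of the command lines in the tree above are the ones a responder has to undo. The dfrgui.exe instance (PID 1168) locks its dropped files and directories with `echo Y|CACLS <path> /P "<user>:R"`: cacls without /E replaces the whole ACL, so the user is left with read access only and can no longer delete the file, and the piped Y answers the confirmation prompt. It then registers two scheduled tasks, one running the dropped VBS every 30 minutes and one running the ProgramData copy of BlueScreenView.exe every 15 minutes, and both stages finish with `taskkill /im <image> /f & erase <path>` to remove their own executable from Temp. The script below is an added example and not part of this report; it scans process command lines for those three patterns plus the `rd /s /q` cleanup and turns the hits into an ordered cleanup plan. The sample lines are copied from the process tree, with one harmless taskkill added as a negative control; the regexes, finding names and the plan are this example's own and cover only the cacls, schtasks and taskkill+erase forms seen here (icacls uses a different syntax and is not matched).

```python
"""Flag the anti-removal and persistence command lines from the process tree.

Added example, not part of the sandbox report. SAMPLE_CMDLINES is copied from
the process tree above (plus one benign control line); the rules below are
this example's own and only cover the forms seen in this report.
"""
import re

SAMPLE_CMDLINES = [
    r'cmd /c ""C:\Program Files (x86)\ZX Comany\Setup\11.bat" "',
    r'"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}" /P "%USERNAME%:R"',
    r'CACLS "C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe" /P "Admin:R"',
    r'CACLS "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}\8XIK8PM6S6PZ.vbs" /P "Admin:R"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 30 /TN "BMCIZHP7EYRE6T" /TR "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}\8XIK8PM6S6PZ.vbs" /F',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 15 /TN "9AXRIWV8IHOIS8BY3E" /TR "C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /c taskkill /im BlueScreenView.exe /f & erase C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe & exit',
    r'"C:\Windows\system32\cmd.exe" rd /s /q C:\ProgramData\E7QNYVQS4X2XXS',
    r'taskkill /im BlueScreenView.exe /f',  # control: a kill without a following erase is not self-deletion
]

# cacls without /E replaces the whole ACL; "<user>:R" leaves only read access,
# so the dropped file can no longer be deleted by that user.
ACL_LOCK = re.compile(r'CACLS\s+"([^"]+)"\s+/P\s+"([^":]+):([A-Z])"', re.I)
SCHTASK_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+/Create\b', re.I)
SC_RE = re.compile(r'/SC\s+(\w+)', re.I)
MO_RE = re.compile(r'/MO\s+(\d+)', re.I)
TN_RE = re.compile(r'/TN\s+"?([^"\s]+)"?', re.I)
TR_RE = re.compile(r'/TR\s+"([^"]+)"', re.I)
SELF_DELETE = re.compile(r'taskkill\s+/im\s+(\S+)\s+/f\s*&\s*(?:erase|del)\s+(\S+)', re.I)
RD_TREE = re.compile(r'\brd\s+/s\s+/q\s+(\S+)', re.I)
USER_WRITABLE = re.compile(r'\\(?:ProgramData|AppData|Temp|Users)\\', re.I)
SCRIPT_EXT = (".vbs", ".ps1", ".cmd", ".bat", ".js")


def scan(cmdlines):
    """Return one finding dict per matched pattern, in command-line order."""
    findings = []
    for line in cmdlines:
        m = ACL_LOCK.search(line)
        if m:
            path, principal, perm = m.groups()
            findings.append({"rule": "acl_lock", "path": path, "principal": principal, "perm": perm.upper()})
        if SCHTASK_CREATE.search(line):
            sc, mo, tn, tr = (r.search(line) for r in (SC_RE, MO_RE, TN_RE, TR_RE))
            target = tr.group(1) if tr else ""
            minute_based = bool(sc and sc.group(1).upper() == "MINUTE" and mo)
            findings.append({
                "rule": "schtask_persistence",
                "task": tn.group(1) if tn else "",
                "target": target,
                "every_minutes": int(mo.group(1)) if minute_based else None,
                # a task firing from a user-writable path or a script is the usual malware shape
                "suspicious_target": bool(USER_WRITABLE.search(target)) or target.lower().endswith(SCRIPT_EXT),
            })
        m = SELF_DELETE.search(line)
        if m:
            findings.append({"rule": "self_delete", "image": m.group(1), "erased": m.group(2)})
        m = RD_TREE.search(line)
        if m:
            findings.append({"rule": "rd_cleanup", "path": m.group(1)})
    return findings


def cleanup_plan(findings):
    """Order the response: drop the tasks first so nothing relaunches the payload,
    then reset the replaced ACLs so the locked files can actually be deleted."""
    tasks, acl_paths = [], []
    for f in findings:
        if f["rule"] == "schtask_persistence" and f["task"] and f["task"] not in tasks:
            tasks.append(f["task"])
        if f["rule"] == "acl_lock" and f["path"] not in acl_paths:
            acl_paths.append(f["path"])
    commands = [f'schtasks /Delete /TN "{t}" /F' for t in tasks]
    commands += [f'icacls "{p}" /reset' for p in acl_paths]
    return {"tasks": tasks, "acl_paths": acl_paths, "commands": commands}


if __name__ == "__main__":
    found = scan(SAMPLE_CMDLINES)
    for f in found:
        print(f)
    for cmd in cleanup_plan(found)["commands"]:
        print(cmd)
```

`icacls /reset` works here because the account that ran the dropper owns the files it created and an owner can always rewrite the DACL; on a host where that is not the case, take ownership first (`takeown /F <path>`) or run the reset from an elevated shell. Kill the running BlueScreenView.exe instances between deleting the tasks and deleting the files, otherwise the 15-minute task may already have restarted the copy in ProgramData.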
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 49B
  MD5: 9c5ff437f1c8df2188522588a13d8a39
  SHA1: c7659b5e9231fba6de6337aa61945b4cf35fc6f9
  SHA256: f629d747c54a3cba4c7ff7a961fd23022a1ad8fe6f988f94037f4ab1160a9a27
  SHA512: b7c6e6e453d20d5b8a736e526dcbfcbc1c7668bf2f78c2768b5d68dc2016e50bfb7e8267f373b3390559558ffbcd245ce4c75c94bda417377cc7ce3f1aea1079
- Filesize: 1.7MB
  MD5: 66aff81a4148ac26ee7e57627e2ecbc7
  SHA1: 9d6b2264f1cfeadb556b1fe880a965102e3c557f
  SHA256: 7fb160efad7efd2ee2deacf99f63f433fc4b58c714a678e34a3e5e162e99f1be
  SHA512: 721a00c68fa913ede6d5b45bb3e01c4f863c0614af224ca98585a548b37c953eaaf91eb275e62ef9e392c400d1f346ee3dbbe91a815c89f2afa381cc2c3551e9
- Filesize: 474B
  MD5: 32728e13e7aa16ecac76bc91926d2470
  SHA1: aebbe6ab60899e6fda3c0812fff1a97969240b2a
  SHA256: c718cf8da12f26190db66f23b642b34ab36d461f0050c2a696a2572e6a05fe34
  SHA512: 5392d4a3181d3711728f0bc620da307f9d152f11b0f36a0f216261afa554f94b6c11ff33e79868dab054d15c3e0bbd678dfcf0eac84c97fd39e83c70c304a1cc
- Filesize: 130B
  MD5: d926395920ef3c3397dbdf36344e4a8f
  SHA1: 1a2a6f30b6dcfb097c355d195eeb124e13aeea6f
  SHA256: 62a5bc7d992d79ec02b7c7f398175a5d6c8a78395a6d883a70f66720a62c5144
  SHA512: 45c8c8adb2370ff7649b0ee9d117aeae0f8d77b4aae2b67da07615687ac4e5a6ca9f31e0749cf40cbfd333e1fe6c85aee331dcbcd6bc1365e75fca983b6ccfb6
- Filesize: 414B
  MD5: cefdfff73ddd69daee5f52d19ffe6a87
  SHA1: 35df81c193793ed905f14e25da6378663247ffa2
  SHA256: 86ea2641aa3383b31fda76f0cbda81034b36852ca6591dceb882919d546df4ea
  SHA512: 7b363a415cca98a3f94a7ec629d7e2b1097c5eb66283b8bbac9e3639810ad84fb9f4604c54f1a90666e4b7ef21d57492666c0e8f067783e8191bac04536ba395
- Filesize: 144B
  MD5: 23b5fc7a23fc5ae587bf5cc392bd343a
  SHA1: 554e5145f629d218d804df0173982b22687c7ede
  SHA256: 7ab784dc145819e31f61f3c50449725a6b31d33839707b34083ed3fdd7f72137
  SHA512: 132602f1e8eba4ee1fdbb143650833ea0d74888ec493ae7480bed71943a19a9f20b7e7416923cd643850e1bf66e8d84535124060096cd2a5211c0f3868b488ce
- Filesize: 879KB
  MD5: 343ab41be912e2fd47c5b440adea8283
  SHA1: 9172aeccb1a9373bef8e37893fe3b64624326dd1
  SHA256: 20ed4aa51c59153dc2eec8a610467fb3a7eb38474ef6ec179c3b71e1ffbcce59
  SHA512: e8f6d009caf7f3b5a9980614b5c0a50115cdcb8f0999edb9af7587e65017c61e484def72650cd5ab81279e5a99f21111c9677b1a21fa1ad3c3e8aa3913b095ad
- Filesize: 832KB
  MD5: 568712e628008b963d6c40a12f10ac00
  SHA1: 3bc8567a248cffd1ac43d8fa47edb5eee6bd65b0
  SHA256: 45c2a05d843c448491a4f31f06db4bfe5553ebba2a9d990317cd2cb0dabff30b
  SHA512: e15e7c7f7f1c9a5f168b2d5fa28a0b28f3ff67ada0b5837bfac98e1f9e04074b51eed2721a4b6de60dfc7198042031fa2bea003cff75fd0718714ecbeb522735
- Filesize: 8.0MB
  MD5: 9e5061f48550753fd4a67bced21d31e6
  SHA1: 6cdd2e6ec542d585b5481ab6fbaf64f1eab1658d
  SHA256: 8aa8301129281f1a4d1aa9eba37e69282fd1d68f084455a9a25f5db3f158c7b3
  SHA512: c5d079f3375a2ddeab9daa54b83ede12960ee507428aae1a06431b7f905b1a4cd71c6f98d34c78131d52818ed0f3324b48b59d40baa24c8b7d775a3c0fae1871
- Filesize: 5.2MB
  MD5: 9380743a114a72fdd83ae0d9bc7ecc82
  SHA1: b378df8008977d1d57a24874936b19f8ae4b1553
  SHA256: 41c2200ffdbf809d9898747753421f0a59a7989c412696af7dae1bdca172bc80
  SHA512: d3ec0f19dabd6568c7c4b8feeaf6320c88a91dae4dc5b7589900d7eb1ba94d0f634fc5fbe4e8a43f52b56417e4bd2faa3739325c500b22c73df66ddd04d42824
- Filesize: 223KB
  MD5: ea6fec14d884134c2d1ad876f5acb93d
  SHA1: e56a586ff0ea3fa0b766b6a354fc8e1dfb5bd86a
  SHA256: 6f1120217baa44a5ac1b8776d5aa2d96b760ec98b2ff7df44de020011abdf96d
  SHA512: 031cf84283fdb4f1b0e74e3dc7745fdd48f12168b616c4d89f2cde4635601fdb2efa0438734f9c276c083a1941c321567269873b67df70d8dd0ab9ea5fda90ae
- Filesize: 654KB
  MD5: 7399f9bec3517e33cb548b00414c49da
  SHA1: 32630a25c5adc819f6ce491bd13ba850a29eae9d
  SHA256: ade8f7dfecdc7bcadb1686ea34682305cb9613c7cde67ed55dd319050e9de145
  SHA512: 0280c5b55ea1dce71f9b2ddbfe0bac2f030d4d87a830bce1e89807876ae9d12f48045b3123e20f6859c1089d443751fa9204d2487d1b58264a1ad7e32d2e1c06
- Filesize: 763KB
  MD5: 9f3bf0c3af2387816095511aeee7ffc4
  SHA1: 0e7eb78ffdeba6bc3806c946cf5e5a3f62f89201
  SHA256: eb082d0c9627b183fdcd688a92b3589f9ea7c2a585c31f1ccad681fc5a54adb0
  SHA512: 3ebd8e3f83e91a7ef55df422aefcde11156d20c0fb0c489ee9f3d46f96f428639a1ec49e27680c2cd94b35a786ed440a680e6b12ec5fc56b0499e68545015a49
- Filesize: 11KB
  MD5: 3f176d1ee13b0d7d6bd92e1c7a0b9bae
  SHA1: fe582246792774c2c9dd15639ffa0aca90d6fd0b
  SHA256: fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
  SHA512: 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6