Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
19/08/2024, 00:19
General
-
Target
a8d164756ecd1e60e4510334f4ef64c6_JaffaCakes118.exe
-
Size
1.2MB
-
MD5
a8d164756ecd1e60e4510334f4ef64c6
-
SHA1
9d3825cc87e83bd29561a31a49cee63f173ff515
-
SHA256
e0f566934e24a7fe29c2b45f2c8b70bb56980769238002dedf2ef72ebe49cde3
-
SHA512
fbf7a081ed5048a3daa44de7b11058358e52e9139178a970654b9f4880eed5e63ff3e0086603361b6cb83662ce87643e5971d1077a79a32d37acad3d509758c9
-
SSDEEP
24576:F0nWgSSwbfqAuwIlIRz/JCLhtrNGy6Eydl+uP4ySUbK+w5GgZzkEg8:F0nWgoXIlI5/gLHrNRyn+H7l+w3zk18
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 23 IoCs
-
Loads dropped DLL 3 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates processes with tasklist 1 TTPs 19 IoCs
-
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 49 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 49 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8d164756ecd1e60e4510334f4ef64c6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8d164756ecd1e60e4510334f4ef64c6_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8453.tmp\BiscontiComputers.bat" C:\Users\Admin\AppData\Local\Temp\"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h "C:\Users\Admin\AppData\Local\Temp\\bisc_files"3⤵
- Views/modifies file attributes
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\tasklist.exetasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV3⤵
- Executes dropped EXE
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running2.log3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\BiscontiComputers-start.exe"BiscontiComputers-start.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ztmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ztmp"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ztmp4⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib +h C:\Users\Admin\AppData\Local\Temp\ztmp5⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\AutoFix.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\AutoFix.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\check_inet.bat" del "C:\Users\Admin\AppData\Local\Temp\afolder\check_inet.bat"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\createsrp.vbs" del "C:\Users\Admin\AppData\Local\Temp\afolder\createsrp.vbs"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\curl.uha" del "C:\Users\Admin\AppData\Local\Temp\afolder\curl.uha"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\no_dup.bat" del "C:\Users\Admin\AppData\Local\Temp\afolder\no_dup.bat"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\prog_list.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\prog_list.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\resetdma.vbs" del "C:\Users\Admin\AppData\Local\Temp\afolder\resetdma.vbs"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\say.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\say.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\sendmail.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\sendmail.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\SetWallpaper.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\SetWallpaper.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\dwn_util.bat" del "C:\Users\Admin\AppData\Local\Temp\afolder\dwn_util.bat"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\waiting.bat" del "C:\Users\Admin\AppData\Local\Temp\afolder\waiting.bat"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\regjump.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\regjump.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\Wi-Fi-bisconticomputers.xml" del "C:\Users\Admin\AppData\Local\Temp\afolder\Wi-Fi-bisconticomputers.xml"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp9083.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp9083.bat"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5071.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5071.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ztmp\tmp9083.bat4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\waiting.bat"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 1256⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe"C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe" x -t"C:\Users\Admin\AppData\Local\Temp\bisc" -y+ C:\Users\Admin\AppData\Local\Temp\afolder\curl.uha5⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\PING.EXEPING -n 1 www.modyouri.com5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\find.exefind "Reply from "5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\bisc\check_inet.bat"5⤵
-
C:\Windows\SysWOW64\PING.EXEPING -n 1 www.google.com6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\find.exefind "Reply from "6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\bisc\dwn_util.bat"5⤵
-
C:\Windows\SysWOW64\mode.commode con: lines=106⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe"C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe" x -t"C:\Users\Admin\AppData\Local\Temp\bisc" -y+ C:\Users\Admin\AppData\Local\Temp\afolder\curl.uha6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\bisc\curl.exe""C:\Users\Admin\AppData\Local\Temp\bisc\curl"" --progress-bar -o "C:\Users\Admin\AppData\Local\Temp\bisc\aiov.txt " "http://www.modyouri.com/bisc_files/aiov.txt "6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\fc.exefc "C:\Users\Admin\AppData\Local\Temp\bisc_files\aiov.txt" "C:\Users\Admin\AppData\Local\Temp\bisc\aiov.txt"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\AutoFix.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\AutoFix.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\check_inet.bat" del "C:\Users\Admin\AppData\Local\Temp\afolder\check_inet.bat"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\createsrp.vbs" del "C:\Users\Admin\AppData\Local\Temp\afolder\createsrp.vbs"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\curl.uha" del "C:\Users\Admin\AppData\Local\Temp\afolder\curl.uha"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\no_dup.bat" del "C:\Users\Admin\AppData\Local\Temp\afolder\no_dup.bat"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\prog_list.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\prog_list.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\resetdma.vbs" del "C:\Users\Admin\AppData\Local\Temp\afolder\resetdma.vbs"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\say.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\say.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\sendmail.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\sendmail.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\SetWallpaper.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\SetWallpaper.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\uharc.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\dwn_util.bat" del "C:\Users\Admin\AppData\Local\Temp\afolder\dwn_util.bat"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\waiting.bat" del "C:\Users\Admin\AppData\Local\Temp\afolder\waiting.bat"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\regjump.exe" del "C:\Users\Admin\AppData\Local\Temp\afolder\regjump.exe"4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\afolder\Wi-Fi-bisconticomputers.xml" del "C:\Users\Admin\AppData\Local\Temp\afolder\Wi-Fi-bisconticomputers.xml"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp9083.bat" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp9083.bat"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5071.exe" del "C:\Users\Admin\AppData\Local\Temp\ztmp\tmp5071.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\tasklist.exetasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV3⤵
- Executes dropped EXE
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\tasklist.exetasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV3⤵
- Executes dropped EXE
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log3⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\tasklist.exetasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV3⤵
- Executes dropped EXE
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log3⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\tasklist.exetasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV3⤵
- Executes dropped EXE
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log3⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\tasklist.exetasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV3⤵
- Executes dropped EXE
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log3⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\tasklist.exetasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV3⤵
- Executes dropped EXE
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\tasklist.exetasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV3⤵
- Executes dropped EXE
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log3⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\tasklist.exetasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV3⤵
- Executes dropped EXE
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log3⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\tasklist.exetasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV3⤵
- Executes dropped EXE
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\tasklist.exetasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV3⤵
- Executes dropped EXE
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\tasklist.exetasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV3⤵
- Executes dropped EXE
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\tasklist.exetasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV3⤵
- Executes dropped EXE
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log3⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\tasklist.exetasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV3⤵
- Executes dropped EXE
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\tasklist.exetasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV3⤵
- Executes dropped EXE
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\tasklist.exetasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV3⤵
- Executes dropped EXE
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\tasklist.exetasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV3⤵
- Executes dropped EXE
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log3⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\tasklist.exetasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV3⤵
- Executes dropped EXE
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log3⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\8453.tmp\tasklist.exetasklist /FI "IMAGENAME eq BiscontiComputers-start.exe" /FO CSV3⤵
- Executes dropped EXE
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind "BiscontiComputers-start.exe" C:\Users\Admin\AppData\Local\Temp\running.log3⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 10003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD5e379168fe006772711f9e9ccf22411e5
SHA13d9440603c535aeb1e4c95c0283dba38ea87f3cb
SHA2564a9b643d707939baff1f987dc2ed250c72380a2f58cc837f04478887d2803512
SHA51222cd94475e81f537f56a69d19988805d56a9198ecd82ccb46fe7489d2426b24e932ea5f2007b1409131bd0b4f390c15092f7cef4d7916300f59a32ba88602a50
-
Filesize
2KB
MD588b5086f5f0dfd215e12290e8de8148b
SHA1ef2509a6896200ff5fd752c9ec9021a89f832c2e
SHA256da58bb85e99f8c4941fed0f3b5ba7d6812056d4445d3dbac26268caa5c48c33d
SHA512542e9d5d728e35a2b03fa1985d792d72b15008ef2183ea0f3d37cc5dbf1b0a2518652c1d072d2c7c64acd58500def158fe4abd4ffd3c4573900523f496b1db78
-
Filesize
70KB
MD570363a3228df8fc8cff4e78f36b31c45
SHA167a3482b629b1ee013da449112d3d24aad6fa957
SHA256c568e436289c271b09c82d51b10b713ea46d2aee7f0ff515c4ffbbf5d11f8178
SHA512da494184a36b2aaa709147c0a558258701755520d82b2863c9c22794ac0f295b70d3bbffaaf97ca77ce0d7313e408f5eeaac9e31b6972b7cb8a16ca3aa0d2d15
-
Filesize
712B
MD5ee776b220c4f95e18b93e8e91695ac2c
SHA17a257aede812707c64797b5decad9cc9f0839ee1
SHA256cd07c43b967d37ae09275acde2d5ee70c76c727ee1c86e5bf9e4e4a1222c4be8
SHA512266a9de4fe8278e428d61b179f90def0addc523d77bd65f2f1f0b04c43880f54118857bdceee2285dc8b66e1ad56d0cfa6ab2ba5d0b56946a4ad7fb4bc1b6f57
-
Filesize
664B
MD5581b6ba034bc84910287bc2b4d71ab58
SHA181b241cda9516e6db484f2dbbff3c0eb641b9186
SHA2562d805f58c664b6be4e6d6aba5af0c7d07c4bf173981f36a62011c50809862ed4
SHA51243a89e66f4804d233a98c855d0c4b20c439a0258d3231e399ad0c063535e57ba1f38cf2ba699b7f09e376330f0f412569d7def771d831911e9643199c32774b9
-
Filesize
816KB
MD5045bb7f6767536d2734a82bfa907a88c
SHA1d661d2d131d4df532f9375c1953b4e3b5cb5d8a6
SHA256105c7728959c59efaee6c23b5ec90e1e0b243a2b21855313fca015ee1b45d8bd
SHA51261d9a8a7fb00fda4d24a89473b9ada4da8ba6b0b72157e7d19105e525efd4d9fffe36c8de57b19576d20510b8922081c807f057d971dfffa66d6885d4bd96bdb
-
Filesize
1KB
MD508b1e6c236cf405c8eaf2174f47f840d
SHA14885088aa42193f2e81692084a74fe38d63e779e
SHA2560720c8786ae5b0064637392be0706e82524737f34249abf5b6b94b74c952a6e5
SHA51217fe6ee6f3d7ab0cdbee18f66ae412c35535b6e4d6d5cae2d04caab2230cfa16ef4fb0a8b1d980972c333261ef9620f8df035eedead6c71ab531079f58b20f7b
-
Filesize
101KB
MD550f6270de215776eb6e9ab43c2367f90
SHA1a2f0be6b23b6a923c402d6893e7e3c50e89a1132
SHA256f0a425fc7159c0311fcf32a03c80e24f40b273d199ce95defe470786087f822a
SHA5126dac8fbf961c41832000623092247b1deccf288a4fe32c4f028e89eb485b8d1713012038af955a87674beeaba92c0bc9ef47c4c10242bc3953b2b1a0e53431ac
-
Filesize
1KB
MD59d18a3c65e1607e3b947002c410dc854
SHA1e3150714ebe02225e94e9384cb06f4d6bac0498a
SHA256124743104aa1d341eee0da8704bff5550c083af64c7da7d16f1cacf3c741c43d
SHA512fb3acb5e87a42970b23caa4dda1e994ead34ce6feb532eb2a34f156e1c6c61eaa893c57842dbf7d0460dada6150d586317cb1cb7c695dd434cf9e265147e6c6d
-
Filesize
167B
MD50104c301c5e02bd6148b8703d19b3a73
SHA17436e0b4b1f8c222c38069890b75fa2baf9ca620
SHA256446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f
SHA51284427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf
-
Filesize
432KB
MD542d74927a0f4f583fb4a43c6841f0da1
SHA184e0ddb2b0fd27a72d5e5caaf19d2323babeedd0
SHA256a5666c0d1ab708994ee1636d0cbe8cec759378d764a6704e20c31a505f19809c
SHA51201e3d5423c49a484cd1ffb295bbdd4583fa70d08549b0c42b283f0a31bfe799bdda95d3452f19cf59e288545dce248972de7e1b37db7f23bd4c292baa8df7093
-
Filesize
322KB
MD5659c79fbe882e54c44f3bd39f073d7c0
SHA1d684bab7481def64c5e75d1732b69bbd6ca2ffb3
SHA256ea7c540a7e59596a8793bd00d742ca5f86db7022be03465b6967285c1667c849
SHA5120ea0483774c09a99deaf9a26372ea9308c719f1b5dbc6b9413ecdb89a3e4cc1b36e8a59f7dcddbd76c0e683d5169c9271f997eee465b0ea927264ec514d45245
-
Filesize
1.5MB
MD5923fad7854959d5e971bcb787a699f3c
SHA141a72dd510b5f08d9a2cf4a0dacf3fbb76ddb2ca
SHA2569018baac15d34cfd47f092a3c9c12ba1c5ddb910a4692187174d8f09f193e5f8
SHA5124f367d95468d7c27647d2e9626006908ca1c5d786c6e364953f83bc81df5248e7fba0468097fc017d1ac48f77526ebaaad77c4c1e49712a2381de8bf3e159660
-
Filesize
19KB
MD5b15da2b65fe5e474b60db4a961f363e8
SHA1f78b9d1ebd3b22cd52d152806a85297b70e00956
SHA25610d7081a72d7fd4b4dfe0bb88119be5dd1df0a019a43b8fe25136b64e397e067
SHA512518334e3e1a5d307596fa1416df4bf5081a7304d7ac15d97e7b2af79502fe414dc577c5caf6122a7cd093a6b6ae7ae37b2e7f821918a8911479858219305d79b
-
Filesize
346KB
MD5b394f91a8069216775f87749253dbe82
SHA1d82f8cf2f2198fb60dddfd1ab4deec47b3b70657
SHA2560f22abb27e6572b0bd383fec50076dd9898cd2f3366551bb51f2856697d11c19
SHA51286dfccfee8693b2a6ad2265fbaa3f472569e3ae4725dae8224ba9cacaf11aa2e4f9a9ff9d41620d42f41c91df758c8a76008242e148c88e3a6b216dda8ef65d5
-
Filesize
122B
MD558bbca6325217d955bc89cf554abec9f
SHA14d3cc4753a8dd7da2d9ca05bdf0831db655ad5ba
SHA256721c548dea07664ee6b97b67aa3d74dcd5b22b8584198629efa44576e023f40e
SHA51290958cbe85d7734250b831e2e5d2abf28fd976506d1286add4bcd28dbbf861a2fd6313daff0cfea66a99c2863845488729949d50714b96042630538ead0285bf
-
Filesize
122B
MD5c105d933ff341fda83c134a02d1bb979
SHA1e3db944e2e64cc29c28c90554a9a6fe97fd60cb2
SHA256841344ac4baf805111214a69aedc684f7f74c392f0679e50bdcb1fd3b5308606
SHA512c755745fd419ebab6ba1e09956a7f5121bfccd628889f5395f5e31b61aa6371e7370867cee1ace5039882b4e47a72190f86373ece3cee57d74242cc4223eb621
-
Filesize
122B
MD5d2b478fc86fe53ed7b4dbc824e73a73a
SHA13a850ef0416373318b14a081a383d9c16cba749d
SHA256b01319aa9395650d25d9d9afb228cf3997b768f9e9a3aef8033625c44ba6a539
SHA51249048cea9eb9a48644a1f98e601345a35cac602a1662001f9264f39b0cf26ee16d80e6f33e786349c11a53680f0436e35eb5592ee181b8950e91ea919bdb7d74
-
Filesize
122B
MD5c7e5dca6adadef7a5175a79983e38819
SHA174cbad43d1f4958c363e76445f1ae9e80c68004b
SHA256311ea124f484ad1de9aa61775ce81cb3f0c22e2b8fd4b49d18fe6e77b1948b99
SHA512ee53ddbbd598d94cf244ba6fc47d301872b287b4ad0d47a85a26fcae00ea2b0179df948359bb38cd6a7d1ebf897b297ce28dbcce4cf917676e62bbfdac9716ff
-
Filesize
119KB
MD530717bef454489b3e9899af525fd063e
SHA17434ac986e0bae4c6ea0bf38b98c9b83f0f49db0
SHA2564540565ec5969e5f836f077d2544d4c3ba24458051a25044d9f08b8077cd9ea6
SHA51249afb9cce82b5d828616842c625451354d45c1e6462f536dd9efc7f3fab46dc880a42e36d3d213b8575e999f7c22d0c93fa9c618c06ba7c4fd12157910e94cfd
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
588KB
-
Filesize
588KB
-
Filesize
460KB
-
Filesize
1.2MB
-
Filesize
268KB
-
Filesize
588KB
-
Filesize
588KB