Analysis
  max time kernel:   149s
  max time network:  145s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240802-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         23/08/2024, 14:12

Static task: static1
Behavioral task: behavioral1
  Sample:   bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample:   bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe
  Resource: win10v2004-20240802-en

The signatures, process tree and downloads on this page are from behavioral2 (the platform and resource above match that task); the Windows 7 run is a separate task and its results are not shown here.
General
  Target:  bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe
  Size:    76KB
  MD5:     bc0ee3e54b30159aba15019a51197300
  SHA1:    b02627317e03b6c669922fccc42ff4eb9da95d1a
  SHA256:  02358ba4720c5de7691c9fb71e0cfa437f1c1bc0e856d9a207de563bb6b62b8a
  SHA512:  20b4d6ca2284a52b6198a4ae0699756599503aa41a079de4df4838882dd148b106a78de660e120abf0e586f18be437d32e0084be89dc4c6033450ad75d5bb798
  SSDEEP:  1536:yy6h6NL247EJlU5IB99muEO40sW9qazlShlq4Se:2hU24uWCB99muEh0sW9nYjq4D
Malware Config
Signatures

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run   process: myccdd080721a.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\ccnhh = "rundll32.exe C:\\Windows\\system32\\mywcc080721.dll bgdll"   process: myccdd080721a.exe
  The value re-runs at logon the same command seen at PID 3332 in the process tree: rundll32.exe loading the DLL dropped into System32 and calling its bgdll export. Policies\Explorer\Run is processed by Explorer like the ordinary Run key but is rarely written by legitimate software, so the value name (ccnhh) and the DLL path are the durable host indicators from this run.

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation   process: rundll32.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation   process: bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation   process: myccdd080721a.exe

Executes dropped EXE (1 IoC)
  PID 4640  myccdd080721a.exe

Loads dropped DLL (1 IoC)
  PID 3332  rundll32.exe

Drops file in System32 directory (4 IoCs)
  File created                  C:\Windows\SysWOW64\myccdd080721a.exe   process: bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe
  File opened for modification  C:\Windows\SysWOW64\myccdd080721a.exe   process: bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\mywcc080721.dll     process: bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe
  File created                  C:\Windows\SysWOW64\mycgc32.dll         process: myccdd080721a.exe
  The command lines reference C:\Windows\system32\..., but the files land in SysWOW64: the sample is 32-bit, so the WOW64 file system redirector maps its System32 writes there. Hunt under SysWOW64 on 64-bit hosts.

Drops file in Windows directory (2 IoCs)
  File opened for modification  C:\Windows\cc16.ini   process: bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe
  File opened for modification  C:\Windows\cc16.ini   process: myccdd080721a.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). No IoCs recorded.

System Location Discovery: System Language Discovery (1 TTP, 51 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by PING.EXE (45 instances), cmd.exe (3), rundll32.exe (1), myccdd080721a.exe (1), bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe (1)
  48 of the 51 hits come from stock PING.EXE and cmd.exe instances, so this key being opened says little about intent on its own; the Geo\Nation query above is the specific geofencing indicator.

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 45 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PING.EXE PIDs: 224, 408, 796, 864, 916, 1372, 1388, 1436, 1528, 1556, 1568, 1680, 1776, 1936, 2364, 2456, 2852, 2880, 3020, 3096, 3108, 3228, 3296, 3316, 3344, 3540, 3604, 3772, 3792, 3808, 3876, 4036, 4144, 4152, 4172, 4220, 4316, 4492, 4536, 4652, 4696, 4820, 4948, 4956, 5072
  Every instance runs `ping 127.0.0.1` (see the process tree), which never leaves the host, so nothing about Internet connectivity is actually learned. A loopback ping inside a batch file is a common stand-in for sleep; all 45 are spawned by the two `cmd.exe /c "c:\nmDelm.bat"` processes, which points to a timing or retry loop in that script. This is consistent with the empty Network section below.

Runs ping.exe (1 TTP, 45 IoCs)
  The same 45 PING.EXE PIDs listed under Internet Connection Discovery.

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 212   bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe   (4 hits)
  PID 4640  myccdd080721a.exe                                     (8 hits)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege  PID 212   bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe   (1 hit)
  Token: SeDebugPrivilege  PID 4640  myccdd080721a.exe                                     (3 hits)

Suspicious use of WriteProcessMemory (64 IoCs; the raw list is cut off at 64 entries)
  Each child appears three times in the raw list (three writes per child); the rows below are deduplicated. The last column is the report's internal target process index (procid_target), not a PID.
  parent PID  parent image                                         child PID  target index
  212         bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe   3332       89
  3332        rundll32.exe                                          3628       90
  212         bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe   5072       91
  5072        cmd.exe                                               1372       95
  3628        cmd.exe                                               4640       94
  4640        myccdd080721a.exe                                     1048       101
  4640        myccdd080721a.exe                                     2436       104
  2436        cmd.exe                                               4696       106
  2436        cmd.exe                                               1936       107
  2436        cmd.exe                                               3316       108
  2436        cmd.exe                                               4316       109
  2436        cmd.exe                                               1556       110
  2436        cmd.exe                                               3540       112
  2436        cmd.exe                                               3772       113
  2436        cmd.exe                                               1776       116
  2436        cmd.exe                                               4820       117
  2436        cmd.exe                                               2880       118
  2436        cmd.exe                                               4036       119
  2436        cmd.exe                                               3096       120
  2436        cmd.exe                                               4652       121
  2436        cmd.exe                                               3808       122
  2436        cmd.exe                                               224        123  (single entry; list truncated here)
  Every write goes from a parent into a process it has just created, which mirrors the process tree exactly. That is the normal process-creation pattern and is not, by itself, evidence of injection into an unrelated process.
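Two of the behaviours above are worth turning into detections: the Policies\Explorer\Run persistence (value ccnhh, rundll32.exe loading a dropped DLL) and the burst of loopback pings spawned by the nmDelm.bat cmd.exe instances, which the report files under "Internet Connection Discovery" even though 127.0.0.1 is never a connectivity check. The Python below is an added example, not tria.ge's code and not the sample's: it runs both checks over an event list constructed here from the report's PIDs, command lines and registry IoCs, with two constructed benign controls added to show what does not fire. The Event class, function names, regexes and the min_children=5 threshold are my own assumptions; the events are sample data, not a log export.

```python
"""Two detections for behaviours in this report, run over a constructed event
stream (process creations and registry value writes) modelled on the report's
process tree. Sample data built here, not an export from the sandbox."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str           # "process" (creation) or "registry" (value set)
    pid: int            # acting process
    image: str          # acting process image name
    ppid: int = 0       # parent PID for process events (0 = not recorded)
    cmdline: str = ""   # command line for process events
    key: str = ""       # registry key path for registry events
    data: str = ""      # registry value data for registry events


# Explorer honours Policies\Explorer\Run at logon like the ordinary Run key,
# but legitimate software almost never writes there.
POLICY_RUN_RE = re.compile(r"\\policies\\explorer\\run(\\|$)", re.I)
# Proxy loaders that let an autostart entry point at a DLL instead of an EXE.
PROXY_LOADER_RE = re.compile(r"\b(rundll32|regsvr32)(\.exe)?\b", re.I)
# "ping 127.0.0.1" (optionally "-n <count>") never leaves the host; in batch
# files it is a stand-in for sleep.
LOOPBACK_PING_RE = re.compile(r"^\s*ping(\.exe)?\s+(-n\s+\d+\s+)?127\.0\.0\.1\b", re.I)


def detect_policy_run_autostart(events):
    """Registry writes under ...\\Policies\\Explorer\\Run whose data invokes a
    proxy loader. Returns one (pid, image, data) tuple per hit."""
    return [
        (e.pid, e.image, e.data)
        for e in events
        if e.kind == "registry"
        and POLICY_RUN_RE.search(e.key)
        and PROXY_LOADER_RE.search(e.data)
    ]


def detect_loopback_ping_loops(events, min_children=5):
    """Parents that spawned at least min_children loopback pings, i.e. a script
    running a delay/retry loop rather than a connectivity check.
    Returns {parent_pid: count}. The threshold of 5 is an assumed default."""
    counts = Counter(
        e.ppid for e in events
        if e.kind == "process" and LOOPBACK_PING_RE.match(e.cmdline)
    )
    return {ppid: n for ppid, n in counts.items() if n >= min_children}


# PIDs of the 44 PING.EXE children of cmd.exe 2436, in the report's tree order.
PING_PIDS = [4696, 1936, 3316, 4316, 1556, 3540, 3772, 1776, 4820, 2880, 4036,
             3096, 4652, 3808, 224, 4948, 3020, 1436, 916, 2456, 4152, 1568,
             3108, 796, 3296, 4536, 1388, 2852, 3228, 4220, 3604, 4172, 1528,
             1680, 5072, 3792, 3876, 2364, 4956, 864, 3344, 4492, 4144, 408]

SAMPLE = "bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe"
POLICY_RUN = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run"

# Constructed from the PIDs, command lines and registry IoCs in this report.
SAMPLE_EVENTS = [
    Event("process", 212, SAMPLE,
          cmdline='"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'),
    Event("process", 3332, "rundll32.exe", ppid=212,
          cmdline=r"rundll32.exe C:\Windows\system32\mywcc080721.dll bgdll"),
    Event("process", 3628, "cmd.exe", ppid=3332,
          cmdline=r'C:\Windows\system32\cmd.exe /c ""C:\downf.bat" "'),
    Event("process", 4640, "myccdd080721a.exe", ppid=3628,
          cmdline=r'"C:\Windows\system32\myccdd080721a.exe" i'),
    Event("registry", 4640, "myccdd080721a.exe", key=POLICY_RUN + r"\ccnhh",
          data=r"rundll32.exe C:\Windows\system32\mywcc080721.dll bgdll"),
    Event("process", 2436, "cmd.exe", ppid=4640,
          cmdline=r'"C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"'),
    *[Event("process", pid, "PING.EXE", ppid=2436, cmdline="ping 127.0.0.1")
      for pid in PING_PIDS],
    Event("process", 5072, "cmd.exe", ppid=212,
          cmdline=r'"C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"'),
    Event("process", 1372, "PING.EXE", ppid=5072, cmdline="ping 127.0.0.1"),
    # Benign controls (constructed, not from the report): an ordinary Run value
    # pointing at an EXE, and a real connectivity probe to a public address.
    Event("registry", 900, "setup.exe",
          key=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
          data=r"C:\Program Files\Vendor\updater.exe /background"),
    Event("process", 901, "PING.EXE", ppid=800, cmdline="ping -n 2 1.1.1.1"),
]


if __name__ == "__main__":
    for pid, image, data in detect_policy_run_autostart(SAMPLE_EVENTS):
        print(f"[persistence] pid {pid} ({image}) set Policies\\Explorer\\Run -> {data}")
    for ppid, n in detect_loopback_ping_loops(SAMPLE_EVENTS).items():
        print(f"[delay loop] parent pid {ppid} spawned {n} x 'ping 127.0.0.1'")
```

On a real host the same two functions can be fed Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set) records mapped onto Event. The persistence check fires on the single ccnhh write and ignores the ordinary Run value; the loop check flags cmd.exe 2436 (44 children) but not cmd.exe 5072 (one child) at the default threshold, so tune min_children against your baseline, because a single loopback ping in a legitimate script is common.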
Processes
Indentation shows process depth; the parent of each process is the process one level up. Signatures listed per process are the ones attributed to it in the report.

bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe  (PID 212, depth 1)
  Image:    C:\Users\Admin\AppData\Local\Temp\bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe
  Command:  "C:\Users\Admin\AppData\Local\Temp\bc0ee3e54b30159aba15019a51197300_JaffaCakes118.exe"
  Signatures: Checks computer location settings; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  rundll32.exe  (PID 3332, depth 2, parent 212)
    Image:    C:\Windows\SysWOW64\rundll32.exe
    Command:  rundll32.exe C:\Windows\system32\mywcc080721.dll bgdll
    Signatures: Checks computer location settings; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    cmd.exe  (PID 3628, depth 3, parent 3332)
      Image:    C:\Windows\SysWOW64\cmd.exe
      Command:  C:\Windows\system32\cmd.exe /c ""C:\downf.bat" "
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      myccdd080721a.exe  (PID 4640, depth 4, parent 3628)
        Image:    C:\Windows\SysWOW64\myccdd080721a.exe
        Command:  "C:\Windows\system32\myccdd080721a.exe" i
        Signatures: Adds policy Run key to start application; Checks computer location settings; Executes dropped EXE; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

        iexplore.exe  (PID 1048, depth 5, parent 4640)
          Image:    C:\program files\internet explorer\iexplore.exe
          Command:  "C:\program files\internet explorer\iexplore.exe"
          Signatures: none

        cmd.exe  (PID 2436, depth 5, parent 4640)
          Image:    C:\Windows\SysWOW64\cmd.exe
          Command:  "C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

          PING.EXE x44  (depth 6, parent 2436)
            Image:    C:\Windows\SysWOW64\PING.EXE
            Command:  ping 127.0.0.1   (identical for all 44 instances)
            Signatures (each instance): System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
            PIDs in tree order: 4696, 1936, 3316, 4316, 1556, 3540, 3772, 1776, 4820, 2880, 4036, 3096, 4652, 3808, 224, 4948, 3020, 1436, 916, 2456, 4152, 1568, 3108, 796, 3296, 4536, 1388, 2852, 3228, 4220, 3604, 4172, 1528, 1680, 5072, 3792, 3876, 2364, 4956, 864, 3344, 4492, 4144, 408

  cmd.exe  (PID 5072, depth 2, parent 212)
    Image:    C:\Windows\SysWOW64\cmd.exe
    Command:  "C:\Windows\System32\cmd.exe" /c "c:\nmDelm.bat"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

    PING.EXE  (PID 1372, depth 3, parent 5072)
      Image:    C:\Windows\SysWOW64\PING.EXE
      Command:  ping 127.0.0.1
      Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe

Note on PID 5072: it appears twice, first as the cmd.exe under PID 212 and later as one of the PING.EXE children of cmd.exe 2436. Windows reuses PIDs once a process exits, so these are two different processes; correlate on parent PID and start time, not PID alone, when reconstructing this tree from endpoint telemetry.
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
Downloads

File 1: 76KB (hashes identical to the submitted sample)
  MD5:     bc0ee3e54b30159aba15019a51197300
  SHA1:    b02627317e03b6c669922fccc42ff4eb9da95d1a
  SHA256:  02358ba4720c5de7691c9fb71e0cfa437f1c1bc0e856d9a207de563bb6b62b8a
  SHA512:  20b4d6ca2284a52b6198a4ae0699756599503aa41a079de4df4838882dd148b106a78de660e120abf0e586f18be437d32e0084be89dc4c6033450ad75d5bb798

File 2: 28KB
  MD5:     868feda0c9c6b32ac94b70fb19493b2b
  SHA1:    e59b08baa120a6f9b834844c9c2903662676e37c
  SHA256:  ae44365f29c76a748653f6f698624f7e1d7f6357a0b497833ca70264b1f34fb6
  SHA512:  7b4ad26f8dcc712cf7876969d489667e2598b92e4ea347f774b9234d5dda4984ad1d5f35572e3d0db4a06d656a16bcbcc18593b82537df04694b844ceedde048

File 3: 464B
  MD5:     0524cd5586c04330ebd739a802c47676
  SHA1:    b3c7d83a2fb5a601c7679f51b2b1b8f10c9e9bf0
  SHA256:  df5f36832dd0c8f857178d7310cb54d902c9f1889a33d50a9aafa5ba375fe0df
  SHA512:  2c9cd9ac2b88760d0bdace15fc8ed7b54a91c373b9b76f59a79a868a0aebc0b74e0c3c0746e110cfabf48804a00507862994406cdea512771d8b2a0a780850b4

File 4: 150B
  MD5:     dbda144b8729a84cca62b0f9d57610a7
  SHA1:    e749ebeedd1b953cf2da7cb6d53ff0b6fafe664b
  SHA256:  9c976bcf1b873d147c57fe3cfcb53251d2e33d37462124397013bf5204235a7f
  SHA512:  0c7ae7c802a78f67e12a5d8f1c97370be55f763bfdd1a38b5496f2165e842199031cee6129812f2ebc413a773820c9dc73db18e1d07f88bece36c84b4f3d9d9b

File 5: 51B
  MD5:     2b724c6a8fcd230311547ed4e1b9d68e
  SHA1:    10355c1441991688bde91b7c02688f308bf00915
  SHA256:  3f77676fa2c0553c11b7277adcd2666bba06e22d4ce39f0ff3c3245eff645a0e
  SHA512:  48215bac2db84c0445d5c4bd80abe13fbdf0f6750c4bad1306a01283362e2e97ab8992be597634b803bd12892c682615c637dcbae36c5441e50fea5346bb374d

File 6: 233B
  MD5:     84852456cb8bed92b1a703b43ca80e93
  SHA1:    3f72ba453f0abc410917d57c12c5951c1d020e61
  SHA256:  9398bc91ea704d880e143ed09303baa8a67ad33a0c8d1de30842c2a1948b2948
  SHA512:  8dff637d817c27887c562047c66813f6bee93e70ed3d3f3c10a8103d3e0c25b7c04a0d92bcfd5140eed721e1b812f3957228b0144fae9547df6505f0bf15f7e6

File 7: 139B
  MD5:     3a1bd2916250a4d03a63c8877a0098be
  SHA1:    fe761cbb2533906e4a6c5604a79d0c0bf94fd87f
  SHA256:  8183f9a2b8b37f4a70e5296c85d9fff3cba80a6950314d9900026dfc84a00a9d
  SHA512:  d1d03acc696e6b660ddb61c217665f5d202907e4548df4e17c92183490a2bc98c3cb9492a1e3aa678a17c5e8096ba05190c02e918aa4ca0123ca6e50e485e849

The report does not pair these downloads with file names; only File 1 can be identified from this page, by its hashes.