Analysis
max time kernel: 126s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/08/2024, 21:47

Tasks
static1 (static task)
behavioral1 (behavioral task): sample bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe, resource win7-20240729-en
behavioral2 (behavioral task): sample bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe, resource win10v2004-20240802-en
General
Target: bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe
Size: 80KB
MD5: bf7b61b7d5984c357907a111480602e8
SHA1: 95d79d6f7da79b6487fb19431134ccb09fc027b8
SHA256: 520a97331c488c176432b18191957390c3e4961af04fa14d8e39482764bade1c
SHA512: cce9cd58fcb907618f0289ceb4a63bf9ca8df5bb53a6fa559db68c31f8c05e786b5c862218fc49dc68b2a18d7ecf7d81d9c781a3876455f42420ae21e4443b14
SSDEEP: 768:qIgxZk/RCEH4QJcWfL3n8z3vpPzXreencxkgbsb3JnPY4f54jKV+JVbZU:QRQJciIDvpLr/nkcr4GVubZU
Malware Config
Signatures

Grants admin privileges (1 TTPs)
Uses net.exe to modify the user's privileges.

Executes dropped EXE (3 IoCs)
PID 3476 wmimgmt.exe; PID 1712 avp.exe; PID 1588 ctfmon.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysld = "C:\\Windows\\ctfmon.exe", by process ctfmon.exe

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) \??\F:, by process wmimgmt.exe

Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.

Network Service Discovery (1 IoC)
PID 2560 ARP.EXE

Enumerates processes with tasklist (1 TTPs, 1 IoC)
PID 5088 tasklist.exe

Drops file in Windows directory (2 IoCs)
File created C:\Windows\ctfmon.exe, by process avp.exe
File opened for modification C:\Windows\ctfmon.exe, by process avp.exe

Permission Groups Discovery: Local Groups (1 TTPs)
Attempt to find local system groups and permission settings.

System Location Discovery: System Language Discovery (1 TTPs, 48 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by the following processes in order (48 entries):
reg.exe, net.exe, net.exe, net.exe, cmd.exe, cmd.exe, find.exe, systeminfo.exe, reg.exe, reg.exe, cmd.exe, cmd.exe, reg.exe, NETSTAT.EXE, find.exe, find.exe, find.exe, ROUTE.EXE, net1.exe, bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe, avp.exe, findstr.exe, net.exe, tasklist.exe, reg.exe, ARP.EXE, net.exe, find.exe, find.exe, cmd.exe, wmimgmt.exe, chcp.com, reg.exe, reg.exe, ipconfig.exe, cmd.exe, cmd.exe, ctfmon.exe, net1.exe, net1.exe, NETSTAT.EXE, cmd.exe, net1.exe, cmd.exe, cmd.exe, net.exe, reg.exe, find.exe

System Network Connections Discovery (1 TTPs, 1 IoC)
Attempt to get a listing of network connections.
PID 4868 NETSTAT.EXE

Discovers systems in the same network (1 TTPs, 1 IoC)
PID 3684 net.exe

Gathers network information (2 TTPs, 3 IoCs)
Uses commandline utility to view network configuration.
PID 4868 NETSTAT.EXE; PID 1432 NETSTAT.EXE; PID 2236 ipconfig.exe

Gathers system information (1 TTPs, 1 IoC)
Runs systeminfo.exe.
PID 1184 systeminfo.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken (29 IoCs)
Token | PID | Process | consecutive entries
SeBackupPrivilege | 4892 | bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe | 2
SeRestorePrivilege | 4892 | bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe | 1
SeBackupPrivilege | 4892 | bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe | 1
SeRestorePrivilege | 4892 | bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe | 1
SeBackupPrivilege | 4892 | bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe | 1
SeRestorePrivilege | 4892 | bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe | 1
SeIncBasePriorityPrivilege | 1712 | avp.exe | 1
SeDebugPrivilege | 5088 | tasklist.exe | 1
SeDebugPrivilege | 4868 | NETSTAT.EXE | 1
SeBackupPrivilege | 3476 | wmimgmt.exe | 6
SeRestorePrivilege | 3476 | wmimgmt.exe | 1
SeBackupPrivilege | 3476 | wmimgmt.exe | 12

Suspicious use of WriteProcessMemory (64 IoCs)
Source PID -> target PID | Source process | Target procid | consecutive entries
4892 -> 3476 | bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe | 86 | 3
3476 -> 1712 | wmimgmt.exe | 90 | 3
1712 -> 1588 | avp.exe | 91 | 3
1712 -> 452 | avp.exe | 92 | 3
3476 -> 2184 | wmimgmt.exe | 93 | 3
2184 -> 1176 | cmd.exe | 95 | 3
2184 -> 1576 | cmd.exe | 96 | 3
2184 -> 4964 | cmd.exe | 97 | 3
4964 -> 4544 | net.exe | 98 | 3
2184 -> 2752 | cmd.exe | 101 | 3
2752 -> 2508 | net.exe | 102 | 3
2184 -> 5088 | cmd.exe | 103 | 3
2184 -> 1184 | cmd.exe | 105 | 3
2184 -> 2072 | cmd.exe | 108 | 3
2184 -> 1104 | cmd.exe | 109 | 3
2184 -> 4596 | cmd.exe | 110 | 3
2184 -> 4836 | cmd.exe | 111 | 3
2184 -> 3860 | cmd.exe | 112 | 3
2184 -> 4064 | cmd.exe | 113 | 3
2184 -> 1880 | cmd.exe | 114 | 3
2184 -> 4308 | cmd.exe | 115 | 3
2184 -> 1692 | cmd.exe | 116 | 1
Processes (tree; indentation shows parent/child)

PID 4892  C:\Users\Admin\AppData\Local\Temp\bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\bf7b61b7d5984c357907a111480602e8_JaffaCakes118.exe"
  signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  PID 3476  C:\ProgramData\Application Data\wmimgmt.exe
    cmd: "C:\ProgramData\Application Data\wmimgmt.exe"
    signatures: Executes dropped EXE; Enumerates connected drives; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    PID 1712  C:\Users\Admin\AppData\Local\Temp\avp.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\avp.exe
      signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      PID 1588  C:\Windows\ctfmon.exe
        cmd: C:\Windows\ctfmon.exe
        signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery

      PID 452  C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\avp.exe /a /f /q > nul
        signatures: System Location Discovery: System Language Discovery

    PID 2184  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

      PID 1176  C:\Windows\SysWOW64\findstr.exe
        cmd: findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
        signatures: System Location Discovery: System Language Discovery

      PID 1576  C:\Windows\SysWOW64\chcp.com
        cmd: chcp
        signatures: System Location Discovery: System Language Discovery

      PID 4964  C:\Windows\SysWOW64\net.exe
        cmd: net user
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

        PID 4544  C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 user
          signatures: System Location Discovery: System Language Discovery

      PID 2752  C:\Windows\SysWOW64\net.exe
        cmd: net localgroup administrators
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

        PID 2508  C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 localgroup administrators
          signatures: System Location Discovery: System Language Discovery

      PID 5088  C:\Windows\SysWOW64\tasklist.exe
        cmd: tasklist
        signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken

      PID 1184  C:\Windows\SysWOW64\systeminfo.exe
        cmd: systeminfo
        signatures: System Location Discovery: System Language Discovery; Gathers system information

      PID 2072  C:\Windows\SysWOW64\reg.exe
        cmd: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
        signatures: System Location Discovery: System Language Discovery

      PID 1104  C:\Windows\SysWOW64\find.exe
        cmd: find "REG_"
        signatures: System Location Discovery: System Language Discovery

      PID 4596  C:\Windows\SysWOW64\reg.exe
        cmd: reg query HKEY_CURRENT_USER\Software\Microsoft\Office
        signatures: System Location Discovery: System Language Discovery

      PID 4836  C:\Windows\SysWOW64\reg.exe
        cmd: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
        signatures: System Location Discovery: System Language Discovery

      PID 3860  C:\Windows\SysWOW64\reg.exe
        cmd: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
        signatures: System Location Discovery: System Language Discovery

      PID 4064  C:\Windows\SysWOW64\reg.exe
        cmd: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
        signatures: System Location Discovery: System Language Discovery

      PID 1880  C:\Windows\SysWOW64\reg.exe
        cmd: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
        signatures: System Location Discovery: System Language Discovery

      PID 4308  C:\Windows\SysWOW64\reg.exe
        cmd: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
        signatures: System Location Discovery: System Language Discovery

      PID 1692  C:\Windows\SysWOW64\reg.exe
        cmd: reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
        signatures: System Location Discovery: System Language Discovery

      PID 2236  C:\Windows\SysWOW64\ipconfig.exe
        cmd: ipconfig /all
        signatures: System Location Discovery: System Language Discovery; Gathers network information

      PID 4868  C:\Windows\SysWOW64\NETSTAT.EXE
        cmd: netstat -ano
        signatures: System Location Discovery: System Language Discovery; System Network Connections Discovery; Gathers network information; Suspicious use of AdjustPrivilegeToken

      PID 2560  C:\Windows\SysWOW64\ARP.EXE
        cmd: arp -a
        signatures: Network Service Discovery; System Location Discovery: System Language Discovery

      PID 1432  C:\Windows\SysWOW64\NETSTAT.EXE
        cmd: netstat -r
        signatures: System Location Discovery: System Language Discovery; Gathers network information

        PID 3580  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
          signatures: System Location Discovery: System Language Discovery

          PID 4320  C:\Windows\SysWOW64\ROUTE.EXE
            cmd: C:\Windows\system32\route.exe print
            signatures: System Location Discovery: System Language Discovery

      PID 3820  C:\Windows\SysWOW64\net.exe
        cmd: net start
        signatures: System Location Discovery: System Language Discovery

        PID 728  C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 start
          signatures: System Location Discovery: System Language Discovery

      PID 3756  C:\Windows\SysWOW64\net.exe
        cmd: net use
        signatures: System Location Discovery: System Language Discovery

      PID 1204  C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /S /D /c" echo n"
        signatures: System Location Discovery: System Language Discovery

      PID 3816  C:\Windows\SysWOW64\net.exe
        cmd: net share
        signatures: System Location Discovery: System Language Discovery

        PID 3248  C:\Windows\SysWOW64\net1.exe
          cmd: C:\Windows\system32\net1 share
          signatures: System Location Discovery: System Language Discovery

      PID 3684  C:\Windows\SysWOW64\net.exe
        cmd: net view /domain
        signatures: System Location Discovery: System Language Discovery; Discovers systems in the same network

      PID 3892  C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
        signatures: System Location Discovery: System Language Discovery

      PID 1904  C:\Windows\SysWOW64\find.exe
        cmd: find /i /v "------"
        signatures: System Location Discovery: System Language Discovery

      PID 2140  C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
        signatures: System Location Discovery: System Language Discovery

      PID 468  C:\Windows\SysWOW64\find.exe
        cmd: find /i /v "domain"
        signatures: System Location Discovery: System Language Discovery

      PID 1744  C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
        signatures: System Location Discovery: System Language Discovery

      PID 3424  C:\Windows\SysWOW64\find.exe
        cmd: find /i /v "¬A╛╣"
        signatures: System Location Discovery: System Language Discovery

      PID 4820  C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
        signatures: System Location Discovery: System Language Discovery

      PID 4376  C:\Windows\SysWOW64\find.exe
        cmd: find /i /v "░⌡ªµª¿"
        signatures: System Location Discovery: System Language Discovery

      PID 2832  C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
        signatures: System Location Discovery: System Language Discovery

      PID 1576  C:\Windows\SysWOW64\find.exe
        cmd: find /i /v "├ⁿ┴ε"
        signatures: System Location Discovery: System Language Discovery

      PID 4944  C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
        signatures: System Location Discovery: System Language Discovery

      PID 1604  C:\Windows\SysWOW64\find.exe
        cmd: find /i /v "completed successfully"
        signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15 (technique: count)

Persistence
  Account Manipulation: 1
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1

Privilege Escalation
  Account Manipulation: 1
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1

Discovery
  Network Service Discovery: 1
  Network Share Discovery: 1
  Peripheral Device Discovery: 1
  Permission Groups Discovery: 1
    Local Groups: 1
  Process Discovery: 1
  Query Registry: 1
  Remote System Discovery: 1
  System Information Discovery: 3
  System Location Discovery: 1
    System Language Discovery: 1
  System Network Connections Discovery: 1