7ca4e6020511294fcfcf503eb985db51513fa8fa294f45ef7112fd061acd7955

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3caa54444e29063eb3e316ba20ca9e83_JaffaCakes118.exe
Size

19KB
MD5

3caa54444e29063eb3e316ba20ca9e83
SHA1

2ce5d9186b70d77808115e2cd2df3a5d09a59b90
SHA256

7ca4e6020511294fcfcf503eb985db51513fa8fa294f45ef7112fd061acd7955
SHA512

1155ccdc913b55a7ab444ab20441c5522e89fc705a35790ca84c9c1193d97262a1b1b489d392e0c31b84ff916fba02b269e4f3944bfea0d443ec16e764f17ffe
SSDEEP

384:jxNR77zN0w638TNFTBs16QCzOcg9FgGJV4EFdYHuwETKUgPZ9bMt5vAxVqxkeOlS:jxN17zn66W2zONFgS4aay

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1104	cmd.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wbem	attrib.exe
File created	C:\Windows\SysWOW64\Wbem\rs.reg	cmd.exe
File created	C:\Windows\SysWOW64\en.bas	cmd.exe
File opened for modification	C:\Windows\SysWOW64\en.bas	cmd.exe
File created	C:\Windows\SysWOW64\Wbem\en.bas	cmd.exe
File created	C:\Windows\SysWOW64\rs.reg	cmd.exe
File opened for modification	C:\Windows\SysWOW64\rs.reg	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Wbem\rs.reg	cmd.exe
File opened for modification	C:\Windows\SysWOW64\wbem	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Wbem\en.bas	cmd.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	cmd.exe
File created	C:\Windows\rs.reg	cmd.exe
File opened for modification	C:\Windows\rs.reg	cmd.exe
File opened for modification	C:\Windows\SysWOW64	attrib.exe
File opened for modification	C:\Windows\en.bas	attrib.exe
File opened for modification	C:\Windows\Reiniger.bat	cmd.exe
File created	C:\Windows\Reiniger.vbs	cmd.exe
File opened for modification	C:\Windows\Reiniger.vbs	cmd.exe
File opened for modification	C:\Windows\en.bas	cmd.exe
File opened for modification	C:\Windows\SysWOW64	attrib.exe
File created	C:\Windows\Reiniger.bat	cmd.exe
File opened for modification	C:\Windows\rs.reg	attrib.exe
File created	C:\Windows\en.bas	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3caa54444e29063eb3e316ba20ca9e83_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2784	2660	3caa54444e29063eb3e316ba20ca9e83_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2784	2660	3caa54444e29063eb3e316ba20ca9e83_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2784	2660	3caa54444e29063eb3e316ba20ca9e83_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2784	2660	3caa54444e29063eb3e316ba20ca9e83_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2708	2784	cmd.exe	32
PID 2784 wrote to memory of 2708	2784	cmd.exe	32
PID 2784 wrote to memory of 2708	2784	cmd.exe	32
PID 2784 wrote to memory of 2708	2784	cmd.exe	32
PID 2784 wrote to memory of 2696	2784	cmd.exe	33
PID 2784 wrote to memory of 2696	2784	cmd.exe	33
PID 2784 wrote to memory of 2696	2784	cmd.exe	33
PID 2784 wrote to memory of 2696	2784	cmd.exe	33
PID 2784 wrote to memory of 2828	2784	cmd.exe	34
PID 2784 wrote to memory of 2828	2784	cmd.exe	34
PID 2784 wrote to memory of 2828	2784	cmd.exe	34
PID 2784 wrote to memory of 2828	2784	cmd.exe	34
PID 2784 wrote to memory of 2144	2784	cmd.exe	35
PID 2784 wrote to memory of 2144	2784	cmd.exe	35
PID 2784 wrote to memory of 2144	2784	cmd.exe	35
PID 2784 wrote to memory of 2144	2784	cmd.exe	35
PID 2784 wrote to memory of 2972	2784	cmd.exe	36
PID 2784 wrote to memory of 2972	2784	cmd.exe	36
PID 2784 wrote to memory of 2972	2784	cmd.exe	36
PID 2784 wrote to memory of 2972	2784	cmd.exe	36
PID 2784 wrote to memory of 2832	2784	cmd.exe	37
PID 2784 wrote to memory of 2832	2784	cmd.exe	37
PID 2784 wrote to memory of 2832	2784	cmd.exe	37
PID 2784 wrote to memory of 2832	2784	cmd.exe	37
PID 2784 wrote to memory of 2816	2784	cmd.exe	38
PID 2784 wrote to memory of 2816	2784	cmd.exe	38
PID 2784 wrote to memory of 2816	2784	cmd.exe	38
PID 2784 wrote to memory of 2816	2784	cmd.exe	38
PID 2784 wrote to memory of 2716	2784	cmd.exe	39
PID 2784 wrote to memory of 2716	2784	cmd.exe	39
PID 2784 wrote to memory of 2716	2784	cmd.exe	39
PID 2784 wrote to memory of 2716	2784	cmd.exe	39
PID 2784 wrote to memory of 2716	2784	cmd.exe	39
PID 2784 wrote to memory of 2716	2784	cmd.exe	39
PID 2784 wrote to memory of 2716	2784	cmd.exe	39
PID 2784 wrote to memory of 2152	2784	cmd.exe	40
PID 2784 wrote to memory of 2152	2784	cmd.exe	40
PID 2784 wrote to memory of 2152	2784	cmd.exe	40
PID 2784 wrote to memory of 2152	2784	cmd.exe	40
PID 2784 wrote to memory of 2152	2784	cmd.exe	40
PID 2784 wrote to memory of 2152	2784	cmd.exe	40
PID 2784 wrote to memory of 2152	2784	cmd.exe	40
PID 2784 wrote to memory of 1128	2784	cmd.exe	41
PID 2784 wrote to memory of 1128	2784	cmd.exe	41
PID 2784 wrote to memory of 1128	2784	cmd.exe	41
PID 2784 wrote to memory of 1128	2784	cmd.exe	41
PID 2784 wrote to memory of 2924	2784	cmd.exe	42
PID 2784 wrote to memory of 2924	2784	cmd.exe	42
PID 2784 wrote to memory of 2924	2784	cmd.exe	42
PID 2784 wrote to memory of 2924	2784	cmd.exe	42
PID 2784 wrote to memory of 1904	2784	cmd.exe	43
PID 2784 wrote to memory of 1904	2784	cmd.exe	43
PID 2784 wrote to memory of 1904	2784	cmd.exe	43
PID 2784 wrote to memory of 1904	2784	cmd.exe	43
PID 2784 wrote to memory of 1100	2784	cmd.exe	44
PID 2784 wrote to memory of 1100	2784	cmd.exe	44
PID 2784 wrote to memory of 1100	2784	cmd.exe	44
PID 2784 wrote to memory of 1100	2784	cmd.exe	44
PID 2784 wrote to memory of 2524	2784	cmd.exe	45
PID 2784 wrote to memory of 2524	2784	cmd.exe	45

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
344	attrib.exe
1128	attrib.exe
2924	attrib.exe
1904	attrib.exe
1100	attrib.exe
1352	attrib.exe
1664	attrib.exe
2840	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3caa54444e29063eb3e316ba20ca9e83_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3caa54444e29063eb3e316ba20ca9e83_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat""
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ver"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2708
- - C:\Windows\SysWOW64\find.exe
    find /i "XP"
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" if errorlevel1 ctty nul | if not errorlevel1 exit"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828
- - C:\Windows\SysWOW64\find.exe
    find /v /i "[windows]"
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\find.exe
    find /v /i "load="
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\find.exe
    find /v /i "run="
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\find.exe
    find /v /i "NullPort="
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 mouse,disable
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 keyboard,disable
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -h -s -a C:\Windows\rs.reg
    3⤵
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:1128
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -h -s -a C:\Windows\system32
    3⤵
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:2924
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -h -s -a C:\Windows
    3⤵
    - Views/modifies file attributes
    PID:1904
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -h -s -a C:\Windows\System32\Wbem
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\rs.reg c:\Reiniger.reg /y
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\rs.reg d:\Reiniger.reg /y
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\rs.reg e:\Reiniger.reg /y
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\rs.reg f:\Reiniger.reg /y
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\rs.reg g:\Reiniger.reg /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\rs.reg h:\Reiniger.reg /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\rs.reg i:\Reiniger.reg /y
    3⤵
    PID:336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\rs.reg j:\Reiniger.reg /y
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\rs.reg k:\Reiniger.reg /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\rs.reg l:\Reiniger.reg /y
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\rs.reg m:\Reiniger.reg /y
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\rs.reg n:\Reiniger.reg /y
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\rs.reg o:\Reiniger.reg /y
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\rs.reg p:\Reiniger.reg /y
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\rs.reg q:\Reiniger.reg /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\rs.reg r:\Reiniger.reg /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\rs.reg s:\Reiniger.reg /y
    3⤵
    PID:644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\rs.reg t:\Reiniger.reg /y
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\rs.reg u:\Reiniger.reg /y
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\rs.reg v:\Reiniger.reg /y
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\rs.reg w:\Reiniger.reg /y
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\rs.reg x:\Reiniger.reg /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\rs.reg y:\Reiniger.reg /y
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\rs.reg z:\Reiniger.reg /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist a:\nul copy C:\Windows\rs.reg a:\Reiniger.reg /y
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -h -s -a C:\Windows\en.bas
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1352
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -h -s -a C:\Windows\system32
    3⤵
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:1664
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -h -s -a C:\Windows
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2840
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -h -s -a C:\Windows\System32\Wbem
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\en.bas c:\Reiniger.bas /y
    3⤵
    PID:444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\en.bas d:\Reiniger.bas /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\en.bas e:\Reiniger.bas /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\en.bas f:\Reiniger.bas /y
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\en.bas g:\Reiniger.bas /y
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\en.bas h:\Reiniger.bas /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\en.bas i:\Reiniger.bas /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\en.bas j:\Reiniger.bas /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\en.bas k:\Reiniger.bas /y
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\en.bas l:\Reiniger.bas /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\en.bas m:\Reiniger.bas /y
    3⤵
    PID:784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\en.bas n:\Reiniger.bas /y
    3⤵
    PID:536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\en.bas o:\Reiniger.bas /y
    3⤵
    PID:596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\en.bas p:\Reiniger.bas /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\en.bas q:\Reiniger.bas /y
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\en.bas r:\Reiniger.bas /y
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\en.bas s:\Reiniger.bas /y
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\en.bas t:\Reiniger.bas /y
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\en.bas u:\Reiniger.bas /y
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\en.bas v:\Reiniger.bas /y
    3⤵
    PID:636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\en.bas w:\Reiniger.bas /y
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\en.bas x:\Reiniger.bas /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\en.bas y:\Reiniger.bas /y
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\en.bas z:\Reiniger.bas /y
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist a:\nul copy C:\Windows\en.bas a:\Reiniger.bas /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥00 1>nul"
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥01 1>nul"
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥02 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥03 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥04 1>nul"
    3⤵
    PID:952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥05 1>nul"
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥06 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥07 1>nul"
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥08 1>nul"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥09 1>nul"
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥10 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥11 1>nul"
    3⤵
    PID:828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥12 1>nul"
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥13 1>nul"
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥14 1>nul"
    3⤵
    PID:900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥15 1>nul"
    3⤵
    PID:960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥16 1>nul"
    3⤵
    PID:348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥17 1>nul"
    3⤵
    PID:948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥18 1>nul"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥19 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥20 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥21 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥22 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥23 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥24 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥25 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥26 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥27 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥28 1>nul"
    3⤵
    PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥29 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥30 1>nul"
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥31 1>nul"
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥32 1>nul"
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥33 1>nul"
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥34 1>nul"
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥35 1>nul"
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥36 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥37 1>nul"
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥38 1>nul"
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥39 1>nul"
    3⤵
    PID:376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥40 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥41 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥42 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥43 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥44 1>nul"
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥45 1>nul"
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥46 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥47 1>nul"
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥48 1>nul"
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥49 1>nul"
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥50 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥51 1>nul"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥52 1>nul"
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥53 1>nul"
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥54 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥55 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥56 1>nul"
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥57 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥58 1>nul"
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥59 1>nul"
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥60 1>nul"
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥61 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥62 1>nul"
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥63 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥64 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥65 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥66 1>nul"
    3⤵
    PID:880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥67 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥68 1>nul"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥69 1>nul"
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥70 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥71 1>nul"
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥72 1>nul"
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥73 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥74 1>nul"
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥75 1>nul"
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥76 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥77 1>nul"
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥78 1>nul"
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥79 1>nul"
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥80 1>nul"
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥81 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥82 1>nul"
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥83 1>nul"
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥84 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥85 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥86 1>nul"
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥87 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥88 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥89 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥90 1>nul"
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥91 1>nul"
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥92 1>nul"
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥93 1>nul"
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥94 1>nul"
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥95 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥96 1>nul"
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥97 1>nul"
    3⤵
    PID:844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥98 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" md C:\Windows\desktop\╬é╝╒í╥99 1>nul"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2772
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Windows\Reiniger.vbs
    3⤵
    PID:2060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat" "
  2⤵
  - Deletes itself
  PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

Filesize
5KB

MD5
08ba7299e46ff5ce240cc4443f978254

SHA1
962bcaf1a40c9e64ce4255304308a45415307108

SHA256
694bec51824f93182e9a88eca05c8d5d12709c657e176799747f45c39f259da9

SHA512
a8012d1f46ca28b04bbdf104904de437d4ceca992d4d0a9094b2d1094c7ad0f05612668727a85a33593acf7b2fb7d8d01b578ca56fd9bd30c69eb20eb2a82389

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpfile0.bat

Filesize
146B

MD5
88381f6a43477c19636c8c4a3507467b

SHA1
ee5b1692a1e2cdaab427ee6b439a3863af194c7a

SHA256
43f4d0929ad9829357a007818d770887a8985ee09ddb8b2dd1df240deeaf5a0a

SHA512
9693b61fa6d89044870be79376f8423447fc0f9ba1d2c99352a19f2b246901cfd7fd36d0f549f269d01131ff2f8b7d6a8864e723278c2d0ac61e72c0e3c12b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\y

Filesize
478B

MD5
2465ebc8cd6e412cdc1ab9fef40bcae6

SHA1
fb581afdb945b2cd43de0acde49b47790097edf2

SHA256
6d29b301024777e51366a000e05c6b3d40325c9d355a01e8383f59de511b7002

SHA512
ddb29f68166d1a66374cade87972517b4f44a8e5c2a2f3ccd4025ae7c75279b588822a1b168d041104d96bc7e3efffb1b91d29be610d757549a069618566439b

Download Submit
C:\Windows\Reiniger.vbs

Filesize
60B

MD5
f3b84e927a29e6d9fb3cd5d1f6ccabe5

SHA1
e41da26cfef8bd04ea99a3c7e2b638664f223599

SHA256
ad1014f9ccb8551b89ec3dfcc20a37b848b039483db4cc01dba96caca41af989

SHA512
fd8b8f64cdcd0001322039710e958de20662789d1a912bc9e4e428237730bef2217866417b15ec9d2632119a6d22c839ec1b25aa7c11ac803fdcb3b3ca5acb6a

Download Submit
C:\Windows\en.bas

Filesize
38B

MD5
db5c52e599a2e1e03aec949cd123202c

SHA1
1e1c02c09099f8af11bc02076f948aa16279d084

SHA256
52f80668e2183a576ae2274ef51b862e452df043166546ecc96bfe5e8efa8ebb

SHA512
b34f8b9df1c85fde87b5538c71fc990c123fe665e864d5a32371e986121be7974ead4faed13b3fd01a0c8826198f118df0104d065f10000fb97534d5177aaacd

Download Submit
C:\Windows\rs.reg

Filesize
64B

MD5
8f00a4264d7ba1a110879d4504e7161d

SHA1
b3ecea2bb2f920b7c8e17415a399502e40e14ea9

SHA256
d00be3786aa68c5f29fafa971572f5db307364a7ccb85357b719dd659920a41f

SHA512
530a6584a2e93bd06de6b9528022a5491f1064d6b6d680ff405c26772b476d6b3ea81acebb712d9e19314e483c4bf8505396feb9a1a73da1692999c76689b7f3

Download Submit
memory/2472-68-0x0000000076F10000-0x000000007700A000-memory.dmp

Filesize
1000KB

Download
memory/2472-67-0x0000000076DF0000-0x0000000076F0F000-memory.dmp

Filesize
1.1MB

Download
memory/2660-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2660-27-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download