Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-10-2024 21:35

Static task: static1

Behavioral task: behavioral1
- Sample: 4a1d5155676794951ccdec7aaf181567_JaffaCakes118.exe
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: 4a1d5155676794951ccdec7aaf181567_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 4a1d5155676794951ccdec7aaf181567_JaffaCakes118.exe
- Size: 1.3MB
- MD5: 4a1d5155676794951ccdec7aaf181567
- SHA1: 108bb8ba55e8657815ff7deefc8b4b22e59608d6
- SHA256: ce575fd964bbf7f36b42ba99c3d15f613f8df809ed8317598f8fd8f7e5ad728c
- SHA512: 58fe81f2ce37861b8087b501a4015b0b0a4be5a5473de8728473edc3764931cfd7635de0b89d6633cb1c102432533c461d6517096ed45e613a4c5c9ebe1726da
- SSDEEP: 24576:s3nZqfb4jBSHzuk+bUf4s90JIYHDosyTaqMyAnXxTvNuhSd3P3JlF2+c9L6nGC:sjsutAf4sCWZUXxLIhU3P3fFbmGGC
Malware Config
Signatures
Luminosity (3 IoCs)
Luminosity is a RAT family that was sold commercially while claiming to be a system administration utility.
pid / Process:
- 4760 schtasks.exe
- 1084 schtasks.exe
- 1584 schtasks.exe
Checks computer location settings (2 TTPs, 7 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description / ioc / Process:
- Key value queried: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation
  Queried by (in order): rundll32.exe, WScript.exe, rundll32.exe, 4a1d5155676794951ccdec7aaf181567_JaffaCakes118.exe, WScript.exe, rundll32.exe, WScript.exe
Loads dropped DLL (3 IoCs)
pid / Process:
- 4844 rundll32.exe
- 1296 rundll32.exe
- 1036 rundll32.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pi1rviy6sl = "C:\\pi1rviy6slpi1rviy6sl\\pi1rviy6sl.vbs"
  Set by: reg.exe (3 entries)
Suspicious use of SetThreadContext (3 IoCs)
description / pid / Process / procid_target:
- PID 4844 set thread context of 1460 (pid 4844, rundll32.exe, procid_target 99)
- PID 1296 set thread context of 1028 (pid 1296, rundll32.exe, procid_target 122)
- PID 1036 set thread context of 4760 (pid 1036, rundll32.exe, procid_target 142)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 26 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Opened by (in order): rundll32.exe, PING.EXE, regasm.exe, cmd.exe, regasm.exe, reg.exe, WScript.exe, cmd.exe, PING.EXE, cmd.exe, reg.exe, rundll32.exe, cmd.exe, PING.EXE, regasm.exe, cmd.exe, PING.EXE, schtasks.exe, PING.EXE, 4a1d5155676794951ccdec7aaf181567_JaffaCakes118.exe, cmd.exe, schtasks.exe, reg.exe, rundll32.exe, schtasks.exe, PING.EXE
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 12 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid / Process:
- 2504 PING.EXE
- 1248 PING.EXE
- 4784 cmd.exe
- 540 PING.EXE
- 2148 PING.EXE
- 4112 cmd.exe
- 4724 PING.EXE
- 2728 cmd.exe
- 3740 cmd.exe
- 1896 PING.EXE
- 4912 cmd.exe
- 5000 cmd.exe
Modifies registry class (1 IoCs)
description / ioc / Process:
- Key created: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings, by 4a1d5155676794951ccdec7aaf181567_JaffaCakes118.exe
Runs ping.exe (1 TTPs, 6 IoCs)
pid / Process:
- 4724 PING.EXE
- 2148 PING.EXE
- 2504 PING.EXE
- 1248 PING.EXE
- 540 PING.EXE
- 1896 PING.EXE
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
- 1584 schtasks.exe
Suspicious behavior: EnumeratesProcesses (30 IoCs)
pid / Process (repeated entries grouped, entry count in brackets):
- 4844 rundll32.exe [10 entries]
- 1296 rundll32.exe [10 entries]
- 1036 rundll32.exe [10 entries]
Suspicious use of SetWindowsHookEx (1 IoCs)
pid / Process:
- 1460 regasm.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (repeated entries grouped, entry count in brackets):
- PID 4868 wrote to memory of 2360 (pid 4868, 4a1d5155676794951ccdec7aaf181567_JaffaCakes118.exe, procid_target 86) [3 entries]
- PID 2360 wrote to memory of 4844 (pid 2360, WScript.exe, procid_target 88) [3 entries]
- PID 4844 wrote to memory of 4912 (pid 4844, rundll32.exe, procid_target 89) [3 entries]
- PID 4844 wrote to memory of 5000 (pid 4844, rundll32.exe, procid_target 91) [3 entries]
- PID 4844 wrote to memory of 4760 (pid 4844, rundll32.exe, procid_target 93) [3 entries]
- PID 4912 wrote to memory of 4724 (pid 4912, cmd.exe, procid_target 95) [3 entries]
- PID 5000 wrote to memory of 2148 (pid 5000, cmd.exe, procid_target 96) [3 entries]
- PID 4844 wrote to memory of 1460 (pid 4844, rundll32.exe, procid_target 99) [5 entries]
- PID 4912 wrote to memory of 1908 (pid 4912, cmd.exe, procid_target 102) [3 entries]
- PID 3684 wrote to memory of 4692 (pid 3684, WScript.exe, procid_target 111) [2 entries]
- PID 4692 wrote to memory of 1296 (pid 4692, rundll32.exe, procid_target 112) [3 entries]
- PID 1296 wrote to memory of 4112 (pid 1296, rundll32.exe, procid_target 113) [3 entries]
- PID 1296 wrote to memory of 2728 (pid 1296, rundll32.exe, procid_target 115) [3 entries]
- PID 1296 wrote to memory of 1084 (pid 1296, rundll32.exe, procid_target 116) [3 entries]
- PID 4112 wrote to memory of 2504 (pid 4112, cmd.exe, procid_target 119) [3 entries]
- PID 2728 wrote to memory of 1248 (pid 2728, cmd.exe, procid_target 120) [3 entries]
- PID 1296 wrote to memory of 916 (pid 1296, rundll32.exe, procid_target 121) [3 entries]
- PID 1296 wrote to memory of 1028 (pid 1296, rundll32.exe, procid_target 122) [5 entries]
- PID 4112 wrote to memory of 2588 (pid 4112, cmd.exe, procid_target 123) [3 entries]
- PID 4980 wrote to memory of 1568 (pid 4980, WScript.exe, procid_target 132) [2 entries]
- PID 1568 wrote to memory of 1036 (pid 1568, rundll32.exe, procid_target 133) [2 entries]
Processes
The bracketed number on each entry is its depth in the process tree; child processes are indented under their parent.

[1] C:\Users\Admin\AppData\Local\Temp\4a1d5155676794951ccdec7aaf181567_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4a1d5155676794951ccdec7aaf181567_JaffaCakes118.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4868
  [2] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\pi1rviy6sl\FeQ2zT.vbs"
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2360
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" m8q1.dll sx
        - Checks computer location settings
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 4844
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v pi1rviy6sl /t REG_SZ /d "C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs" /f
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Suspicious use of WriteProcessMemory
          PID: 4912
        [5] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 4724
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v pi1rviy6sl /t REG_SZ /d "C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs" /f
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            PID: 1908
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 && copy /Y "C:\Users\Admin\pi1rviy6sl\x" C:\pi1rviy6slpi1rviy6sl\x && copy /Y "C:\Users\Admin\pi1rviy6sl\m8q1.dll" C:\pi1rviy6slpi1rviy6sl\m8q1.dll
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Suspicious use of WriteProcessMemory
          PID: 5000
        [5] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 2148
      [4] C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /create /TR C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs /MO 1 /TN pi1rviy6sl /SC MINUTE
          - Luminosity
          - System Location Discovery: System Language Discovery
          PID: 4760
      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID: 1460

[1] C:\Windows\System32\WScript.exe
    Command line: C:\Windows\System32\WScript.exe "C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 3684
  [2] C:\Windows\System32\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\pi1rviy6slpi1rviy6sl\m8q1.dll sx
      - Suspicious use of WriteProcessMemory
      PID: 4692
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\pi1rviy6slpi1rviy6sl\m8q1.dll sx
        - Checks computer location settings
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 1296
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v pi1rviy6sl /t REG_SZ /d "C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs" /f
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Suspicious use of WriteProcessMemory
          PID: 4112
        [5] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 2504
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v pi1rviy6sl /t REG_SZ /d "C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs" /f
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            PID: 2588
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 && copy /Y "C:\pi1rviy6slpi1rviy6sl\x" C:\pi1rviy6slpi1rviy6sl\x && copy /Y "C:\pi1rviy6slpi1rviy6sl\m8q1.dll" C:\pi1rviy6slpi1rviy6sl\m8q1.dll
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2728
        [5] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 1248
      [4] C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /create /TR C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs /MO 1 /TN pi1rviy6sl /SC MINUTE
          - Luminosity
          - System Location Discovery: System Language Discovery
          PID: 1084
      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
          PID: 916
      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
          - System Location Discovery: System Language Discovery
          PID: 1028

[1] C:\Windows\System32\WScript.exe
    Command line: C:\Windows\System32\WScript.exe "C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 4980
  [2] C:\Windows\System32\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\pi1rviy6slpi1rviy6sl\m8q1.dll sx
      - Suspicious use of WriteProcessMemory
      PID: 1568
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\pi1rviy6slpi1rviy6sl\m8q1.dll sx
        - Checks computer location settings
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 1036
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v pi1rviy6sl /t REG_SZ /d "C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs" /f
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          PID: 3740
        [5] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 540
        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v pi1rviy6sl /t REG_SZ /d "C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs" /f
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            PID: 1080
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 && copy /Y "C:\pi1rviy6slpi1rviy6sl\x" C:\pi1rviy6slpi1rviy6sl\x && copy /Y "C:\pi1rviy6slpi1rviy6sl\m8q1.dll" C:\pi1rviy6slpi1rviy6sl\m8q1.dll
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          PID: 4784
        [5] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 1896
      [4] C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /create /TR C:\pi1rviy6slpi1rviy6sl\pi1rviy6sl.vbs /MO 1 /TN pi1rviy6sl /SC MINUTE
          - Luminosity
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
          PID: 1584
      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
          - System Location Discovery: System Language Discovery
          PID: 4760

Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads