Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
29/03/2025, 19:48
General
-
Target
JaffaCakes118_95e34fa0f492ecf553ed7eff7ebbc49d.exe
-
Size
355KB
-
MD5
95e34fa0f492ecf553ed7eff7ebbc49d
-
SHA1
54ae756a8953dc634a1c5c2dc046600ae6b9198a
-
SHA256
379c236657df94f4b7b43050986c2f8a2a088c3d57c9f3083d856372c9aab273
-
SHA512
6881d40be60c075e9b0530fe42a13e1523bd177f5eaaf9c9d7868985f23bf132f006c37f7ad8d3b7aa65644c2991f9d33cc036344a8fb40369b9f070b33b3fea
-
SSDEEP
6144:TU7DRHFiJ/mDE1P9XCHrCh4NX/jsF65P6AlV/5/pdSOwb3j19PMB:o7DVu/mDELXCHrCh4xwF65P6AlVR/pc+
Score
10/10
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 16 IoCs
-
Modifies firewall policy service 3 TTPs 10 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry key 1 TTPs 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95e34fa0f492ecf553ed7eff7ebbc49d.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95e34fa0f492ecf553ed7eff7ebbc49d.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\svchost.exe2⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svchost.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RSPinGenerator.exe"C:\Users\Admin\AppData\Local\Temp\RSPinGenerator.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bot.exeC:\Users\Admin\AppData\Roaming\bot.exe2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD57561bc2a2877ce2848d805d4b31fffb9
SHA1de8cbc7778e62651e487dfc6a9ae5634b55ad13c
SHA256d24e2ce5367fcf2b82b3eec2acc0875b07215db00aaaa0d6dc9b0a4c0dc3809e
SHA5123120aaafcc9d0dc01ecd7e2fc7d33ef7bfdf1efb3bf3080c1d6a494aa3d95b0692f36e40aad087aab96721853cd1829f2ffcd66b905faf580b953fcfbf45d02b
-
Filesize
34KB
MD5e118330b4629b12368d91b9df6488be0
SHA1ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA2563a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
56KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB
-
Filesize
492KB