metasploit | 62c2cc068a664f5357ec867d83ff772c55cb8426f7ce7bf2636957bbd449b36f

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3df80296b4ab0962ac6611792ccbd07f.exe
Size

1.2MB
MD5

3df80296b4ab0962ac6611792ccbd07f
SHA1

16122e7c3fcb9f78237873277e015981cdcce3c7
SHA256

62c2cc068a664f5357ec867d83ff772c55cb8426f7ce7bf2636957bbd449b36f
SHA512

045e740df67bf820e25979a153d0f04ff1f15a08c52668e0fe5f4aa01d238fe534dab56a43f88a24e060ce9ad4ea18d96133812d6db20a8dccf50d99de86ba5c
SSDEEP

3072:SjyCCyz8K7mI0X1sawfXSh7q/ZwEKYSP+HMpC42mPZud/OMLZCdkRc3EHgyj3:2yC99KvH5Vq/tKvwXnOMLZCpC

Score

10^/10

metasploit backdoor evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe

Executes dropped EXE 10 IoCs

pid	Process
4100	msxdll.exe
4088	msxdll.exe
3320	msxdll.exe
8	msxdll.exe
3344	msxdll.exe
2604	msxdll.exe
1708	msxdll.exe
4184	msxdll.exe
4392	msxdll.exe
4380	msxdll.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	3df80296b4ab0962ac6611792ccbd07f.exe
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File created	C:\Windows\SysWOW64\msxdll.exe	3df80296b4ab0962ac6611792ccbd07f.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File created	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe
File opened for modification	C:\Windows\SysWOW64\msxdll.exe	msxdll.exe

Runs .reg file with regedit 11 IoCs

pid	Process
2260	regedit.exe
1500	regedit.exe
1452	regedit.exe
3952	regedit.exe
5112	regedit.exe
704	regedit.exe
2240	regedit.exe
3364	regedit.exe
3040	regedit.exe
3648	regedit.exe
4672	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 2400	4748	3df80296b4ab0962ac6611792ccbd07f.exe	87
PID 4748 wrote to memory of 2400	4748	3df80296b4ab0962ac6611792ccbd07f.exe	87
PID 4748 wrote to memory of 2400	4748	3df80296b4ab0962ac6611792ccbd07f.exe	87
PID 2400 wrote to memory of 4672	2400	cmd.exe	88
PID 2400 wrote to memory of 4672	2400	cmd.exe	88
PID 2400 wrote to memory of 4672	2400	cmd.exe	88
PID 4748 wrote to memory of 4100	4748	3df80296b4ab0962ac6611792ccbd07f.exe	91
PID 4748 wrote to memory of 4100	4748	3df80296b4ab0962ac6611792ccbd07f.exe	91
PID 4748 wrote to memory of 4100	4748	3df80296b4ab0962ac6611792ccbd07f.exe	91
PID 4100 wrote to memory of 2636	4100	msxdll.exe	92
PID 4100 wrote to memory of 2636	4100	msxdll.exe	92
PID 4100 wrote to memory of 2636	4100	msxdll.exe	92
PID 2636 wrote to memory of 5112	2636	cmd.exe	94
PID 2636 wrote to memory of 5112	2636	cmd.exe	94
PID 2636 wrote to memory of 5112	2636	cmd.exe	94
PID 4100 wrote to memory of 4088	4100	msxdll.exe	99
PID 4100 wrote to memory of 4088	4100	msxdll.exe	99
PID 4100 wrote to memory of 4088	4100	msxdll.exe	99
PID 4088 wrote to memory of 4368	4088	msxdll.exe	100
PID 4088 wrote to memory of 4368	4088	msxdll.exe	100
PID 4088 wrote to memory of 4368	4088	msxdll.exe	100
PID 4368 wrote to memory of 2260	4368	cmd.exe	101
PID 4368 wrote to memory of 2260	4368	cmd.exe	101
PID 4368 wrote to memory of 2260	4368	cmd.exe	101
PID 4088 wrote to memory of 3320	4088	msxdll.exe	106
PID 4088 wrote to memory of 3320	4088	msxdll.exe	106
PID 4088 wrote to memory of 3320	4088	msxdll.exe	106
PID 3320 wrote to memory of 3496	3320	msxdll.exe	107
PID 3320 wrote to memory of 3496	3320	msxdll.exe	107
PID 3320 wrote to memory of 3496	3320	msxdll.exe	107
PID 3496 wrote to memory of 704	3496	cmd.exe	108
PID 3496 wrote to memory of 704	3496	cmd.exe	108
PID 3496 wrote to memory of 704	3496	cmd.exe	108
PID 3320 wrote to memory of 8	3320	msxdll.exe	112
PID 3320 wrote to memory of 8	3320	msxdll.exe	112
PID 3320 wrote to memory of 8	3320	msxdll.exe	112
PID 8 wrote to memory of 1200	8	msxdll.exe	113
PID 8 wrote to memory of 1200	8	msxdll.exe	113
PID 8 wrote to memory of 1200	8	msxdll.exe	113
PID 1200 wrote to memory of 1500	1200	cmd.exe	114
PID 1200 wrote to memory of 1500	1200	cmd.exe	114
PID 1200 wrote to memory of 1500	1200	cmd.exe	114
PID 8 wrote to memory of 3344	8	msxdll.exe	118
PID 8 wrote to memory of 3344	8	msxdll.exe	118
PID 8 wrote to memory of 3344	8	msxdll.exe	118
PID 3344 wrote to memory of 456	3344	msxdll.exe	119
PID 3344 wrote to memory of 456	3344	msxdll.exe	119
PID 3344 wrote to memory of 456	3344	msxdll.exe	119
PID 456 wrote to memory of 2240	456	cmd.exe	120
PID 456 wrote to memory of 2240	456	cmd.exe	120
PID 456 wrote to memory of 2240	456	cmd.exe	120
PID 3344 wrote to memory of 2604	3344	msxdll.exe	122
PID 3344 wrote to memory of 2604	3344	msxdll.exe	122
PID 3344 wrote to memory of 2604	3344	msxdll.exe	122
PID 2604 wrote to memory of 2208	2604	msxdll.exe	123
PID 2604 wrote to memory of 2208	2604	msxdll.exe	123
PID 2604 wrote to memory of 2208	2604	msxdll.exe	123
PID 2208 wrote to memory of 3364	2208	cmd.exe	124
PID 2208 wrote to memory of 3364	2208	cmd.exe	124
PID 2208 wrote to memory of 3364	2208	cmd.exe	124
PID 2604 wrote to memory of 1708	2604	msxdll.exe	126
PID 2604 wrote to memory of 1708	2604	msxdll.exe	126
PID 2604 wrote to memory of 1708	2604	msxdll.exe	126
PID 1708 wrote to memory of 4072	1708	msxdll.exe	127

C:\Users\Admin\AppData\Local\Temp\3df80296b4ab0962ac6611792ccbd07f.exe
"C:\Users\Admin\AppData\Local\Temp\3df80296b4ab0962ac6611792ccbd07f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\a.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    3⤵
    - Modifies security service
    - Runs .reg file with regedit
    PID:4672
- C:\Windows\SysWOW64\msxdll.exe
  C:\Windows\system32\msxdll.exe 1168 "C:\Users\Admin\AppData\Local\Temp\3df80296b4ab0962ac6611792ccbd07f.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\a.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      4⤵
      Modifies security service
      Runs .reg file with regedit
      PID:5112
- - C:\Windows\SysWOW64\msxdll.exe
    C:\Windows\system32\msxdll.exe 1164 "C:\Windows\SysWOW64\msxdll.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\a.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4368
    - - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        5⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2260
  - - C:\Windows\SysWOW64\msxdll.exe
      C:\Windows\system32\msxdll.exe 1136 "C:\Windows\SysWOW64\msxdll.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3496
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:704
    - - C:\Windows\SysWOW64\msxdll.exe
        
        C:\Windows\system32\msxdll.exe 1140 "C:\Windows\SysWOW64\msxdll.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:8
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        7⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1500
      - C:\Windows\SysWOW64\msxdll.exe
        
        C:\Windows\system32\msxdll.exe 1144 "C:\Windows\SysWOW64\msxdll.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        8⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2240
        
        C:\Windows\SysWOW64\msxdll.exe
        
        C:\Windows\system32\msxdll.exe 1148 "C:\Windows\SysWOW64\msxdll.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        9⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:3364
        
        C:\Windows\SysWOW64\msxdll.exe
        
        C:\Windows\system32\msxdll.exe 1152 "C:\Windows\SysWOW64\msxdll.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        9⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1452
        
        C:\Windows\SysWOW64\msxdll.exe
        
        C:\Windows\system32\msxdll.exe 1160 "C:\Windows\SysWOW64\msxdll.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        10⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        11⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:3040
        
        C:\Windows\SysWOW64\msxdll.exe
        
        C:\Windows\system32\msxdll.exe 1172 "C:\Windows\SysWOW64\msxdll.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        11⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:3648
        
        C:\Windows\SysWOW64\msxdll.exe
        
        C:\Windows\system32\msxdll.exe 1176 "C:\Windows\SysWOW64\msxdll.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        12⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        13⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
384B

MD5
c93c561465db53bf9a99759de9d25f07

SHA1
5386934828e2c2589bfe394ac1f03ffbfba93bfa

SHA256
32eae568e5a03070b122719c66798a0574658b85dc61bcf3c48eae29f4d77851

SHA512
bb0163e1a26f6b7cfd4ce214ae33a56e446fa74efca7682352ab52aa4b4d5b5b92a141e3e2a12b76f33827b1cd423f3d862cc973079d5da291832ce6a9fb9b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
872656500ddac1ddd91d10aba3a8df96

SHA1
ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc

SHA256
d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8

SHA512
e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
978B

MD5
2e2266221550edce9a27c9060d5c2361

SHA1
f39f2d8f02f8b3a877d5969a81c4cb12679609f3

SHA256
e19af90814641d2c6cd15a7a53d676a4a7f63b4a80a14126824d1e63fdccdcdb

SHA512
e962cc55d1f9537159c34349a2fa5ffffc910de3e52cafa8347c43eded78b8e986ecb8e2e9ada5e2381b034151f17e6b984c279460e8e114e50ea58a64648864

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1011B

MD5
5088b4be1b90717121e76c1fc33c033a

SHA1
090676b012c30e6b0d6493ca1e9a31f3093cad6f

SHA256
d1d8c8ac4136082ac60938e8148c43d81fa91a124eccf34048e629d22daeef3a

SHA512
0cac2dcf138b1a66f857a54c92afe467ef7544655cd1c4aec3b4084c92c9186d9ba10e0e74a54a6e43e676068d3747f668f7286d44fcefce7ee4d385a3a96962

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
63ff40a70037650fd0acfd68314ffc94

SHA1
1ab29adec6714edf286485ac5889fddb1d092e93

SHA256
1e607f10a90fdbaffe26e81c9a5f320fb9c954391d2adcc55fdfdfca1601714b

SHA512
2b41ce69cd1541897fbae5497f06779ac8182ff84fbf29ac29b7c2b234753fe44e7dfc6e4c257af222d466536fa4e50e247dcb68a9e1ad7766245dedfcfb6fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
d085cde42c14e8ee2a5e8870d08aee42

SHA1
c8e967f1d301f97dbcf252d7e1677e590126f994

SHA256
a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f

SHA512
de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
752fd85212d47da8f0adc29004a573b2

SHA1
fa8fe3ff766601db46412879dc13dbec8d055965

SHA256
9faa69e9dabfb4beb40790bf12d0ae2ac0a879fb045e38c03b9e4d0ab569636e

SHA512
d7bbadb2ed764717dc01b012832e5c1debd6615bbdc121b5954e61d6364a03b2dd03718bdea26c5c2a6dbb6e33c5a7657c76862f6d8c0a916f7a0f9f8dd3b209

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
300B

MD5
9e1df6d58e6c905e4628df434384b3c9

SHA1
e67dd641da70aa9654ed24b19ed06a3eb8c0db43

SHA256
25bb4f644e47b4b64b0052ec7edfd4c27f370d07ef884078fea685f30b9c1bb0

SHA512
93c9f24dc530e08c85776955c200be468d099d8f1d2efe5e20cbb3a1d803fe23e0ba9b589df2498832082a283d79f6f1053a26d15f49e31a0da395ecc7225ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
5575ef034e791d4d3b09da6c0c4ee764

SHA1
50a0851ddf4b0c4014ad91f976e953baffe30951

SHA256
9697ec584ef188873daa789eb779bb95dd3efa2c4c98a55dffa30cac4d156c14

SHA512
ecf52614d3a16d8e558751c799fde925650ef3e6d254d172217e1b0ed76a983d45b74688616d3e3432a16cec98b986b17eaecd319a18df9a67e4d47f17380756

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
6dd7ad95427e77ae09861afd77104775

SHA1
81c2ffe8c63e71f013a07e5794473b60f50c0716

SHA256
8eb7ba2c4ca558bb764f1db1ea0da16c08791a79e995704e5c1b9f3e855008c2

SHA512
171d8a96006ea9ff2655af49bd3bfc4702ba8573b3e6f93237ee52e0be68dd09e123495f9fbda9ff69d03fe843d9306798cae6c156202d48b8d021722eedc7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
831afd728dd974045c0654510071d405

SHA1
9484f4ee8e9eef0956553a59cfbcbe99a8822026

SHA256
03223eaae4ac389215cb8a9cb4e4d5a70b67f791f90e57b8efd3f975f5cf6af2

SHA512
ab7ac4d6d45b8aac5f82432468d40bd2b5bfae6d93006732ce27a6513fd3e7ddc94c029051092bf8b6f5649688c0f6600dbd88968732fc7b779e916e6bcda5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
0a839c0e3eb1ed25e6211159e43f4df1

SHA1
a227a9322f58b8f40b2f6f326dca58145f599587

SHA256
717a2b81d076586548a0387c97d2dc31337a03763c6e7acb642c3e46ec94d6f0

SHA512
bd2b99fb43ccd1676f69752c1a295d1da0db2cb0310c8b097b4b5b91d76cff12b433f47af02b5f7d0dd5f8f16624b0c20294eebf5c6a7959b2b5d6fe2b34e508

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
431B

MD5
9fa547ff360b09f7e093593af0b5a13b

SHA1
9debc99bb7450f59a7b09f16c0393e5c7a955ba4

SHA256
7ff65c0be2004867f536ce9b94783da4b5e4bc06cca5bd899933c8b68a44c705

SHA512
30e5aa130c6b0869dc3fbb79da54d42699be6de0af65c9127ea047548a22d98b68300f18432141207166687576ba86433d4ae9d3458dbcc2aec9f14198c58193

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
476B

MD5
a5d4cddfecf34e5391a7a3df62312327

SHA1
04a3c708bab0c15b6746cf9dbf41a71c917a98b9

SHA256
8961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a

SHA512
48024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
5bf31d7ea99b678c867ccdec344298aa

SHA1
2e548f54bf50d13993105c4f59bbeaeb87b17a68

SHA256
52be521b5509b444c0369ea7e69fc06b2d0b770cf600386c9a0178225ccdd281

SHA512
1bc82b65efe8c2be419748c8534210e7ad8cc8332ef87fb5df828eaebfdf630066ab3ad8d3ceeb82dee5ec4e680daff2748fcd4beaad8c71f1477b2ec7fe3564

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
bef09dc596b7b91eec4f38765e0965b7

SHA1
b8bb8d2eb918e0979b08fd1967dac127874b9de5

SHA256
8dab724d5941eb7becff35ce1a76e8525dcdca024900e70758300dcdddf8e265

SHA512
0bbce4150b47bafb674f2074fdfc20df86edadb85037f93c541d1d53f721ed52e37a49d14522dac56e9d2e9ce801bcdb701509fa02285778a086d547f1be966a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
298B

MD5
4117e5a9c995bab9cd3bce3fc2b99a46

SHA1
80144ccbad81c2efb1df64e13d3d5f59ca4486da

SHA256
37b58c2d66ab2f896316ee0cdba30dcc9aac15a51995b8ba6c143c8ba34bf292

SHA512
bdb721bd3dea641a9b1f26b46311c05199de01c6b0d7ea2b973aa71a4f796b292a6964ddef32ba9dfc4a545768943d105f110c5d60716e0ff6f82914affb507c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
b9dc88ed785d13aaeae9626d7a26a6a0

SHA1
ab67e1c5ca09589b93c06ad0edc4b5a18109ec1e

SHA256
9f1cba2944ed1a547847aa72ba5c759c55da7466796389f9a0f4fad69926e6fc

SHA512
df6380a3e5565ff2bc66d7589af7bc3dcfa2598212c95765d070765341bba446a5a5d6206b50d860f6375c437622deb95a066440145a1b7917aee6dcef207b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
989c5352030fafd44b92adf4d4164738

SHA1
e02985c15eb20682115e3fc343f829e28770ed6c

SHA256
248c7793d113ca762bbe56b974f4c5902339dacb0b47ddd7c412340a623dfe38

SHA512
9ebcfc38952d968d608d68b2e8fbb56f5d02ed03e0e2d02661caeb50f804404d95fc45f22a8376ca88b69548c89c22b6c6a9acbb7fdcb5f6f906bd871b3465f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
d5e129352c8dd0032b51f34a2bbecad3

SHA1
a50f8887ad4f6a1eb2dd3c5b807c95a923964a6a

SHA256
ebdaad14508e5ba8d9e794963cf35bd51b7a92b949ebf32deef254ab9cdd6267

SHA512
9a3aa2796657c964f3c3ff07c8891533a740c86e8b0bebb449b5a3e07e1248d0f6608e03d9847caf1c8bff70392d15474f2954349869d92658108515df6831c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
360B

MD5
3a1a83c2ffad464e87a2f9a502b7b9f1

SHA1
4ffa65ecdd0455499c8cd6d05947605340cbf426

SHA256
73ed949fba75a20288ac2d1e367180d4c8837fd31c66143707768d5b0e3bd8b6

SHA512
8232967faaf29b8b93b5042ba2bb1fcb6d0f0f2fa0e19573b1fe49f526ba434c5e76e932829e3c71beb0903e42c293ed202b619fee8aba93efe4a99e8aec55e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
784B

MD5
5a466127fedf6dbcd99adc917bd74581

SHA1
a2e60b101c8789b59360d95a64ec07d0723c4d38

SHA256
8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84

SHA512
695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
47985593a44ee38c64665b04cbd4b84c

SHA1
84900c2b2e116a7b744730733f63f2a38b4eb76e

SHA256
4a62e43cadba3b8fa2ebead61f9509107d8453a6d66917aad5efab391a8f8e70

SHA512
abdd7f2f701a5572fd6b8b73ff4a013c1f9b157b20f4e193f9d1ed2b3ac4911fa36ffc84ca62d2ceea752a65af34ec77e3766e97e396a8470031990faff1a269

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
2299014e9ce921b7045e958d39d83e74

SHA1
26ed64f84417eb05d1d9d48441342ca1363084da

SHA256
ee2b1a70a028c6d66757d68a847b4631fc722c1e9bfc2ce714b5202f43ec6b57

SHA512
0a1922752065a6ab7614ca8a12d5d235dfb088d3759b831de51124894adae79637713d7dee2eb87668fa85e37f3ba00d85a727a7ba3a6301fbf1d47f80c6a08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
701B

MD5
e427a32326a6a806e7b7b4fdbbe0ed4c

SHA1
b10626953332aeb7c524f2a29f47ca8b0bee38b1

SHA256
b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839

SHA512
6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
b79d7c7385eb2936ecd5681762227a9b

SHA1
c2a21fb49bd3cc8be9baac1bf6f6389453ad785d

SHA256
fd1be29f1f4b9fc4a8d9b583c4d2114f17c062998c833b2085960ac02ef82019

SHA512
7ea049afca363ff483f57b9fff1e213006d689eb4406cefe7f1e096c46b41e7908f1e4d69e1411ae56eb1c4e19489c9322176ffdd8ea2f1c37213eb51f03ef5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
5e073629d751540b3512a229a7c56baf

SHA1
8d384f06bf3fe00d178514990ae39fc54d4e3941

SHA256
2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e

SHA512
84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

Download Submit
C:\Windows\SysWOW64\msxdll.exe

Filesize
243KB

MD5
5034047a0de098d6d8fde0ecb212e469

SHA1
5bbcb7181f279bcb7dba4edbeecf3043d1c65d1f

SHA256
5f62f349776352719e42037e7dff750b36a814fea5cce1564ad68f52b219c9da

SHA512
35930cc250f85a3abe6163e1e8e306e18a7a2b947b1212ca16496df8c24feadd6755d5b53b8012908dfc5aa16bc11ad0b6c721d3893e5f510aa4e50283901b7c

Download Submit
C:\Windows\SysWOW64\msxdll.exe

Filesize
1.2MB

MD5
3df80296b4ab0962ac6611792ccbd07f

SHA1
16122e7c3fcb9f78237873277e015981cdcce3c7

SHA256
62c2cc068a664f5357ec867d83ff772c55cb8426f7ce7bf2636957bbd449b36f

SHA512
045e740df67bf820e25979a153d0f04ff1f15a08c52668e0fe5f4aa01d238fe534dab56a43f88a24e060ce9ad4ea18d96133812d6db20a8dccf50d99de86ba5c

Download Submit
C:\Windows\SysWOW64\msxdll.exe

Filesize
984KB

MD5
e005225d95e9dbf9b2c2178ccb8f08c5

SHA1
50c18b6c5212cecf62d97f232b0f53e8804edd37

SHA256
72ad89aed3848707d983c43c842687ad58d28642d57b2b173bcffad1c864b092

SHA512
715b9b8483c070513cdce79eaa00c6633dc3fa8e283e195cb37739b43b0f7365031db20f3222047dbe2c54f35e449594f14cfcd2ac3354f197dae9eaa621df71

Download Submit
C:\Windows\SysWOW64\msxdll.exe

Filesize
960KB

MD5
6be311811bf4237eb6982ad18b71a842

SHA1
35248fdef6aa2d0735c39f209137d465d47e367b

SHA256
af16f188b683dd588b3c26e10dd7ad246764f360ca15f5c8b3422ab99e8e0ad3

SHA512
bc9e856364b1d026a36a2830582bc12e6c7228d1316809af4a8b1a2dfd427ad76759ea6bf009fd115cd1e7e4e1ef40169b7d961f77d644fd2f526826ec30b0d9

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
memory/8-645-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/1708-792-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/1708-1013-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/2604-793-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/2604-680-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/3320-454-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/3344-721-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/3344-566-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/4088-342-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/4100-338-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/4184-1126-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/4392-1129-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/4748-0-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/4748-147-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads