Malware Analysis Report

2024-09-23 04:04

Sample ID 240619-xgw4yswhnd
Target 0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118
SHA256 a259e50b3a0ab5abd711455cbcec62c0bfbcbda112a7cad719466dc494e285f5
Tags
metasploit backdoor evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a259e50b3a0ab5abd711455cbcec62c0bfbcbda112a7cad719466dc494e285f5

Threat Level: Known bad

The file 0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor evasion trojan

MetaSploit

Modifies security service

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Runs .reg file with regedit

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 18:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 18:50

Reported

2024-06-19 18:52

Platform

win7-20240508-en

Max time kernel

137s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\msxdll.exe N/A
File opened for modification C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\msxdll.exe N/A
File opened for modification C:\Windows\SysWOW64\msxdll.exe C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\msxdll.exe C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2140 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2140 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe C:\Windows\SysWOW64\msxdll.exe
PID 1928 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2716 wrote to memory of 2160 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 1396 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\msxdll.exe
PID 1396 wrote to memory of 1860 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1396 wrote to memory of 296 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\msxdll.exe
PID 296 wrote to memory of 1788 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\cmd.exe
PID 1788 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 296 wrote to memory of 2456 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\msxdll.exe
PID 2456 wrote to memory of 2432 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\cmd.exe
PID 2432 wrote to memory of 2036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2456 wrote to memory of 2208 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\msxdll.exe
PID 2208 wrote to memory of 1652 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 504 "C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 536 "C:\Windows\SysWOW64\msxdll.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 540 "C:\Windows\SysWOW64\msxdll.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 544 "C:\Windows\SysWOW64\msxdll.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 548 "C:\Windows\SysWOW64\msxdll.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 552 "C:\Windows\SysWOW64\msxdll.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 528 "C:\Windows\SysWOW64\msxdll.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 560 "C:\Windows\SysWOW64\msxdll.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 564 "C:\Windows\SysWOW64\msxdll.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 568 "C:\Windows\SysWOW64\msxdll.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

N/A

Files

C:\a.bat

C:\Users\Admin\AppData\Local\Temp\1.reg

\Windows\SysWOW64\msxdll.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 18:50

Reported

2024-06-19 18:52

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\msxdll.exe N/A
File opened for modification C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\msxdll.exe N/A
File opened for modification C:\Windows\SysWOW64\msxdll.exe C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\msxdll.exe C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4436 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3768 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4436 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe C:\Windows\SysWOW64\msxdll.exe
PID 4852 wrote to memory of 944 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4852 wrote to memory of 4840 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\msxdll.exe
PID 4840 wrote to memory of 4892 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 5084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4840 wrote to memory of 3904 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\msxdll.exe
PID 3904 wrote to memory of 984 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3904 wrote to memory of 3280 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\msxdll.exe
PID 3280 wrote to memory of 2704 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3280 wrote to memory of 3208 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\msxdll.exe
PID 3208 wrote to memory of 1772 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3208 wrote to memory of 844 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\msxdll.exe
PID 844 wrote to memory of 3900 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\cmd.exe
PID 3900 wrote to memory of 4048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 844 wrote to memory of 2276 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\msxdll.exe
PID 2276 wrote to memory of 2384 N/A C:\Windows\SysWOW64\msxdll.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 1164 "C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 1168 "C:\Windows\SysWOW64\msxdll.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 1140 "C:\Windows\SysWOW64\msxdll.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3968 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 1136 "C:\Windows\SysWOW64\msxdll.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 1148 "C:\Windows\SysWOW64\msxdll.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 1144 "C:\Windows\SysWOW64\msxdll.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 1156 "C:\Windows\SysWOW64\msxdll.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 1160 "C:\Windows\SysWOW64\msxdll.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 1152 "C:\Windows\SysWOW64\msxdll.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msxdll.exe

C:\Windows\system32\msxdll.exe 1172 "C:\Windows\SysWOW64\msxdll.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

Country Destination Domain Proto

Files

memory/4436-0-0x0000000000400000-0x000000000053D000-memory.dmp

\??\c:\a.bat

C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\msxdll.exe

MD5 0008d6d7ea0571daf5b451985095b9ca
SHA1 e6049ce2a34a0197e3eb60317db4c89ad8d6d40e
SHA256 a259e50b3a0ab5abd711455cbcec62c0bfbcbda112a7cad719466dc494e285f5
SHA512 af0611cc26796c11466f9d67d9e269c247532fbbf708922708bf1eb8e1628bd33b85af702796031f4d64844888b3a2f9239d3e932813239c2aea482ddff4a21d

memory/4436-127-0x0000000000400000-0x000000000053D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Users\Admin\AppData\Local\Temp\1.reg

memory/4852-267-0x0000000000400000-0x000000000053D000-memory.dmp

memory/4840-368-0x0000000000400000-0x000000000053D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Users\Admin\AppData\Local\Temp\1.reg

memory/3904-515-0x0000000000400000-0x000000000053D000-memory.dmp

memory/3280-566-0x0000000000400000-0x000000000053D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Users\Admin\AppData\Local\Temp\1.reg

memory/3208-786-0x0000000000400000-0x000000000053D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Users\Admin\AppData\Local\Temp\1.reg

memory/844-898-0x0000000000400000-0x000000000053D000-memory.dmp

memory/3368-901-0x0000000000400000-0x000000000053D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

memory/2276-1011-0x0000000000400000-0x000000000053D000-memory.dmp

memory/3368-1123-0x0000000000400000-0x000000000053D000-memory.dmp

memory/1256-1127-0x0000000000400000-0x000000000053D000-memory.dmp