Analysis Overview
SHA256
08ee8a89c78013621b08fae8fd83765eab5fdcc1342cb5958ac10b1545688392
Threat Level: Likely malicious
The file 12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Event Triggered Execution: Image File Execution Options Injection
Checks computer location settings
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Executes dropped EXE
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Runs net.exe
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 17:49
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 17:49
Reported
2024-06-26 17:52
Platform
win7-20240419-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\drivers\Beep.sys | C:\Program Files\bnsk3.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegTool.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrvAnti.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessSafe.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wmnet.exe | N/A |
| N/A | N/A | C:\Program Files\bnsk3.exe | N/A |
| N/A | N/A | C:\Program Files\Vodstup3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\POWER | C:\Program Files\bnsk3.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\PROFSVC | C:\Program Files\bnsk3.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WINDEFEND | C:\Program Files\bnsk3.exe | N/A |
Loads dropped DLL
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\bnsk3.exe | C:\Users\Admin\AppData\Local\Temp\wmnet.exe | N/A |
| File created | C:\Program Files\Vodstup3.exe | C:\Users\Admin\AppData\Local\Temp\wmnet.exe | N/A |
Enumerates physical storage devices
NSIS installer
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe"
C:\Windows\SysWOW64\net.exe
net stop "Security Center"
C:\Windows\SysWOW64\net.exe
net stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\net.exe
net stop System Restore Service
C:\Windows\SysWOW64\net.exe
net stop "Security Center"
C:\Windows\SysWOW64\net.exe
net stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\net.exe
net stop System Restore Service
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop System Restore Service
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop System Restore Service
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Users\Admin\AppData\Local\Temp\wmnet.exe
C:\Users\Admin\AppData\Local\Temp\wmnet.exe
C:\Program Files\bnsk3.exe
"C:\Program Files\bnsk3.exe"
C:\Program Files\Vodstup3.exe
"C:\Program Files\Vodstup3.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.1
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.2
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.3
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.4
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.5
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
Files
\Users\Admin\AppData\Local\Temp\wmnet.exe
\Program Files\bnsk3.exe
\Program Files\Vodstup3.exe
\Users\Admin\AppData\Local\Temp\nst2187.tmp\LangDLL.dll
C:\Users\Admin\AppData\Local\Temp\nst2187.tmp\ioSpecial.ini
\Users\Admin\AppData\Local\Temp\nst2187.tmp\InstallOptions.dll
\Users\Admin\AppData\Local\Temp\urlm0n.dll
\Users\Admin\AppData\Local\Temp\svchost.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 17:49
Reported
2024-06-26 17:52
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\drivers\Beep.sys | C:\Program Files\bnsk3.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiArp.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegTool.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessSafe.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RawCopy.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.com | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RawCopy.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wmnet.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wmnet.exe | N/A |
| N/A | N/A | C:\Program Files\bnsk3.exe | N/A |
| N/A | N/A | C:\Program Files\Vodstup3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\CBDHSVC | C:\Program Files\bnsk3.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\IAI2C.SYS | C:\Program Files\bnsk3.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\POWER | C:\Program Files\bnsk3.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\PROFSVC | C:\Program Files\bnsk3.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\SERCX2.SYS | C:\Program Files\bnsk3.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\USERMANAGER | C:\Program Files\bnsk3.exe | N/A |
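Added example (the editor's, not part of this report): a small parser that classifies the registry rows in the Image File Execution Options and Safe Mode Boot tables above. The Debugger value under an IFEO key is what CreateProcess runs in place of the named image; ntsd.exe was dropped from Windows after XP/Server 2003, so a Debugger of "ntsd -d" means the targeted security tools (filemon.exe, KPfwSvc.exe, KWatch9x.exe and the rest) fail to launch at all. Deleting entries under SafeBoot\Minimal removes those services and drivers from the Safe Mode load list, which gets in the way of offline cleanup. The sample rows are copied from this page; the regexes, the row classification and the LEGIT_DEBUGGERS allowlist are assumptions to tune for your environment.

```python
"""Classify the registry indicators from the signature tables above.

Added example, not part of the sandbox report. REPORT_ROWS is copied from
the page; the regexes, the classification and LEGIT_DEBUGGERS are the
editor's own assumptions.
"""
import re
from collections import defaultdict

# Constructed input: signature rows copied from the page (Description |
# Indicator | Process | Target), plus one unrelated CLSID row as a control.
REPORT_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe | C:\Program Files\bnsk3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe\Debugger = "ntsd -d" | C:\Program Files\bnsk3.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\PROFSVC | C:\Program Files\bnsk3.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\IAI2C.SYS | C:\Program Files\bnsk3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\wmnet.exe | N/A |
"""

IFEO_RE = re.compile(
    r'\\Image File Execution Options\\([^\\]+)(?:\\Debugger\s*=\s*"([^"]*)")?$',
    re.IGNORECASE,
)
SAFEBOOT_RE = re.compile(r'\\SAFEBOOT\\(MINIMAL|NETWORK)\\([^\\]+)$', re.IGNORECASE)

# Assumption: debuggers an analyst would accept as IFEO Debugger values.
LEGIT_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe"}


def parse_rows(text):
    """Split pipe-delimited signature rows into dicts; skips header rows."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 3 and cells[0] != "Description":
            rows.append({"action": cells[0], "indicator": cells[1], "process": cells[2]})
    return rows


def debugger_exe(value):
    """Executable file name from a Debugger value such as 'ntsd -d' or
    '"C:\\x\\dbg.exe" -p %ld'; '.exe' is appended when no extension is given."""
    value = value.strip()
    first = value.split('"')[1] if value.startswith('"') else value.split()[0]
    name = first.rsplit("\\", 1)[-1].lower()
    return name if name.endswith(".exe") else name + ".exe"


def classify(rows):
    """Group rows into IFEO debugger hijacks, bare IFEO keys and SafeBoot deletions."""
    findings = defaultdict(list)
    for r in rows:
        m = IFEO_RE.search(r["indicator"])
        if m:
            image, debugger = m.group(1), m.group(2)
            if debugger is not None and r["action"].startswith("Set value"):
                # CreateProcess launches the Debugger value instead of the image;
                # ntsd.exe does not ship with current Windows, so "ntsd -d"
                # simply prevents the named security tool from starting.
                allowlisted = debugger_exe(debugger) in LEGIT_DEBUGGERS
                tag = "ifeo_debugger_allowlisted" if allowlisted else "ifeo_debugger"
                findings[tag].append((image, debugger))
            elif r["action"] == "Key created":
                findings["ifeo_key_only"].append(image)
            continue
        m = SAFEBOOT_RE.search(r["indicator"])
        if m and r["action"] == "Key deleted":
            # Only entries under SafeBoot\Minimal (or \Network) load in Safe
            # Mode; deleting them keeps those services/drivers out of it.
            findings["safeboot_removed"].append((m.group(1).title(), m.group(2)))
    return dict(findings)


if __name__ == "__main__":
    for kind, items in classify(parse_rows(REPORT_ROWS)).items():
        print(kind, items)
```

Feed it the full signature tables from the page and every IFEO target comes out as one line per hijacked security product; a bare "Key created" under IFEO with no Debugger value is still worth listing, because the sandbox may have captured the key before the value was written.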
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Vodstup3.exe | N/A |
| N/A | N/A | C:\Program Files\Vodstup3.exe | N/A |
| N/A | N/A | C:\Program Files\bnsk3.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Vodstup3.exe | C:\Users\Admin\AppData\Local\Temp\wmnet.exe | N/A |
| File created | C:\Program Files\bnsk3.exe | C:\Users\Admin\AppData\Local\Temp\wmnet.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\wmnet.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe"
C:\Windows\SysWOW64\net.exe
net stop "Security Center"
C:\Windows\SysWOW64\net.exe
net stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\net.exe
net stop System Restore Service
C:\Windows\SysWOW64\net.exe
net stop "Security Center"
C:\Windows\SysWOW64\net.exe
net stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\net.exe
net stop System Restore Service
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop System Restore Service
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop System Restore Service
C:\Users\Admin\AppData\Local\Temp\wmnet.exe
C:\Users\Admin\AppData\Local\Temp\wmnet.exe
C:\Program Files\bnsk3.exe
"C:\Program Files\bnsk3.exe"
C:\Program Files\Vodstup3.exe
"C:\Program Files\Vodstup3.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.1
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.2
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.3
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.4
C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.5
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| N/A | 10.127.0.1:445 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| N/A | 10.127.0.1:139 | | tcp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| N/A | 10.127.0.2:445 | | tcp |
| N/A | 10.127.0.2:139 | | tcp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | 2.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| N/A | 10.127.0.3:445 | | tcp |
| N/A | 10.127.0.3:139 | | tcp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | 3.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| N/A | 10.127.0.4:445 | | tcp |
| N/A | 10.127.0.4:139 | | tcp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | 4.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| N/A | 10.127.0.5:445 | | tcp |
| N/A | 10.127.0.5:139 | | tcp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | 5.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ut.njsk2.cn | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
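Added example (the editor's, not part of this report): correlating the Processes list with the Network table above. Three things a responder wants pulled out of these two sections: which services the sample tries to stop (note that `net stop System Restore Service` is unquoted, and net.exe takes a single service-name argument, so that one most likely never applies to the intended service), which hosts the dropped svchost.exe was pointed at and whether each was then reached on 445 and 139, and which domains were only ever resolved (ut.njsk2.cn is queried over and over, yet no TCP row in the table carries that name). The command lines and rows are copied from the page; the regexes and the sequential-sweep and DNS-only heuristics are the editor's assumptions.

```python
"""Correlate the Processes list with the Network table above.

Added example, not part of the sandbox report. PROCESS_CMDLINES and
NETWORK_ROWS are copied from the page; the regexes and heuristics are the
editor's own assumptions.
"""
import ipaddress
import re
from collections import Counter

# Constructed input: command lines from the Processes section.
PROCESS_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\12dbeb8bfc7e94dbf74e4f28ad7d9acd_JaffaCakes118.exe"',
    r'net stop "Security Center"',
    r'net stop "Windows Firewall/Internet Connection Sharing (ICS)"',
    r'net stop System Restore Service',
    r'C:\Windows\system32\net1 stop "Security Center"',
    r'C:\Windows\system32\net1 stop System Restore Service',
    r'C:\Users\Admin\AppData\Local\Temp\wmnet.exe',
    r'"C:\Program Files\bnsk3.exe"',
    r'C:\Windows\explorer.exe',
    r'C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.1',
    r'C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.2',
    r'C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.3',
    r'C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.4',
    r'C:\Users\Admin\AppData\Local\Temp\\svchost.exe 10.127.0.5',
]

# Constructed input: (destination, domain, proto) rows from the Network table.
NETWORK_ROWS = [
    ("8.8.8.8:53", "g.bing.com", "udp"),
    ("204.79.197.237:443", "g.bing.com", "tcp"),
    ("8.8.8.8:53", "ut.njsk2.cn", "udp"),
    ("10.127.0.1:445", "", "tcp"),
    ("10.127.0.1:139", "", "tcp"),
    ("8.8.8.8:53", "ut.njsk2.cn", "udp"),
    ("8.8.8.8:53", "237.197.79.204.in-addr.arpa", "udp"),
    ("10.127.0.2:445", "", "tcp"),
    ("10.127.0.2:139", "", "tcp"),
    ("8.8.8.8:53", "ut.njsk2.cn", "udp"),
    ("10.127.0.3:445", "", "tcp"),
    ("10.127.0.3:139", "", "tcp"),
    ("10.127.0.4:445", "", "tcp"),
    ("10.127.0.4:139", "", "tcp"),
    ("8.8.8.8:53", "ut.njsk2.cn", "udp"),
    ("10.127.0.5:445", "", "tcp"),
    ("10.127.0.5:139", "", "tcp"),
]

NET_STOP_RE = re.compile(r'^(?:.*\\)?net1?(?:\.exe)?\s+stop\s+(.+)$', re.IGNORECASE)
SWEEP_RE = re.compile(r'\\svchost\.exe\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$', re.IGNORECASE)


def net_stop_targets(cmdlines):
    """Return (service, quoted) for each net/net1 stop. net.exe takes exactly
    one service-name argument, so an unquoted multi-word name is not one token
    and the stop most likely never applies to the intended service."""
    out = []
    for cmd in cmdlines:
        m = NET_STOP_RE.match(cmd.strip())
        if m:
            arg = m.group(1).strip()
            quoted = len(arg) > 1 and arg[0] == arg[-1] == '"'
            out.append((arg.strip('"'), quoted))
    return out


def lateral_sweep(cmdlines, net_rows):
    """Map each IP handed to the dropped svchost.exe to the TCP ports it was
    then seen contacting (445/139 = SMB / NetBIOS session)."""
    targets = {}
    for cmd in cmdlines:
        m = SWEEP_RE.search(cmd)
        if m:
            targets.setdefault(m.group(1), set())
    for dest, _domain, proto in net_rows:
        host, _, port = dest.rpartition(":")
        if proto == "tcp" and host in targets:
            targets[host].add(int(port))
    return targets


def is_sequential(ips):
    """True when the targets form a consecutive run: a scan of the local
    subnet rather than connections to hosts learned from configuration."""
    addrs = sorted(ipaddress.ip_address(ip) for ip in ips)
    return len(addrs) > 1 and all(int(b) - int(a) == 1 for a, b in zip(addrs, addrs[1:]))


def dns_only_domains(net_rows):
    """Domains resolved over UDP/53 but never reached over TCP, with query
    counts; reverse (in-addr.arpa) lookups are sandbox noise and skipped."""
    queried = Counter(d for dest, d, proto in net_rows
                      if proto == "udp" and dest.endswith(":53")
                      and not d.endswith(".in-addr.arpa"))
    reached = {d for _dest, d, proto in net_rows if proto == "tcp" and d}
    return {d: n for d, n in queried.items() if d not in reached}


if __name__ == "__main__":
    print(net_stop_targets(PROCESS_CMDLINES))
    sweep = lateral_sweep(PROCESS_CMDLINES, NETWORK_ROWS)
    print(sweep, "sequential" if is_sequential(sweep) else "scattered")
    print(dns_only_domains(NETWORK_ROWS))
```

A sequential run of 445/139 attempts from a renamed binary in %TEMP% is the pattern to alert on regardless of the sample; the repeated ut.njsk2.cn lookups with no follow-on connection suggest the sandbox never resolved the name to a reachable host, so the C2 channel itself is not captured in this report.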
Files
memory/4532-0-0x0000000010000000-0x00000000101D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wmnet.exe
| MD5 | 777cd8cf92c578b41e631603faeff99b |
| SHA1 | c8d2b6d02711095df3baaf3cb575ad0c776bc29b |
| SHA256 | 43781fd2d7aa7f88da5bcc6259825e91040ff520e61d6b9bbc36ce4e0851147c |
| SHA512 | 006b035181dc46186e6c7658e37f0f912f1e921d6e7e6354bc3481fcaf53fe2d5fd20bb182754f3f3cece16184ee4e2ab915497f3c8785ef7b5727c6faae51e2 |
memory/1984-6-0x0000000000400000-0x00000000005C4B10-memory.dmp
C:\Program Files\bnsk3.exe
| MD5 | 396ca637411fc5ed58dd7e2f7c935c56 |
| SHA1 | 628d16624b8a2bc897a8d53f71ced4d499d54773 |
| SHA256 | 06ae50c9bf25303326b169bc78d7de383ee8e9688eedf12bdb832e03d587869c |
| SHA512 | 2e26fef6f6721ae6ef2d9d421faeffe740e1510e03f7853f62b27679213dd0cc5b54398507f26a48cce2e0c40ea9740965cc928d5176d092c0adc20ff4ce068e |
C:\Program Files\Vodstup3.exe
| MD5 | cfda9c8171425aa7b205244d58bb7340 |
| SHA1 | a965c3621c7d22c341d14eb70268f4ab414dcda8 |
| SHA256 | 61ed11474d4a545764c81edc0a606c95534de929703f702010e680742f347ad1 |
| SHA512 | f07a838d4662c718a7315d67bad37da3d938340e5f2de790c18375bba3c7ba51e99287d26b25591e19eb61d898a4aa72fc3426ebebf5afe05d0366c2d3bd0095 |
memory/1984-72-0x0000000000400000-0x00000000005C4B10-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsp3971.tmp\LangDLL.dll
| MD5 | 8c909780802ac2097ea4132e6375acd2 |
| SHA1 | b35fbda0725d7c66281d5c340b53eb5d54922583 |
| SHA256 | c66b568cd675806a499273e3e8aeda350425aac17fc24342ed54e477417cdc0f |
| SHA512 | e94a37c586e55de8b61b427c14a385dcc57f3602d3dace90ad4663609da14a922cb78f76a58ed211549e987ba6f130cf2581eb48bcad2c9c25c6dc93a7ff6d08 |
C:\Users\Admin\AppData\Local\Temp\nsp3971.tmp\ioSpecial.ini
| MD5 | 8071dfaabbec0af00f85d2b5bf1f62f0 |
| SHA1 | a6e1e99e87dd492043194fb33686d0f5dd43f7fb |
| SHA256 | ee140278c3c3700d8c7ab528f8c0c2443b71aaf354b9d00c0b38a9a0840dd580 |
| SHA512 | d2237c27bd16405fb4096a86dad64e6c550d0dee843971c5fe49ebac89fa8a16ab032adf5ad27081fbca20bc034474f6053e05eb93ff5a9221908ff2962324a1 |
C:\Users\Admin\AppData\Local\Temp\nsp3971.tmp\InstallOptions.dll
| MD5 | 3809b1424d53ccb427c88cabab8b5f94 |
| SHA1 | bc74d911216f32a9ca05c0d9b61a2aecfc0d1c0e |
| SHA256 | 426efd56da4014f12ec8ee2e268f86b848bbca776333d55482cb3eb71c744088 |
| SHA512 | 626a1c5edd86a71579e42bac8df479184515e6796fa21cb4fad6731bb775641d25f8eb8e86b939b9db9099453e85c572c9ea7897339a3879a1b672bc9226fcee |
C:\Users\Admin\AppData\Local\Temp\urlm0n.dll
| MD5 | e0e12856ca90be7f5ab8dfc0f0313078 |
| SHA1 | cc5accf48b8e6c2fd39d1f800229cdbb54305518 |
| SHA256 | 81ec3e3c98e5f0af0dca21b9f08f2be445b46df2ca2354eaf3523bddcb125619 |
| SHA512 | 162c56367dca2291117f2391951970273969518b0db2bbc5d51c458173a8028c88d9dfd93aef01ed05b369f953e2953cc6be252daeb17556dbc33e5383900fa6 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | cb9bdfde8f15d9af1353940632936d09 |
| SHA1 | 67e27f1b550813f5ac08ad7ba53a0f1731b3bbb5 |
| SHA256 | debdbd31ce2269b2c61b42992fb8d90fee649e5e4c7c591da6a5d014f7290713 |
| SHA512 | 741d50a93ee9307da18e09a822277db8a536afdce9cf15dbfbb2ff01ff5fe6540102f85e2c1ca6efd6bdcd10e48cbc63341c88710599d932201941c7b2c15c38 |
memory/4532-173-0x0000000010000000-0x00000000101D8000-memory.dmp
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |