metasploit | ce640c918e47daa06332ced69c05b632b37bc728761b0d479022b3b65194646b

Analysis

max time kernel
141s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9aa5632bd7daeda4d9eaa9c4423edf1_JaffaCakes118.exe
Size

673KB
MD5

d9aa5632bd7daeda4d9eaa9c4423edf1
SHA1

6a60fe010e04551c27cd2aef53f1bbea8bdc4685
SHA256

ce640c918e47daa06332ced69c05b632b37bc728761b0d479022b3b65194646b
SHA512

91f8b4b64a3a60ffcb0ed81c7cdb6563748be836cb025edf8976dfbcab15246bd263fa07c28104c8ed80d8434696aa8bb6131546911a3c1a888bd09861c3b8e8
SSDEEP

12288:NYY1zds7OOtjYCxKb99VWT4NMLa4MTVVG4BRFhaiRvtqNtYMUQIZuzwpQAb8Pt:eqzdsjdYlbk4qLxMTVVGQRFEiRFqv0Ab

Score

10^/10

metasploit backdoor discovery evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Modifies security service 2 TTPs 18 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe

Executes dropped EXE 14 IoCs

pid	Process
1704	bot.exe
2920	wr-1-1285.exe
1140	BoaT.exe
1312	NOD32.FiX.v2.2-nsane.exe
5064	is-DOS9Q.tmp
2352	system.exe
2756	system.exe
2348	system.exe
4388	system.exe
1300	system.exe
3888	system.exe
1616	system.exe
384	system.exe
1444	system.exe

Checks for any installed AV software in registry 1 TTPs 64 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\DefaultServer4 = "http://u24.eset.com/nod_eval/"	is-DOS9Q.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\DefaultServer8 = "http://89.202.157.138/nod_eval/"	is-DOS9Q.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\DefaultServerCount = "21"	is-DOS9Q.tmp
Delete value	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\UserServer1	is-DOS9Q.tmp
Delete value	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\UserServer8	is-DOS9Q.tmp
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\3342761167	is-DOS9Q.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\3797230355	is-DOS9Q.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\3797230355\Params = 3c3f786d6c2076657273696f6e3d22312e30223f3e3c4e4f4433325f434f4d4d3e3c5343484544554c45445f5441534b20504c5547494e3d2236433530343334332220414354494f4e3d223022204445534352495054494f4e3d22466958204e4f443332223e3c444154413e3c4e4f4445204e414d453d2246494c454e414d45222056414c55453d222577696e646972255c726567656469742e6578652220545950453d22535452494e4722202f3e3c4e4f4445204e414d453d224449524543544f5259222056414c55453d22433a5c50726f6772616d2046696c65732028783836295c457365742220545950453d22535452494e4722202f3e3c4e4f4445204e414d453d22434d444c494e45222056414c55453d222f73206e6f6433326669782e7265672220545950453d22535452494e4722202f3e3c2f444154413e3c2f5343484544554c45445f5441534b3e3c2f4e4f4433325f434f4d4d3e	is-DOS9Q.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\DefaultServer2 = "http://u22.eset.com/nod_eval/"	is-DOS9Q.tmp
Delete value	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\UserServer11	is-DOS9Q.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\1525236854	is-DOS9Q.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion	is-DOS9Q.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings	is-DOS9Q.tmp
Delete value	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\UserServer7	is-DOS9Q.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\Config000\Settings	is-DOS9Q.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\3342761167\Enabled = "1"	is-DOS9Q.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\3342761167\Params = 3c3f786d6c2076657273696f6e3d22312e30223f3e3c4e4f4433325f434f4d4d3e3c5343484544554c45445f5441534b20504c5547494e3d2236433530343334332220414354494f4e3d223022204445534352495054494f4e3d22466958204e4f443332223e3c444154413e3c4e4f4445204e414d453d2246494c454e414d45222056414c55453d222577696e646972255c726567656469742e6578652220545950453d22535452494e4722202f3e3c4e4f4445204e414d453d224449524543544f5259222056414c55453d22433a5c50726f6772616d2046696c65732028783836295c457365742220545950453d22535452494e4722202f3e3c4e4f4445204e414d453d22434d444c494e45222056414c55453d222f73206e6f6433326669782e7265672220545950453d22535452494e4722202f3e3c2f444154413e3c2f5343484544554c45445f5441534b3e3c2f4e4f4433325f434f4d4d3e	is-DOS9Q.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\DefaultServer12 = "http://u29.eset.com/nod_eval/"	is-DOS9Q.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\3797230355\ModuleID = "1817199427"	is-DOS9Q.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\3797230355\TriggerType = "4"	is-DOS9Q.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\3342761167	is-DOS9Q.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings	is-DOS9Q.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update	is-DOS9Q.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\DefaultServer0 = "http://u20.eset.com/nod_eval/"	is-DOS9Q.tmp
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\Config000\Settings	is-DOS9Q.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\1525236854\TriggerType = "4"	is-DOS9Q.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\3797230355\LastExec = "4294967295"	is-DOS9Q.tmp
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings	is-DOS9Q.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\DefaultServer5 = "http://89.202.157.135/nod_eval/"	is-DOS9Q.tmp
Delete value	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\UserServer2	is-DOS9Q.tmp
Delete value	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\UserServer4	is-DOS9Q.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\991979032	is-DOS9Q.tmp
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Eset\Nod\CurrentVersion\Info	is-DOS9Q.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\1525236854\Enabled = "1"	is-DOS9Q.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\1525236854\LastExec = "4294967295"	is-DOS9Q.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler	is-DOS9Q.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\DefaultServer14 = "http://u28.eset.com/nod_eval/"	is-DOS9Q.tmp
Delete value	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\UserServer6	is-DOS9Q.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\1525236854\ActionCode = "0"	is-DOS9Q.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\3342761167\ModuleID = "1817199427"	is-DOS9Q.tmp
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\3797230355	is-DOS9Q.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\DefaultServer9 = "http://89.202.157.139/nod_eval/"	is-DOS9Q.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\DefaultServer15 = "http://u29.eset.com/nod_eval/"	is-DOS9Q.tmp
Delete value	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\UserServer0	is-DOS9Q.tmp
Delete value	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\UserServer5	is-DOS9Q.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\1525236854\StartFailSettings = "0"	is-DOS9Q.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\1525236854\Params = 3c3f786d6c2076657273696f6e3d22312e30223f3e3c4e4f4433325f434f4d4d3e3c5343484544554c45445f5441534b20504c5547494e3d2236433530343334332220414354494f4e3d223022204445534352495054494f4e3d22466958204e4f443332223e3c444154413e3c4e4f4445204e414d453d2246494c454e414d45222056414c55453d222577696e646972255c726567656469742e6578652220545950453d22535452494e4722202f3e3c4e4f4445204e414d453d224449524543544f5259222056414c55453d22433a5c50726f6772616d2046696c65732028783836295c457365742220545950453d22535452494e4722202f3e3c4e4f4445204e414d453d22434d444c494e45222056414c55453d222f73206e6f6433326669782e7265672220545950453d22535452494e4722202f3e3c2f444154413e3c2f5343484544554c45445f5441534b3e3c2f4e4f4433325f434f4d4d3e	is-DOS9Q.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\DefaultServer11 = "http://u28.eset.com/nod_eval/"	is-DOS9Q.tmp
Delete value	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\UserServer9	is-DOS9Q.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\Config000\Settings\SelectedServer = "AUTOSELECT"	is-DOS9Q.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\1525236854\Name = "NOD32 FiX"	is-DOS9Q.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\3342761167\StartFailSettings = "0"	is-DOS9Q.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\3797230355\ActionCode = "0"	is-DOS9Q.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\3797230355\Enabled = "1"	is-DOS9Q.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules	is-DOS9Q.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\DefaultServer1 = "http://u21.eset.com/nod_eval/"	is-DOS9Q.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\DefaultServer6 = "http://89.202.157.136/nod_eval/"	is-DOS9Q.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\DefaultServer7 = "http://89.202.157.137/nod_eval/"	is-DOS9Q.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\DefaultServer10 = "http://u29.eset.com/nod_eval/"	is-DOS9Q.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\3342761167\ActionCode = "0"	is-DOS9Q.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\3797230355\Name = "NOD32 FiX"	is-DOS9Q.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Modules\Update\Settings\DefaultServer13 = "http://u27.eset.com/nod_eval/"	is-DOS9Q.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\3797230355\StartFailSettings = "0"	is-DOS9Q.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\CurrentVersion\Scheduler\1525236854\ModuleID = "1817199427"	is-DOS9Q.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system.exe	system.exe
File created	C:\Windows\SysWOW64\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	system.exe
File created	C:\Windows\SysWOW64\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	BoaT.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	system.exe
File created	C:\Windows\SysWOW64\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	system.exe
File created	C:\Windows\SysWOW64\system.exe	BoaT.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	system.exe
File created	C:\Windows\SysWOW64\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	system.exe
File created	C:\Windows\SysWOW64\system.exe	system.exe
File created	C:\Windows\SysWOW64\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	system.exe
File created	C:\Windows\SysWOW64\system.exe	system.exe
File created	C:\Windows\SysWOW64\system.exe	system.exe
File created	C:\Windows\SysWOW64\system.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	system.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Eset\unins000.dat	is-DOS9Q.tmp
File created	C:\Program Files (x86)\Eset\unins000.dat	is-DOS9Q.tmp
File created	C:\Program Files (x86)\Eset\is-909TG.tmp	is-DOS9Q.tmp
File created	C:\Program Files (x86)\Eset\is-256GU.tmp	is-DOS9Q.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOD32.FiX.v2.2-nsane.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BoaT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9aa5632bd7daeda4d9eaa9c4423edf1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wr-1-1285.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-DOS9Q.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs .reg file with regedit 10 IoCs

pid	Process
3344	regedit.exe
1252	regedit.exe
4276	regedit.exe
4500	regedit.exe
2284	regedit.exe
1316	regedit.exe
468	regedit.exe
2888	regedit.exe
4624	regedit.exe
1136	regedit.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2920	wr-1-1285.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 1704	3272	d9aa5632bd7daeda4d9eaa9c4423edf1_JaffaCakes118.exe	82
PID 3272 wrote to memory of 1704	3272	d9aa5632bd7daeda4d9eaa9c4423edf1_JaffaCakes118.exe	82
PID 3272 wrote to memory of 1704	3272	d9aa5632bd7daeda4d9eaa9c4423edf1_JaffaCakes118.exe	82
PID 1704 wrote to memory of 2920	1704	bot.exe	83
PID 1704 wrote to memory of 2920	1704	bot.exe	83
PID 1704 wrote to memory of 2920	1704	bot.exe	83
PID 1704 wrote to memory of 1140	1704	bot.exe	91
PID 1704 wrote to memory of 1140	1704	bot.exe	91
PID 1704 wrote to memory of 1140	1704	bot.exe	91
PID 3272 wrote to memory of 1312	3272	d9aa5632bd7daeda4d9eaa9c4423edf1_JaffaCakes118.exe	92
PID 3272 wrote to memory of 1312	3272	d9aa5632bd7daeda4d9eaa9c4423edf1_JaffaCakes118.exe	92
PID 3272 wrote to memory of 1312	3272	d9aa5632bd7daeda4d9eaa9c4423edf1_JaffaCakes118.exe	92
PID 1140 wrote to memory of 1444	1140	BoaT.exe	93
PID 1140 wrote to memory of 1444	1140	BoaT.exe	93
PID 1140 wrote to memory of 1444	1140	BoaT.exe	93
PID 1312 wrote to memory of 5064	1312	NOD32.FiX.v2.2-nsane.exe	94
PID 1312 wrote to memory of 5064	1312	NOD32.FiX.v2.2-nsane.exe	94
PID 1312 wrote to memory of 5064	1312	NOD32.FiX.v2.2-nsane.exe	94
PID 1444 wrote to memory of 3344	1444	cmd.exe	95
PID 1444 wrote to memory of 3344	1444	cmd.exe	95
PID 1444 wrote to memory of 3344	1444	cmd.exe	95
PID 1140 wrote to memory of 2352	1140	BoaT.exe	96
PID 1140 wrote to memory of 2352	1140	BoaT.exe	96
PID 1140 wrote to memory of 2352	1140	BoaT.exe	96
PID 2352 wrote to memory of 1496	2352	system.exe	97
PID 2352 wrote to memory of 1496	2352	system.exe	97
PID 2352 wrote to memory of 1496	2352	system.exe	97
PID 1496 wrote to memory of 4500	1496	cmd.exe	98
PID 1496 wrote to memory of 4500	1496	cmd.exe	98
PID 1496 wrote to memory of 4500	1496	cmd.exe	98
PID 2352 wrote to memory of 2756	2352	system.exe	101
PID 2352 wrote to memory of 2756	2352	system.exe	101
PID 2352 wrote to memory of 2756	2352	system.exe	101
PID 2756 wrote to memory of 4556	2756	system.exe	102
PID 2756 wrote to memory of 4556	2756	system.exe	102
PID 2756 wrote to memory of 4556	2756	system.exe	102
PID 4556 wrote to memory of 2284	4556	cmd.exe	103
PID 4556 wrote to memory of 2284	4556	cmd.exe	103
PID 4556 wrote to memory of 2284	4556	cmd.exe	103
PID 2756 wrote to memory of 2348	2756	system.exe	104
PID 2756 wrote to memory of 2348	2756	system.exe	104
PID 2756 wrote to memory of 2348	2756	system.exe	104
PID 2348 wrote to memory of 4940	2348	system.exe	105
PID 2348 wrote to memory of 4940	2348	system.exe	105
PID 2348 wrote to memory of 4940	2348	system.exe	105
PID 4940 wrote to memory of 1316	4940	cmd.exe	106
PID 4940 wrote to memory of 1316	4940	cmd.exe	106
PID 4940 wrote to memory of 1316	4940	cmd.exe	106
PID 2348 wrote to memory of 4388	2348	system.exe	108
PID 2348 wrote to memory of 4388	2348	system.exe	108
PID 2348 wrote to memory of 4388	2348	system.exe	108
PID 4388 wrote to memory of 3436	4388	system.exe	109
PID 4388 wrote to memory of 3436	4388	system.exe	109
PID 4388 wrote to memory of 3436	4388	system.exe	109
PID 3436 wrote to memory of 1252	3436	cmd.exe	110
PID 3436 wrote to memory of 1252	3436	cmd.exe	110
PID 3436 wrote to memory of 1252	3436	cmd.exe	110
PID 4388 wrote to memory of 1300	4388	system.exe	111
PID 4388 wrote to memory of 1300	4388	system.exe	111
PID 4388 wrote to memory of 1300	4388	system.exe	111
PID 1300 wrote to memory of 1220	1300	system.exe	112
PID 1300 wrote to memory of 1220	1300	system.exe	112
PID 1300 wrote to memory of 1220	1300	system.exe	112
PID 1220 wrote to memory of 4276	1220	cmd.exe	113

C:\Users\Admin\AppData\Local\Temp\d9aa5632bd7daeda4d9eaa9c4423edf1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d9aa5632bd7daeda4d9eaa9c4423edf1_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Users\Admin\AppData\Local\Temp\bot.exe
  "C:\Users\Admin\AppData\Local\Temp\bot.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\wr-1-1285.exe
    "C:\Users\Admin\AppData\Local\Temp\wr-1-1285.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2920
- - C:\Users\Admin\AppData\Local\Temp\BoaT.exe
    "C:\Users\Admin\AppData\Local\Temp\BoaT.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\a.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        5⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:3344
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe 1040 "C:\Users\Admin\AppData\Local\Temp\BoaT.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1496
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:4500
    - - C:\Windows\SysWOW64\system.exe
        
        C:\Windows\system32\system.exe 1172 "C:\Windows\SysWOW64\system.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        7⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2284
      - C:\Windows\SysWOW64\system.exe
        
        C:\Windows\system32\system.exe 1148 "C:\Windows\SysWOW64\system.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        8⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1316
        
        C:\Windows\SysWOW64\system.exe
        
        C:\Windows\system32\system.exe 1152 "C:\Windows\SysWOW64\system.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        9⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1252
        
        C:\Windows\SysWOW64\system.exe
        
        C:\Windows\system32\system.exe 1144 "C:\Windows\SysWOW64\system.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:4276
        
        C:\Windows\SysWOW64\system.exe
        
        C:\Windows\system32\system.exe 1156 "C:\Windows\SysWOW64\system.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        11⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:468
        
        C:\Windows\SysWOW64\system.exe
        
        C:\Windows\system32\system.exe 1160 "C:\Windows\SysWOW64\system.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:2888
        
        C:\Windows\SysWOW64\system.exe
        
        C:\Windows\system32\system.exe 1164 "C:\Windows\SysWOW64\system.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        13⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:4624
        
        C:\Windows\SysWOW64\system.exe
        
        C:\Windows\system32\system.exe 1176 "C:\Windows\SysWOW64\system.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        14⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1136
- C:\Users\Admin\AppData\Local\Temp\NOD32.FiX.v2.2-nsane.exe
  "C:\Users\Admin\AppData\Local\Temp\NOD32.FiX.v2.2-nsane.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Users\Admin\AppData\Local\Temp\is-ETE62.tmp\is-DOS9Q.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-ETE62.tmp\is-DOS9Q.tmp" /SL4 $601FA "C:\Users\Admin\AppData\Local\Temp\NOD32.FiX.v2.2-nsane.exe" 52497 52224
    3⤵
    - Executes dropped EXE
    - Checks for any installed AV software in registry
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
925B

MD5
0d1e5715cf04d212bcd7c9dea5f7ab72

SHA1
a8add44bf542e4d22260a13de6a35704fb7f3bfb

SHA256
5d1fc763bce7a43e9e47a75ddb116b7e5d077cc5541c55bc06f2951105b88473

SHA512
89da5156b2021e4279d7fb8e3bf0196495f84d9aa04c921533d609f02b1b3edd29de80d5930483b914fe82f5fc319993f7fcd925ca22351fccd56c82652f2117

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
978B

MD5
2e2266221550edce9a27c9060d5c2361

SHA1
f39f2d8f02f8b3a877d5969a81c4cb12679609f3

SHA256
e19af90814641d2c6cd15a7a53d676a4a7f63b4a80a14126824d1e63fdccdcdb

SHA512
e962cc55d1f9537159c34349a2fa5ffffc910de3e52cafa8347c43eded78b8e986ecb8e2e9ada5e2381b034151f17e6b984c279460e8e114e50ea58a64648864

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
6bf876cd9994f0d41be4eca36d22c42a

SHA1
50cda4b940e6ba730ce59000cfc59e6c4d7fdc79

SHA256
ff39ffe6e43e9b293c5be6aa85345e868a27215293e750c00e1e0ba676deeb2a

SHA512
605e2920cd230b6c617a2d4153f23144954cd4bae0f66b857e1b334cd66258fbc5ba049c1ab6ab83c30fd54c87235a115ec7bbfd17d6792a4bbbae4c6700e106

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
831afd728dd974045c0654510071d405

SHA1
9484f4ee8e9eef0956553a59cfbcbe99a8822026

SHA256
03223eaae4ac389215cb8a9cb4e4d5a70b67f791f90e57b8efd3f975f5cf6af2

SHA512
ab7ac4d6d45b8aac5f82432468d40bd2b5bfae6d93006732ce27a6513fd3e7ddc94c029051092bf8b6f5649688c0f6600dbd88968732fc7b779e916e6bcda5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
872656500ddac1ddd91d10aba3a8df96

SHA1
ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc

SHA256
d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8

SHA512
e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
576B

MD5
8a0897226da780b90c11da0756b361f1

SHA1
67f813e8733ad75a2147c59cca102a60274daeab

SHA256
115ff7b8bbe33e1325a2b03fb279281b79b2b9c4c0d6147c049c99da39867bee

SHA512
55e0e0791fb8e76fb67511ef2bfe1bdb934c857a5a555f9c72dd063250c18b17c57ff9f220c0d3cdd219828d87f5c08bfe5e198476c9d38119c4cfb099b99642

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
82fb85e6f9058c36d57abc2350ffee7e

SHA1
f52708d066380d42924513f697ab4ed5492f78b8

SHA256
0696a5c075674c13128a61fd02c3be39c68860dc24f3669415817d03c75415c6

SHA512
27c84e21ed39cc0ff6377d717b99ee444867eba7a74b878b30c8a7ec7df97003f02963399020abe09a73f4b6949c75580eb85067412f4ccdacc03e8caf5d966a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
849B

MD5
558ce6da965ba1758d112b22e15aa5a2

SHA1
a365542609e4d1dc46be62928b08612fcabe2ede

SHA256
c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb

SHA512
37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
f708dcfd087b5b3763678cfb8d63735e

SHA1
a38fa7fa516c1402762425176ff1b607db36c752

SHA256
abf4c5f7dbed40d58dc982256535a56128f86d5eaf163d634037ae2b61027a10

SHA512
fa0e84032b88e19fc67c5be846983cf89c8ba021351a0aa9cab0162ea27a3933dade0b78146b2230b0c57f218b18da52a5ce1d04b6f9746b21e4285e2540049c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
784B

MD5
5a466127fedf6dbcd99adc917bd74581

SHA1
a2e60b101c8789b59360d95a64ec07d0723c4d38

SHA256
8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84

SHA512
695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BoaT.exe

Filesize
339KB

MD5
76b26527e2f56f4a59e59493d0e3ef84

SHA1
90272c83a9c39bf321620cadf86414dd7305298a

SHA256
a78b255bb7d3f67419907a440b330f964aad0702e9ab20f7c011566777381a97

SHA512
5b5be0c8752c8f9826b1a7c3cd082e1470885f91ee7be738b0c06e3e642d4ba99c2918c423c599cad87ddcdb262e09080dc672f4365c4253cca8fbd86bca4a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOD32.FiX.v2.2-nsane.exe

Filesize
298KB

MD5
fbd455f1ccd102ac012f94b4879416a0

SHA1
cb0ca01b5c91cab02b08705aea9b6ed890d1c571

SHA256
f702e7302cebeb47f1516b2dd989b9c7a3daccc2de25c66c08cf39a09421b072

SHA512
08d862a5276c6893a0d39a8bb39e542fdec443c4b706696dd2149106ec0b87df8205de08da137fa5c05fc44a5b39d4e5841245a2a2cb594083d0dbb1d0c2aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bot.exe

Filesize
347KB

MD5
1575ea206dc9db18863f1a0560b045a5

SHA1
41cef1bf498a000d064441d89429d087bb4b2aa4

SHA256
651da0337c2dd9d56711f4f76b922d338df889fb0612d2160b5ace16369b0b57

SHA512
cc6d03688edfc49852e74ade7e58ccc0a6a3f8b004ad31861deaade78f98e44f0af5f523a1e64ee4378e5f4d592de6b109b2e2714ccee30710f71559248ead6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ETE62.tmp\is-DOS9Q.tmp

Filesize
656KB

MD5
4fa180886ff7c0fd86a65f760ede6318

SHA1
2c89c271c71531362e84ddab5d3028f0756a9281

SHA256
1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c

SHA512
a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\wr-1-1285.exe

Filesize
9KB

MD5
66061f51c9db08a88a239ce666eb4ae1

SHA1
55db97bf05ca3fd2c5f020cacebe3ad6e0ad0961

SHA256
8c768d20e683d4394a250c8097272bba44983531e2c587e33afe7baae31cf546

SHA512
94510ed8ef7395efa97e1c9b1bde072a6efe420ff2729c2b46d88961f5b7b4698f9b7a5a36387638a0be89d80ae5cbe7b954dd14535982efc8113bdbd6ee8fdd

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
memory/1312-270-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1312-516-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1312-35-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2920-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2920-15-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2920-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5064-515-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5064-386-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5064-384-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/5064-271-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads