Analysis
-
max time kernel
147s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
09/04/2025, 01:40
General
-
Target
JaffaCakes118_a2a5711a9d2200a395ed21bd32d3af70.exe
-
Size
332KB
-
MD5
a2a5711a9d2200a395ed21bd32d3af70
-
SHA1
35f5fd6f7837fde69f2bd7b598b62891721222b8
-
SHA256
887579f126ed6883f0d78f658552ff55e479a77edb9c90d986a1e73d66b08a57
-
SHA512
8729144e358228da9cccd408a86a1d42754d55d299b3008af14aed7a9159b5af9f88d5a77cddb1d2d64f1bc6a2479fe345b0233aa53807ffaa0a450008282831
-
SSDEEP
6144:uiu0srKxP6nVMg1FENy/V/5c6thb+lazG8a:u50srcyLjN/5c6thb+lazGr
Score
10/10
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 1 IoCs
-
Modifies firewall policy service 3 TTPs 10 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 64 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry key 1 TTPs 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2a5711a9d2200a395ed21bd32d3af70.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2a5711a9d2200a395ed21bd32d3af70.exe"1⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- Modifies firewall policy service
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2a5711a9d2200a395ed21bd32d3af70.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2a5711a9d2200a395ed21bd32d3af70.exe:*:Enabled:Windows Messanger" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2a5711a9d2200a395ed21bd32d3af70.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2a5711a9d2200a395ed21bd32d3af70.exe:*:Enabled:Windows Messanger" /f3⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RegBot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RegBot.exe:*:Enabled:Windows Messanger" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RegBot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RegBot.exe:*:Enabled:Windows Messanger" /f3⤵
- Modifies firewall policy service
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\RegBot.exe1⤵
-
C:\Users\Admin\AppData\Roaming\RegBot.exeC:\Users\Admin\AppData\Roaming\RegBot.exe2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
332KB
MD5a2a5711a9d2200a395ed21bd32d3af70
SHA135f5fd6f7837fde69f2bd7b598b62891721222b8
SHA256887579f126ed6883f0d78f658552ff55e479a77edb9c90d986a1e73d66b08a57
SHA5128729144e358228da9cccd408a86a1d42754d55d299b3008af14aed7a9159b5af9f88d5a77cddb1d2d64f1bc6a2479fe345b0233aa53807ffaa0a450008282831
-
Filesize
960KB
-
Filesize
4KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB