Analysis
max time kernel
151s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
arch:x64 arch:x86 image:win7-20240319-en locale:en-us os:windows7-x64 system -
submitted
18/04/2024, 21:25
Static task
static1
Behavioral task
behavioral1
Sample
f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe
Resource
win7-20240319-en
Behavioral task
behavioral2
Sample
f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
Target
f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe
Size
45KB
MD5
f8c8261d15ac899ed7ca7da785be2f69
SHA1
1e9e493f8a1b1d49cb923e1b181b63e38a3cf778
SHA256
151d87625af2d66affc77bce07749f5327bd95eb71e9400f31fc827e2f86593c
SHA512
9c70789dfaae952d44f303185973ce34f5b28d777fe0813156af16c3f581ab8b5b8ee9f8e5f49ffeeaf444a80d98d1e4c27485a0d07e448922aee7e33040a9b9
SSDEEP
768:53T6/tU/6Tv9ReFciJbatIXzlQIscQm56WDG/Xs9J1QjLsUcraA2:BT6/tU/6TLeFY2hE1509J6jLFcrF2
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = 
"{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mszc32.dll = "{3A995612-0000-0000-5D56-70EE307DFD75}" msxa.exe -
Modifies Installed Components in the registry 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe 
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active 
Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed 
Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{50627AF7-0000-0000-5D56-70EE307DFD75} msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active 
Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75}\StubPath = "c:\\windows\\system32\\msxa.exe" msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A995612-0000-0000-5D56-70EE307DFD75} msxa.exe -
Executes dropped EXE 64 IoCs
pid Process 2368 msxa.exe 1712 msxa.exe 2604 msxa.exe 3068 msxa.exe 2572 msxa.exe 2652 msxa.exe 2596 msxa.exe 2656 msxa.exe 2444 msxa.exe 2688 msxa.exe 2492 msxa.exe 2692 msxa.exe 2400 msxa.exe 2736 msxa.exe 268 msxa.exe 796 msxa.exe 2332 msxa.exe 2188 msxa.exe 364 msxa.exe 1660 msxa.exe 908 msxa.exe 1644 msxa.exe 576 msxa.exe 2728 msxa.exe 544 msxa.exe 2760 msxa.exe 1684 msxa.exe 1596 msxa.exe 1768 msxa.exe 2780 msxa.exe 2816 msxa.exe 2516 msxa.exe 2084 msxa.exe 1724 msxa.exe 2304 msxa.exe 1316 msxa.exe 980 msxa.exe 1968 msxa.exe 2132 msxa.exe 632 msxa.exe 1932 msxa.exe 3060 msxa.exe 3036 msxa.exe 1052 msxa.exe 1448 msxa.exe 1672 msxa.exe 1136 msxa.exe 1296 msxa.exe 2292 msxa.exe 1272 msxa.exe 1936 msxa.exe 1884 msxa.exe 940 msxa.exe 2352 msxa.exe 1384 msxa.exe 1376 msxa.exe 304 msxa.exe 1704 msxa.exe 2396 msxa.exe 1200 msxa.exe 3052 msxa.exe 868 msxa.exe 2172 msxa.exe 2244 msxa.exe -
Loads dropped DLL 64 IoCs
pid Process 2212 f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe 2212 f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe 2368 msxa.exe 2368 msxa.exe 1712 msxa.exe 1712 msxa.exe 2604 msxa.exe 2604 msxa.exe 3068 msxa.exe 3068 msxa.exe 2572 msxa.exe 2572 msxa.exe 2652 msxa.exe 2652 msxa.exe 2596 msxa.exe 2596 msxa.exe 2656 msxa.exe 2656 msxa.exe 2444 msxa.exe 2444 msxa.exe 2688 msxa.exe 2688 msxa.exe 2492 msxa.exe 2492 msxa.exe 2692 msxa.exe 2692 msxa.exe 2400 msxa.exe 2400 msxa.exe 2736 msxa.exe 2736 msxa.exe 268 msxa.exe 268 msxa.exe 796 msxa.exe 796 msxa.exe 2332 msxa.exe 2332 msxa.exe 2188 msxa.exe 2188 msxa.exe 364 msxa.exe 364 msxa.exe 1660 msxa.exe 1660 msxa.exe 908 msxa.exe 908 msxa.exe 1644 msxa.exe 1644 msxa.exe 576 msxa.exe 576 msxa.exe 2728 msxa.exe 2728 msxa.exe 544 msxa.exe 544 msxa.exe 2760 msxa.exe 2760 msxa.exe 1684 msxa.exe 1684 msxa.exe 1596 msxa.exe 1596 msxa.exe 1768 msxa.exe 1768 msxa.exe 2780 msxa.exe 2780 msxa.exe 2816 msxa.exe 2816 msxa.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe 
msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe File created \??\c:\windows\SysWOW64\msxa.exe msxa.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read to detect sandbox environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ msxa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier msxa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString msxa.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = 
"c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32 msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ = "c:\\windows\\SysWow64\\mszc32.dll" msxa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3A995612-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" msxa.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2212 wrote to memory of 2368 2212 f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe 28 PID 2212 wrote to memory of 2368 2212 f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe 28 PID 2212 wrote to memory of 2368 2212 f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe 28 PID 2212 wrote to memory of 2368 2212 f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe 28 PID 2368 wrote to memory of 1712 2368 msxa.exe 29 PID 2368 wrote to memory of 1712 2368 msxa.exe 29 PID 2368 wrote to memory of 1712 2368 msxa.exe 29 PID 2368 wrote to memory of 1712 2368 msxa.exe 29 PID 1712 wrote to memory of 2604 1712 msxa.exe 30 PID 1712 wrote to memory of 2604 1712 msxa.exe 30 PID 1712 wrote to memory of 2604 1712 msxa.exe 30 PID 1712 wrote to memory of 2604 1712 msxa.exe 30 PID 2604 wrote to memory of 3068 2604 msxa.exe 31 PID 2604 wrote to memory of 3068 2604 msxa.exe 31 PID 2604 wrote to memory of 3068 2604 msxa.exe 31 PID 2604 wrote to memory of 3068 2604 msxa.exe 31 PID 3068 wrote to memory of 2572 3068 msxa.exe 32 PID 3068 wrote to memory of 2572 3068 msxa.exe 32 PID 3068 wrote to memory of 2572 3068 msxa.exe 32 PID 3068 wrote to memory of 2572 3068 msxa.exe 32 PID 2572 wrote to memory of 2652 2572 msxa.exe 33 PID 2572 wrote to memory of 2652 2572 msxa.exe 33 PID 2572 wrote to memory of 2652 2572 msxa.exe 33 PID 2572 wrote to memory of 2652 2572 msxa.exe 33 PID 2652 wrote to memory of 2596 2652 msxa.exe 34 PID 2652 wrote to memory of 2596 2652 msxa.exe 34 PID 2652 wrote to memory of 2596 2652 msxa.exe 34 PID 2652 wrote to memory of 2596 2652 msxa.exe 34 PID 2596 wrote to memory of 2656 2596 msxa.exe 35 PID 2596 wrote to memory of 2656 2596 msxa.exe 35 PID 2596 wrote to memory of 2656 2596 msxa.exe 35 PID 2596 wrote to memory of 2656 2596 msxa.exe 35 PID 2656 wrote to memory of 2444 2656 msxa.exe 36 PID 2656 wrote to memory of 2444 2656 msxa.exe 36 PID 2656 wrote to memory of 2444 2656 msxa.exe 36 PID 2656 wrote to memory of 2444 2656 
msxa.exe 36 PID 2444 wrote to memory of 2688 2444 msxa.exe 37 PID 2444 wrote to memory of 2688 2444 msxa.exe 37 PID 2444 wrote to memory of 2688 2444 msxa.exe 37 PID 2444 wrote to memory of 2688 2444 msxa.exe 37 PID 2688 wrote to memory of 2492 2688 msxa.exe 38 PID 2688 wrote to memory of 2492 2688 msxa.exe 38 PID 2688 wrote to memory of 2492 2688 msxa.exe 38 PID 2688 wrote to memory of 2492 2688 msxa.exe 38 PID 2492 wrote to memory of 2692 2492 msxa.exe 39 PID 2492 wrote to memory of 2692 2492 msxa.exe 39 PID 2492 wrote to memory of 2692 2492 msxa.exe 39 PID 2492 wrote to memory of 2692 2492 msxa.exe 39 PID 2692 wrote to memory of 2400 2692 msxa.exe 40 PID 2692 wrote to memory of 2400 2692 msxa.exe 40 PID 2692 wrote to memory of 2400 2692 msxa.exe 40 PID 2692 wrote to memory of 2400 2692 msxa.exe 40 PID 2400 wrote to memory of 2736 2400 msxa.exe 41 PID 2400 wrote to memory of 2736 2400 msxa.exe 41 PID 2400 wrote to memory of 2736 2400 msxa.exe 41 PID 2400 wrote to memory of 2736 2400 msxa.exe 41 PID 2736 wrote to memory of 268 2736 msxa.exe 42 PID 2736 wrote to memory of 268 2736 msxa.exe 42 PID 2736 wrote to memory of 268 2736 msxa.exe 42 PID 2736 wrote to memory of 268 2736 msxa.exe 42 PID 268 wrote to memory of 796 268 msxa.exe 43 PID 268 wrote to memory of 796 268 msxa.exe 43 PID 268 wrote to memory of 796 268 msxa.exe 43 PID 268 wrote to memory of 796 268 msxa.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"15⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:268 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:796 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:364 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:576 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:544 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1768 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"33⤵
- Executes dropped EXE
PID:2516 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"34⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Modifies registry class
PID:2084 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1724 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"36⤵
- Executes dropped EXE
PID:2304 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"37⤵
- Executes dropped EXE
- Modifies registry class
PID:1316 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:980 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"39⤵
- Executes dropped EXE
PID:1968 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"40⤵
- Executes dropped EXE
PID:2132 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"41⤵
- Executes dropped EXE
PID:632 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"42⤵
- Executes dropped EXE
PID:1932 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3060 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"44⤵
- Executes dropped EXE
PID:3036 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1052 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1448 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1672 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"48⤵
- Executes dropped EXE
PID:1136 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1296 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2292 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1272 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1936 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"53⤵
- Executes dropped EXE
PID:1884 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:940 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"55⤵
- Executes dropped EXE
PID:2352 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"56⤵
- Executes dropped EXE
- Modifies registry class
PID:1384 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"57⤵
- Executes dropped EXE
PID:1376 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"58⤵
- Executes dropped EXE
PID:304 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"59⤵
- Executes dropped EXE
PID:1704 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"60⤵
- Executes dropped EXE
PID:2396 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"61⤵
- Executes dropped EXE
PID:1200 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3052 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"63⤵
- Executes dropped EXE
PID:868 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"64⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
PID:2172 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"65⤵
- Executes dropped EXE
PID:2244 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1604 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"67⤵PID:2180
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"68⤵PID:2216
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1508 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"70⤵PID:1100
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"72⤵PID:2984
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2152 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"74⤵PID:1388
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"75⤵PID:2552
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"76⤵
- Drops file in System32 directory
PID:2572 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"77⤵PID:2624
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"78⤵
- Drops file in System32 directory
PID:2556 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2540 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"80⤵PID:2596
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"81⤵PID:2448
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"82⤵PID:2656
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"83⤵PID:2588
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"84⤵
- Modifies registry class
PID:2460 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"85⤵PID:2424
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"86⤵PID:2452
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"87⤵PID:2356
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"88⤵PID:2492
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"89⤵PID:2928
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"90⤵PID:2692
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:568 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"92⤵PID:592
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"93⤵
- Drops file in System32 directory
PID:436 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"94⤵
- Modifies registry class
PID:1996 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"95⤵
- Drops file in System32 directory
PID:2036 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"96⤵
- Drops file in System32 directory
- Modifies registry class
PID:1816 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"97⤵
- Modifies registry class
PID:1656 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"98⤵PID:1440
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"99⤵PID:2332
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"100⤵PID:888
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"101⤵PID:2040
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"102⤵PID:1088
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"103⤵PID:1460
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"104⤵PID:368
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"105⤵PID:864
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"106⤵
- Modifies Installed Components in the registry
PID:2704 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"107⤵PID:2748
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"108⤵PID:1780
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"109⤵
- Drops file in System32 directory
PID:1632 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"110⤵PID:1624
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"111⤵
- Modifies registry class
PID:2752 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"112⤵
- Modifies Installed Components in the registry
PID:1548 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"113⤵PID:2756
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"114⤵PID:2600
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"115⤵PID:1636
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"116⤵PID:2100
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"117⤵PID:2084
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:840 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"119⤵PID:1432
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"120⤵
- Modifies Installed Components in the registry
PID:2868 -
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"121⤵PID:1496
-
\??\c:\windows\SysWOW64\msxa.exe"c:\windows\system32\msxa.exe"122⤵PID:2132