Analysis
max time kernel: 152s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/04/2024, 21:25
Static task: static1
Behavioral task: behavioral1
  Sample: f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe
Size: 45KB
MD5: f8c8261d15ac899ed7ca7da785be2f69
SHA1: 1e9e493f8a1b1d49cb923e1b181b63e38a3cf778
SHA256: 151d87625af2d66affc77bce07749f5327bd95eb71e9400f31fc827e2f86593c
SHA512: 9c70789dfaae952d44f303185973ce34f5b28d777fe0813156af16c3f581ab8b5b8ee9f8e5f49ffeeaf444a80d98d1e4c27485a0d07e448922aee7e33040a9b9
SSDEEP: 768:53T6/tU/6Tv9ReFciJbatIXzlQIscQm56WDG/Xs9J1QjLsUcraA2:BT6/tU/6TLeFY2hE1509J6jLFcrF2
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Modifies Installed Components in the registry (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ | f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ | mshc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | mshc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | mshc.exe
Modifies registry class (64 IoCs)
(str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34652EB7-0000-0000-5D56-70EE307DFD75}\InprocServer32\ThreadingModel = "Both" mshc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 824 wrote to memory of 3392 824 f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe 90
PID 824 wrote to memory of 3392 824 f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe 90
PID 824 wrote to memory of 3392 824 f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe 90
PID 3392 wrote to memory of 440 3392 mshc.exe 91
PID 3392 wrote to memory of 440 3392 mshc.exe 91
PID 3392 wrote to memory of 440 3392 mshc.exe 91
PID 440 wrote to memory of 3996 440 mshc.exe 92
PID 440 wrote to memory of 3996 440 mshc.exe 92
PID 440 wrote to memory of 3996 440 mshc.exe 92
PID 3996 wrote to memory of 2612 3996 mshc.exe 93
PID 3996 wrote to memory of 2612 3996 mshc.exe 93
PID 3996 wrote to memory of 2612 3996 mshc.exe 93
PID 2612 wrote to memory of 2848 2612 mshc.exe 94
PID 2612 wrote to memory of 2848 2612 mshc.exe 94
PID 2612 wrote to memory of 2848 2612 mshc.exe 94
PID 2848 wrote to memory of 1088 2848 mshc.exe 95
PID 2848 wrote to memory of 1088 2848 mshc.exe 95
PID 2848 wrote to memory of 1088 2848 mshc.exe 95
PID 1088 wrote to memory of 4692 1088 mshc.exe 96
PID 1088 wrote to memory of 4692 1088 mshc.exe 96
PID 1088 wrote to memory of 4692 1088 mshc.exe 96
PID 4692 wrote to memory of 4280 4692 mshc.exe 97
PID 4692 wrote to memory of 4280 4692 mshc.exe 97
PID 4692 wrote to memory of 4280 4692 mshc.exe 97
PID 4280 wrote to memory of 4728 4280 mshc.exe 98
PID 4280 wrote to memory of 4728 4280 mshc.exe 98
PID 4280 wrote to memory of 4728 4280 mshc.exe 98
PID 4728 wrote to memory of 4696 4728 mshc.exe 99
PID 4728 wrote to memory of 4696 4728 mshc.exe 99
PID 4728 wrote to memory of 4696 4728 mshc.exe 99
PID 4696 wrote to memory of 2620 4696 mshc.exe 100
PID 4696 wrote to memory of 2620 4696 mshc.exe 100
PID 4696 wrote to memory of 2620 4696 mshc.exe 100
PID 2620 wrote to memory of 3852 2620 mshc.exe 101
PID 2620 wrote to memory of 3852 2620 mshc.exe 101
PID 2620 wrote to memory of 3852 2620 mshc.exe 101
PID 3852 wrote to memory of 1984 3852 mshc.exe 102
PID 3852 wrote to memory of 1984 3852 mshc.exe 102
PID 3852 wrote to memory of 1984 3852 mshc.exe 102
PID 1984 wrote to memory of 2176 1984 mshc.exe 103
PID 1984 wrote to memory of 2176 1984 mshc.exe 103
PID 1984 wrote to memory of 2176 1984 mshc.exe 103
PID 2176 wrote to memory of 1172 2176 mshc.exe 104
PID 2176 wrote to memory of 1172 2176 mshc.exe 104
PID 2176 wrote to memory of 1172 2176 mshc.exe 104
PID 1172 wrote to memory of 4104 1172 mshc.exe 105
PID 1172 wrote to memory of 4104 1172 mshc.exe 105
PID 1172 wrote to memory of 4104 1172 mshc.exe 105
PID 4104 wrote to memory of 4988 4104 mshc.exe 106
PID 4104 wrote to memory of 4988 4104 mshc.exe 106
PID 4104 wrote to memory of 4988 4104 mshc.exe 106
PID 4988 wrote to memory of 2388 4988 mshc.exe 107
PID 4988 wrote to memory of 2388 4988 mshc.exe 107
PID 4988 wrote to memory of 2388 4988 mshc.exe 107
PID 2388 wrote to memory of 2840 2388 mshc.exe 108
PID 2388 wrote to memory of 2840 2388 mshc.exe 108
PID 2388 wrote to memory of 2840 2388 mshc.exe 108
PID 2840 wrote to memory of 3316 2840 mshc.exe 109
PID 2840 wrote to memory of 3316 2840 mshc.exe 109
PID 2840 wrote to memory of 3316 2840 mshc.exe 109
PID 3316 wrote to memory of 4008 3316 mshc.exe 110
PID 3316 wrote to memory of 4008 3316 mshc.exe 110
PID 3316 wrote to memory of 4008 3316 mshc.exe 110
PID 4008 wrote to memory of 4316 4008 mshc.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f8c8261d15ac899ed7ca7da785be2f69_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1088 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"14⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"17⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"20⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"21⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4316 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:404 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:4892 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3520 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3740 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3804 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3752 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:4064 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"32⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3228 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"33⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1916 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"34⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2524 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"36⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:3976 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"37⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4368 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"38⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3980 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"39⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3140 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1192 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:440 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"42⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
PID:3736 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3504 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"44⤵
- Executes dropped EXE
- Loads dropped DLL
PID:60 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"45⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3356 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"46⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4308 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"47⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4280 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"48⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2732 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"49⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2104 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"50⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2540 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1008 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"52⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1172 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"53⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5044 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2204 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1900 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:4544 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"58⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4584 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"59⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"60⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"61⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"62⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2108 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"63⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1204 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"64⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4560 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2820 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"66⤵
- Modifies Installed Components in the registry
PID:4640 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1120 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"68⤵PID:3212
-
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"69⤵
- Modifies Installed Components in the registry
- Modifies registry class
PID:5104 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"70⤵PID:4224
-
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"71⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
PID:4352 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"72⤵PID:2836
-
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"73⤵
- Drops file in System32 directory
PID:4368 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"74⤵
- Drops file in System32 directory
- Modifies registry class
PID:5036 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"75⤵
- Drops file in System32 directory
PID:3140 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"76⤵PID:824
-
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"77⤵
- Modifies registry class
PID:5016 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"78⤵
- Drops file in System32 directory
PID:1164 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"79⤵
- Drops file in System32 directory
PID:4992 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"80⤵
- Modifies Installed Components in the registry
PID:1992 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"81⤵
- Modifies Installed Components in the registry
- Drops file in System32 directory
PID:1944 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4052 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"83⤵
- Modifies Installed Components in the registry
PID:3312 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"84⤵PID:3816
-
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"85⤵
- Modifies Installed Components in the registry
PID:900 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"86⤵PID:2608
-
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"87⤵
- Modifies Installed Components in the registry
PID:4408 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"88⤵
- Modifies Installed Components in the registry
PID:3176 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"89⤵PID:1964
-
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"90⤵PID:5108
-
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"91⤵PID:5048
-
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"92⤵
- Modifies registry class
PID:4100 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"93⤵
- Drops file in System32 directory
PID:5112 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"94⤵PID:4116
-
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2144 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"96⤵PID:4112
-
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"97⤵
- Drops file in System32 directory
PID:4544 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"98⤵PID:3604
-
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2592 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"100⤵
- Modifies registry class
PID:1924 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"101⤵
- Modifies registry class
PID:4684 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4068 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"103⤵
- Modifies registry class
PID:3788 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"104⤵PID:3804
-
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"105⤵
- Modifies registry class
PID:552 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"106⤵PID:3752
-
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2844 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"108⤵
- Modifies Installed Components in the registry
PID:1216 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"109⤵
- Modifies Installed Components in the registry
PID:4968 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"110⤵PID:1120
-
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"111⤵PID:5024
-
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"112⤵
- Checks processor information in registry
PID:3300 -
\??\c:\windows\SysWOW64\msce.exe"c:\windows\system32\msce.exe"113⤵
- Modifies Installed Components in the registry
PID:4476 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"114⤵
- Modifies registry class
PID:2984 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"115⤵PID:2712
-
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"116⤵PID:3992
-
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"117⤵
- Drops file in System32 directory
PID:3736 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"118⤵PID:1852
-
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2944 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:60 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"121⤵
- Drops file in System32 directory
PID:1164 -
\??\c:\windows\SysWOW64\mshc.exe"c:\windows\system32\mshc.exe"122⤵
- Modifies registry class
PID:3356