Analysis
max time kernel: 124s
max time network: 138s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 20/06/2024, 07:44
Static task: static1

Behavioral task: behavioral1
Sample: 0420b684f36b0c0688bda149bcd7f316_JaffaCakes118.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 0420b684f36b0c0688bda149bcd7f316_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
Target: 0420b684f36b0c0688bda149bcd7f316_JaffaCakes118.exe
Size: 62KB
MD5: 0420b684f36b0c0688bda149bcd7f316
SHA1: dfc5c96657e8398db309484fcc286ff3374d4559
SHA256: e13c926d4df8dea4a9c51da9e6884439f892803b539a6c250fbed536648bb7e7
SHA512: e491bfbb5090b6505847ce5a5984d8934a154c8f1171f90842d22f40342517b6c69af3a677da922f15ce69b4a8eaad3961c171526e6fd712231ff03c3fa9e7bb
SSDEEP: 1536:L0F69FqImwHryxdwOOVDWtiaGJhlsAvkpSTxJpq:L0FsbmwHryxQVCkaGJJcCg
Malware Config

Signatures
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 64 IoCs)
Deletes itself (1 IoCs)
pid   Process
1088  cmd.exe
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
description                   ioc                    Process
File created                  C:\Windows\killme.bat  0420b684f36b0c0688bda149bcd7f316_JaffaCakes118.exe
File opened for modification  C:\Windows\1.1         0420b684f36b0c0688bda149bcd7f316_JaffaCakes118.exe
File opened for modification  C:\Windows\k.k         0420b684f36b0c0688bda149bcd7f316_JaffaCakes118.exe
File opened for modification  C:\Windows\32553.exe   0420b684f36b0c0688bda149bcd7f316_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeSystemtimePrivilege 1276 0420b684f36b0c0688bda149bcd7f316_JaffaCakes118.exe Token: SeSystemtimePrivilege 1276 0420b684f36b0c0688bda149bcd7f316_JaffaCakes118.exe Token: SeSystemtimePrivilege 1276 0420b684f36b0c0688bda149bcd7f316_JaffaCakes118.exe Token: SeSystemtimePrivilege 1276 0420b684f36b0c0688bda149bcd7f316_JaffaCakes118.exe Token: SeSystemtimePrivilege 3040 32553.exe Token: SeIncBasePriorityPrivilege 3040 32553.exe Token: SeIncBasePriorityPrivilege 2220 host.exe Token: SeIncBasePriorityPrivilege 840 host.exe Token: SeIncBasePriorityPrivilege 2712 host.exe Token: SeIncBasePriorityPrivilege 284 host.exe Token: SeIncBasePriorityPrivilege 1572 host.exe Token: SeIncBasePriorityPrivilege 2800 host.exe Token: SeIncBasePriorityPrivilege 2564 host.exe Token: SeIncBasePriorityPrivilege 1844 host.exe Token: SeIncBasePriorityPrivilege 1308 host.exe Token: SeIncBasePriorityPrivilege 1836 host.exe Token: SeIncBasePriorityPrivilege 1608 host.exe Token: SeIncBasePriorityPrivilege 1748 host.exe Token: SeIncBasePriorityPrivilege 1760 host.exe Token: SeIncBasePriorityPrivilege 1632 host.exe Token: SeIncBasePriorityPrivilege 2384 host.exe Token: SeIncBasePriorityPrivilege 892 host.exe Token: SeIncBasePriorityPrivilege 2848 host.exe Token: SeIncBasePriorityPrivilege 2964 host.exe Token: SeIncBasePriorityPrivilege 2880 host.exe Token: SeIncBasePriorityPrivilege 1732 host.exe Token: SeIncBasePriorityPrivilege 872 host.exe Token: SeIncBasePriorityPrivilege 2896 host.exe Token: SeIncBasePriorityPrivilege 1124 host.exe Token: SeIncBasePriorityPrivilege 2056 host.exe Token: SeIncBasePriorityPrivilege 1700 host.exe Token: SeIncBasePriorityPrivilege 2256 host.exe Token: SeIncBasePriorityPrivilege 2828 host.exe Token: SeIncBasePriorityPrivilege 3020 host.exe Token: SeIncBasePriorityPrivilege 2412 host.exe Token: SeIncBasePriorityPrivilege 2744 host.exe Token: SeIncBasePriorityPrivilege 2200 host.exe Token: SeIncBasePriorityPrivilege 2572 host.exe Token: 
SeIncBasePriorityPrivilege 2592 host.exe Token: SeIncBasePriorityPrivilege 2492 host.exe Token: SeIncBasePriorityPrivilege 2588 host.exe Token: SeIncBasePriorityPrivilege 2840 host.exe Token: SeIncBasePriorityPrivilege 2676 host.exe Token: SeIncBasePriorityPrivilege 2732 host.exe Token: SeIncBasePriorityPrivilege 2540 host.exe Token: SeIncBasePriorityPrivilege 2920 host.exe Token: SeIncBasePriorityPrivilege 2932 host.exe Token: SeIncBasePriorityPrivilege 2484 host.exe Token: SeIncBasePriorityPrivilege 2288 host.exe Token: SeIncBasePriorityPrivilege 1992 host.exe Token: SeIncBasePriorityPrivilege 1040 host.exe Token: SeIncBasePriorityPrivilege 2696 host.exe Token: SeIncBasePriorityPrivilege 2452 host.exe Token: SeIncBasePriorityPrivilege 2524 host.exe Token: SeIncBasePriorityPrivilege 1956 host.exe Token: SeIncBasePriorityPrivilege 2700 host.exe Token: SeIncBasePriorityPrivilege 1960 host.exe Token: SeIncBasePriorityPrivilege 2164 host.exe Token: SeIncBasePriorityPrivilege 1964 host.exe Token: SeIncBasePriorityPrivilege 496 host.exe Token: SeIncBasePriorityPrivilege 1308 host.exe Token: SeIncBasePriorityPrivilege 2356 host.exe Token: SeIncBasePriorityPrivilege 1636 host.exe Token: SeIncBasePriorityPrivilege 2216 host.exe -
Suspicious use of FindShellTrayWindow 8 IoCs
pid Process 2596 iexplore.exe 2596 iexplore.exe 2596 iexplore.exe 2596 iexplore.exe 2596 iexplore.exe 2596 iexplore.exe 2596 iexplore.exe 2596 iexplore.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 1276 0420b684f36b0c0688bda149bcd7f316_JaffaCakes118.exe 2220 host.exe 2220 host.exe 840 host.exe 840 host.exe 2712 host.exe 2712 host.exe 2596 iexplore.exe 2596 iexplore.exe 284 host.exe 284 host.exe 1572 host.exe 1572 host.exe 2800 host.exe 2800 host.exe 2564 host.exe 2564 host.exe 1844 host.exe 1844 host.exe 760 IEXPLORE.EXE 760 IEXPLORE.EXE 1308 host.exe 1308 host.exe 1836 host.exe 1836 host.exe 1608 host.exe 1608 host.exe 1748 host.exe 1748 host.exe 1760 host.exe 1760 host.exe 1632 host.exe 1632 host.exe 2384 host.exe 2384 host.exe 892 host.exe 892 host.exe 2848 host.exe 2848 host.exe 2964 host.exe 2964 host.exe 2880 host.exe 2880 host.exe 1732 host.exe 1732 host.exe 872 host.exe 872 host.exe 2896 host.exe 2896 host.exe 1124 host.exe 1124 host.exe 2056 host.exe 2056 host.exe 1700 host.exe 1700 host.exe 2256 host.exe 2256 host.exe 2828 host.exe 2828 host.exe 3020 host.exe 3020 host.exe 2412 host.exe 2412 host.exe 2744 host.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1276 wrote to memory of 3040 1276 0420b684f36b0c0688bda149bcd7f316_JaffaCakes118.exe 28 PID 1276 wrote to memory of 3040 1276 0420b684f36b0c0688bda149bcd7f316_JaffaCakes118.exe 28 PID 1276 wrote to memory of 3040 1276 0420b684f36b0c0688bda149bcd7f316_JaffaCakes118.exe 28 PID 1276 wrote to memory of 3040 1276 0420b684f36b0c0688bda149bcd7f316_JaffaCakes118.exe 28 PID 3040 wrote to memory of 2616 3040 32553.exe 30 PID 3040 wrote to memory of 2616 3040 32553.exe 30 PID 3040 wrote to memory of 2616 3040 32553.exe 30 PID 3040 wrote to memory of 2616 3040 32553.exe 30 PID 2672 wrote to memory of 2596 2672 32553.exe 31 PID 2672 wrote to memory of 2596 2672 32553.exe 31 PID 2672 wrote to memory of 2596 2672 32553.exe 31 PID 2672 wrote to memory of 2596 2672 32553.exe 31 PID 2672 wrote to memory of 2596 2672 32553.exe 31 PID 2672 wrote to memory of 2220 2672 32553.exe 32 PID 2672 wrote to memory of 2220 2672 32553.exe 32 PID 2672 wrote to memory of 2220 2672 32553.exe 32 PID 2672 wrote to memory of 2220 2672 32553.exe 32 PID 2596 wrote to memory of 2624 2596 iexplore.exe 33 PID 2596 wrote to memory of 2624 2596 iexplore.exe 33 PID 2596 wrote to memory of 2624 2596 iexplore.exe 33 PID 2220 wrote to memory of 840 2220 host.exe 34 PID 2220 wrote to memory of 840 2220 host.exe 34 PID 2220 wrote to memory of 840 2220 host.exe 34 PID 2220 wrote to memory of 840 2220 host.exe 34 PID 2220 wrote to memory of 2484 2220 host.exe 35 PID 2220 wrote to memory of 2484 2220 host.exe 35 PID 2220 wrote to memory of 2484 2220 host.exe 35 PID 2220 wrote to memory of 2484 2220 host.exe 35 PID 840 wrote to memory of 2712 840 host.exe 36 PID 840 wrote to memory of 2712 840 host.exe 36 PID 840 wrote to memory of 2712 840 host.exe 36 PID 840 wrote to memory of 2712 840 host.exe 36 PID 2596 wrote to memory of 760 2596 iexplore.exe 37 PID 2596 wrote to memory of 760 2596 iexplore.exe 37 PID 2596 wrote to memory of 760 2596 iexplore.exe 37 PID 2596 wrote to 
memory of 760 2596 iexplore.exe 37 PID 840 wrote to memory of 1832 840 host.exe 38 PID 840 wrote to memory of 1832 840 host.exe 38 PID 840 wrote to memory of 1832 840 host.exe 38 PID 840 wrote to memory of 1832 840 host.exe 38 PID 2712 wrote to memory of 284 2712 host.exe 39 PID 2712 wrote to memory of 284 2712 host.exe 39 PID 2712 wrote to memory of 284 2712 host.exe 39 PID 2712 wrote to memory of 284 2712 host.exe 39 PID 2712 wrote to memory of 2532 2712 host.exe 41 PID 2712 wrote to memory of 2532 2712 host.exe 41 PID 2712 wrote to memory of 2532 2712 host.exe 41 PID 2712 wrote to memory of 2532 2712 host.exe 41 PID 284 wrote to memory of 1572 284 host.exe 40 PID 284 wrote to memory of 1572 284 host.exe 40 PID 284 wrote to memory of 1572 284 host.exe 40 PID 284 wrote to memory of 1572 284 host.exe 40 PID 284 wrote to memory of 2648 284 host.exe 42 PID 284 wrote to memory of 2648 284 host.exe 42 PID 284 wrote to memory of 2648 284 host.exe 42 PID 284 wrote to memory of 2648 284 host.exe 42 PID 1572 wrote to memory of 2800 1572 host.exe 43 PID 1572 wrote to memory of 2800 1572 host.exe 43 PID 1572 wrote to memory of 2800 1572 host.exe 43 PID 1572 wrote to memory of 2800 1572 host.exe 43 PID 1572 wrote to memory of 2152 1572 host.exe 44 PID 1572 wrote to memory of 2152 1572 host.exe 44 PID 1572 wrote to memory of 2152 1572 host.exe 44 PID 1572 wrote to memory of 2152 1572 host.exe 44 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0420b684f36b0c0688bda149bcd7f316_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0420b684f36b0c0688bda149bcd7f316_JaffaCakes118.exe"1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Windows\32553.exeC:\Windows\32553.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\32553.exe > nul3⤵PID:2616
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\killme.bat2⤵
- Deletes itself
PID:1088
-
-
C:\Windows\SysWOW64\32553.exeC:\Windows\SysWOW64\32553.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\System32\ie4uinit.exe"C:\Windows\System32\ie4uinit.exe" -ShowQLIcon3⤵
- Modifies data under HKEY_USERS
PID:2624
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:275457 /prefetch:23⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:760
-
-
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:284 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2800 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2564 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1844 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1308 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1836 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1608 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1748 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1760 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1632 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2384 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:892 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2848 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2964 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2880 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1732 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:872 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2896 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1124 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2056 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1700 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2256 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2828 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3020 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2412 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2744 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2200 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2572 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2592 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe35⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2492 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe36⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2588 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe37⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2840 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2676 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe39⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2732 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2540 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe41⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2920 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe42⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2932 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe43⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2484 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe44⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2288 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe45⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1992 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe46⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1040 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe47⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2696 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe48⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2452 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe49⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2524 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe50⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1956 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe51⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2700 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe52⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1960 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe53⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2164 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe54⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1964 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe55⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:496 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1308 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe57⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1636 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe59⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2216 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe60⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe61⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe62⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe63⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe64⤵PID:380
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe65⤵PID:548
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe66⤵PID:1484
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe67⤵PID:1796
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe68⤵PID:1468
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe69⤵PID:2080
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe70⤵PID:2424
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe71⤵PID:952
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe72⤵PID:1276
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe73⤵PID:948
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe74⤵PID:660
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe75⤵PID:468
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe76⤵PID:1124
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe77⤵PID:1696
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe78⤵PID:3028
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe79⤵PID:2724
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe80⤵PID:2712
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe81⤵PID:2752
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe82⤵PID:2532
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe83⤵PID:2352
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe84⤵PID:2124
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe85⤵PID:2196
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe86⤵PID:3016
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe87⤵PID:1632
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe88⤵PID:1612
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe89⤵PID:1628
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe90⤵PID:2972
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe91⤵PID:3012
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe92⤵PID:1176
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe93⤵PID:2720
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe94⤵PID:2676
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe95⤵PID:1568
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe96⤵PID:2152
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe97⤵PID:2800
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe98⤵PID:2304
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe99⤵PID:2000
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe100⤵PID:764
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe101⤵PID:1540
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe102⤵PID:1600
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe103⤵
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe104⤵PID:1292
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe105⤵PID:2880
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe106⤵PID:1348
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe107⤵PID:2908
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe108⤵PID:2620
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe109⤵PID:2660
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe110⤵PID:2528
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe111⤵PID:2584
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe112⤵PID:1832
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe113⤵PID:2452
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe114⤵PID:1984
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe115⤵PID:1568
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe116⤵PID:1764
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe117⤵PID:2108
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe118⤵PID:2912
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe119⤵PID:2416
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe120⤵PID:1684
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe121⤵PID:648
-
C:\Windows\SysWOW64\host.exeC:\Windows\system32\host.exe122⤵PID:416