Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 20/06/2024, 17:01
Static task: static1
Behavioral task: behavioral1
  Sample: 08034160c327bb95906ebe7bf1dfe448_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 08034160c327bb95906ebe7bf1dfe448_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 08034160c327bb95906ebe7bf1dfe448_JaffaCakes118.exe
- Size: 43KB
- MD5: 08034160c327bb95906ebe7bf1dfe448
- SHA1: 9c464ea0b72cf03864e8b006f58646cb04dc00b9
- SHA256: 92d09a697a2e51dcd1ce9d5245e4598da8e074604eb1425b6e7e4347f3ef64df
- SHA512: 05846c34cf499d3ff1525f24bba984df06edd6e3d0e4153c2634dc73eca8ce432041ebf4adaf6b1894050602c325fe62ee7235338ee3ef9a9e4b92daf24635be
- SSDEEP: 768:3PJadenAqtYQnaXH96rV2kllriFqR7Atmqfvfj7sMC72ZWzFwKF/Kppl8:3PnAClrVLTrEqNAxvXsf7rzV/KpX8
Malware Config
Signatures
- Executes dropped EXE (64 IoCs)
- Loads dropped DLL (64 IoCs)
- Adds Run key to start application (2 TTPs, 64 IoCs)
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Modifies WinLogon (2 TTPs, 64 IoCs)
- Drops file in System32 directory (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\08034160c327bb95906ebe7bf1dfe448_JaffaCakes118.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\08034160c327bb95906ebe7bf1dfe448_JaffaCakes118.exe", level 1)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1124
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 2)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2908
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 3)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2264
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 4)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2836
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 5)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2672
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 6)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2748
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 7)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2684
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 8)
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies WinLogon
  - Suspicious use of WriteProcessMemory
  PID: 2792
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 9)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1148
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 10)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2788
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 11)
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2616
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 12)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2664
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 13)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2576
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 14)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2524
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 15)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2584
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 16)
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 3024
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 17)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1640
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 18)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1104
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 19)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2068
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 20)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2488
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 21)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2392
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 22)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2972
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 23)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 3052
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 24)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 3048
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 25)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2056
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 26)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2080
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 27)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1460
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 28)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1468
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 29)
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID: 1464
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 30)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1296
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 31)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 2180
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 32)
  - Executes dropped EXE
  - Loads dropped DLL
  PID: 1728
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 33)
  - Executes dropped EXE
  PID: 1880
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 34)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 1708
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 35)
  - Executes dropped EXE
  PID: 2508
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 36)
  - Executes dropped EXE
  PID: 2084
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 37)
  - Executes dropped EXE
  - Adds Run key to start application
  PID: 2336
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 38)
  - Executes dropped EXE
  PID: 2036
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 39)
  - Executes dropped EXE
  PID: 1956
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 40)
  - Executes dropped EXE
  PID: 540
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 41)
  - Executes dropped EXE
  PID: 332
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 42)
  - Executes dropped EXE
  PID: 1132
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 43)
  - Executes dropped EXE
  PID: 1252
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 44)
  - Executes dropped EXE
  - Modifies WinLogon
  PID: 324
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 45)
  - Executes dropped EXE
  PID: 1476
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 46)
  - Executes dropped EXE
  PID: 1276
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 47)
  - Executes dropped EXE
  PID: 1608
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 48)
  - Executes dropped EXE
  PID: 2496
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 49)
  - Executes dropped EXE
  PID: 1472
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 50)
  - Executes dropped EXE
  PID: 444
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 51)
  - Executes dropped EXE
  PID: 1240
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 52)
  - Executes dropped EXE
  PID: 2000
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 53)
  - Executes dropped EXE
  PID: 2296
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 54)
  - Executes dropped EXE
  PID: 1536
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 55)
  - Executes dropped EXE
  PID: 1180
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 56)
  - Executes dropped EXE
  PID: 1552
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 57)
  - Executes dropped EXE
  PID: 1100
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 58)
  - Executes dropped EXE
  PID: 1204
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 59)
  - Executes dropped EXE
  PID: 340
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 60)
  - Executes dropped EXE
  PID: 1776
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 61)
  - Executes dropped EXE
  PID: 1080
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 62)
  - Executes dropped EXE
  PID: 2932
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 63)
  - Executes dropped EXE
  PID: 380
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 64)
  - Executes dropped EXE
  PID: 716
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 65)
  - Executes dropped EXE
  PID: 2220
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 66)
  PID: 2924
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 67)
  PID: 792
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 68)
  PID: 864
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 69)
  PID: 2128
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 70)
  PID: 2208
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 71)
  PID: 2256
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 72)
  PID: 1632
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 73)
  PID: 1744
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 74)
  PID: 2880
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 75)
  PID: 2360
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 76)
  PID: 1116
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 77)
  PID: 1736
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 78)
  PID: 2168
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 79)
  PID: 2044
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 80)
  PID: 1592
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 81)
  PID: 1596
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 82)
  PID: 2988
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 83)
  PID: 2668
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 84)
  PID: 2760
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 85)
  PID: 2652
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 86)
  - Modifies WinLogon
  PID: 2744
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 87)
  PID: 1352
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 88)
  PID: 2856
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 89)
  PID: 2696
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 90)
  PID: 2532
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 91)
  PID: 2600
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 92)
  PID: 2252
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 93)
  PID: 2884
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 94)
  PID: 2108
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 95)
  PID: 1856
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 96)
  PID: 2184
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 97)
  PID: 2868
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 98)
  PID: 3084
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 99)
  PID: 3100
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 100)
  PID: 3116
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 101)
  PID: 3132
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 102)
  PID: 3148
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 103)
  PID: 3164
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 104)
  PID: 3184
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 105)
  PID: 3196
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 106)
  PID: 3212
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 107)
  PID: 3228
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 108)
  PID: 3248
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 109)
  PID: 3264
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 110)
  PID: 3280
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 111)
  PID: 3296
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 112)
  PID: 3312
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 113)
  PID: 3328
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 114)
  PID: 3344
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 115)
  PID: 3364
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 116)
  PID: 3380
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 117)
  PID: 3396
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 118)
  PID: 3412
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 119)
  PID: 3428
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 120)
  PID: 3444
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 121)
  - Adds Run key to start application
  - Drops file in System32 directory
  PID: 3460
- C:\Windows\SysWOW64\thienvu1996.exe (cmdline: C:\Windows\system32\thienvu1996.exe, level 122)
  PID: 3480