Analysis
  max time kernel: 149s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240704-en
  resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted: 12-07-2024 03:30

Static task: static1

Behavioral task: behavioral1
  Sample: 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe
  Resource: win10v2004-20240709-en

General
  Target: 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe
  Size: 200KB
  MD5: 3bd77d78bd8637e06ed6356abfa9d196
  SHA1: eff1a7b64280ae0a312669c8fd40c0d77dcb9216
  SHA256: 13bf64ee0bd2893f76c4b5ddf18316528a7ec6d03b945f18f28102029317909b
  SHA512: d7febc858fdf0b697623db6436ba907992c09fdce415d5a0175eb44df8127a54a984af116d9f972f82d3dab04de1e7f7b06e21712968e08179d77b40cd43e26f
  SSDEEP: 3072:v7PHhfEYrZL6nKclJRp6OeZroPoVDGOVAm6vZ8FH3FYwcE2oR2r0:jpfE8L6nKclJREAoVSOR6yx3wElR24
Malware Config
  Extracted: xtremerat
  C2: momo44.no-ip.biz
Signatures

Detect XtremeRAT payload (16 IoCs)
  resource | yara_rule
  behavioral1/memory/1212-13-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
  behavioral1/memory/1736-17-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
  behavioral1/memory/2692-21-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
  behavioral1/memory/2212-25-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
  behavioral1/memory/2860-29-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
  behavioral1/memory/2724-33-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
  behavioral1/memory/2792-37-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
  behavioral1/memory/2888-41-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
  behavioral1/memory/2540-50-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
  behavioral1/memory/2664-62-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
  behavioral1/memory/3024-66-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
  behavioral1/memory/2240-70-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
  behavioral1/memory/1276-74-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
  behavioral1/memory/480-78-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
  behavioral1/memory/864-82-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
  behavioral1/memory/2504-86-0x0000000000C80000-0x0000000000CA1000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 64 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe restart" | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Windows\\system32\\Install12\\System.exe restart" | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe restart" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe restart" | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe restart" | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Windows\\system32\\Install12\\System.exe restart" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Windows\\system32\\Install12\\System.exe restart" | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Windows\\system32\\Install12\\System.exe restart" | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe restart" | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Windows\\system32\\Install12\\System.exe restart" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Windows\\system32\\Install12\\System.exe restart" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe restart" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Windows\\system32\\Install12\\System.exe restart" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Windows\\system32\\Install12\\System.exe restart" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Windows\\system32\\Install12\\System.exe restart" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe restart" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Windows\\system32\\Install12\\System.exe restart" | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe restart" | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Windows\\system32\\Install12\\System.exe restart" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Windows\\system32\\Install12\\System.exe restart" | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Windows\\system32\\Install12\\System.exe restart" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe restart" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe restart" | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Windows\\system32\\Install12\\System.exe restart" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe restart" | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Windows\\system32\\Install12\\System.exe restart" | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe restart" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Windows\\system32\\Install12\\System.exe restart" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe restart" | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe restart" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe restart" | System.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q} | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{O86F433A-0250-34MD-F405-MV783W3N6H4Q}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe restart" | System.exe

Executes dropped EXE (31 IoCs)
  pid | process
  2700 | System.exe
  1364 | System.exe
  3060 | System.exe
  2264 | System.exe
  2924 | System.exe
  1972 | System.exe
  2120 | System.exe
  1800 | System.exe
  2112 | System.exe
  564 | System.exe
  576 | System.exe
  1296 | System.exe
  1524 | System.exe
  2860 | System.exe
  1304 | System.exe
  280 | System.exe
  2224 | System.exe
  1208 | System.exe
  352 | System.exe
  1976 | System.exe
  2120 | System.exe
  1888 | System.exe
  1956 | System.exe
  2384 | System.exe
  2504 | System.exe
  1240 | System.exe
  1432 | System.exe
  2104 | System.exe
  1588 | System.exe
  2992 | System.exe
  2608 | System.exe

Loads dropped DLL (48 IoCs)
  pid | process
  2540 | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe
  2540 | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe
  2700 | System.exe
  2700 | System.exe
  1364 | System.exe
  1364 | System.exe
  3060 | System.exe
  2264 | System.exe
  2264 | System.exe
  2924 | System.exe
  1972 | System.exe
  1972 | System.exe
  2120 | System.exe
  1800 | System.exe
  1800 | System.exe
  2112 | System.exe
  564 | System.exe
  564 | System.exe
  576 | System.exe
  1296 | System.exe
  1296 | System.exe
  1524 | System.exe
  2860 | System.exe
  2860 | System.exe
  1304 | System.exe
  280 | System.exe
  280 | System.exe
  2224 | System.exe
  1208 | System.exe
  1208 | System.exe
  352 | System.exe
  1976 | System.exe
  1976 | System.exe
  2120 | System.exe
  1888 | System.exe
  1888 | System.exe
  1956 | System.exe
  2384 | System.exe
  2384 | System.exe
  2504 | System.exe
  1240 | System.exe
  1240 | System.exe
  1432 | System.exe
  2104 | System.exe
  2104 | System.exe
  1588 | System.exe
  2992 | System.exe
  2992 | System.exe

Molebox Virtualization software (3 IoCs)
Detects file using Molebox Virtualization software.
  resource | yara_rule
  behavioral1/memory/2540-0-0x0000000000C80000-0x0000000000CA1000-memory.dmp | molebox
  \Windows\SysWOW64\Install12\System.exe | molebox
  behavioral1/memory/2700-55-0x0000000000C80000-0x0000000000CA1000-memory.dmp | molebox

Adds Run key to start application (2 TTPs, 64 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Install12\\System.exe" | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Install12\\System.exe" | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Install12\\System.exe" | System.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Install12\\System.exe" | System.exe

Drops file in System32 directory (49 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File created | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File created | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File created | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File created | C:\Windows\SysWOW64\Install12\System.exe | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File created | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File created | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File created | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File created | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File created | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File created | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File created | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File created | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File created | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File created | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File created | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File created | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File created | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
  File opened for modification | C:\Windows\SysWOW64\Install12\System.exe | System.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe, System.exe

description | pid | process | target process | rows
PID 2540 wrote to memory of 1212 | 2540 | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | svchost.exe | 5
PID 2540 wrote to memory of 1736 | 2540 | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | svchost.exe | 5
PID 2540 wrote to memory of 2692 | 2540 | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | svchost.exe | 5
PID 2540 wrote to memory of 2212 | 2540 | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | svchost.exe | 5
PID 2540 wrote to memory of 2860 | 2540 | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | svchost.exe | 5
PID 2540 wrote to memory of 2724 | 2540 | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | svchost.exe | 5
PID 2540 wrote to memory of 2792 | 2540 | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | svchost.exe | 5
PID 2540 wrote to memory of 2888 | 2540 | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | svchost.exe | 5
PID 2540 wrote to memory of 2884 | 2540 | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | svchost.exe | 4
PID 2540 wrote to memory of 2700 | 2540 | 3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe | System.exe | 4
PID 2700 wrote to memory of 2664 | 2700 | System.exe | svchost.exe | 5
PID 2700 wrote to memory of 3024 | 2700 | System.exe | svchost.exe | 5
PID 2700 wrote to memory of 2240 | 2700 | System.exe | svchost.exe | 5
PID 2700 wrote to memory of 1276 | 2700 | System.exe | svchost.exe | 1

(Identical rows are collapsed; the last column is how many times the row appears in the report, 64 rows in total. The report lists the first 64 writes only, which is why the last svchost.exe target shows a single write.)
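Triage helper for the two tables above (the WriteProcessMemory rows and the drop paths). This is an added example, not part of the sandbox report or of the sandbox's own tooling. It assumes the row format the report shows, a write-count threshold of 3 (an assumption to tune on your own corpus) and a hollowing-host set containing only svchost.exe, the one host this report shows; the sample rows and paths embedded below are constructed from values visible in the report. One caveat it encodes: the command line reads C:\Windows\system32\Install12\System.exe while the file is created under C:\Windows\SysWOW64\Install12, which is WOW64 file-system redirection of a 32-bit process, so a host-side path check has to accept both spellings.

```python
"""Triage helper for sandbox-report IoC rows (added example, not report code).

Two pieces of evidence from the report are turned into findings:
  * flattened "PID <src> wrote to memory of <dst> <pid> <process> <target>"
    rows, to find a writer that pushes several blocks into a freshly spawned
    svchost.exe, the injection pattern the report records for this sample;
  * file paths, matched against the two drop locations the report shows
    (SysWOW64\\Install12 and AppData\\Roaming\\Install12).
"""
import re
from collections import defaultdict

# One row of the report's "Suspicious use of WriteProcessMemory" table.
WPM_ROW = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) "
    r"(?P<proc>\S+) (?P<target>\S+)"
)

# Host images treated as hollowing targets. Analyst choice (assumption);
# the report itself only shows svchost.exe.
HOLLOW_HOSTS = {"svchost.exe"}

# Drop locations from the report. The command line says C:\Windows\system32
# but the file lands in SysWOW64 because the 32-bit implant is subject to
# WOW64 file-system redirection, so both spellings are accepted.
DROP_PATH = re.compile(
    r"(?i)^C:\\(?:Windows\\(?:SysWOW64|System32)"
    r"|Users\\[^\\]+\\AppData\\Roaming)\\Install12\\System\.exe$"
)

DROPPER = "3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"

# Constructed sample: a subset of the report's rows, run together on one line
# exactly as the extraction left them.
SAMPLE_WPM = (
    f"PID 2540 wrote to memory of 1212 2540 {DROPPER} svchost.exe " * 5
    + f"PID 2540 wrote to memory of 2700 2540 {DROPPER} System.exe " * 4
    + "PID 2700 wrote to memory of 2664 2700 System.exe svchost.exe " * 5
    + "PID 2700 wrote to memory of 1276 2700 System.exe svchost.exe"
)

# Constructed sample of paths as a host-side file monitor might report them.
OBSERVED_PATHS = [
    r"C:\Windows\SysWOW64\Install12\System.exe",
    r"C:\Users\Admin\AppData\Roaming\Install12\System.exe",
    r"C:\Windows\System32\Install12\System.exe",
    r"C:\Windows\System32\svchost.exe",  # benign: the real service host
]


def parse_wpm_rows(text):
    """Return (writer_pid, target_pid, writer_image, target_image) per row."""
    return [
        (int(m["src"]), int(m["dst"]), m["proc"], m["target"])
        for m in WPM_ROW.finditer(text)
    ]


def write_counts(rows):
    """Number of WriteProcessMemory calls per (writer, target) pair.

    The count is the useful signal: many writes into a host that has not yet
    run its own code is a PE image being copied in section by section."""
    counts = defaultdict(int)
    for src, dst, proc, target in rows:
        counts[(src, proc, dst, target)] += 1
    return dict(counts)


def fan_out(rows):
    """Distinct target PIDs each writer touched, in ascending order."""
    targets = defaultdict(set)
    for src, dst, _proc, _target in rows:
        targets[src].add(dst)
    return {src: sorted(t) for src, t in targets.items()}


def hollowing_candidates(rows, min_writes=3):
    """Writers that pushed at least min_writes blocks into a hollowing host."""
    found = []
    for (src, proc, dst, target), n in sorted(write_counts(rows).items()):
        if target.lower() in HOLLOW_HOSTS and n >= min_writes:
            found.append({"writer_pid": src, "writer": proc,
                          "target_pid": dst, "target": target, "writes": n})
    return found


def match_drop_paths(paths):
    """Paths that match the implant's two drop locations."""
    return [p for p in paths if DROP_PATH.match(p)]


if __name__ == "__main__":
    rows = parse_wpm_rows(SAMPLE_WPM)
    for finding in hollowing_candidates(rows):
        print(finding)
    print("fan-out:", fan_out(rows))
    print("drop paths:", match_drop_paths(OBSERVED_PATHS))
```

Run it as-is to print the findings for the embedded sample, or pass the text of another report to parse_wpm_rows. For this sample the report records five writes into each new svchost.exe from both the original binary and the dropped System.exe, and the per-target count is what separates that from a parent that touches a child once.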
Processes
-
Process tree. The number in parentheses is the nesting depth; each process is a child of the nearest process above it with the next smaller depth. Sibling svchost.exe instances at one depth are collapsed into a single line, PIDs in the order the report lists them. Each line gives path, command line and PID.

(1) C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\3bd77d78bd8637e06ed6356abfa9d196_JaffaCakes118.exe"  PID:2540
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
(2) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 1212, 1736, 2692, 2212, 2860, 2724, 2792, 2888, 2884
(2) C:\Windows\SysWOW64\Install12\System.exe  "C:\Windows\system32\Install12\System.exe"  PID:2700
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
(3) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 2664, 3024, 2240, 1276, 480, 864, 2504, 584, 1728
(3) C:\Users\Admin\AppData\Roaming\Install12\System.exe  "C:\Users\Admin\AppData\Roaming\Install12\System.exe"  PID:1364
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(4) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 1916, 1884, 2896, 568, 2184, 1772, 2208, 404, 2788
(4) C:\Windows\SysWOW64\Install12\System.exe  "C:\Windows\system32\Install12\System.exe"  PID:3060
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(5) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 1540, 1436, 1480, 1640, 908, 236, 1536, 2396, 3032
(5) C:\Users\Admin\AppData\Roaming\Install12\System.exe  "C:\Users\Admin\AppData\Roaming\Install12\System.exe"  PID:2264
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(6) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 2432, 2916, 2968, 1520, 2084, 2404, 2780, 2824, 2732
(6) C:\Windows\SysWOW64\Install12\System.exe  "C:\Windows\system32\Install12\System.exe"  PID:2924
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(7) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 2196, 3064, 2796, 2052, 2856, 2612, 2008, 1988, 2420
(7) C:\Users\Admin\AppData\Roaming\Install12\System.exe  "C:\Users\Admin\AppData\Roaming\Install12\System.exe"  PID:1972
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(8) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 2332, 3012, 2240, 592, 1588, 1608, 2668, 2116, 2004
(8) C:\Windows\SysWOW64\Install12\System.exe  "C:\Windows\system32\Install12\System.exe"  PID:2120
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(9) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 1576, 2080, 1772, 1932, 2948, 2640, 1464, 1240, 2248
(9) C:\Users\Admin\AppData\Roaming\Install12\System.exe  "C:\Users\Admin\AppData\Roaming\Install12\System.exe"  PID:1800
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(10) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 2500, 1672, 908, 2260, 2040, 1432, 2360, 2348, 2380
(10) C:\Windows\SysWOW64\Install12\System.exe  "C:\Windows\system32\Install12\System.exe"  PID:2112
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(11) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 2432, 2376, 1956, 2264, 1736, 2752, 2872, 2600, 2656
(11) C:\Users\Admin\AppData\Roaming\Install12\System.exe  "C:\Users\Admin\AppData\Roaming\Install12\System.exe"  PID:564
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(12) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 1600, 3064, 2052, 760, 1172, 2012, 2644, 1008, 1248
(12) C:\Windows\SysWOW64\Install12\System.exe  "C:\Windows\system32\Install12\System.exe"  PID:576
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(13) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 1288, 280, 1900, 840, 836, 2492, 2352, 1944, 996
(13) C:\Users\Admin\AppData\Roaming\Install12\System.exe  "C:\Users\Admin\AppData\Roaming\Install12\System.exe"  PID:1296
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(14) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 1884, 2080, 1660, 776, 1668, 1540, 1536, 1924, 2228
(14) C:\Windows\SysWOW64\Install12\System.exe  "C:\Windows\system32\Install12\System.exe"  PID:1524
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(15) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 3044, 908, 1864, 1800, 2976, 2084, 2568, 2928, 2772
(15) C:\Users\Admin\AppData\Roaming\Install12\System.exe  "C:\Users\Admin\AppData\Roaming\Install12\System.exe"  PID:2860
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(16) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 1252, 2912, 2744, 1560, 2692, 2856, 2924, 600, 1628
(16) C:\Windows\SysWOW64\Install12\System.exe  "C:\Windows\system32\Install12\System.exe"  PID:1304
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(17) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 1544, 1276, 2288, 1516, 2504, 2056, 992, 2232, 2868
(17) C:\Users\Admin\AppData\Roaming\Install12\System.exe  "C:\Users\Admin\AppData\Roaming\Install12\System.exe"  PID:280
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(18) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 372, 1944, 1224, 1576, 1308, 784, 2992, 2396, 1496
(18) C:\Windows\SysWOW64\Install12\System.exe  "C:\Windows\system32\Install12\System.exe"  PID:2224
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(19) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 2984, 2320, 2088, 2500, 1380, 2728, 2392, 2864, 2060
(19) C:\Users\Admin\AppData\Roaming\Install12\System.exe  "C:\Users\Admin\AppData\Roaming\Install12\System.exe"  PID:1208
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(20) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 2236, 2512, 2928, 2916, 2572, 1736, 2132, 1372, 1580
(20) C:\Windows\SysWOW64\Install12\System.exe  "C:\Windows\system32\Install12\System.exe"  PID:352
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(21) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 532, 1992, 3004, 2856, 2900, 1604, 1764, 2892, 1568
(21) C:\Users\Admin\AppData\Roaming\Install12\System.exe  "C:\Users\Admin\AppData\Roaming\Install12\System.exe"  PID:1976
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(22) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 1180, 592, 2588, 2940, 2660, 2032, 624, 1860, 1980
(22) C:\Windows\SysWOW64\Install12\System.exe  "C:\Windows\system32\Install12\System.exe"  PID:2120
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(23) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 644, 1784, 1424, 1224, 2980, 2172, 620, 3000, 1328
(23) C:\Users\Admin\AppData\Roaming\Install12\System.exe  "C:\Users\Admin\AppData\Roaming\Install12\System.exe"  PID:1888
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(24) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 2388, 2824, 1924, 2716, 2728, 2224, 3044, 2888, 3048
(24) C:\Windows\SysWOW64\Install12\System.exe  "C:\Windows\system32\Install12\System.exe"  PID:1956
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(25) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 2580, 1624, 2780, 1648, 2740, 3024, 1644, 2744, 2576
(25) C:\Users\Admin\AppData\Roaming\Install12\System.exe  "C:\Users\Admin\AppData\Roaming\Install12\System.exe"  PID:2384
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(26) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 2476, 1068, 1212, 2416, 3012, 2496, 760, 2700, 684
(26) C:\Windows\SysWOW64\Install12\System.exe  "C:\Windows\system32\Install12\System.exe"  PID:2504
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(27) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 1124, 2288, 992, 1664, 1976, 2364, 696, 1944, 2396
(27) C:\Users\Admin\AppData\Roaming\Install12\System.exe  "C:\Users\Admin\AppData\Roaming\Install12\System.exe"  PID:1240
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(28) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 2040, 1784, 280, 2172, 944, 1520, 1540, 2500, 1500
(28) C:\Windows\SysWOW64\Install12\System.exe  "C:\Windows\system32\Install12\System.exe"  PID:1432
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(29) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 2272, 2736, 2728, 2888, 2600, 2612, 2236, 1368, 788
(29) C:\Users\Admin\AppData\Roaming\Install12\System.exe  "C:\Users\Admin\AppData\Roaming\Install12\System.exe"  PID:2104
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(30) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 1260, 2580, 2712, 1988, 564, 1992, 600, 1612, 2220
(30) C:\Windows\SysWOW64\Install12\System.exe  "C:\Windows\system32\Install12\System.exe"  PID:1588
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(31) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 2816, 2208, 2496, 2384, 1916, 1180, 1584, 952, 2352
(31) C:\Users\Admin\AppData\Roaming\Install12\System.exe  "C:\Users\Admin\AppData\Roaming\Install12\System.exe"  PID:2992
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
(32) C:\Windows\SysWOW64\svchost.exe  svchost.exe  9 instances, PIDs 592, 1664, 696, 1072, 836, 1668, 2260, 1552, 2964
(32) C:\Windows\SysWOW64\Install12\System.exe  "C:\Windows\system32\Install12\System.exe"  PID:2608
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
(33) C:\Windows\SysWOW64\svchost.exe  svchost.exe  4 instances, PIDs 1784, 3000, 1656, 2568
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 72a5ebc90e1ed885685b92fcb655c834
SHA1 8b2657a5c5f003daef6f1f0f09f258f8c379e852
SHA256 2de18ee84327e8591745134989a3dfafdeec78e8fa07cff9dc01faba4093a701
SHA512 897c0551a8b11cfb54009e5191b25a9b7fee217b1cb96d617b21f12fee4b4ee84b068be702a6dde558d34c997a962f266c1338024e0ca4b1cf0fb95b5dd465a9
-
Filesize
200KB
MD5 3bd77d78bd8637e06ed6356abfa9d196
SHA1 eff1a7b64280ae0a312669c8fd40c0d77dcb9216
SHA256 13bf64ee0bd2893f76c4b5ddf18316528a7ec6d03b945f18f28102029317909b
SHA512 d7febc858fdf0b697623db6436ba907992c09fdce415d5a0175eb44df8127a54a984af116d9f972f82d3dab04de1e7f7b06e21712968e08179d77b40cd43e26f