Analysis
- max time kernel: 38s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 19-07-2024 21:02
Behavioral task: behavioral1
- Sample: 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
- Size: 895KB
- MD5: 5da6ffa89ab8c653c1d2f39758adabd9
- SHA1: cf20033c301276560af0a941035541d610725bb2
- SHA256: f356ecfae5a3d9082c3df1b263d04118ee2180313c9d69c0183d04ddc2d5ef30
- SHA512: 72617deb693d82f653d8309bf28941cb8d2902df570f25224cf6e528e968ae2fa30e366ff75b20e905d98a8ea66d35f1cdf6f47d419bca8295b6097aa3a912c0
- SSDEEP: 12288:TE1Fb5andiwUz5TzCLgdRkk+eO56IPujrY2p8VJJFR8D//GqjLY8TsKdwEZ:TE1vRW15dPL2p8VJruDntjLNT
Malware Config
Signatures
-
Detect Neshta payload 64 IoCs
resource | yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe | family_neshta
C:\Windows\svchost.com | family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe | family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE | family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe | family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe | family_neshta
behavioral1/memory/2608-45-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2904-44-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/3064-31-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2880-59-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2488-58-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2108-72-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2568-73-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2700-30-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2388-101-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2288-100-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | family_neshta
behavioral1/memory/1900-141-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/960-142-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | family_neshta
behavioral1/memory/1656-114-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2084-155-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1220-157-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1104-178-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1760-177-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/3008-192-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/936-191-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2156-210-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/984-209-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2128-228-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2908-227-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2368-253-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2132-252-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/3024-271-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1672-272-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2436-286-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2756-280-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2688-288-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1732-289-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2660-297-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2060-296-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2880-304-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2820-305-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2328-313-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2468-312-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2108-325-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2396-324-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2580-115-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1728-86-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1740-85-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2472-337-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/824-336-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2740-345-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2812-344-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1828-353-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1656-352-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2308-361-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2180-360-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1796-368-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2588-369-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/2184-380-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/1632-376-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral1/memory/612-388-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
-
Neshta
Malware from the Neshta family is designed to insert itself into other files in order to spread and cause damage.
-
Executes dropped EXE 64 IoCs
pid | process
3036 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
3064 | svchost.com
2700 | 5DA6FF~1.EXE
2904 | svchost.com
2608 | 5DA6FF~1.EXE
2880 | svchost.com
2488 | 5DA6FF~1.EXE
2568 | svchost.com
2108 | 5DA6FF~1.EXE
1728 | svchost.com
1740 | 5DA6FF~1.EXE
2388 | svchost.com
2288 | 5DA6FF~1.EXE
2580 | svchost.com
1656 | 5DA6FF~1.EXE
960 | svchost.com
1900 | 5DA6FF~1.EXE
2084 | svchost.com
1220 | 5DA6FF~1.EXE
1104 | svchost.com
1760 | 5DA6FF~1.EXE
3008 | svchost.com
936 | 5DA6FF~1.EXE
2156 | svchost.com
984 | 5DA6FF~1.EXE
2128 | svchost.com
2908 | 5DA6FF~1.EXE
2368 | svchost.com
2132 | 5DA6FF~1.EXE
1672 | svchost.com
3024 | 5DA6FF~1.EXE
2436 | svchost.com
2756 | 5DA6FF~1.EXE
1732 | svchost.com
2688 | 5DA6FF~1.EXE
2660 | svchost.com
2060 | 5DA6FF~1.EXE
2820 | svchost.com
2880 | 5DA6FF~1.EXE
2328 | svchost.com
2468 | 5DA6FF~1.EXE
2108 | svchost.com
2396 | 5DA6FF~1.EXE
2472 | svchost.com
824 | 5DA6FF~1.EXE
2740 | svchost.com
2812 | 5DA6FF~1.EXE
1828 | svchost.com
1656 | 5DA6FF~1.EXE
2308 | svchost.com
2180 | 5DA6FF~1.EXE
2588 | svchost.com
1796 | 5DA6FF~1.EXE
2184 | svchost.com
1632 | 5DA6FF~1.EXE
612 | svchost.com
1652 | 5DA6FF~1.EXE
1328 | svchost.com
812 | 5DA6FF~1.EXE
1104 | svchost.com
820 | 5DA6FF~1.EXE
1336 | svchost.com
1540 | 5DA6FF~1.EXE
1528 | svchost.com
-
Loads dropped DLL 64 IoCs
pid | process
2220 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
2220 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
3064 | svchost.com
3064 | svchost.com
2904 | svchost.com
2904 | svchost.com
2880 | svchost.com
2880 | svchost.com
2568 | svchost.com
2568 | svchost.com
1728 | svchost.com
1728 | svchost.com
2388 | svchost.com
2388 | svchost.com
2580 | svchost.com
2580 | svchost.com
960 | svchost.com
960 | svchost.com
2084 | svchost.com
2084 | svchost.com
2220 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
3036 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
1104 | svchost.com
1104 | svchost.com
3036 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
3008 | svchost.com
3008 | svchost.com
2220 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
2156 | svchost.com
2156 | svchost.com
3036 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
2128 | svchost.com
2128 | svchost.com
2220 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
2368 | svchost.com
2368 | svchost.com
3036 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
1672 | svchost.com
1672 | svchost.com
2436 | svchost.com
2436 | svchost.com
1732 | svchost.com
1732 | svchost.com
2660 | svchost.com
2660 | svchost.com
2820 | svchost.com
2820 | svchost.com
2328 | svchost.com
2328 | svchost.com
2108 | svchost.com
2108 | svchost.com
2472 | svchost.com
2472 | svchost.com
2740 | svchost.com
2740 | svchost.com
1828 | svchost.com
1828 | svchost.com
2308 | svchost.com
2308 | svchost.com
2588 | svchost.com
2588 | svchost.com
2184 | svchost.com
2184 | svchost.com
612 | svchost.com
-
Modifies system executable filetype association 2 TTPs 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
description | ioc | process
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WI4223~1\sidebar.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\ImagingDevices.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WINDOW~1\WinMail.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
-
Drops file in Windows directory 64 IoCs
description | ioc | process
File opened for modification | C:\Windows\directx.sys | 5DA6FF~1.EXE
File opened for modification | C:\Windows\directx.sys | 5DA6FF~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | 5DA6FF~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | 5DA6FF~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | 5DA6FF~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | 5DA6FF~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | 5DA6FF~1.EXE
File opened for modification | C:\Windows\svchost.com | 5DA6FF~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | 5DA6FF~1.EXE
File opened for modification | C:\Windows\svchost.com | 5DA6FF~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | 5DA6FF~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | 5DA6FF~1.EXE
File opened for modification | C:\Windows\directx.sys | 5DA6FF~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | 5DA6FF~1.EXE
File opened for modification | C:\Windows\svchost.com | 5DA6FF~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | 5DA6FF~1.EXE
File opened for modification | C:\Windows\svchost.com | 5DA6FF~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | 5DA6FF~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | 5DA6FF~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | 5DA6FF~1.EXE
File opened for modification | C:\Windows\directx.sys | 5DA6FF~1.EXE
File opened for modification | C:\Windows\svchost.com | 5DA6FF~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | 5DA6FF~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | 5DA6FF~1.EXE
File opened for modification | C:\Windows\svchost.com | 5DA6FF~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | 5DA6FF~1.EXE
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | 5DA6FF~1.EXE
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\directx.sys | 5DA6FF~1.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | process | target process
PID 2220 wrote to memory of 3036 | 2220 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
PID 2220 wrote to memory of 3036 | 2220 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
PID 2220 wrote to memory of 3036 | 2220 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
PID 2220 wrote to memory of 3036 | 2220 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
PID 3036 wrote to memory of 3064 | 3036 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe | svchost.com
PID 3036 wrote to memory of 3064 | 3036 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe | svchost.com
PID 3036 wrote to memory of 3064 | 3036 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe | svchost.com
PID 3036 wrote to memory of 3064 | 3036 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe | svchost.com
PID 3064 wrote to memory of 2700 | 3064 | svchost.com | 5DA6FF~1.EXE
PID 3064 wrote to memory of 2700 | 3064 | svchost.com | 5DA6FF~1.EXE
PID 3064 wrote to memory of 2700 | 3064 | svchost.com | 5DA6FF~1.EXE
PID 3064 wrote to memory of 2700 | 3064 | svchost.com | 5DA6FF~1.EXE
PID 2700 wrote to memory of 2904 | 2700 | 5DA6FF~1.EXE | svchost.com
PID 2700 wrote to memory of 2904 | 2700 | 5DA6FF~1.EXE | svchost.com
PID 2700 wrote to memory of 2904 | 2700 | 5DA6FF~1.EXE | svchost.com
PID 2700 wrote to memory of 2904 | 2700 | 5DA6FF~1.EXE | svchost.com
PID 2904 wrote to memory of 2608 | 2904 | svchost.com | 5DA6FF~1.EXE
PID 2904 wrote to memory of 2608 | 2904 | svchost.com | 5DA6FF~1.EXE
PID 2904 wrote to memory of 2608 | 2904 | svchost.com | 5DA6FF~1.EXE
PID 2904 wrote to memory of 2608 | 2904 | svchost.com | 5DA6FF~1.EXE
PID 2608 wrote to memory of 2880 | 2608 | 5DA6FF~1.EXE | 5DA6FF~1.EXE
PID 2608 wrote to memory of 2880 | 2608 | 5DA6FF~1.EXE | 5DA6FF~1.EXE
PID 2608 wrote to memory of 2880 | 2608 | 5DA6FF~1.EXE | 5DA6FF~1.EXE
PID 2608 wrote to memory of 2880 | 2608 | 5DA6FF~1.EXE | 5DA6FF~1.EXE
PID 2880 wrote to memory of 2488 | 2880 | svchost.com | 5DA6FF~1.EXE
PID 2880 wrote to memory of 2488 | 2880 | svchost.com | 5DA6FF~1.EXE
PID 2880 wrote to memory of 2488 | 2880 | svchost.com | 5DA6FF~1.EXE
PID 2880 wrote to memory of 2488 | 2880 | svchost.com | 5DA6FF~1.EXE
PID 2488 wrote to memory of 2568 | 2488 | 5DA6FF~1.EXE | svchost.com
PID 2488 wrote to memory of 2568 | 2488 | 5DA6FF~1.EXE | svchost.com
PID 2488 wrote to memory of 2568 | 2488 | 5DA6FF~1.EXE | svchost.com
PID 2488 wrote to memory of 2568 | 2488 | 5DA6FF~1.EXE | svchost.com
PID 2568 wrote to memory of 2108 | 2568 | svchost.com | svchost.com
PID 2568 wrote to memory of 2108 | 2568 | svchost.com | svchost.com
PID 2568 wrote to memory of 2108 | 2568 | svchost.com | svchost.com
PID 2568 wrote to memory of 2108 | 2568 | svchost.com | svchost.com
PID 2108 wrote to memory of 1728 | 2108 | 5DA6FF~1.EXE | svchost.com
PID 2108 wrote to memory of 1728 | 2108 | 5DA6FF~1.EXE | svchost.com
PID 2108 wrote to memory of 1728 | 2108 | 5DA6FF~1.EXE | svchost.com
PID 2108 wrote to memory of 1728 | 2108 | 5DA6FF~1.EXE | svchost.com
PID 1728 wrote to memory of 1740 | 1728 | svchost.com | 5DA6FF~1.EXE
PID 1728 wrote to memory of 1740 | 1728 | svchost.com | 5DA6FF~1.EXE
PID 1728 wrote to memory of 1740 | 1728 | svchost.com | 5DA6FF~1.EXE
PID 1728 wrote to memory of 1740 | 1728 | svchost.com | 5DA6FF~1.EXE
PID 1740 wrote to memory of 2388 | 1740 | 5DA6FF~1.EXE | svchost.com
PID 1740 wrote to memory of 2388 | 1740 | 5DA6FF~1.EXE | svchost.com
PID 1740 wrote to memory of 2388 | 1740 | 5DA6FF~1.EXE | svchost.com
PID 1740 wrote to memory of 2388 | 1740 | 5DA6FF~1.EXE | svchost.com
PID 2388 wrote to memory of 2288 | 2388 | svchost.com | svchost.com
PID 2388 wrote to memory of 2288 | 2388 | svchost.com | svchost.com
PID 2388 wrote to memory of 2288 | 2388 | svchost.com | svchost.com
PID 2388 wrote to memory of 2288 | 2388 | svchost.com | svchost.com
PID 2288 wrote to memory of 2580 | 2288 | 5DA6FF~1.EXE | svchost.com
PID 2288 wrote to memory of 2580 | 2288 | 5DA6FF~1.EXE | svchost.com
PID 2288 wrote to memory of 2580 | 2288 | 5DA6FF~1.EXE | svchost.com
PID 2288 wrote to memory of 2580 | 2288 | 5DA6FF~1.EXE | svchost.com
PID 2580 wrote to memory of 1656 | 2580 | svchost.com | 5DA6FF~1.EXE
PID 2580 wrote to memory of 1656 | 2580 | svchost.com | 5DA6FF~1.EXE
PID 2580 wrote to memory of 1656 | 2580 | svchost.com | 5DA6FF~1.EXE
PID 2580 wrote to memory of 1656 | 2580 | svchost.com | 5DA6FF~1.EXE
PID 1656 wrote to memory of 960 | 1656 | 5DA6FF~1.EXE | 5DA6FF~1.EXE
PID 1656 wrote to memory of 960 | 1656 | 5DA6FF~1.EXE | 5DA6FF~1.EXE
PID 1656 wrote to memory of 960 | 1656 | 5DA6FF~1.EXE | 5DA6FF~1.EXE
PID 1656 wrote to memory of 960 | 1656 | 5DA6FF~1.EXE | 5DA6FF~1.EXE
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe"
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2220
-
Depth 2: C:\Users\Admin\AppData\Local\Temp\3582-490\5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID: 3036
-
Depth 3: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID: 3064
-
Depth 4: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2700
-
Depth 5: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2904
-
Depth 6: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2608
-
Depth 7: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2880
-
Depth 8: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID: 2488
-
Depth 9: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2568
-
Depth 10: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2108
-
Depth 11: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1728
-
Depth 12: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1740
-
Depth 13: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID: 2388
-
Depth 14: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2288
-
Depth 15: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID: 2580
-
Depth 16: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1656
-
Depth 17: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
PID: 960
-
Depth 18: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
- Executes dropped EXE
PID: 1900
-
Depth 19: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
PID: 2084
-
Depth 20: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
- Executes dropped EXE
PID: 1220
-
Depth 21: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID: 1104
-
Depth 22: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
- Executes dropped EXE
PID: 1760
-
Depth 23: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
PID: 3008
-
Depth 24: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE
- Executes dropped EXE
PID: 936
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE26⤵
- Executes dropped EXE
PID:984 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE28⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2368 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE30⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE32⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE34⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE36⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"37⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE38⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"39⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE40⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE42⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE44⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"45⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2472 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE46⤵
- Executes dropped EXE
PID:824 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"47⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE48⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"49⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1828 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE50⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE52⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"53⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE54⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"55⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2184 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE56⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"57⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:612 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE58⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"59⤵
- Executes dropped EXE
PID:1328 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE60⤵
- Executes dropped EXE
PID:812 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"61⤵
- Executes dropped EXE
PID:1104 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE62⤵
- Executes dropped EXE
PID:820 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"63⤵
- Executes dropped EXE
PID:1336 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE64⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"65⤵
- Executes dropped EXE
PID:1528 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE66⤵PID:536
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"67⤵
- Drops file in Windows directory
PID:732 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE68⤵PID:3068
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"69⤵PID:1040
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE70⤵PID:924
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"71⤵PID:2148
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE72⤵PID:2884
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"73⤵PID:2408
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE74⤵PID:1596
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"75⤵PID:2292
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE76⤵PID:2584
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"77⤵PID:3032
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE78⤵
- Drops file in Windows directory
PID:2648 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"79⤵PID:2708
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE80⤵PID:2436
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"81⤵PID:2732
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE82⤵
- Drops file in Windows directory
PID:1912 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"83⤵PID:2656
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE84⤵PID:2520
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"85⤵
- Drops file in Windows directory
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE86⤵PID:2056
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"87⤵
- Drops file in Windows directory
PID:2996 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE88⤵PID:2476
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"89⤵PID:2848
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE90⤵PID:1928
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"91⤵PID:340
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE92⤵PID:2472
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"93⤵PID:2288
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE94⤵
- Drops file in Windows directory
PID:2740 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"95⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE96⤵PID:1828
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"97⤵
- Drops file in Windows directory
PID:2912 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE98⤵PID:960
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"99⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE100⤵PID:1796
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"101⤵PID:1044
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE102⤵
- Drops file in Windows directory
PID:2068 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"103⤵PID:2200
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE104⤵PID:2924
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"105⤵PID:612
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE106⤵PID:1844
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"107⤵
- Drops file in Windows directory
PID:1128 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE108⤵PID:1856
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"109⤵PID:1088
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE110⤵PID:1756
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"111⤵PID:672
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE112⤵PID:2156
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"113⤵PID:2052
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE114⤵PID:732
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"115⤵
- Drops file in Windows directory
PID:2412 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE116⤵PID:1776
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"117⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE118⤵PID:2228
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"119⤵PID:2884
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE120⤵PID:1700
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE"121⤵PID:2408
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE122⤵
- Drops file in Windows directory
PID:2692