Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-07-2024 21:02
Behavioral task behavioral1
Sample: 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
Resource: win7-20240704-en
Behavioral task behavioral2
Sample: 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
Resource: win10v2004-20240709-en
General
Target: 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
Size: 895KB
MD5: 5da6ffa89ab8c653c1d2f39758adabd9
SHA1: cf20033c301276560af0a941035541d610725bb2
SHA256: f356ecfae5a3d9082c3df1b263d04118ee2180313c9d69c0183d04ddc2d5ef30
SHA512: 72617deb693d82f653d8309bf28941cb8d2902df570f25224cf6e528e968ae2fa30e366ff75b20e905d98a8ea66d35f1cdf6f47d419bca8295b6097aa3a912c0
SSDEEP: 12288:TE1Fb5andiwUz5TzCLgdRkk+eO56IPujrY2p8VJJFR8D//GqjLY8TsKdwEZ:TE1vRW15dPL2p8VJruDntjLNT
Malware Config
Signatures
Detect Neshta payload (64 IoCs)
Neshta
Neshta is a file-infecting malware family: it writes itself into other executables in order to spread and cause damage.
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE (64 IoCs)
Modifies system executable filetype association (2 TTPs, 1 IoC)
Process: 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
With this value in place, every .exe launched through the shell is first handed to C:\Windows\svchost.com, which receives the original executable path as "%1"; restoring the default exefile open command is part of cleanup.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (64 IoCs)
Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created 
\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings 5DA6FF~1.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe, svchost.com, 5DA6FF~1.EXE

Each of the first 21 rows below is logged three times in the raw listing and the last row once, giving the 64 IoCs.

| description | pid | process | target process |
|---|---|---|---|
| PID 1792 wrote to memory of 3764 | 1792 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe |
| PID 3764 wrote to memory of 1596 | 3764 | 5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe | svchost.com |
| PID 1596 wrote to memory of 3472 | 1596 | svchost.com | svchost.com |
| PID 3472 wrote to memory of 1224 | 3472 | 5DA6FF~1.EXE | svchost.com |
| PID 1224 wrote to memory of 2916 | 1224 | svchost.com | 5DA6FF~1.EXE |
| PID 2916 wrote to memory of 220 | 2916 | 5DA6FF~1.EXE | svchost.com |
| PID 220 wrote to memory of 1844 | 220 | svchost.com | 5DA6FF~1.EXE |
| PID 1844 wrote to memory of 1008 | 1844 | 5DA6FF~1.EXE | svchost.com |
| PID 1008 wrote to memory of 816 | 1008 | svchost.com | 5DA6FF~1.EXE |
| PID 816 wrote to memory of 2308 | 816 | 5DA6FF~1.EXE | svchost.com |
| PID 2308 wrote to memory of 1220 | 2308 | svchost.com | 5DA6FF~1.EXE |
| PID 1220 wrote to memory of 4804 | 1220 | 5DA6FF~1.EXE | svchost.com |
| PID 4804 wrote to memory of 2244 | 4804 | svchost.com | 5DA6FF~1.EXE |
| PID 2244 wrote to memory of 1840 | 2244 | 5DA6FF~1.EXE | svchost.com |
| PID 1840 wrote to memory of 428 | 1840 | svchost.com | 5DA6FF~1.EXE |
| PID 428 wrote to memory of 3656 | 428 | 5DA6FF~1.EXE | svchost.com |
| PID 3656 wrote to memory of 2992 | 3656 | svchost.com | 5DA6FF~1.EXE |
| PID 2992 wrote to memory of 1928 | 2992 | 5DA6FF~1.EXE | svchost.com |
| PID 1928 wrote to memory of 4872 | 1928 | svchost.com | 5DA6FF~1.EXE |
| PID 4872 wrote to memory of 3388 | 4872 | 5DA6FF~1.EXE | svchost.com |
| PID 3388 wrote to memory of 4400 | 3388 | svchost.com | 5DA6FF~1.EXE |
| PID 4400 wrote to memory of 2492 | 4400 | 5DA6FF~1.EXE | svchost.com |
Processes

The tree is a single chain: each process is the child of the one listed above it, and the leading number is its depth. From depth 3 onward the chain alternates between C:\Windows\svchost.com, launched as "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE", and the dropped C:\Users\Admin\AppData\Local\Temp\3582-490\5DA6FF~1.EXE, launched with its bare path; those two are written as svchost.com and 5DA6FF~1.EXE below. Matched signatures follow each process.

1. C:\Users\Admin\AppData\Local\Temp\5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe, PID 1792
   Command line: "C:\Users\Admin\AppData\Local\Temp\5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe"
   - Checks computer location settings
   - Modifies system executable filetype association
   - Drops file in Program Files directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\3582-490\5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe, PID 3764
   Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\5da6ffa89ab8c653c1d2f39758adabd9_JaffaCakes118.exe"
   - Executes dropped EXE
   - Drops file in Program Files directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
3. svchost.com, PID 1596
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
4. 5DA6FF~1.EXE, PID 3472
   - Executes dropped EXE
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
5. svchost.com, PID 1224
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
6. 5DA6FF~1.EXE, PID 2916
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
7. svchost.com, PID 220
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
8. 5DA6FF~1.EXE, PID 1844
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
9. svchost.com, PID 1008
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory
10. 5DA6FF~1.EXE, PID 816
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
11. svchost.com, PID 2308
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
12. 5DA6FF~1.EXE, PID 1220
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
13. svchost.com, PID 4804
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
14. 5DA6FF~1.EXE, PID 2244
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
15. svchost.com, PID 1840
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
16. 5DA6FF~1.EXE, PID 428
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
17. svchost.com, PID 3656
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
18. 5DA6FF~1.EXE, PID 2992
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
19. svchost.com, PID 1928
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
20. 5DA6FF~1.EXE, PID 4872
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
21. svchost.com, PID 3388
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
22. 5DA6FF~1.EXE, PID 4400
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
23. svchost.com, PID 2492
    - Executes dropped EXE
    - Drops file in Windows directory
24. 5DA6FF~1.EXE, PID 4392
    - Executes dropped EXE
25. svchost.com, PID 3476
    - Executes dropped EXE
26. 5DA6FF~1.EXE, PID 4248
    - Executes dropped EXE
    - Modifies registry class
27. svchost.com, PID 3472
    - Executes dropped EXE
    - Drops file in Windows directory
28. 5DA6FF~1.EXE, PID 3264
    - Executes dropped EXE
29. svchost.com, PID 4924
    - Executes dropped EXE
30. 5DA6FF~1.EXE, PID 4644
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
31. svchost.com, PID 664
    - Executes dropped EXE
32. 5DA6FF~1.EXE, PID 524
    - Checks computer location settings
    - Executes dropped EXE
33. svchost.com, PID 4428
    - Executes dropped EXE
34. 5DA6FF~1.EXE, PID 2672
    - Checks computer location settings
    - Executes dropped EXE
35. svchost.com, PID 2872
    - Executes dropped EXE
36. 5DA6FF~1.EXE, PID 3900
    - Executes dropped EXE
37. svchost.com, PID 2684
    - Executes dropped EXE
38. 5DA6FF~1.EXE, PID 3896
    - Executes dropped EXE
    - Modifies registry class
39. svchost.com, PID 1304
    - Executes dropped EXE
40. 5DA6FF~1.EXE, PID 3468
    - Executes dropped EXE
    - Drops file in Windows directory
41. svchost.com, PID 4148
    - Executes dropped EXE
42. 5DA6FF~1.EXE, PID 4764
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
43. svchost.com, PID 4436
    - Executes dropped EXE
44. 5DA6FF~1.EXE, PID 4012
    - Executes dropped EXE
    - Drops file in Windows directory
45. svchost.com, PID 1936
    - Executes dropped EXE
46. 5DA6FF~1.EXE, PID 3804
    - Executes dropped EXE
47. svchost.com, PID 2928
    - Executes dropped EXE
48. 5DA6FF~1.EXE, PID 3320
    - Checks computer location settings
    - Executes dropped EXE
49. svchost.com, PID 4384
    - Executes dropped EXE
50. 5DA6FF~1.EXE, PID 3132
    - Executes dropped EXE
51. svchost.com, PID 336
    - Executes dropped EXE
52. 5DA6FF~1.EXE, PID 3528
    - Executes dropped EXE
53. svchost.com, PID 4912
    - Executes dropped EXE
54. 5DA6FF~1.EXE, PID 4424
    - Executes dropped EXE
55. svchost.com, PID 3620
    - Executes dropped EXE
56. 5DA6FF~1.EXE, PID 952
    - Executes dropped EXE
57. svchost.com, PID 3480
    - Executes dropped EXE
58. 5DA6FF~1.EXE, PID 4352
    - Checks computer location settings
    - Executes dropped EXE
59. svchost.com, PID 2932
    - Executes dropped EXE
60. 5DA6FF~1.EXE, PID 3712
    - Executes dropped EXE
61. svchost.com, PID 760
    - Executes dropped EXE
62. 5DA6FF~1.EXE, PID 1628
    - Executes dropped EXE
63. svchost.com, PID 4768
    - Executes dropped EXE
64. 5DA6FF~1.EXE, PID 4248
    - Executes dropped EXE
65. svchost.com, PID 1224
    - Executes dropped EXE
66. 5DA6FF~1.EXE, PID 744
67. svchost.com, PID 3684
68. 5DA6FF~1.EXE, PID 2500
69. svchost.com, PID 3040
70. 5DA6FF~1.EXE, PID 4460
    - Modifies registry class
71. svchost.com, PID 4836
72. 5DA6FF~1.EXE, PID 2308
73. svchost.com, PID 3184
74. 5DA6FF~1.EXE, PID 1128
    - Modifies registry class
75. svchost.com, PID 3460
76. 5DA6FF~1.EXE, PID 2220
    - Checks computer location settings
77. svchost.com, PID 3456
78. 5DA6FF~1.EXE, PID 4148
79. svchost.com, PID 2520
80. 5DA6FF~1.EXE, PID 2664
81. svchost.com, PID 2208
82. 5DA6FF~1.EXE, PID 3112
83. svchost.com, PID 1632
84. 5DA6FF~1.EXE, PID 748
85. svchost.com, PID 2680
86. 5DA6FF~1.EXE, PID 4252
    - Checks computer location settings
87. svchost.com, PID 408
    - Drops file in Windows directory
88. 5DA6FF~1.EXE, PID 3316
89. svchost.com, PID 2260
90. 5DA6FF~1.EXE, PID 3528
    - Modifies registry class
91. svchost.com, PID 1388
92. 5DA6FF~1.EXE, PID 2848
93. svchost.com, PID 4816
94. 5DA6FF~1.EXE, PID 2212
    - Drops file in Windows directory
    - Modifies registry class
95. svchost.com, PID 2812
96. 5DA6FF~1.EXE, PID 3876
97. svchost.com, PID 2792
98. 5DA6FF~1.EXE, PID 4416
    - Drops file in Windows directory
99. svchost.com, PID 4228
100. 5DA6FF~1.EXE, PID 3776
101. svchost.com, PID 3416
     - Drops file in Windows directory
102. 5DA6FF~1.EXE, PID 3580
     - Checks computer location settings
     - Modifies registry class
103. svchost.com, PID 1628
104. 5DA6FF~1.EXE, PID 4768
105. svchost.com, PID 5064
     - Drops file in Windows directory
106. 5DA6FF~1.EXE, PID 2384
107. svchost.com, PID 624
108. 5DA6FF~1.EXE, PID 5100
109. svchost.com, PID 816
110. 5DA6FF~1.EXE, PID 5104
111. svchost.com, PID 852
112. 5DA6FF~1.EXE, PID 1220
     - Checks computer location settings
113. svchost.com, PID 4548
114. 5DA6FF~1.EXE, PID 2244
     - Checks computer location settings
115. svchost.com, PID 2684
116. 5DA6FF~1.EXE, PID 5068
     - Modifies registry class
117. svchost.com, PID 4664
118. 5DA6FF~1.EXE, PID 1720
     - Modifies registry class
119. svchost.com, PID 1028
120. 5DA6FF~1.EXE, PID 3596
121. svchost.com, PID 1260
122. 5DA6FF~1.EXE, PID 3560