Analysis
max time kernel: 142s
max time network: 118s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 20-07-2024 09:17
Behavioral task: behavioral1
Sample: 5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe
Resource: win10v2004-20240709-en
General
Target: 5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe
Size: 265KB
MD5: 5fe4b627f39be0d3564a4c62f2a58092
SHA1: c27d905048c7efd621d235d4fe0d1a85de4ca9a6
SHA256: 951544b64107ec4f35fab90b0ac447f0656627da1d996a0ecc461b8dd4ed601f
SHA512: 5abc8d04823188d8f13d41f3b708546460011be9558a48c0363b615cc6c777e9b69c9021bc7cc6040769629ade00ed474e88b5b465c21d42a9c72054c4657518
SSDEEP: 6144:k9KeKBw8v92A7BBc4/JDvmx9+UeRUqJtyH7xOc6H5c6HcT66vlmr:f1Bv/Geja
Malware Config
Signatures
Detect Neshta payload (64 IoCs)
Processes:
Neshta
Malware from the Neshta family is a file infector: it inserts itself into other files in order to spread and cause damage.
Executes dropped EXE (64 IoCs)
Processes:
Loads dropped DLL (64 IoCs)
Processes:
Modifies system executable filetype association (2 TTPs, 1 IoC)
Processes:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: 5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar data.
Drops file in Program Files directory (64 IoCs)
Processes:
Drops file in Windows directory (64 IoCs)
Processes:
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
Processes:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: 5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe"
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1628

Level 2: C:\Users\Admin\AppData\Local\Temp\3582-490\5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2896

Level 3: C:\Windows\svchost.exe
Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2432

Level 4: C:\Users\Admin\AppData\Local\Temp\3582-490\5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID: 2424

Level 5: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 3024

Level 6: C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2256

Level 7: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2624

Level 8: C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2752

Level 9: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2632

Level 10: C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2764

Level 11: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2812

Level 12: C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2540

Level 13: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2496

Level 14: C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3008

Level 15: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1152

Level 16: C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 1176

Level 17: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID: 864

Level 18: C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE
- Executes dropped EXE
PID: 2552

Level 19: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
PID: 1752

Level 20: C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE
- Executes dropped EXE
- Drops file in Windows directory
PID: 2676

Level 21: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
PID: 2980

Level 22: C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE
- Executes dropped EXE
- Drops file in Windows directory
PID:2196 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE24⤵
- Executes dropped EXE
PID:696 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:532 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE26⤵
- Executes dropped EXE
PID:952 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE28⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:784 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE30⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE32⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE34⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE36⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"37⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE38⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1972 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"39⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE40⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"41⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE42⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"43⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE44⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"45⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE46⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"47⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE48⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"49⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE50⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"51⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE52⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"53⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE54⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"55⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE56⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1660 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"57⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE58⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"59⤵
- Executes dropped EXE
PID:2748 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE60⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"61⤵
- Executes dropped EXE
PID:1200 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE62⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"63⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE64⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"65⤵PID:344
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE66⤵PID:1556
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"67⤵
- Drops file in Windows directory
PID:1624 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE68⤵PID:2052
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"69⤵PID:532
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE70⤵PID:916
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"71⤵PID:1140
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE72⤵PID:1516
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"73⤵PID:1100
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE74⤵PID:2084
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"75⤵PID:984
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE76⤵PID:660
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"77⤵PID:2376
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE78⤵
- Drops file in Windows directory
PID:2440 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"79⤵PID:880
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE80⤵PID:1932
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"81⤵PID:2104
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE82⤵PID:1668
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"83⤵PID:2796
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE84⤵PID:2908
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"85⤵PID:2912
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE86⤵PID:2116
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"87⤵
- Drops file in Windows directory
PID:2428 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE88⤵
- Drops file in Windows directory
PID:2252 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"89⤵
- Drops file in Windows directory
PID:2264 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE90⤵PID:2716
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"91⤵PID:2628
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE92⤵PID:2792
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"93⤵PID:2588
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE94⤵PID:2828
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"95⤵PID:2508
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE96⤵PID:2812
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"97⤵PID:2620
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE98⤵PID:1844
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"99⤵PID:1960
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE100⤵PID:2968
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"101⤵PID:1792
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE102⤵PID:1696
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"103⤵PID:1488
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE104⤵PID:2044
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"105⤵
- Drops file in Windows directory
PID:2380 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE106⤵PID:1244
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"107⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE108⤵PID:2736
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"109⤵PID:2664
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE110⤵PID:2680
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"111⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE112⤵PID:2552
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"113⤵
- Drops file in Windows directory
PID:2980 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE114⤵PID:2132
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"115⤵PID:1124
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE116⤵
- Drops file in Windows directory
PID:1080 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"117⤵PID:1592
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE118⤵PID:1368
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"119⤵
- Drops file in Windows directory
PID:2052 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE120⤵PID:712
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"121⤵PID:892
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE122⤵PID:2164