Analysis
max time kernel: 142s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2024 09:17
Behavioral task behavioral1
Sample: 5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe
Resource: win7-20240704-en
Behavioral task behavioral2
Sample: 5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe
Resource: win10v2004-20240709-en
General
Target: 5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe
Size: 265KB
MD5: 5fe4b627f39be0d3564a4c62f2a58092
SHA1: c27d905048c7efd621d235d4fe0d1a85de4ca9a6
SHA256: 951544b64107ec4f35fab90b0ac447f0656627da1d996a0ecc461b8dd4ed601f
SHA512: 5abc8d04823188d8f13d41f3b708546460011be9558a48c0363b615cc6c777e9b69c9021bc7cc6040769629ade00ed474e88b5b465c21d42a9c72054c4657518
SSDEEP: 6144:k9KeKBw8v92A7BBc4/JDvmx9+UeRUqJtyH7xOc6H5c6HcT66vlmr:f1Bv/Geja
Malware Config
Signatures
Detect Neshta payload 64 IoCs
resource | yara_rule
Files matched by the family_neshta rule:
C:\Users\Admin\AppData\Local\Temp\3582-490\5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe
C:\Windows\svchost.com
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
Memory dumps matched by the family_neshta rule, all named behavioral2/memory/<pid>-<seq>-0x0000000000400000-0x000000000041B000-memory.dmp (the same 0x1B000-byte image mapping at 0x400000 in every process), listed as <pid>-<seq>:
4912-30, 1944-34, 4612-42, 4900-46, 840-54, 2616-58, 1176-66, 2580-77, 4184-78, 3024-82, 1300-90, 4256-101, 3692-102, 1468-113, 392-134, 4020-145, 2844-146, 2004-157, 1040-158, 1240-163,
4004-186, 1248-210, 2356-239, 2764-247, 4612-264, 2108-266, 2692-277, 836-279, 408-285, 4064-295, 4516-296, 1116-303, 1632-304, 4204-311, 412-312,
4668-319, 4496-320, 1904-327, 2964-328, 1864-330, 2480-336, 1828-343, 720-344, 2688-346, 4424-352, 3608-354, 2908-360, 4812-362, 1908-368, 4924-375, 4304-376, 1020-378
Neshta
Neshta is a file-infecting virus: it writes its own body into the executables it finds on the host (in this run, the .exe files under Program Files listed below), so that every infected program re-launches the infector when it is run, while a copy of the launched program is dropped under %TEMP%\3582-490\ and executed from there. It also stages itself as C:\Windows\svchost.com and registers that file as the shell handler for the exefile class, which routes every .exe launch through the infector.
Checks computer location settings 2 TTPs 64 IoCs
Looks up the country code configured in the registry (the Geo\Nation value under the user's Control Panel\International key), a likely geofence check.
Processes: 5FE4B6~1.EXE (62 instances), 5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe (2 instances)
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | 5FE4B6~1.EXE (62 events, one per instance)
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | 5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe (2 events)
Executes dropped EXE 64 IoCs
Processes: 5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe, svchost.exe, svchost.com, 5FE4B6~1.EXE
pid | process
2800 | 5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe
2732 | svchost.exe
1316 | 5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe
4244 | svchost.exe
The remaining 60 rows are thirty svchost.com / 5FE4B6~1.EXE pairs, in execution order, given as svchost.com pid / 5FE4B6~1.EXE pid (pid 4612 is reused once during the run):
4912/1944, 4612/4900, 840/2616, 1176/2580, 4184/3024, 1300/4256, 3692/1468, 392/4020, 2844/2004, 1040/1240,
4004/1248, 2356/2764, 4612/2108, 2692/836, 408/4064, 4516/1116, 1632/4204, 412/4668, 4496/1904, 2964/1864,
2480/1828, 720/2688, 4424/3608, 2908/4812, 1908/4924, 4304/1020, 2340/2776, 3196/4868, 3128/4452, 2248/2684
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: 5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe
The stock value of this key is "%1" %*. With the infector's value in place, every .exe started through the shell is launched via C:\Windows\svchost.com with the original command line passed through as "%1" %*, so the infector runs first on each program launch.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. No individual IoCs are listed for this signature in this report.
Drops file in Program Files directory 64 IoCs
Processes: 5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe (two instances), svchost.exe
All 64 rows are "File opened for modification", grouped here by the process that performed the write.
By 5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe (38 events, all via 8.3 short paths):
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE
C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\WINDOW~4\wmprph.exe
C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\INTERN~1\ExtExport.exe (2 events)
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE
C:\PROGRA~2\WINDOW~4\wmplayer.exe
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE
C:\PROGRA~2\WINDOW~4\wmpshare.exe
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
C:\PROGRA~2\WINDOW~4\wmlaunch.exe
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
C:\PROGRA~2\WINDOW~4\setup_wm.exe
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
By svchost.exe (26 events, long paths):
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
C:\Program Files\dotnet\dotnet.exe
C:\Program Files\Java\jdk-1.8\bin\javac.exe
C:\Program Files\Java\jdk-1.8\bin\javap.exe
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
C:\Program Files\Java\jdk-1.8\bin\servertool.exe
C:\Program Files\Java\jdk-1.8\bin\unpack200.exe
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
C:\Program Files\7-Zip\7z.exe
C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
C:\Program Files\Java\jdk-1.8\bin\ktab.exe
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
C:\Program Files\Java\jdk-1.8\bin\jar.exe
C:\Program Files\Java\jdk-1.8\bin\wsgen.exe
Drops file in Windows directory 64 IoCs
Processes: svchost.com, 5FE4B6~1.EXE, 5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe
Only two files are touched; the 64 rows are repeated modifications of them, tallied here per file and process.
description | ioc | process | events
File opened for modification | C:\Windows\svchost.com | svchost.com | 15
File opened for modification | C:\Windows\svchost.com | 5FE4B6~1.EXE | 15
File opened for modification | C:\Windows\svchost.com | 5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe | 1
File opened for modification | C:\Windows\directx.sys | svchost.com | 21
File opened for modification | C:\Windows\directx.sys | 5FE4B6~1.EXE | 12
Despite the .sys name, C:\Windows\directx.sys is recorded here only as a file written by the user-mode infector processes; the report shows no driver load.
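The three signatures above (the exefile handler hijack, the writes to C:\Windows\svchost.com and C:\Windows\directx.sys, and the copy staged under %TEMP%\3582-490\) are the indicators an analyst would turn into a triage check. The following is an added example written for this page, not code from the sandbox or from the malware: it assumes a simple event-record shape (op, target, process, data) that you would populate from your own telemetry, the SAMPLE_EVENTS are constructed to mirror the report's IoC rows rather than copied from a log, and the 0xA200-byte stub in SAMPLE_FILE is an assumed size for the test, not a measurement of this sample. The find_embedded_pe helper is general to prepending infectors: it locates a second MZ/PE header inside a file so the appended host can be carved out.

```python
"""Triage helpers for Neshta-style file-infector indicators.

Added example, not part of the sandbox report or the malware's own code.
Event records are assumed to be dicts with op, target, process and an
optional data field; SAMPLE_EVENTS below are constructed, not a real log.
"""
import re
import struct

# Stock value of HKLM\SOFTWARE\Classes\exefile\shell\open\command.
DEFAULT_EXEFILE_OPEN = '"%1" %*'

# Files the report shows the infector processes writing (lowercased paths).
NESHTA_FILE_IOCS = {
    r"c:\windows\svchost.com",   # infector body staged as a fake host binary
    r"c:\windows\directx.sys",   # written by user-mode processes, not a driver
}
# Drop directory under the user's %TEMP% seen in the report.
HOST_DROP_DIR = re.compile(r"\\appdata\\local\\temp\\3582-490\\", re.IGNORECASE)


def is_exefile_association_hijacked(command: str) -> bool:
    """True unless the exefile open handler is the stock '"%1" %*'."""
    return " ".join(command.split()) != DEFAULT_EXEFILE_OPEN


def triage_events(events):
    """Map each Neshta indicator to the list of processes that produced it."""
    hits = {}
    for ev in events:
        op, target, proc = ev["op"], ev["target"].lower(), ev["process"]
        key = None
        if op == "file_write" and target in NESHTA_FILE_IOCS:
            key = "write:" + target
        elif op in ("file_write", "exec") and HOST_DROP_DIR.search(target):
            key = op + r":%temp%\3582-490\*"
        elif (op == "reg_set"
              and target.rstrip("\\").endswith(r"\classes\exefile\shell\open\command")
              and is_exefile_association_hijacked(ev.get("data", ""))):
            key = "reg:exefile handler -> " + ev["data"]
        if key is not None:
            hits.setdefault(key, []).append(proc)
    return hits


def find_embedded_pe(data: bytes, start: int = 1):
    """Offset of the first PE image whose MZ header lies at or after `start`.

    A prepending infector writes its own body first and the original host
    after it, so the host shows up as a second MZ/PE pair. Returns None if
    none is found; the e_lfanew bound is a sanity heuristic, not a spec.
    """
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def carve_host(data: bytes):
    """Return the appended host image, or None if the file is a single PE."""
    off = find_embedded_pe(data)
    return None if off is None else data[off:]


def fake_pe(size: int) -> bytes:
    """Constructed test data: MZ header with e_lfanew=0x40 and a PE signature."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    body = bytes(hdr) + b"PE\0\0"
    return body + b"\0" * (size - len(body))


# Constructed: an assumed 0xA200-byte "infector" stub followed by a 0x800-byte "host".
SAMPLE_FILE = fake_pe(0xA200) + fake_pe(0x800)

SAMPLE_EVENTS = [  # constructed to mirror the report's IoC rows
    {"op": "reg_set", "process": "5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
     "data": r'C:\Windows\svchost.com "%1" %*'},
    {"op": "file_write", "process": "5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe",
     "target": r"C:\Windows\svchost.com"},
    {"op": "file_write", "process": "svchost.com", "target": r"C:\Windows\directx.sys"},
    {"op": "file_write", "process": "5FE4B6~1.EXE", "target": r"C:\Windows\directx.sys"},
    {"op": "exec", "process": "svchost.com",
     "target": r"C:\Users\Admin\AppData\Local\Temp\3582-490\5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe"},
    {"op": "file_write", "process": "svchost.exe", "target": r"C:\Program Files\7-Zip\7z.exe"},
]

if __name__ == "__main__":
    for indicator, procs in sorted(triage_events(SAMPLE_EVENTS).items()):
        print(f"{indicator}: {', '.join(procs)}")
    print("embedded host at offset:", hex(find_embedded_pe(SAMPLE_FILE)))
```

The last constructed event (a write to 7z.exe by svchost.exe) is deliberately not matched: a write to a Program Files executable is only suspicious in context, so the triage keys are limited to the paths and registry value the report ties directly to the infector. Carving with find_embedded_pe recovers the host for hashing and comparison against a known-good copy; remediation of an infected fleet still needs the exefile handler restored to "%1" %* before infected programs are cleaned, or each launch re-runs svchost.com.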
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). No individual IoCs are listed for this signature.
Modifies registry class 64 IoCs
Processes:
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Users\Admin\AppData\Local\Temp\5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\svchost.exe"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\5fe4b627f39be0d3564a4c62f2a58092_JaffaCakes118.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"11⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"17⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE18⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE22⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"23⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1040 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1240 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"25⤵
- Executes dropped EXE
PID:4004 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE26⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:1248 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"27⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2356 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE28⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"29⤵
- Executes dropped EXE
PID:4612 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE30⤵
- Executes dropped EXE
- Modifies registry class
PID:2108 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"31⤵
- Executes dropped EXE
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE32⤵
- Executes dropped EXE
PID:836 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"33⤵
- Executes dropped EXE
PID:408 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE34⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"35⤵
- Executes dropped EXE
PID:4516 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE36⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1116 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"37⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1632 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE38⤵
- Executes dropped EXE
PID:4204 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"39⤵
- Executes dropped EXE
PID:412 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE40⤵
- Checks computer location settings
- Executes dropped EXE
PID:4668 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"41⤵
- Executes dropped EXE
PID:4496 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE42⤵
- Executes dropped EXE
- Modifies registry class
PID:1904 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"43⤵
- Executes dropped EXE
PID:2964 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE44⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"45⤵
- Executes dropped EXE
PID:2480 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE46⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"47⤵
- Executes dropped EXE
PID:720 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE48⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"49⤵
- Executes dropped EXE
PID:4424 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE50⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3608 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"51⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2908 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE52⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"53⤵
- Executes dropped EXE
PID:1908 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE54⤵
- Executes dropped EXE
- Modifies registry class
PID:4924 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"55⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4304 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE56⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"57⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2340 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE58⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"59⤵
- Executes dropped EXE
PID:3196 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE60⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4868 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"61⤵
- Executes dropped EXE
PID:3128 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE62⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"63⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2248 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE64⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"65⤵PID:2536
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE66⤵
- Modifies registry class
PID:4956 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"67⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE68⤵PID:1512
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"69⤵
- Drops file in Windows directory
PID:4520 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE70⤵
- Modifies registry class
PID:3596 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"71⤵PID:872
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE72⤵
- Checks computer location settings
- Drops file in Windows directory
PID:5056 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"73⤵
- Drops file in Windows directory
PID:2964 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE74⤵
- Checks computer location settings
- Modifies registry class
PID:2104 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"75⤵PID:2480
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE76⤵
- Checks computer location settings
- Drops file in Windows directory
PID:3832 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"77⤵
- Drops file in Windows directory
PID:720 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE78⤵
- Checks computer location settings
- Modifies registry class
PID:2412 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"79⤵PID:3912
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE80⤵
- Modifies registry class
PID:4724 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"81⤵PID:2868
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE82⤵
- Checks computer location settings
PID:4680 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"83⤵PID:4116
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE84⤵
- Modifies registry class
PID:4112 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"85⤵PID:2356
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE86⤵
- Checks computer location settings
PID:468 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"87⤵PID:2772
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE88⤵
- Checks computer location settings
- Modifies registry class
PID:3404 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"89⤵PID:840
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE90⤵
- Modifies registry class
PID:2340 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"91⤵PID:1504
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE92⤵
- Checks computer location settings
PID:3168 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"93⤵PID:2580
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE94⤵
- Checks computer location settings
PID:4400 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"95⤵
- Drops file in Windows directory
PID:4788 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE96⤵
- Modifies registry class
PID:4452 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"97⤵PID:2840
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE98⤵PID:4964
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"99⤵PID:1680
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE100⤵
- Modifies registry class
PID:1116 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"101⤵PID:1632
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE102⤵
- Drops file in Windows directory
PID:3612 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"103⤵PID:1512
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE104⤵
- Modifies registry class
PID:412 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"105⤵
- Drops file in Windows directory
PID:4648 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE106⤵
- Modifies registry class
PID:2192 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"107⤵
- Drops file in Windows directory
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE108⤵
- Modifies registry class
PID:3652 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"109⤵PID:2008
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE110⤵
- Checks computer location settings
PID:1864 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"111⤵PID:2236
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE112⤵
- Checks computer location settings
PID:4052 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"113⤵PID:1240
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE114⤵PID:2980
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"115⤵PID:1152
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE116⤵
- Checks computer location settings
PID:5092 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"117⤵PID:1696
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE118⤵
- Checks computer location settings
- Modifies registry class
PID:180 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"119⤵PID:3608
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE120⤵
- Checks computer location settings
- Modifies registry class
PID:2096 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE"121⤵
- Drops file in Windows directory
PID:3300 -
C:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\5FE4B6~1.EXE122⤵PID:2868