Analysis
-
max time kernel
102s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
10-08-2024 12:10
Static task
static1
Behavioral task
behavioral1
Sample
860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe
-
Size
40KB
-
MD5
860032b2fc215e7a236cc9d8d9ca18ef
-
SHA1
2ee07b79a21ddb5477aefbe8278c2768b915f585
-
SHA256
821303f7b58dc753c603f72631b9900103b5bb549f362c9cdb0dbeea0fa77f83
-
SHA512
f25a1879e748b5dfd720bfaceb8a15af3d81e519d81a0ec48c5786936aa0e9613413a8ab909e2c73ef6c55327df9015c087809fd37ae75d378f63ad357dcfaa3
-
SSDEEP
384:BQot15+qFW2JIdEsCk566MwqhZFy1SeKxdRlKDfnKDzL50:aotjTFWcFqY6MeSeCRSy+
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system\\rundll32.exe," rundll32.exe -
Checks computer location settings 2 TTPs 64 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried 
\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried 
\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried 
\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe Key value queried 
\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation 860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation daemon.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation rundll32.exe -
Deletes itself 1 IoCs
pid Process 3528 rundll32.exe -
Executes dropped EXE 64 IoCs
pid Process 3528 rundll32.exe 3340 daemon.exe 224 rundll32.exe 2136 daemon.exe 4960 rundll32.exe 4488 daemon.exe 3908 rundll32.exe 116 daemon.exe 2488 rundll32.exe 2624 daemon.exe 3484 rundll32.exe 2436 daemon.exe 4816 rundll32.exe 2000 daemon.exe 880 rundll32.exe 3248 daemon.exe 1060 rundll32.exe 1280 daemon.exe 3448 rundll32.exe 624 daemon.exe 3768 rundll32.exe 3168 daemon.exe 2580 rundll32.exe 1308 daemon.exe 1708 rundll32.exe 1120 daemon.exe 4868 rundll32.exe 2772 daemon.exe 4240 rundll32.exe 1100 daemon.exe 4480 rundll32.exe 968 daemon.exe 5060 rundll32.exe 3356 daemon.exe 5040 rundll32.exe 4280 daemon.exe 4888 rundll32.exe 4536 daemon.exe 2676 rundll32.exe 2000 daemon.exe 2344 rundll32.exe 3240 daemon.exe 3640 rundll32.exe 4404 daemon.exe 1772 rundll32.exe 3204 daemon.exe 3280 rundll32.exe 3240 daemon.exe 3940 rundll32.exe 5144 daemon.exe 5232 rundll32.exe 5308 daemon.exe 5376 rundll32.exe 5456 daemon.exe 5524 rundll32.exe 5600 daemon.exe 5668 rundll32.exe 5744 daemon.exe 5808 rundll32.exe 5948 daemon.exe 6028 rundll32.exe 6104 daemon.exe 5152 rundll32.exe 5292 daemon.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Driver\daemon.exe rundll32.exe File opened for modification C:\Windows\system.ini rundll32.exe File created C:\Windows\system\rundll32.exe daemon.exe File created C:\Windows\Driver\daemon.exe rundll32.exe File opened for modification C:\Windows\system.ini daemon.exe File opened for modification C:\Windows\system.ini rundll32.exe File opened for modification C:\Windows\system.ini rundll32.exe File opened for modification C:\Windows\system.ini daemon.exe File created C:\Windows\Driver\daemon.exe rundll32.exe File opened for modification C:\Windows\system.ini rundll32.exe File opened for modification C:\Windows\system.ini daemon.exe File created C:\Windows\Driver\daemon.exe rundll32.exe File created C:\Windows\Driver\daemon.exe rundll32.exe File created C:\Windows\system\rundll32.exe daemon.exe File created C:\Windows\Driver\daemon.exe rundll32.exe File opened for modification C:\Windows\Driver\daemon.exe rundll32.exe File opened for modification C:\Windows\Driver\daemon.exe rundll32.exe File opened for modification C:\Windows\system.ini 860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe File created C:\Windows\Driver\daemon.exe rundll32.exe File created C:\Windows\system\rundll32.exe daemon.exe File opened for modification C:\Windows\system.ini daemon.exe File opened for modification C:\Windows\Driver\daemon.exe rundll32.exe File created C:\Windows\Driver\daemon.exe rundll32.exe File opened for modification C:\Windows\system.ini rundll32.exe File created C:\Windows\Driver\daemon.exe rundll32.exe File created C:\Windows\system\rundll32.exe daemon.exe File opened for modification C:\Windows\Driver\daemon.exe rundll32.exe File opened for modification C:\Windows\Driver\daemon.exe rundll32.exe File opened for modification C:\Windows\system.ini daemon.exe File created C:\Windows\system\rundll32.exe daemon.exe File opened for modification C:\Windows\system.ini daemon.exe File created C:\Windows\system\rundll32.exe daemon.exe 
File created C:\Windows\Driver\daemon.exe rundll32.exe File created C:\Windows\system\rundll32.exe daemon.exe File opened for modification C:\Windows\system.ini rundll32.exe File opened for modification C:\Windows\system.ini daemon.exe File opened for modification C:\Windows\system.ini daemon.exe File created C:\Windows\system\rundll32.exe daemon.exe File created C:\Windows\Driver\daemon.exe rundll32.exe File created C:\Windows\system\rundll32.exe daemon.exe File opened for modification C:\Windows\system.ini daemon.exe File created C:\Windows\Driver\daemon.exe rundll32.exe File opened for modification C:\Windows\Driver\daemon.exe rundll32.exe File created C:\Windows\Driver\daemon.exe rundll32.exe File opened for modification C:\Windows\system.ini daemon.exe File opened for modification C:\Windows\Driver\daemon.exe rundll32.exe File created C:\Windows\Driver\daemon.exe rundll32.exe File opened for modification C:\Windows\system.ini daemon.exe File created C:\Windows\Driver\daemon.exe rundll32.exe File opened for modification C:\Windows\Driver\daemon.exe rundll32.exe File opened for modification C:\Windows\Driver\daemon.exe rundll32.exe File opened for modification C:\Windows\Driver\daemon.exe rundll32.exe File opened for modification C:\Windows\system.ini rundll32.exe File opened for modification C:\Windows\system.ini rundll32.exe File created C:\Windows\system\rundll32.exe daemon.exe File opened for modification C:\Windows\Driver\daemon.exe rundll32.exe File opened for modification C:\Windows\Driver\daemon.exe rundll32.exe File opened for modification C:\Windows\system.ini daemon.exe File opened for modification C:\Windows\system.ini daemon.exe File opened for modification C:\Windows\system.ini rundll32.exe File opened for modification C:\Windows\system.ini daemon.exe File created C:\Windows\system\rundll32.exe daemon.exe File opened for modification C:\Windows\system.ini daemon.exe File opened for modification C:\Windows\Driver\daemon.exe rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daemon.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 4524 860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe 3528 rundll32.exe 3340 daemon.exe 224 rundll32.exe 2136 daemon.exe 4960 rundll32.exe 4488 daemon.exe 3908 rundll32.exe 116 daemon.exe 2488 rundll32.exe 2624 daemon.exe 3484 rundll32.exe 2436 daemon.exe 4816 rundll32.exe 2000 daemon.exe 880 rundll32.exe 3248 daemon.exe 1060 rundll32.exe 1280 daemon.exe 3448 rundll32.exe 624 daemon.exe 3768 rundll32.exe 3168 daemon.exe 2580 rundll32.exe 1308 daemon.exe 1708 rundll32.exe 1120 daemon.exe 4868 rundll32.exe 2772 daemon.exe 4240 rundll32.exe 1100 daemon.exe 4480 rundll32.exe 968 daemon.exe 5060 rundll32.exe 3356 daemon.exe 5040 rundll32.exe 4280 daemon.exe 4888 rundll32.exe 4536 daemon.exe 2676 rundll32.exe 2000 daemon.exe 2344 rundll32.exe 3240 daemon.exe 3640 rundll32.exe 4404 daemon.exe 1772 rundll32.exe 3204 daemon.exe 3280 rundll32.exe 3240 daemon.exe 3940 rundll32.exe 5144 daemon.exe 5232 rundll32.exe 5308 daemon.exe 5376 rundll32.exe 5456 daemon.exe 5524 rundll32.exe 5600 daemon.exe 5668 rundll32.exe 5744 daemon.exe 5808 rundll32.exe 5948 daemon.exe 6028 rundll32.exe 6104 daemon.exe 5152 rundll32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4524 wrote to memory of 3528 4524 860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe 86 PID 4524 wrote to memory of 3528 4524 860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe 86 PID 4524 wrote to memory of 3528 4524 860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe 86 PID 3528 wrote to memory of 3340 3528 rundll32.exe 88 PID 3528 wrote to memory of 3340 3528 rundll32.exe 88 PID 3528 wrote to memory of 3340 3528 rundll32.exe 88 PID 3340 wrote to memory of 224 3340 daemon.exe 89 PID 3340 wrote to memory of 224 3340 daemon.exe 89 PID 3340 wrote to memory of 224 3340 daemon.exe 89 PID 224 wrote to memory of 2136 224 rundll32.exe 90 PID 224 wrote to memory of 2136 224 rundll32.exe 90 PID 224 wrote to memory of 2136 224 rundll32.exe 90 PID 2136 wrote to memory of 4960 2136 daemon.exe 91 PID 2136 wrote to memory of 4960 2136 daemon.exe 91 PID 2136 wrote to memory of 4960 2136 daemon.exe 91 PID 4960 wrote to memory of 4488 4960 rundll32.exe 92 PID 4960 wrote to memory of 4488 4960 rundll32.exe 92 PID 4960 wrote to memory of 4488 4960 rundll32.exe 92 PID 4488 wrote to memory of 3908 4488 daemon.exe 93 PID 4488 wrote to memory of 3908 4488 daemon.exe 93 PID 4488 wrote to memory of 3908 4488 daemon.exe 93 PID 3908 wrote to memory of 116 3908 rundll32.exe 94 PID 3908 wrote to memory of 116 3908 rundll32.exe 94 PID 3908 wrote to memory of 116 3908 rundll32.exe 94 PID 116 wrote to memory of 2488 116 daemon.exe 95 PID 116 wrote to memory of 2488 116 daemon.exe 95 PID 116 wrote to memory of 2488 116 daemon.exe 95 PID 2488 wrote to memory of 2624 2488 rundll32.exe 96 PID 2488 wrote to memory of 2624 2488 rundll32.exe 96 PID 2488 wrote to memory of 2624 2488 rundll32.exe 96 PID 2624 wrote to memory of 3484 2624 daemon.exe 97 PID 2624 wrote to memory of 3484 2624 daemon.exe 97 PID 2624 wrote to memory of 3484 2624 daemon.exe 97 PID 3484 wrote to memory of 2436 3484 rundll32.exe 98 PID 3484 wrote to memory of 2436 3484 rundll32.exe 98 PID 
3484 wrote to memory of 2436 3484 rundll32.exe 98 PID 2436 wrote to memory of 4816 2436 daemon.exe 99 PID 2436 wrote to memory of 4816 2436 daemon.exe 99 PID 2436 wrote to memory of 4816 2436 daemon.exe 99 PID 4816 wrote to memory of 2000 4816 rundll32.exe 100 PID 4816 wrote to memory of 2000 4816 rundll32.exe 100 PID 4816 wrote to memory of 2000 4816 rundll32.exe 100 PID 2000 wrote to memory of 880 2000 daemon.exe 101 PID 2000 wrote to memory of 880 2000 daemon.exe 101 PID 2000 wrote to memory of 880 2000 daemon.exe 101 PID 880 wrote to memory of 3248 880 rundll32.exe 102 PID 880 wrote to memory of 3248 880 rundll32.exe 102 PID 880 wrote to memory of 3248 880 rundll32.exe 102 PID 3248 wrote to memory of 1060 3248 daemon.exe 103 PID 3248 wrote to memory of 1060 3248 daemon.exe 103 PID 3248 wrote to memory of 1060 3248 daemon.exe 103 PID 1060 wrote to memory of 1280 1060 rundll32.exe 104 PID 1060 wrote to memory of 1280 1060 rundll32.exe 104 PID 1060 wrote to memory of 1280 1060 rundll32.exe 104 PID 1280 wrote to memory of 3448 1280 daemon.exe 105 PID 1280 wrote to memory of 3448 1280 daemon.exe 105 PID 1280 wrote to memory of 3448 1280 daemon.exe 105 PID 3448 wrote to memory of 624 3448 rundll32.exe 106 PID 3448 wrote to memory of 624 3448 rundll32.exe 106 PID 3448 wrote to memory of 624 3448 rundll32.exe 106 PID 624 wrote to memory of 3768 624 daemon.exe 107 PID 624 wrote to memory of 3768 624 daemon.exe 107 PID 624 wrote to memory of 3768 624 daemon.exe 107 PID 3768 wrote to memory of 3168 3768 rundll32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\860032b2fc215e7a236cc9d8d9ca18ef_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"15⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s16⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s18⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s20⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3168 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2580 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1308 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s26⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1708 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"27⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1120 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s28⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4868 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2772 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s30⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4240 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"31⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1100 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s32⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4480 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:968 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s34⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5060 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3356 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5040 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4280 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s38⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4888 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"39⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4536 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s40⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2676 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2000 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s42⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2344 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"43⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3240 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s44⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3640 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"45⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4404 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s46⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1772 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"47⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3204 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s48⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3280 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3240 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s50⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3940 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5144 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s52⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5232 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5308 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s54⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5376 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5456 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s56⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5524 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5600 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s58⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5668 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5744 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s60⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5808 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5948 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s62⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6028 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6104 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s64⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5152 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"65⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5292 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s66⤵
- System Location Discovery: System Language Discovery
PID:5396 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"67⤵PID:5472
-
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s68⤵PID:5640
-
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"69⤵PID:2064
-
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s70⤵
- Modifies WinLogon for persistence
PID:5884 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"71⤵PID:5976
-
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s72⤵PID:4932
-
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"73⤵PID:4736
-
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s74⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:4604 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"75⤵PID:5544
-
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s76⤵PID:5728
-
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"77⤵PID:5932
-
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s78⤵PID:6092
-
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"79⤵PID:2376
-
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s80⤵
- Drops file in Windows directory
PID:5508 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"81⤵PID:5788
-
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s82⤵PID:6100
-
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"83⤵
- Checks computer location settings
PID:5104 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s84⤵PID:5724
-
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"85⤵
- Drops file in Windows directory
PID:5876 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s86⤵
- Checks computer location settings
PID:4304 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"87⤵
- Checks computer location settings
- Drops file in Windows directory
PID:5456 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s88⤵PID:6152
-
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"89⤵PID:6232
-
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s90⤵
- Modifies WinLogon for persistence
PID:6296 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"91⤵PID:6372
-
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s92⤵
- Modifies WinLogon for persistence
PID:6436 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"93⤵
- Checks computer location settings
PID:6516 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s94⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in Windows directory
PID:6580 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"95⤵
- Checks computer location settings
PID:6656 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s96⤵PID:6720
-
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"97⤵PID:6800
-
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s98⤵
- Modifies WinLogon for persistence
PID:6864 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"99⤵
- System Location Discovery: System Language Discovery
PID:6940 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s100⤵PID:7004
-
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"101⤵PID:7080
-
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s102⤵
- Modifies WinLogon for persistence
PID:7144 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"103⤵
- System Location Discovery: System Language Discovery
PID:6204 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s104⤵
- Drops file in Windows directory
PID:6280 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"105⤵PID:6412
-
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s106⤵
- Drops file in Windows directory
PID:6512 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"107⤵PID:6644
-
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s108⤵
- Checks computer location settings
PID:6736 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"109⤵
- Checks computer location settings
PID:6860 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s110⤵
- System Location Discovery: System Language Discovery
PID:6984 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"111⤵PID:7088
-
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s112⤵PID:3192
-
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"113⤵PID:6312
-
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s114⤵PID:6504
-
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"115⤵PID:6712
-
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s116⤵
- Modifies WinLogon for persistence
PID:6832 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"117⤵PID:7072
-
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s118⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
PID:7120 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"119⤵PID:6488
-
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s120⤵
- Modifies WinLogon for persistence
- Checks computer location settings
PID:6676 -
C:\Windows\Driver\daemon.exe"C:\Windows\Driver\daemon.exe"121⤵
- Checks computer location settings
PID:6796 -
C:\Windows\system\rundll32.exe"C:\Windows\system\rundll32.exe" -s122⤵PID:5456