Analysis
max time kernel: 139s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 14/08/2024, 15:03
Static task: static1
Behavioral task: behavioral1
  Sample: 9694c58f605a5ba69806c27a56df07f0_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 9694c58f605a5ba69806c27a56df07f0_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 9694c58f605a5ba69806c27a56df07f0_JaffaCakes118.exe
Size: 72KB
MD5: 9694c58f605a5ba69806c27a56df07f0
SHA1: c10bfcf737966b18f5d98202e662848ccbe6b8cc
SHA256: fd4dea59ed40ec256b74c5eaf9f4225dce2b5748b28ff3735642c841d2fc5619
SHA512: a7a71355ca9e950c03248e8fdd16c0d1f59f66af1a2245e13994b95f0b1898f40f7b2d85f45ec148c662eb070b8cc35f91f4ed45caa9f933fc94891dffa09923
SSDEEP: 384:kdccNLu5/ShfsLdccNLu5/ShfsGJDolEJZpHAvWm1OukV:kdJNa5LdJNa5moCLpgvWmXkV
Malware Config
Signatures
Deletes itself (1 IoC)
pid  Process
13640  cmd.exe

Executes dropped EXE (64 IoCs)
pid  Process
(64 rows, every row RAVTLMON.exe)
764, 2488, 3052, 2164, 2688, 2712, 2844, 2708, 2704, 2976, 2584, 2724, 2696, 2548, 2592, 2672, 2600, 2128, 816, 1172, 2772, 1872, 2880, 1212, 1280, 1996, 1472, 1512, 2024, 1040, 1868, 2404, 1880, 2000, 2520, 2588, 2016, 3048, 1980, 1976, 3008, 3004, 2084, 2092, 1204, 2196, 2140, 2376, 2936, 2920, 2904, 1084, 1412, 1832, 952, 1608, 1720, 2324, 888, 1988, 1320, 796, 2156, 2224  RAVTLMON.exe

Loads dropped DLL (64 IoCs)
pid  Process
(64 rows; each pid below appears in two rows)
2088  9694c58f605a5ba69806c27a56df07f0_JaffaCakes118.exe
764, 2488, 3052, 2164, 2688, 2712, 2844, 2708, 2704, 2976, 2584, 2724, 2696, 2548, 2592, 2672, 2600, 2128, 816, 1172, 2772, 1872, 2880, 1212, 1280, 1996, 1472, 1512, 2024, 1040, 1868  RAVTLMON.exe

Adds Run key to start application (2 TTPs, 64 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RAVTLMON = "C:\\Windows\\system32\\RAVTLMON.exe"  RAVTLMON.exe or Process not Found
(all 64 rows set this same value; the Process column is RAVTLMON.exe in some rows and Process not Found in the others)
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in System32 directory (64 IoCs)
description  ioc  Process
File created  C:\Windows\SysWOW64\RAVTLMON.exe  RAVTLMON.exe or Process not Found
(all 64 rows create this same file; the Process column is RAVTLMON.exe in some rows and Process not Found in the others)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe (first row), then RAVTLMON.exe or Process not Found
(all 64 rows open this same key; after the first row from cmd.exe, the Process column is RAVTLMON.exe in some rows and Process not Found in the others)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  Process
2088  9694c58f605a5ba69806c27a56df07f0_JaffaCakes118.exe
764, 2488, 3052, 2164, 2688, 2712, 2844, 2708, 2704, 2976, 2584, 2724, 2696, 2548, 2592, 2672, 2600, 2128, 816, 1172, 2772, 1872, 2880, 1212, 1280, 1996, 1472, 1512, 2024, 1040, 1868, 2404, 1880, 2000, 2520, 2588, 2016, 3048, 1980, 1976, 3008, 3004, 2084, 2092, 1204, 2196, 2140, 2376, 2936, 2920, 2904, 1084, 1412, 1832, 952, 1608, 1720, 2324, 888, 1988, 1320, 796, 2156  RAVTLMON.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description  pid  Process  procid_target
(each parent/child pair below appears as four identical rows in the report, 64 rows in total)
PID 2088 wrote to memory of 764  2088  9694c58f605a5ba69806c27a56df07f0_JaffaCakes118.exe  31
PID 764 wrote to memory of 2488  764  RAVTLMON.exe  32
PID 2488 wrote to memory of 3052  2488  RAVTLMON.exe  33
PID 3052 wrote to memory of 2164  3052  RAVTLMON.exe  34
PID 2164 wrote to memory of 2688  2164  RAVTLMON.exe  35
PID 2688 wrote to memory of 2712  2688  RAVTLMON.exe  36
PID 2712 wrote to memory of 2844  2712  RAVTLMON.exe  37
PID 2844 wrote to memory of 2708  2844  RAVTLMON.exe  38
PID 2708 wrote to memory of 2704  2708  RAVTLMON.exe  39
PID 2704 wrote to memory of 2976  2704  RAVTLMON.exe  40
PID 2976 wrote to memory of 2584  2976  RAVTLMON.exe  41
PID 2584 wrote to memory of 2724  2584  RAVTLMON.exe  42
PID 2724 wrote to memory of 2696  2724  RAVTLMON.exe  43
PID 2696 wrote to memory of 2548  2696  RAVTLMON.exe  44
PID 2548 wrote to memory of 2592  2548  RAVTLMON.exe  45
PID 2592 wrote to memory of 2672  2592  RAVTLMON.exe  46
Processes

level 1  C:\Users\Admin\AppData\Local\Temp\9694c58f605a5ba69806c27a56df07f0_JaffaCakes118.exe
command line: "C:\Users\Admin\AppData\Local\Temp\9694c58f605a5ba69806c27a56df07f0_JaffaCakes118.exe"
PID: 2088
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 2  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 764
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 3  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 2488
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 4  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 3052
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 5  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 2164
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 6  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 2688
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 7  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 2712
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 8  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 2844
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 9  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 2708
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 10  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 2704
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 11  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 2976
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 12  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 2584
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 13  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 2724
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 14  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 2696
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 15  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 2548
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 16  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 2592
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

level 17  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 2672
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses

level 18  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 2600
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses

level 19  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 2128
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses

level 20  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 816
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses

level 21  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 1172
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses

level 22  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 2772
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses

level 23  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 1872
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses

level 24  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 2880
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses

level 25  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 1212
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses

level 26  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 1280
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses

level 27  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
PID: 1996
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

level 28  C:\Windows\SysWOW64\RAVTLMON.exe
command line: C:\Windows\system32\RAVTLMON.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1472 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1512 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2024 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1040 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1868 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe33⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2404 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe34⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1880 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe35⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2000 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe36⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2520 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe37⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2588 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe38⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2016 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe39⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3048 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe40⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1980 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe41⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1976 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe42⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3008 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3004 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe44⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2084 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe45⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2092 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe46⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1204 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe47⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2196 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe48⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2140 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe49⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2376 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe50⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2936 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe51⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2920 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe52⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2904 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe53⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1084 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe54⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1412 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe55⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1832 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe56⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:952 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe57⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1608 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe58⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1720 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe59⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2324 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe60⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:888 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1988 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe62⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:1320 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe63⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:796 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe64⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2156 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe65⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe66⤵PID:1436
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe67⤵PID:2288
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe68⤵PID:1148
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe69⤵PID:2036
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe70⤵PID:2388
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe71⤵PID:2020
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe72⤵PID:1964
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe73⤵
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe74⤵PID:2744
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe75⤵PID:1728
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe76⤵PID:2124
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe77⤵PID:2120
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe78⤵
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe79⤵PID:996
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe80⤵PID:1892
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe81⤵PID:2476
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe82⤵PID:2984
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe83⤵PID:2112
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe84⤵PID:1644
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe85⤵PID:876
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe86⤵PID:1060
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe87⤵PID:304
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe88⤵PID:1760
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe89⤵PID:1488
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe90⤵
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe91⤵PID:2972
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe92⤵PID:3016
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe93⤵PID:1324
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe94⤵PID:2060
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe95⤵PID:1596
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe96⤵PID:1064
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe97⤵PID:2480
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe98⤵PID:1408
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe99⤵PID:2268
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe100⤵PID:2292
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe101⤵PID:2680
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe102⤵PID:2832
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe103⤵PID:2864
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe104⤵PID:2684
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe105⤵PID:2860
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe106⤵PID:2136
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe107⤵PID:2752
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe108⤵PID:2636
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe109⤵PID:2604
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe110⤵PID:2544
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe111⤵PID:2580
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe112⤵PID:2064
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe113⤵PID:3068
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe114⤵PID:568
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe115⤵PID:2080
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe116⤵PID:1104
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe117⤵PID:2788
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe118⤵PID:980
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe119⤵PID:3080
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe120⤵PID:3092
-
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe121⤵
- Drops file in System32 directory
PID:3104 -
C:\Windows\SysWOW64\RAVTLMON.exeC:\Windows\system32\RAVTLMON.exe122⤵PID:3116