Analysis

max time kernel: 149s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 16-08-2024 22:24

Static task: static1

Behavioral task: behavioral1
Sample: a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Resource: win10v2004-20240802-en

General

Target: a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Size: 252KB
MD5: a02b961480e8b7fc9313c6e2ae480442
SHA1: fa6243f289015a1a78a5fd28f3eba56d07c33f6b
SHA256: be090c085eab0d51085dbb9f2db28a5f117351ebb980b372efc2ce2cf419b120
SHA512: c721a7eb719be9b57716f9ab739a65cf89bf88db2681964017a41c84fc734954b1d87b30881631f355f82c2dab1dff3d209d078e490960dc0e1691c6d1505792
SSDEEP: 6144:b1Wj/JCXHjMc5qKeMuFFKN0jb2ZlhdBJVjY/eRUExoJyOYHB7qY8zIK0GznuAXyk:pWj
Malware Config
Signatures
Detects Andromeda payload. 2 IoCs
resource | yara_rule
behavioral2/memory/3152-18-0x00000000009F0000-0x00000000009F5000-memory.dmp | family_andromeda
behavioral2/memory/3152-43-0x00000000009F0000-0x00000000009F5000-memory.dmp | family_andromeda
Adds policy Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\54572 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msemxwub.com" | svchost.exe
Executes dropped EXE 29 IoCs
pid | Process
2800 | 49662594.exe
4300 | 49662594.exe
2384 | 49662594.exe
1932 | 49662594.exe
3256 | 49662594.exe
4748 | 49662594.exe
2772 | 49662594.exe
2556 | 49662594.exe
976 | 49662594.exe
744 | 49662594.exe
2308 | 49662594.exe
3780 | 49662594.exe
4288 | 49662594.exe
1288 | 49662594.exe
2976 | 49662594.exe
2240 | 49662594.exe
2260 | 49662594.exe
2220 | 49662594.exe
624 | 49662594.exe
4216 | 49662594.exe
4984 | 49662594.exe
884 | 49662594.exe
3028 | 49662594.exe
3192 | 49662594.exe
2868 | 49662594.exe
3864 | 49662594.exe
3920 | 49662594.exe
3928 | 49662594.exe
4972 | 49662594.exe
Maps connected drives based on registry 3 TTPs 58 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum | 49662594.exe
Suspicious use of SetThreadContext 58 IoCs
description | pid | Process | procid_target
PID 2396 set thread context of 2800 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 91
PID 2396 set thread context of 4456 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 92
PID 2396 set thread context of 4300 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 98
PID 2396 set thread context of 3468 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 99
PID 2396 set thread context of 2384 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 101
PID 2396 set thread context of 4996 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 102
PID 2396 set thread context of 1932 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 105
PID 2396 set thread context of 3552 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 106
PID 2396 set thread context of 3256 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 113
PID 2396 set thread context of 1728 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 114
PID 2396 set thread context of 4748 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 118
PID 2396 set thread context of 3432 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 119
PID 2396 set thread context of 2772 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 122
PID 2396 set thread context of 636 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 123
PID 2396 set thread context of 2556 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 125
PID 2396 set thread context of 1968 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 126
PID 2396 set thread context of 976 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 130
PID 2396 set thread context of 1324 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 131
PID 2396 set thread context of 744 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 133
PID 2396 set thread context of 3232 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 134
PID 2396 set thread context of 2308 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 136
PID 2396 set thread context of 4668 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 137
PID 2396 set thread context of 3780 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 139
PID 2396 set thread context of 2528 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 140
PID 2396 set thread context of 4288 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 142
PID 2396 set thread context of 1336 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 143
PID 2396 set thread context of 1288 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 145
PID 2396 set thread context of 1916 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 146
PID 2396 set thread context of 2976 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 149
PID 2396 set thread context of 4540 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 150
PID 2396 set thread context of 2240 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 152
PID 2396 set thread context of 1744 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 153
PID 2396 set thread context of 2260 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 155
PID 2396 set thread context of 2568 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 156
PID 2396 set thread context of 2220 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 158
PID 2396 set thread context of 764 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 159
PID 2396 set thread context of 624 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 161
PID 2396 set thread context of 2148 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 162
PID 2396 set thread context of 4216 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 164
PID 2396 set thread context of 2992 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 165
PID 2396 set thread context of 4984 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 167
PID 2396 set thread context of 1508 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 168
PID 2396 set thread context of 884 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 178
PID 2396 set thread context of 416 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 179
PID 2396 set thread context of 3028 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 181
PID 2396 set thread context of 1552 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 182
PID 2396 set thread context of 3192 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 184
PID 2396 set thread context of 2604 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 185
PID 2396 set thread context of 2868 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 187
PID 2396 set thread context of 4476 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 188
PID 2396 set thread context of 3864 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 190
PID 2396 set thread context of 1948 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 191
PID 2396 set thread context of 3920 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 193
PID 2396 set thread context of 1804 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 194
PID 2396 set thread context of 3928 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 199
PID 2396 set thread context of 3436 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 200
PID 2396 set thread context of 4972 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 202
PID 2396 set thread context of 3132 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 203
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File created | C:\PROGRA~3\LOCALS~1\Temp\msemxwub.com | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 49662594.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Suspicious behavior: EnumeratesProcesses 58 IoCs
pid | Process
2800 | 49662594.exe
2800 | 49662594.exe
4300 | 49662594.exe
4300 | 49662594.exe
2384 | 49662594.exe
2384 | 49662594.exe
1932 | 49662594.exe
1932 | 49662594.exe
3256 | 49662594.exe
3256 | 49662594.exe
4748 | 49662594.exe
4748 | 49662594.exe
2772 | 49662594.exe
2772 | 49662594.exe
2556 | 49662594.exe
2556 | 49662594.exe
976 | 49662594.exe
976 | 49662594.exe
744 | 49662594.exe
744 | 49662594.exe
2308 | 49662594.exe
2308 | 49662594.exe
3780 | 49662594.exe
3780 | 49662594.exe
4288 | 49662594.exe
4288 | 49662594.exe
1288 | 49662594.exe
1288 | 49662594.exe
2976 | 49662594.exe
2976 | 49662594.exe
2240 | 49662594.exe
2240 | 49662594.exe
2260 | 49662594.exe
2260 | 49662594.exe
2220 | 49662594.exe
2220 | 49662594.exe
624 | 49662594.exe
624 | 49662594.exe
4216 | 49662594.exe
4216 | 49662594.exe
4984 | 49662594.exe
4984 | 49662594.exe
884 | 49662594.exe
884 | 49662594.exe
3028 | 49662594.exe
3028 | 49662594.exe
3192 | 49662594.exe
3192 | 49662594.exe
2868 | 49662594.exe
2868 | 49662594.exe
3864 | 49662594.exe
3864 | 49662594.exe
3920 | 49662594.exe
3920 | 49662594.exe
3928 | 49662594.exe
3928 | 49662594.exe
4972 | 49662594.exe
4972 | 49662594.exe
Suspicious behavior: MapViewOfSection 58 IoCs
pid | Process
2800 | 49662594.exe
2800 | 49662594.exe
4300 | 49662594.exe
4300 | 49662594.exe
2384 | 49662594.exe
2384 | 49662594.exe
1932 | 49662594.exe
1932 | 49662594.exe
3256 | 49662594.exe
3256 | 49662594.exe
4748 | 49662594.exe
4748 | 49662594.exe
2772 | 49662594.exe
2772 | 49662594.exe
2556 | 49662594.exe
2556 | 49662594.exe
976 | 49662594.exe
976 | 49662594.exe
744 | 49662594.exe
744 | 49662594.exe
2308 | 49662594.exe
2308 | 49662594.exe
3780 | 49662594.exe
3780 | 49662594.exe
4288 | 49662594.exe
4288 | 49662594.exe
1288 | 49662594.exe
1288 | 49662594.exe
2976 | 49662594.exe
2976 | 49662594.exe
2240 | 49662594.exe
2240 | 49662594.exe
2260 | 49662594.exe
2260 | 49662594.exe
2220 | 49662594.exe
2220 | 49662594.exe
624 | 49662594.exe
624 | 49662594.exe
4216 | 49662594.exe
4216 | 49662594.exe
4984 | 49662594.exe
4984 | 49662594.exe
884 | 49662594.exe
884 | 49662594.exe
3028 | 49662594.exe
3028 | 49662594.exe
3192 | 49662594.exe
3192 | 49662594.exe
2868 | 49662594.exe
2868 | 49662594.exe
3864 | 49662594.exe
3864 | 49662594.exe
3920 | 49662594.exe
3920 | 49662594.exe
3928 | 49662594.exe
3928 | 49662594.exe
4972 | 49662594.exe
4972 | 49662594.exe
Suspicious use of SetWindowsHookEx 30 IoCs
pid | Process
2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
4456 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
3468 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
4996 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
3552 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1728 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
3432 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
636 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1968 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1324 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
3232 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
4668 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2528 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1336 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1916 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
4540 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1744 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2568 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
764 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2148 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2992 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1508 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
416 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1552 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
2604 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
4476 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1948 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
1804 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
3436 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
3132 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2396 wrote to memory of 2800 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 91
PID 2396 wrote to memory of 2800 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 91
PID 2396 wrote to memory of 2800 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 91
PID 2396 wrote to memory of 2800 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 91
PID 2396 wrote to memory of 2800 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 91
PID 2396 wrote to memory of 2800 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 91
PID 2396 wrote to memory of 4456 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 92
PID 2396 wrote to memory of 4456 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 92
PID 2396 wrote to memory of 4456 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 92
PID 2396 wrote to memory of 4456 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 92
PID 2396 wrote to memory of 4456 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 92
PID 2396 wrote to memory of 4456 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 92
PID 2396 wrote to memory of 4456 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 92
PID 2396 wrote to memory of 4456 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 92
PID 2800 wrote to memory of 3152 | 2800 | 49662594.exe | 93
PID 2800 wrote to memory of 3152 | 2800 | 49662594.exe | 93
PID 2800 wrote to memory of 3152 | 2800 | 49662594.exe | 93
PID 2396 wrote to memory of 4300 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 98
PID 2396 wrote to memory of 4300 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 98
PID 2396 wrote to memory of 4300 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 98
PID 2396 wrote to memory of 4300 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 98
PID 2396 wrote to memory of 4300 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 98
PID 2396 wrote to memory of 4300 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 98
PID 2396 wrote to memory of 3468 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 99
PID 2396 wrote to memory of 3468 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 99
PID 2396 wrote to memory of 3468 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 99
PID 2396 wrote to memory of 3468 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 99
PID 2396 wrote to memory of 3468 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 99
PID 2396 wrote to memory of 3468 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 99
PID 2396 wrote to memory of 3468 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 99
PID 2396 wrote to memory of 3468 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 99
PID 4300 wrote to memory of 1428 | 4300 | 49662594.exe | 100
PID 4300 wrote to memory of 1428 | 4300 | 49662594.exe | 100
PID 4300 wrote to memory of 1428 | 4300 | 49662594.exe | 100
PID 2396 wrote to memory of 2384 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 101
PID 2396 wrote to memory of 2384 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 101
PID 2396 wrote to memory of 2384 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 101
PID 2396 wrote to memory of 2384 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 101
PID 2396 wrote to memory of 2384 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 101
PID 2396 wrote to memory of 2384 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 101
PID 2396 wrote to memory of 4996 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 102
PID 2396 wrote to memory of 4996 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 102
PID 2396 wrote to memory of 4996 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 102
PID 2396 wrote to memory of 4996 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 102
PID 2396 wrote to memory of 4996 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 102
PID 2396 wrote to memory of 4996 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 102
PID 2396 wrote to memory of 4996 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 102
PID 2396 wrote to memory of 4996 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 102
PID 2384 wrote to memory of 4976 | 2384 | 49662594.exe | 103
PID 2384 wrote to memory of 4976 | 2384 | 49662594.exe | 103
PID 2384 wrote to memory of 4976 | 2384 | 49662594.exe | 103
PID 2396 wrote to memory of 1932 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 105
PID 2396 wrote to memory of 1932 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 105
PID 2396 wrote to memory of 1932 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 105
PID 2396 wrote to memory of 1932 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 105
PID 2396 wrote to memory of 1932 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 105
PID 2396 wrote to memory of 1932 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 105
PID 2396 wrote to memory of 3552 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 106
PID 2396 wrote to memory of 3552 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 106
PID 2396 wrote to memory of 3552 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 106
PID 2396 wrote to memory of 3552 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 106
PID 2396 wrote to memory of 3552 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 106
PID 2396 wrote to memory of 3552 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 106
PID 2396 wrote to memory of 3552 | 2396 | a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe | 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\syswow64\svchost.exe3⤵
- Adds policy Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3152
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - Suspicious use of SetWindowsHookEx
  PID:4456
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4300
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:1428
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3468
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2384
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:4976
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - Suspicious use of SetWindowsHookEx
  PID:4996
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1932
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:536
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3552
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3256
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:5076
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1728
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4748
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:224
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3432
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2772
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:1636
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - Suspicious use of SetWindowsHookEx
  PID:636
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2556
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:4384
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1968
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:976
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:2576
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1324
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:744
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:3992
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3232
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2308
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:2980
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4668
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3780
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    PID:4504
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - Suspicious use of SetWindowsHookEx
  PID:2528
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4288
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:3316
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1336
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1288
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    PID:1948
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - Suspicious use of SetWindowsHookEx
  PID:1916
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2976
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    PID:728
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4540
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2240
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:2064
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - Suspicious use of SetWindowsHookEx
  PID:1744
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2260
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    PID:4256
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - Suspicious use of SetWindowsHookEx
  PID:2568
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2220
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:4704
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:764
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:624
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:2904
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - Suspicious use of SetWindowsHookEx
  PID:2148
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4216
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:4848
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2992
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4984
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    PID:4272
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1508
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:884
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:4516
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:416
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3028
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:4276
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1552
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3192
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:532
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2604
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2868
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:4676
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4476
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3864
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:4516
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1948
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3920
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:2928
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1804
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3928
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:2228
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - Suspicious use of SetWindowsHookEx
  PID:3436
[depth 2] C:\Users\Admin\AppData\Roaming\49662594\49662594.exe
  Command line: "C:\Users\Admin\AppData\Roaming\49662594\49662594.exe"
  - Executes dropped EXE
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4972
  [depth 3] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\syswow64\svchost.exe
    - System Location Discovery: System Language Discovery
    PID:2908
[depth 2] C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a02b961480e8b7fc9313c6e2ae480442_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3132
[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
  PID:2408
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 252KB
  MD5: a02b961480e8b7fc9313c6e2ae480442
  SHA1: fa6243f289015a1a78a5fd28f3eba56d07c33f6b
  SHA256: be090c085eab0d51085dbb9f2db28a5f117351ebb980b372efc2ce2cf419b120
  SHA512: c721a7eb719be9b57716f9ab739a65cf89bf88db2681964017a41c84fc734954b1d87b30881631f355f82c2dab1dff3d209d078e490960dc0e1691c6d1505792