metasploit | 1f4b3f0512bea37cab96565fe336363c7d0f10261510aca157cddfb1684bc566

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-09-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
Size

193KB
MD5

f34361ec2b5f66bdc4569591a444d556
SHA1

66fe2e16bba3e729a02e657df7a70884de61e410
SHA256

1f4b3f0512bea37cab96565fe336363c7d0f10261510aca157cddfb1684bc566
SHA512

ad4e0067d94d241c3d3f97af1b3c09ed3e2f6a408c9a017a2a2dd947145f48da552235700b9db710799d5148c9e68fb2eb95abbb201f743826b7151116da7d38
SSDEEP

6144:Jy77SwIUtvbXC7ONW2EjFbnWViSNjjDA5:M7SdU4i6ZWRNj45

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Deletes itself 1 IoCs

pid	Process
2780	CtDrvDxh.exe

Executes dropped EXE 64 IoCs

pid	Process
2364	CtDrvDxh.exe
2780	CtDrvDxh.exe
2768	CtDrvDxh.exe
2636	CtDrvDxh.exe
1708	CtDrvDxh.exe
1264	CtDrvDxh.exe
2996	CtDrvDxh.exe
2844	CtDrvDxh.exe
2728	CtDrvDxh.exe
2268	CtDrvDxh.exe
996	CtDrvDxh.exe
2348	CtDrvDxh.exe
1348	CtDrvDxh.exe
2188	CtDrvDxh.exe
984	CtDrvDxh.exe
744	CtDrvDxh.exe
860	CtDrvDxh.exe
768	CtDrvDxh.exe
2608	CtDrvDxh.exe
2420	CtDrvDxh.exe
2272	CtDrvDxh.exe
2736	CtDrvDxh.exe
2912	CtDrvDxh.exe
2664	CtDrvDxh.exe
1760	CtDrvDxh.exe
2836	CtDrvDxh.exe
2840	CtDrvDxh.exe
2996	CtDrvDxh.exe
1260	CtDrvDxh.exe
2072	CtDrvDxh.exe
2984	CtDrvDxh.exe
948	CtDrvDxh.exe
956	CtDrvDxh.exe
1304	CtDrvDxh.exe
2084	CtDrvDxh.exe
2540	CtDrvDxh.exe
2276	CtDrvDxh.exe
1624	CtDrvDxh.exe
2424	CtDrvDxh.exe
1316	CtDrvDxh.exe
1736	CtDrvDxh.exe
1740	CtDrvDxh.exe
544	CtDrvDxh.exe
2896	CtDrvDxh.exe
2892	CtDrvDxh.exe
2688	CtDrvDxh.exe
2676	CtDrvDxh.exe
1324	CtDrvDxh.exe
2812	CtDrvDxh.exe
2400	CtDrvDxh.exe
1040	CtDrvDxh.exe
2728	CtDrvDxh.exe
348	CtDrvDxh.exe
996	CtDrvDxh.exe
2528	CtDrvDxh.exe
932	CtDrvDxh.exe
828	CtDrvDxh.exe
792	CtDrvDxh.exe
2244	CtDrvDxh.exe
592	CtDrvDxh.exe
2408	CtDrvDxh.exe
668	CtDrvDxh.exe
876	CtDrvDxh.exe
2968	CtDrvDxh.exe

Loads dropped DLL 64 IoCs

pid	Process
3000	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
3000	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
2364	CtDrvDxh.exe
2780	CtDrvDxh.exe
2780	CtDrvDxh.exe
2636	CtDrvDxh.exe
2636	CtDrvDxh.exe
1264	CtDrvDxh.exe
1264	CtDrvDxh.exe
2844	CtDrvDxh.exe
2844	CtDrvDxh.exe
2268	CtDrvDxh.exe
2268	CtDrvDxh.exe
2348	CtDrvDxh.exe
2348	CtDrvDxh.exe
2188	CtDrvDxh.exe
2188	CtDrvDxh.exe
744	CtDrvDxh.exe
744	CtDrvDxh.exe
768	CtDrvDxh.exe
768	CtDrvDxh.exe
2420	CtDrvDxh.exe
2420	CtDrvDxh.exe
2736	CtDrvDxh.exe
2736	CtDrvDxh.exe
2664	CtDrvDxh.exe
2664	CtDrvDxh.exe
2836	CtDrvDxh.exe
2836	CtDrvDxh.exe
2996	CtDrvDxh.exe
2996	CtDrvDxh.exe
2072	CtDrvDxh.exe
2072	CtDrvDxh.exe
948	CtDrvDxh.exe
948	CtDrvDxh.exe
1304	CtDrvDxh.exe
1304	CtDrvDxh.exe
2540	CtDrvDxh.exe
2540	CtDrvDxh.exe
1624	CtDrvDxh.exe
1624	CtDrvDxh.exe
1316	CtDrvDxh.exe
1316	CtDrvDxh.exe
1740	CtDrvDxh.exe
1740	CtDrvDxh.exe
2896	CtDrvDxh.exe
2896	CtDrvDxh.exe
2688	CtDrvDxh.exe
2688	CtDrvDxh.exe
1324	CtDrvDxh.exe
1324	CtDrvDxh.exe
2400	CtDrvDxh.exe
2400	CtDrvDxh.exe
2728	CtDrvDxh.exe
2728	CtDrvDxh.exe
996	CtDrvDxh.exe
996	CtDrvDxh.exe
932	CtDrvDxh.exe
932	CtDrvDxh.exe
792	CtDrvDxh.exe
792	CtDrvDxh.exe
592	CtDrvDxh.exe
592	CtDrvDxh.exe
668	CtDrvDxh.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvDxh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe
File created	C:\Windows\SysWOW64\CtDrvDxh.exe	CtDrvDxh.exe

Suspicious use of SetThreadContext 49 IoCs

description	pid	Process	procid_target
PID 3056 set thread context of 3000	3056	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	30
PID 2364 set thread context of 2780	2364	CtDrvDxh.exe	32
PID 2768 set thread context of 2636	2768	CtDrvDxh.exe	34
PID 1708 set thread context of 1264	1708	CtDrvDxh.exe	36
PID 2996 set thread context of 2844	2996	CtDrvDxh.exe	38
PID 2728 set thread context of 2268	2728	CtDrvDxh.exe	41
PID 996 set thread context of 2348	996	CtDrvDxh.exe	43
PID 1348 set thread context of 2188	1348	CtDrvDxh.exe	45
PID 984 set thread context of 744	984	CtDrvDxh.exe	47
PID 860 set thread context of 768	860	CtDrvDxh.exe	49
PID 2608 set thread context of 2420	2608	CtDrvDxh.exe	51
PID 2272 set thread context of 2736	2272	CtDrvDxh.exe	53
PID 2912 set thread context of 2664	2912	CtDrvDxh.exe	55
PID 1760 set thread context of 2836	1760	CtDrvDxh.exe	57
PID 2840 set thread context of 2996	2840	CtDrvDxh.exe	59
PID 1260 set thread context of 2072	1260	CtDrvDxh.exe	61
PID 2984 set thread context of 948	2984	CtDrvDxh.exe	63
PID 956 set thread context of 1304	956	CtDrvDxh.exe	65
PID 2084 set thread context of 2540	2084	CtDrvDxh.exe	67
PID 2276 set thread context of 1624	2276	CtDrvDxh.exe	69
PID 2424 set thread context of 1316	2424	CtDrvDxh.exe	71
PID 1736 set thread context of 1740	1736	CtDrvDxh.exe	73
PID 544 set thread context of 2896	544	CtDrvDxh.exe	75
PID 2892 set thread context of 2688	2892	CtDrvDxh.exe	77
PID 2676 set thread context of 1324	2676	CtDrvDxh.exe	79
PID 2812 set thread context of 2400	2812	CtDrvDxh.exe	81
PID 1040 set thread context of 2728	1040	CtDrvDxh.exe	83
PID 348 set thread context of 996	348	CtDrvDxh.exe	85
PID 2528 set thread context of 932	2528	CtDrvDxh.exe	87
PID 828 set thread context of 792	828	CtDrvDxh.exe	89
PID 2244 set thread context of 592	2244	CtDrvDxh.exe	91
PID 2408 set thread context of 668	2408	CtDrvDxh.exe	93
PID 876 set thread context of 2968	876	CtDrvDxh.exe	95
PID 1996 set thread context of 2908	1996	CtDrvDxh.exe	97
PID 2412 set thread context of 2184	2412	CtDrvDxh.exe	99
PID 1992 set thread context of 1484	1992	CtDrvDxh.exe	101
PID 2820 set thread context of 2864	2820	CtDrvDxh.exe	103
PID 924 set thread context of 2856	924	CtDrvDxh.exe	105
PID 1488 set thread context of 1308	1488	CtDrvDxh.exe	107
PID 3048 set thread context of 304	3048	CtDrvDxh.exe	109
PID 1712 set thread context of 884	1712	CtDrvDxh.exe	111
PID 2032 set thread context of 2208	2032	CtDrvDxh.exe	113
PID 2100 set thread context of 2240	2100	CtDrvDxh.exe	115
PID 1548 set thread context of 2232	1548	CtDrvDxh.exe	117
PID 2148 set thread context of 2760	2148	CtDrvDxh.exe	119
PID 2580 set thread context of 2656	2580	CtDrvDxh.exe	121
PID 2696 set thread context of 2940	2696	CtDrvDxh.exe	123
PID 1872 set thread context of 552	1872	CtDrvDxh.exe	125
PID 2044 set thread context of 2360	2044	CtDrvDxh.exe	127

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3000-4-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/3000-14-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/3000-13-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/3000-12-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/3000-6-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/3000-2-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/3000-16-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/3000-15-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/3000-30-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2780-43-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2780-42-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2780-45-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2780-44-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2780-49-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2636-61-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2636-62-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2636-63-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2636-64-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2636-70-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1264-82-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1264-90-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2844-102-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2844-109-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2268-129-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2348-143-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2348-149-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2188-168-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/744-182-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/744-188-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/768-200-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/768-207-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2420-222-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2420-227-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2736-239-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2736-248-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2664-258-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2664-268-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2836-282-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2836-285-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2996-295-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2996-301-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2072-314-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2072-317-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/948-328-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/948-333-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1304-343-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1304-349-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2540-362-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2540-365-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1624-376-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1624-381-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1316-392-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1316-397-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1740-407-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1740-413-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2896-426-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2896-429-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2688-444-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1324-457-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1324-460-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2400-473-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2400-476-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2728-487-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2728-492-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvDxh.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
3000	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
2780	CtDrvDxh.exe
2636	CtDrvDxh.exe
1264	CtDrvDxh.exe
2844	CtDrvDxh.exe
2268	CtDrvDxh.exe
2348	CtDrvDxh.exe
2188	CtDrvDxh.exe
744	CtDrvDxh.exe
768	CtDrvDxh.exe
2420	CtDrvDxh.exe
2736	CtDrvDxh.exe
2664	CtDrvDxh.exe
2836	CtDrvDxh.exe
2996	CtDrvDxh.exe
2072	CtDrvDxh.exe
948	CtDrvDxh.exe
1304	CtDrvDxh.exe
2540	CtDrvDxh.exe
1624	CtDrvDxh.exe
1316	CtDrvDxh.exe
1740	CtDrvDxh.exe
2896	CtDrvDxh.exe
2688	CtDrvDxh.exe
1324	CtDrvDxh.exe
2400	CtDrvDxh.exe
2728	CtDrvDxh.exe
996	CtDrvDxh.exe
932	CtDrvDxh.exe
792	CtDrvDxh.exe
592	CtDrvDxh.exe
668	CtDrvDxh.exe
2968	CtDrvDxh.exe
2908	CtDrvDxh.exe
2184	CtDrvDxh.exe
1484	CtDrvDxh.exe
2864	CtDrvDxh.exe
2856	CtDrvDxh.exe
1308	CtDrvDxh.exe
304	CtDrvDxh.exe
884	CtDrvDxh.exe
2208	CtDrvDxh.exe
2240	CtDrvDxh.exe
2232	CtDrvDxh.exe
2760	CtDrvDxh.exe
2656	CtDrvDxh.exe
2940	CtDrvDxh.exe
552	CtDrvDxh.exe
2360	CtDrvDxh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 3000	3056	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	30
PID 3056 wrote to memory of 3000	3056	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	30
PID 3056 wrote to memory of 3000	3056	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	30
PID 3056 wrote to memory of 3000	3056	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	30
PID 3056 wrote to memory of 3000	3056	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	30
PID 3056 wrote to memory of 3000	3056	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	30
PID 3056 wrote to memory of 3000	3056	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	30
PID 3056 wrote to memory of 3000	3056	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	30
PID 3000 wrote to memory of 2364	3000	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	31
PID 3000 wrote to memory of 2364	3000	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	31
PID 3000 wrote to memory of 2364	3000	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	31
PID 3000 wrote to memory of 2364	3000	f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe	31
PID 2364 wrote to memory of 2780	2364	CtDrvDxh.exe	32
PID 2364 wrote to memory of 2780	2364	CtDrvDxh.exe	32
PID 2364 wrote to memory of 2780	2364	CtDrvDxh.exe	32
PID 2364 wrote to memory of 2780	2364	CtDrvDxh.exe	32
PID 2364 wrote to memory of 2780	2364	CtDrvDxh.exe	32
PID 2364 wrote to memory of 2780	2364	CtDrvDxh.exe	32
PID 2364 wrote to memory of 2780	2364	CtDrvDxh.exe	32
PID 2364 wrote to memory of 2780	2364	CtDrvDxh.exe	32
PID 2780 wrote to memory of 2768	2780	CtDrvDxh.exe	33
PID 2780 wrote to memory of 2768	2780	CtDrvDxh.exe	33
PID 2780 wrote to memory of 2768	2780	CtDrvDxh.exe	33
PID 2780 wrote to memory of 2768	2780	CtDrvDxh.exe	33
PID 2768 wrote to memory of 2636	2768	CtDrvDxh.exe	34
PID 2768 wrote to memory of 2636	2768	CtDrvDxh.exe	34
PID 2768 wrote to memory of 2636	2768	CtDrvDxh.exe	34
PID 2768 wrote to memory of 2636	2768	CtDrvDxh.exe	34
PID 2768 wrote to memory of 2636	2768	CtDrvDxh.exe	34
PID 2768 wrote to memory of 2636	2768	CtDrvDxh.exe	34
PID 2768 wrote to memory of 2636	2768	CtDrvDxh.exe	34
PID 2768 wrote to memory of 2636	2768	CtDrvDxh.exe	34
PID 2636 wrote to memory of 1708	2636	CtDrvDxh.exe	35
PID 2636 wrote to memory of 1708	2636	CtDrvDxh.exe	35
PID 2636 wrote to memory of 1708	2636	CtDrvDxh.exe	35
PID 2636 wrote to memory of 1708	2636	CtDrvDxh.exe	35
PID 1708 wrote to memory of 1264	1708	CtDrvDxh.exe	36
PID 1708 wrote to memory of 1264	1708	CtDrvDxh.exe	36
PID 1708 wrote to memory of 1264	1708	CtDrvDxh.exe	36
PID 1708 wrote to memory of 1264	1708	CtDrvDxh.exe	36
PID 1708 wrote to memory of 1264	1708	CtDrvDxh.exe	36
PID 1708 wrote to memory of 1264	1708	CtDrvDxh.exe	36
PID 1708 wrote to memory of 1264	1708	CtDrvDxh.exe	36
PID 1708 wrote to memory of 1264	1708	CtDrvDxh.exe	36
PID 1264 wrote to memory of 2996	1264	CtDrvDxh.exe	37
PID 1264 wrote to memory of 2996	1264	CtDrvDxh.exe	37
PID 1264 wrote to memory of 2996	1264	CtDrvDxh.exe	37
PID 1264 wrote to memory of 2996	1264	CtDrvDxh.exe	37
PID 2996 wrote to memory of 2844	2996	CtDrvDxh.exe	38
PID 2996 wrote to memory of 2844	2996	CtDrvDxh.exe	38
PID 2996 wrote to memory of 2844	2996	CtDrvDxh.exe	38
PID 2996 wrote to memory of 2844	2996	CtDrvDxh.exe	38
PID 2996 wrote to memory of 2844	2996	CtDrvDxh.exe	38
PID 2996 wrote to memory of 2844	2996	CtDrvDxh.exe	38
PID 2996 wrote to memory of 2844	2996	CtDrvDxh.exe	38
PID 2996 wrote to memory of 2844	2996	CtDrvDxh.exe	38
PID 2844 wrote to memory of 2728	2844	CtDrvDxh.exe	40
PID 2844 wrote to memory of 2728	2844	CtDrvDxh.exe	40
PID 2844 wrote to memory of 2728	2844	CtDrvDxh.exe	40
PID 2844 wrote to memory of 2728	2844	CtDrvDxh.exe	40
PID 2728 wrote to memory of 2268	2728	CtDrvDxh.exe	41
PID 2728 wrote to memory of 2268	2728	CtDrvDxh.exe	41
PID 2728 wrote to memory of 2268	2728	CtDrvDxh.exe	41
PID 2728 wrote to memory of 2268	2728	CtDrvDxh.exe	41

C:\Users\Admin\AppData\Local\Temp\f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f34361ec2b5f66bdc4569591a444d556_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\CtDrvDxh.exe
    "C:\Windows\system32\CtDrvDxh.exe" C:\Users\Admin\AppData\Local\Temp\F34361~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\CtDrvDxh.exe
      "C:\Windows\system32\CtDrvDxh.exe" C:\Users\Admin\AppData\Local\Temp\F34361~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2268
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:996
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2348
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2188
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:984
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:744
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:768
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2608
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2272
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2736
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2912
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2664
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2836
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2996
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1260
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2072
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2984
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:948
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:956
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1304
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2540
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2276
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1316
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1740
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2896
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2676
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1324
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2400
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1040
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2728
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:348
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:996
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2528
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:932
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:792
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2244
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:592
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:668
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:876
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2968
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        68⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2908
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        70⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2184
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        72⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1484
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        73⤵
        Suspicious use of SetThreadContext
        
        PID:2820
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        74⤵
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2864
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        76⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2856
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        77⤵
        Suspicious use of SetThreadContext
        
        PID:1488
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        78⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1308
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        79⤵
        Suspicious use of SetThreadContext
        
        PID:3048
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        80⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:304
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        82⤵
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:884
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        83⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        84⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2208
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        85⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        86⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2240
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        87⤵
        Suspicious use of SetThreadContext
        
        PID:1548
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        88⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        89⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        90⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2760
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        91⤵
        Suspicious use of SetThreadContext
        
        PID:2580
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        92⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        93⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2940
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        95⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        96⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:552
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        97⤵
        Suspicious use of SetThreadContext
        
        PID:2044
        
        C:\Windows\SysWOW64\CtDrvDxh.exe
        
        "C:\Windows\system32\CtDrvDxh.exe" C:\Windows\SysWOW64\CtDrvDxh.exe
        98⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\CtDrvDxh.exe

Filesize
193KB

MD5
f34361ec2b5f66bdc4569591a444d556

SHA1
66fe2e16bba3e729a02e657df7a70884de61e410

SHA256
1f4b3f0512bea37cab96565fe336363c7d0f10261510aca157cddfb1684bc566

SHA512
ad4e0067d94d241c3d3f97af1b3c09ed3e2f6a408c9a017a2a2dd947145f48da552235700b9db710799d5148c9e68fb2eb95abbb201f743826b7151116da7d38

Download Submit
memory/304-695-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/304-692-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/552-822-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/552-819-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/592-553-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/668-564-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/668-569-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/744-182-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/744-188-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/768-200-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/768-207-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/792-538-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/884-708-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/884-711-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/932-523-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/948-333-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/948-328-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/996-508-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/996-505-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1264-90-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1264-82-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1304-349-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1304-343-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1308-679-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1308-676-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1316-397-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1316-392-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1324-460-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1324-457-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1484-629-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1484-632-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1624-376-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1624-381-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1708-79-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1740-413-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1740-407-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2072-314-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2072-317-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2184-616-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2184-613-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2188-168-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2208-727-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2208-724-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2232-756-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2232-759-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2240-738-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2240-743-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2268-129-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2348-143-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2348-149-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2360-835-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2364-40-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2400-476-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2400-473-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2420-222-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2420-227-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2540-362-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2540-365-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2636-63-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2636-64-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2636-70-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2636-62-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2636-61-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2656-790-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2664-258-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2664-268-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2688-444-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2728-492-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2728-487-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2736-239-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2736-248-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2760-771-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2760-775-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2768-59-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2780-43-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2780-42-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2780-45-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2780-44-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2780-49-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2836-285-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2836-282-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2844-109-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2844-102-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2856-663-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2864-641-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2864-648-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2896-429-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2896-426-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2908-600-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2940-806-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2940-803-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2968-585-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2968-582-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2996-295-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2996-301-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3000-4-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3000-15-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3000-30-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3000-2-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3000-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3000-16-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3000-6-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3000-13-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3000-12-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3000-14-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3000-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3056-10-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download