Analysis
-
max time kernel
48s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20/10/2024, 05:28
Behavioral task
behavioral1
Sample
609697fba4402399e86da1e79536e86c_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
609697fba4402399e86da1e79536e86c_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
609697fba4402399e86da1e79536e86c_JaffaCakes118.exe
-
Size
123KB
-
MD5
609697fba4402399e86da1e79536e86c
-
SHA1
22718666ec8cdfe5c44c53eae03914975af3ad93
-
SHA256
779972f313c94c8e9dcd6b10910234c88595454bde125f9e649bac57a3a232ca
-
SHA512
5450d90a8c3b676c5690dc32a1b3d2ead9cd827a769f1d22f764b36986f71a271ec4b6c68b59332be1aeb856ef7a220a88154b87ce249e6e5c23330c96368852
-
SSDEEP
3072:sr85C8FhumEpJvOTpoZK7hxhJXq6GQhfH:k94UpJvgpoJB4
Malware Config
Signatures
-
Detect Neshta payload 64 IoCs
resource yara_rule behavioral2/files/0x0007000000023c89-13.dat family_neshta behavioral2/memory/1304-19-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3604-31-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/memory/5008-32-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1528-44-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/memory/3624-45-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/320-57-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/memory/4052-58-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/2352-62-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/memory/5052-70-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/files/0x000600000002021b-77.dat family_neshta behavioral2/files/0x0006000000020223-81.dat family_neshta behavioral2/files/0x0006000000020217-86.dat family_neshta behavioral2/memory/212-90-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/files/0x0001000000020299-106.dat family_neshta behavioral2/memory/2244-104-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/files/0x000400000002030e-120.dat family_neshta behavioral2/files/0x0006000000020232-122.dat family_neshta behavioral2/memory/5052-118-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/files/0x0001000000020294-117.dat family_neshta behavioral2/files/0x000400000002034d-115.dat family_neshta behavioral2/files/0x00010000000202ac-110.dat family_neshta behavioral2/memory/1016-124-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4564-135-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/memory/2244-137-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta 
behavioral2/files/0x000400000002033b-108.dat family_neshta behavioral2/files/0x000100000002022a-103.dat family_neshta behavioral2/files/0x000400000002033a-88.dat family_neshta behavioral2/memory/4732-138-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4564-142-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/memory/4048-151-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/files/0x0002000000020312-155.dat family_neshta behavioral2/files/0x00010000000225de-159.dat family_neshta behavioral2/files/0x00010000000214e0-169.dat family_neshta behavioral2/files/0x00010000000214df-167.dat family_neshta behavioral2/files/0x00010000000214e1-171.dat family_neshta behavioral2/files/0x0001000000022f7e-186.dat family_neshta behavioral2/memory/1828-191-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1732-213-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/files/0x0001000000016850-198.dat family_neshta behavioral2/files/0x00010000000167c6-193.dat family_neshta behavioral2/files/0x00010000000167c8-217.dat family_neshta behavioral2/files/0x0001000000016800-228.dat family_neshta behavioral2/files/0x00010000000167c0-234.dat family_neshta behavioral2/memory/4948-235-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/2928-247-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/files/0x00010000000167e5-240.dat family_neshta behavioral2/memory/3484-275-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3616-282-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/memory/3916-297-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/1748-307-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/memory/2200-309-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta 
behavioral2/memory/3252-318-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/memory/3968-332-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/2352-347-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/memory/3084-350-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4336-358-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/memory/4952-359-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4808-362-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/memory/1160-368-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/3716-376-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/memory/2192-377-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4812-384-0x0000000000400000-0x000000000041E000-memory.dmp family_neshta behavioral2/memory/4148-385-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Neshta
Malware from the Neshta family infects other files with copies of itself in order to spread and cause damage.
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control 
Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control 
Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control 
Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried 
\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 609697~1.EXE -
Executes dropped EXE 64 IoCs
pid Process 4048 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe 1304 svchost.com 3604 609697~1.EXE 5008 svchost.com 1528 609697~1.EXE 3624 svchost.com 320 609697~1.EXE 4052 svchost.com 2352 609697~1.EXE 212 svchost.com 5052 609697~1.EXE 1016 svchost.com 2244 609697~1.EXE 4732 svchost.com 4564 609697~1.EXE 1828 svchost.com 1732 609697~1.EXE 4948 svchost.com 2928 609697~1.EXE 3484 svchost.com 3616 609697~1.EXE 3916 svchost.com 1748 609697~1.EXE 2200 svchost.com 3252 609697~1.EXE 3968 svchost.com 2352 609697~1.EXE 3084 svchost.com 4336 609697~1.EXE 4952 svchost.com 4808 609697~1.EXE 1160 svchost.com 3716 609697~1.EXE 2192 svchost.com 4812 609697~1.EXE 4148 svchost.com 4468 609697~1.EXE 4388 svchost.com 1420 609697~1.EXE 4456 svchost.com 4444 609697~1.EXE 4236 svchost.com 1480 609697~1.EXE 4824 svchost.com 400 609697~1.EXE 1428 svchost.com 936 609697~1.EXE 2620 svchost.com 2712 609697~1.EXE 4612 svchost.com 2344 609697~1.EXE 5084 svchost.com 4352 609697~1.EXE 2708 svchost.com 3164 609697~1.EXE 1140 svchost.com 1712 609697~1.EXE 3192 svchost.com 4492 609697~1.EXE 4464 svchost.com 4540 609697~1.EXE 2244 svchost.com 792 609697~1.EXE 3452 svchost.com -
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe 
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe 
609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification 
C:\PROGRA~2\WINDOW~4\wmplayer.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification 
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 609697~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys 609697~1.EXE File opened for modification C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 609697~1.EXE File opened for modification C:\Windows\directx.sys 609697~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification 
C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 609697~1.EXE File opened for modification C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\directx.sys 609697~1.EXE File opened for modification C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 609697~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\directx.sys 609697~1.EXE File opened for modification C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 609697~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\svchost.com 609697~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys svchost.com File opened for modification 
C:\Windows\directx.sys 609697~1.EXE File opened for modification C:\Windows\svchost.com svchost.com File opened for modification C:\Windows\directx.sys 609697~1.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 609697~1.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 
609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key 
created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created 
\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings 609697~1.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2260 wrote to memory of 4048 2260 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe 85 PID 2260 wrote to memory of 4048 2260 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe 85 PID 2260 wrote to memory of 4048 2260 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe 85 PID 4048 wrote to memory of 1304 4048 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe 87 PID 4048 wrote to memory of 1304 4048 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe 87 PID 4048 wrote to memory of 1304 4048 609697fba4402399e86da1e79536e86c_JaffaCakes118.exe 87 PID 1304 wrote to memory of 3604 1304 svchost.com 88 PID 1304 wrote to memory of 3604 1304 svchost.com 88 PID 1304 wrote to memory of 3604 1304 svchost.com 88 PID 3604 wrote to memory of 5008 3604 609697~1.EXE 89 PID 3604 wrote to memory of 5008 3604 609697~1.EXE 89 PID 3604 wrote to memory of 5008 3604 609697~1.EXE 89 PID 5008 wrote to memory of 1528 5008 svchost.com 90 PID 5008 wrote to memory of 1528 5008 svchost.com 90 PID 5008 wrote to memory of 1528 5008 svchost.com 90 PID 1528 wrote to memory of 3624 1528 609697~1.EXE 91 PID 1528 wrote to memory of 3624 1528 609697~1.EXE 91 PID 1528 wrote to memory of 3624 1528 609697~1.EXE 91 PID 3624 wrote to memory of 320 3624 svchost.com 92 PID 3624 wrote to memory of 320 3624 svchost.com 92 PID 3624 wrote to memory of 320 3624 svchost.com 92 PID 320 wrote to memory of 4052 320 609697~1.EXE 93 PID 320 wrote to memory of 4052 320 609697~1.EXE 93 PID 320 wrote to memory of 4052 320 609697~1.EXE 93 PID 4052 wrote to memory of 2352 4052 svchost.com 113 PID 4052 wrote to memory of 2352 4052 svchost.com 113 PID 4052 wrote to memory of 2352 4052 svchost.com 113 PID 2352 wrote to memory of 212 2352 609697~1.EXE 95 PID 2352 wrote to memory of 212 2352 609697~1.EXE 95 PID 2352 wrote to memory of 212 2352 609697~1.EXE 95 PID 212 wrote to memory of 5052 212 svchost.com 96 PID 212 wrote to memory of 5052 212 svchost.com 96 PID 212 wrote to memory of 5052 
212 svchost.com 96 PID 5052 wrote to memory of 1016 5052 609697~1.EXE 97 PID 5052 wrote to memory of 1016 5052 609697~1.EXE 97 PID 5052 wrote to memory of 1016 5052 609697~1.EXE 97 PID 1016 wrote to memory of 2244 1016 svchost.com 152 PID 1016 wrote to memory of 2244 1016 svchost.com 152 PID 1016 wrote to memory of 2244 1016 svchost.com 152 PID 2244 wrote to memory of 4732 2244 609697~1.EXE 99 PID 2244 wrote to memory of 4732 2244 609697~1.EXE 99 PID 2244 wrote to memory of 4732 2244 609697~1.EXE 99 PID 4732 wrote to memory of 4564 4732 svchost.com 100 PID 4732 wrote to memory of 4564 4732 svchost.com 100 PID 4732 wrote to memory of 4564 4732 svchost.com 100 PID 4564 wrote to memory of 1828 4564 609697~1.EXE 102 PID 4564 wrote to memory of 1828 4564 609697~1.EXE 102 PID 4564 wrote to memory of 1828 4564 609697~1.EXE 102 PID 1828 wrote to memory of 1732 1828 svchost.com 103 PID 1828 wrote to memory of 1732 1828 svchost.com 103 PID 1828 wrote to memory of 1732 1828 svchost.com 103 PID 1732 wrote to memory of 4948 1732 609697~1.EXE 104 PID 1732 wrote to memory of 4948 1732 609697~1.EXE 104 PID 1732 wrote to memory of 4948 1732 609697~1.EXE 104 PID 4948 wrote to memory of 2928 4948 svchost.com 105 PID 4948 wrote to memory of 2928 4948 svchost.com 105 PID 4948 wrote to memory of 2928 4948 svchost.com 105 PID 2928 wrote to memory of 3484 2928 609697~1.EXE 106 PID 2928 wrote to memory of 3484 2928 609697~1.EXE 106 PID 2928 wrote to memory of 3484 2928 609697~1.EXE 106 PID 3484 wrote to memory of 3616 3484 svchost.com 107 PID 3484 wrote to memory of 3616 3484 svchost.com 107 PID 3484 wrote to memory of 3616 3484 svchost.com 107 PID 3616 wrote to memory of 3916 3616 609697~1.EXE 108
Processes
(Process tree. Note for analysts: `C:\Windows\svchost.com` in this tree is a file the sample dropped — each of its entries is tagged "Executes dropped EXE" — and is not the legitimate `svchost.exe` service host. Every re-launch of the payload below is routed through that `.com` file, which is consistent with the "Modifies system executable filetype association" behaviour recorded for the initial process, PID 2260. PIDs are reused later in the tree (e.g. 2352, 2244), so match entries by position, not by PID alone.)
-
C:\Users\Admin\AppData\Local\Temp\609697fba4402399e86da1e79536e86c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\609697fba4402399e86da1e79536e86c_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697fba4402399e86da1e79536e86c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\609697fba4402399e86da1e79536e86c_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE8⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"19⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"23⤵
- Executes dropped EXE
PID:3916 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE24⤵
- Executes dropped EXE
- Modifies registry class
PID:1748 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"25⤵
- Executes dropped EXE
PID:2200 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE26⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"27⤵
- Executes dropped EXE
PID:3968 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE28⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"29⤵
- Executes dropped EXE
PID:3084 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE30⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"31⤵
- Executes dropped EXE
PID:4952 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE32⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:4808 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"33⤵
- Executes dropped EXE
PID:1160 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE34⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:3716 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"35⤵
- Executes dropped EXE
PID:2192 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE36⤵
- Executes dropped EXE
PID:4812 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"37⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4148 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4468 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"39⤵
- Executes dropped EXE
PID:4388 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE40⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4456 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE42⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4444 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"43⤵
- Executes dropped EXE
PID:4236 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE44⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"45⤵
- Executes dropped EXE
PID:4824 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE46⤵
- Executes dropped EXE
PID:400 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"47⤵
- Executes dropped EXE
PID:1428 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE48⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:936 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE50⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:2712 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"51⤵
- Executes dropped EXE
PID:4612 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE52⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"53⤵
- Executes dropped EXE
PID:5084 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE54⤵
- Executes dropped EXE
- Modifies registry class
PID:4352 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"55⤵
- Executes dropped EXE
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE56⤵
- Executes dropped EXE
PID:3164 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"57⤵
- Executes dropped EXE
PID:1140 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE58⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"59⤵
- Executes dropped EXE
PID:3192 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE60⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"61⤵
- Executes dropped EXE
PID:4464 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE62⤵
- Checks computer location settings
- Executes dropped EXE
PID:4540 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"63⤵
- Executes dropped EXE
PID:2244 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE64⤵
- Executes dropped EXE
PID:792 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"65⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3452 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE66⤵
- Checks computer location settings
PID:4772 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"67⤵PID:532
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE68⤵
- Checks computer location settings
- Modifies registry class
PID:1920 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"69⤵
- System Location Discovery: System Language Discovery
PID:568 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE70⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3864 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"71⤵PID:4444
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE72⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3748 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"73⤵
- Drops file in Windows directory
PID:2024 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE74⤵
- Checks computer location settings
- Modifies registry class
PID:4372 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"75⤵PID:4260
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE76⤵PID:2184
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"77⤵PID:1084
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE78⤵PID:1368
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"79⤵PID:3556
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE80⤵
- Checks computer location settings
PID:2660 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"81⤵PID:3212
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE82⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1748 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"83⤵PID:1832
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE84⤵PID:1196
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"85⤵PID:4208
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE86⤵
- Modifies registry class
PID:3020 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"87⤵PID:2384
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE88⤵
- Drops file in Windows directory
PID:2776 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"89⤵PID:1136
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE90⤵PID:1716
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"91⤵
- System Location Discovery: System Language Discovery
PID:4540 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE92⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:3716 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"93⤵
- Drops file in Windows directory
PID:1288 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE94⤵
- Checks computer location settings
PID:3440 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"95⤵
- Drops file in Windows directory
PID:4912 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE96⤵
- Checks computer location settings
- Modifies registry class
PID:2616 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"97⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE98⤵PID:4516
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"99⤵PID:368
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE100⤵
- Modifies registry class
PID:756 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"101⤵PID:1172
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE102⤵
- Drops file in Windows directory
PID:1424 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"103⤵PID:4160
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE104⤵
- System Location Discovery: System Language Discovery
PID:3588 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"105⤵PID:2024
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE106⤵
- Drops file in Windows directory
- Modifies registry class
PID:1976 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"107⤵PID:1852
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE108⤵PID:936
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"109⤵PID:4800
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE110⤵PID:2184
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"111⤵PID:840
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE112⤵PID:1812
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"113⤵PID:1264
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE114⤵PID:2116
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"115⤵PID:60
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE116⤵
- Drops file in Windows directory
PID:3212 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"117⤵PID:4416
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE118⤵
- Modifies registry class
PID:4856 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"119⤵
- Drops file in Windows directory
PID:844 -
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE120⤵
- Modifies registry class
PID:3696 -
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE"121⤵PID:1592
-
C:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\609697~1.EXE122⤵PID:4592