latentbot | 516a16adb1641127e455c30ddb243c853057e5d0f5a2d7918a52e0e0ca570d33

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-10-2024 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
Size

712KB
MD5

65c7200faac8b0de62432214cc3a0629
SHA1

0ad44042ddcf2b9ad73a99fe6fecc3fdb7bc6362
SHA256

516a16adb1641127e455c30ddb243c853057e5d0f5a2d7918a52e0e0ca570d33
SHA512

2b52aae864b764d4142f0a7ba5a944167568ad128445742e8ac92db45b0819246a8f51a93efba1741709e60f5a37f59d11489e0107dd2f2314b4b1c1204f5ae2
SSDEEP

12288:fOqBStmJ7uD4vqQOqCg/0+cdEuH8uitp4xieV31K93+:GCS8OTRdEuUpJGln

Score

10^/10

latentbot xtremerat discovery persistence rat spyware trojan upx

Malware Config

Extracted

Family

xtremerat

imaistroextr.zapto.org

Extracted

Family

latentbot

imaistroextr.zapto.org

Signatures

Detect XtremeRAT payload 12 IoCs

resource	yara_rule
behavioral1/memory/2400-3-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral1/memory/2400-5-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral1/memory/2400-11-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral1/memory/2400-15-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral1/memory/2400-13-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral1/memory/2400-8-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral1/memory/2400-19-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral1/memory/2720-28-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral1/memory/2148-32-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral1/memory/2148-34-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral1/memory/2148-40-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat
behavioral1/memory/2148-47-0x0000000000C80000-0x0000000000CEE000-memory.dmp	family_xtremerat

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 28 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}	Server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{4I122HE4-0SYK-S3P6-08L6-528050TSHWLY}	Server.exe

Executes dropped EXE 26 IoCs

pid	Process
2692	Server.exe
812	Server.exe
1572	Server.exe
2908	Server.exe
2184	Server.exe
1880	Server.exe
1716	Server.exe
268	Server.exe
2540	Server.exe
1644	Server.exe
2748	Server.exe
2704	Server.exe
2784	Server.exe
2852	Server.exe
1448	Server.exe
2080	Server.exe
2240	Server.exe
2804	Server.exe
1084	Server.exe
3024	Server.exe
1676	Server.exe
2296	Server.exe
2528	Server.exe
1552	Server.exe
2840	Server.exe
2388	Server.exe

Loads dropped DLL 14 IoCs

pid	Process
2148	explorer.exe
2148	explorer.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Suspicious use of SetThreadContext 22 IoCs

description	pid	Process	procid_target
PID 2584 set thread context of 2400	2584	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	31
PID 2692 set thread context of 2908	2692	Server.exe	38
PID 2908 set thread context of 1232	2908	Server.exe	40
PID 812 set thread context of 2184	812	Server.exe	41
PID 2184 set thread context of 2208	2184	Server.exe	43
PID 1572 set thread context of 1880	1572	Server.exe	44
PID 1716 set thread context of 2540	1716	Server.exe	47
PID 2540 set thread context of 996	2540	Server.exe	49
PID 268 set thread context of 1644	268	Server.exe	50
PID 2748 set thread context of 2852	2748	Server.exe	54
PID 2852 set thread context of 2888	2852	Server.exe	56
PID 2704 set thread context of 1448	2704	Server.exe	57
PID 1448 set thread context of 2856	1448	Server.exe	60
PID 2784 set thread context of 2240	2784	Server.exe	61
PID 2240 set thread context of 488	2240	Server.exe	63
PID 2080 set thread context of 2804	2080	Server.exe	64
PID 1084 set thread context of 2296	1084	Server.exe	68
PID 2296 set thread context of 2540	2296	Server.exe	70
PID 3024 set thread context of 1552	3024	Server.exe	72
PID 1676 set thread context of 2840	1676	Server.exe	73
PID 2528 set thread context of 2388	2528	Server.exe	74
PID 2388 set thread context of 1648	2388	Server.exe	76

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1232-76-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/1232-85-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/1232-84-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/1232-83-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/1232-80-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/1232-78-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/1232-86-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/1232-87-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/1232-89-0x0000000001610000-0x0000000001712000-memory.dmp	upx
behavioral1/memory/1232-88-0x0000000001610000-0x0000000001712000-memory.dmp	upx

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File created	C:\Windows\InstallDir\Server.exe	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe
File opened for modification	C:\Windows\InstallDir\Server.exe	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Modifies registry class 35 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1232	explorer.exe
2208	explorer.exe
996	explorer.exe
2856	explorer.exe
488	explorer.exe
2540	explorer.exe
1648	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2148	explorer.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2148	explorer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2148	explorer.exe
1232	explorer.exe
2208	explorer.exe
2208	explorer.exe
996	explorer.exe
2856	explorer.exe
2856	explorer.exe
488	explorer.exe
488	explorer.exe
2540	explorer.exe
1648	explorer.exe
1648	explorer.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2888	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2400	2584	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	31
PID 2584 wrote to memory of 2400	2584	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	31
PID 2584 wrote to memory of 2400	2584	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	31
PID 2584 wrote to memory of 2400	2584	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	31
PID 2584 wrote to memory of 2400	2584	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	31
PID 2584 wrote to memory of 2400	2584	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	31
PID 2584 wrote to memory of 2400	2584	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	31
PID 2584 wrote to memory of 2400	2584	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	31
PID 2584 wrote to memory of 2400	2584	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	31
PID 2584 wrote to memory of 2400	2584	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	31
PID 2584 wrote to memory of 2400	2584	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	31
PID 2584 wrote to memory of 2400	2584	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2720	2400	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	32
PID 2400 wrote to memory of 2720	2400	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	32
PID 2400 wrote to memory of 2720	2400	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	32
PID 2400 wrote to memory of 2720	2400	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	32
PID 2400 wrote to memory of 2720	2400	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	32
PID 2400 wrote to memory of 2848	2400	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	33
PID 2400 wrote to memory of 2848	2400	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	33
PID 2400 wrote to memory of 2848	2400	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	33
PID 2400 wrote to memory of 2848	2400	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	33
PID 2400 wrote to memory of 2148	2400	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	34
PID 2400 wrote to memory of 2148	2400	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	34
PID 2400 wrote to memory of 2148	2400	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	34
PID 2400 wrote to memory of 2148	2400	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	34
PID 2400 wrote to memory of 2148	2400	65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe	34
PID 2148 wrote to memory of 2692	2148	explorer.exe	35
PID 2148 wrote to memory of 2692	2148	explorer.exe	35
PID 2148 wrote to memory of 2692	2148	explorer.exe	35
PID 2148 wrote to memory of 2692	2148	explorer.exe	35
PID 2720 wrote to memory of 812	2720	svchost.exe	36
PID 2720 wrote to memory of 812	2720	svchost.exe	36
PID 2720 wrote to memory of 812	2720	svchost.exe	36
PID 2720 wrote to memory of 812	2720	svchost.exe	36
PID 2720 wrote to memory of 1572	2720	svchost.exe	37
PID 2720 wrote to memory of 1572	2720	svchost.exe	37
PID 2720 wrote to memory of 1572	2720	svchost.exe	37
PID 2720 wrote to memory of 1572	2720	svchost.exe	37
PID 2692 wrote to memory of 2908	2692	Server.exe	38
PID 2692 wrote to memory of 2908	2692	Server.exe	38
PID 2692 wrote to memory of 2908	2692	Server.exe	38
PID 2692 wrote to memory of 2908	2692	Server.exe	38
PID 2692 wrote to memory of 2908	2692	Server.exe	38
PID 2692 wrote to memory of 2908	2692	Server.exe	38
PID 2692 wrote to memory of 2908	2692	Server.exe	38
PID 2692 wrote to memory of 2908	2692	Server.exe	38
PID 2692 wrote to memory of 2908	2692	Server.exe	38
PID 2692 wrote to memory of 2908	2692	Server.exe	38
PID 2692 wrote to memory of 2908	2692	Server.exe	38
PID 2692 wrote to memory of 2908	2692	Server.exe	38
PID 2908 wrote to memory of 1464	2908	Server.exe	39
PID 2908 wrote to memory of 1464	2908	Server.exe	39
PID 2908 wrote to memory of 1464	2908	Server.exe	39
PID 2908 wrote to memory of 1464	2908	Server.exe	39
PID 2908 wrote to memory of 1232	2908	Server.exe	40
PID 2908 wrote to memory of 1232	2908	Server.exe	40
PID 2908 wrote to memory of 1232	2908	Server.exe	40
PID 2908 wrote to memory of 1232	2908	Server.exe	40
PID 2908 wrote to memory of 1232	2908	Server.exe	40
PID 2908 wrote to memory of 1232	2908	Server.exe	40
PID 2908 wrote to memory of 1232	2908	Server.exe	40
PID 2908 wrote to memory of 1232	2908	Server.exe	40
PID 812 wrote to memory of 2184	812	Server.exe	41
PID 812 wrote to memory of 2184	812	Server.exe	41

C:\Users\Admin\AppData\Local\Temp\65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\65c7200faac8b0de62432214cc3a0629_JaffaCakes118.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:812
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2184
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2200
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2208
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1572
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1880
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1716
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2540
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1632
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:996
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:268
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1644
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2748
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2852
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2420
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        Suspicious use of UnmapMainImage
        
        PID:2888
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2704
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1448
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:836
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2856
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2784
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2240
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1004
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:488
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2080
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2804
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1084
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2296
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2976
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2540
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3024
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1552
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1676
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2840
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2528
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2388
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:844
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1648
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\InstallDir\Server.exe
      "C:\Windows\InstallDir\Server.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\InstallDir\Server.exe
        
        C:\Windows\InstallDir\Server.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1464
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\jzyGf9e.cfg

Filesize
1KB

MD5
1f6e7e4cd377b79455e89ab9a7b7bac9

SHA1
aa88d75bd20f5a1ea37ee23c3f4bcb9e2ed8f111

SHA256
e26885e1b0a063bcb9d3cd88dab6e7e8298d00df6ff9417f17483eb41ab87897

SHA512
6847159db97675ba766ba5c63ef956a7672537f972d3feba2782144ec32ab707aec95bf42f1ddb161b20321b463096cd275ef54da3986c31206ffc4f20911980

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\jzyGf9e.dat

Filesize
2B

MD5
84cad01fdb44ae58dbe6c3973dcd87f5

SHA1
4700b42849fb35be323774820bf1bc8019d26c80

SHA256
8b1f194be530240c18bf0b1ee0d038e750fab8b24c6bd25c864297e5ebb41fa6

SHA512
6e10d3ec4724c1aca9ff3f6a26292ba80065d18e8e9395f1474c0a298008f25e312e2f7024e7d10aab3264764e69a25553cc20afd23090f83921d20e42b989ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\jzyGf9e.xtr

Filesize
343KB

MD5
6426d400c96fb9ffef4eaa54f6647f4c

SHA1
70a37871aff432790b6adf7d3fc4eb929476e082

SHA256
98bba0cf4c57ecd35b227f45e4aa6dd50ef7cfb1160235cc14687c96eb09fa3c

SHA512
2c8b4d3ab066cbfca6cf0c8d89d5044152b5e3d7100249cbedd1c816e3a4a94efc8bc6b79c1dab4bdf96e3ce476d6caccf625cfbe0aff3bf5e7a29dfcfa948c5

Download Submit
C:\Windows\InstallDir\Server.exe

Filesize
712KB

MD5
65c7200faac8b0de62432214cc3a0629

SHA1
0ad44042ddcf2b9ad73a99fe6fecc3fdb7bc6362

SHA256
516a16adb1641127e455c30ddb243c853057e5d0f5a2d7918a52e0e0ca570d33

SHA512
2b52aae864b764d4142f0a7ba5a944167568ad128445742e8ac92db45b0819246a8f51a93efba1741709e60f5a37f59d11489e0107dd2f2314b4b1c1204f5ae2

Download Submit
memory/1232-84-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/1232-78-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/1232-88-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/1232-89-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/1232-87-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/1232-86-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/1232-75-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/1232-76-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/1232-80-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/1232-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1232-85-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/1232-83-0x0000000001610000-0x0000000001712000-memory.dmp

Filesize
1.0MB

Download
memory/2148-40-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/2148-47-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/2148-34-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/2148-32-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/2400-5-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/2400-13-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/2400-1-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/2400-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2400-3-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/2400-2-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/2400-11-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/2400-15-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/2400-19-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/2400-8-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download
memory/2584-0-0x0000000023240000-0x000000002326F000-memory.dmp

Filesize
188KB

Download
memory/2584-48-0x0000000023240000-0x000000002326F000-memory.dmp

Filesize
188KB

Download
memory/2692-51-0x0000000023240000-0x000000002326F000-memory.dmp

Filesize
188KB

Download
memory/2720-28-0x0000000000C80000-0x0000000000CEE000-memory.dmp

Filesize
440KB

Download