darkcomet | d8ba821aa37d8c83ee00f809de729197eb340e17348274eec26469a3be34f894

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Size

467KB
MD5

a91672ac89d1826a72f3f71e57f5b13d
SHA1

25c842879a8658dd70658b7ffd5669b98cc61f0d
SHA256

d8ba821aa37d8c83ee00f809de729197eb340e17348274eec26469a3be34f894
SHA512

dfa07f9ea006ac36cb4ab36a6d4e10249d0452fbec7a677b66b23c1d91ef4e803cc019446d7309f49db844675e978a74f9cb28fe5e2289c77dd37681e2b8e13d
SSDEEP

12288:tpW7YfiziEBcpY08g0CSbEcZt7fsmrwN0DCHh:PfGigo8gXMwNwCB

Score

10^/10

darkcomet new_server_crypter discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

New_server_Crypter

leetaka1337.no-ip.org:1604

Mutex

DC_MUTEX-K01XBXU

Attributes

InstallPath
MSDCSC\winhost.exe
gencode
cattbKvVMm69
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 23 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe"	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe

Executes dropped EXE 64 IoCs

pid	Process
2720	STUB.EXE
2632	winhost.exe
2580	winhost.exe
476	STUB.EXE
1412	winhost.exe
2804	winhost.exe
2520	STUB.EXE
1720	winhost.exe
1944	winhost.exe
1872	STUB.EXE
2308	winhost.exe
348	winhost.exe
1848	STUB.EXE
2168	winhost.exe
1812	winhost.exe
1712	STUB.EXE
2840	winhost.exe
2356	winhost.exe
292	STUB.EXE
1544	winhost.exe
2192	winhost.exe
2616	STUB.EXE
2468	winhost.exe
2600	winhost.exe
2732	STUB.EXE
1080	winhost.exe
540	winhost.exe
2640	STUB.EXE
1948	winhost.exe
2364	winhost.exe
2224	STUB.EXE
2024	winhost.exe
2156	winhost.exe
1460	STUB.EXE
1288	winhost.exe
1728	winhost.exe
2060	STUB.EXE
2076	winhost.exe
1436	winhost.exe
1368	STUB.EXE
2888	winhost.exe
1272	winhost.exe
1260	STUB.EXE
1224	winhost.exe
2388	winhost.exe
2748	STUB.EXE
2800	winhost.exe
2712	winhost.exe
2508	STUB.EXE
2940	winhost.exe
960	winhost.exe
1332	STUB.EXE
2816	winhost.exe
2212	winhost.exe
356	STUB.EXE
1624	winhost.exe
2528	winhost.exe
1856	STUB.EXE
2324	winhost.exe
2316	winhost.exe
2868	STUB.EXE
1116	winhost.exe
448	winhost.exe
2444	STUB.EXE

Loads dropped DLL 64 IoCs

pid	Process
3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
2580	winhost.exe
2580	winhost.exe
2580	winhost.exe
2804	winhost.exe
2804	winhost.exe
2804	winhost.exe
1944	winhost.exe
1944	winhost.exe
1944	winhost.exe
348	winhost.exe
348	winhost.exe
348	winhost.exe
1812	winhost.exe
1812	winhost.exe
1812	winhost.exe
2356	winhost.exe
2356	winhost.exe
2356	winhost.exe
2192	winhost.exe
2192	winhost.exe
2192	winhost.exe
2600	winhost.exe
2600	winhost.exe
2600	winhost.exe
540	winhost.exe
540	winhost.exe
540	winhost.exe
2364	winhost.exe
2364	winhost.exe
2364	winhost.exe
2156	winhost.exe
2156	winhost.exe
2156	winhost.exe
1728	winhost.exe
1728	winhost.exe
1728	winhost.exe
1436	winhost.exe
1436	winhost.exe
1436	winhost.exe
1272	winhost.exe
1272	winhost.exe
1272	winhost.exe
2388	winhost.exe
2388	winhost.exe
2388	winhost.exe
2712	winhost.exe
2712	winhost.exe
2712	winhost.exe
960	winhost.exe
960	winhost.exe
960	winhost.exe
2212	winhost.exe
2212	winhost.exe
2212	winhost.exe
2528	winhost.exe
2528	winhost.exe
2528	winhost.exe
2316	winhost.exe
2316	winhost.exe
2316	winhost.exe
448	winhost.exe

Adds Run key to start application 2 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\winhost.exe"	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe"	winhost.exe

Drops file in System32 directory 59 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\	winhost.exe
File created	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\	winhost.exe
File created	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\winhost.exe	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File created	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe	winhost.exe
File created	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File created	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\	winhost.exe
File created	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File created	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\	winhost.exe
File created	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\	winhost.exe
File created	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File created	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\	winhost.exe
File created	C:\Windows\SysWOW64\MSDCSC\winhost.exe	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MSDCSC\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe	winhost.exe
File created	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\	winhost.exe
File created	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe	winhost.exe

Suspicious use of SetThreadContext 23 IoCs

description	pid	Process	procid_target
PID 2920 set thread context of 3004	2920	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe	28
PID 2632 set thread context of 2580	2632	winhost.exe	31
PID 1412 set thread context of 2804	1412	winhost.exe	34
PID 1720 set thread context of 1944	1720	winhost.exe	37
PID 2308 set thread context of 348	2308	winhost.exe	40
PID 2168 set thread context of 1812	2168	winhost.exe	43
PID 2840 set thread context of 2356	2840	winhost.exe	46
PID 1544 set thread context of 2192	1544	winhost.exe	49
PID 2468 set thread context of 2600	2468	winhost.exe	52
PID 1080 set thread context of 540	1080	winhost.exe	55
PID 1948 set thread context of 2364	1948	winhost.exe	58
PID 2024 set thread context of 2156	2024	winhost.exe	61
PID 1288 set thread context of 1728	1288	winhost.exe	64
PID 2076 set thread context of 1436	2076	winhost.exe	67
PID 2888 set thread context of 1272	2888	winhost.exe	70
PID 1224 set thread context of 2388	1224	winhost.exe	73
PID 2800 set thread context of 2712	2800	winhost.exe	78
PID 2940 set thread context of 960	2940	winhost.exe	81
PID 2816 set thread context of 2212	2816	winhost.exe	84
PID 1624 set thread context of 2528	1624	winhost.exe	87
PID 2324 set thread context of 2316	2324	winhost.exe	90
PID 1116 set thread context of 448	1116	winhost.exe	93
PID 940 set thread context of 1796	940	winhost.exe	96

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3004-7-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/3004-11-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/3004-13-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/3004-5-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/3004-14-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/3004-17-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/3004-15-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/3004-16-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/3004-40-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/2580-49-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/2580-51-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/2580-50-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/2804-79-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/2804-78-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/2804-77-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1944-108-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1944-107-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1944-106-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/348-136-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/348-135-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/348-134-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1812-162-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1812-164-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1812-163-0x0000000000400000-0x00000000004C4000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	STUB.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeSecurityPrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeBackupPrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeRestorePrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeShutdownPrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeDebugPrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeUndockPrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: 33	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: 34	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: 35	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Token: SeDebugPrivilege	2632	winhost.exe
Token: SeIncreaseQuotaPrivilege	2580	winhost.exe
Token: SeSecurityPrivilege	2580	winhost.exe
Token: SeTakeOwnershipPrivilege	2580	winhost.exe
Token: SeLoadDriverPrivilege	2580	winhost.exe
Token: SeSystemProfilePrivilege	2580	winhost.exe
Token: SeSystemtimePrivilege	2580	winhost.exe
Token: SeProfSingleProcessPrivilege	2580	winhost.exe
Token: SeIncBasePriorityPrivilege	2580	winhost.exe
Token: SeCreatePagefilePrivilege	2580	winhost.exe
Token: SeBackupPrivilege	2580	winhost.exe
Token: SeRestorePrivilege	2580	winhost.exe
Token: SeShutdownPrivilege	2580	winhost.exe
Token: SeDebugPrivilege	2580	winhost.exe
Token: SeSystemEnvironmentPrivilege	2580	winhost.exe
Token: SeChangeNotifyPrivilege	2580	winhost.exe
Token: SeRemoteShutdownPrivilege	2580	winhost.exe
Token: SeUndockPrivilege	2580	winhost.exe
Token: SeManageVolumePrivilege	2580	winhost.exe
Token: SeImpersonatePrivilege	2580	winhost.exe
Token: SeCreateGlobalPrivilege	2580	winhost.exe
Token: 33	2580	winhost.exe
Token: 34	2580	winhost.exe
Token: 35	2580	winhost.exe
Token: SeDebugPrivilege	1412	winhost.exe
Token: SeIncreaseQuotaPrivilege	2804	winhost.exe
Token: SeSecurityPrivilege	2804	winhost.exe
Token: SeTakeOwnershipPrivilege	2804	winhost.exe
Token: SeLoadDriverPrivilege	2804	winhost.exe
Token: SeSystemProfilePrivilege	2804	winhost.exe
Token: SeSystemtimePrivilege	2804	winhost.exe
Token: SeProfSingleProcessPrivilege	2804	winhost.exe
Token: SeIncBasePriorityPrivilege	2804	winhost.exe
Token: SeCreatePagefilePrivilege	2804	winhost.exe
Token: SeBackupPrivilege	2804	winhost.exe
Token: SeRestorePrivilege	2804	winhost.exe
Token: SeShutdownPrivilege	2804	winhost.exe
Token: SeDebugPrivilege	2804	winhost.exe
Token: SeSystemEnvironmentPrivilege	2804	winhost.exe
Token: SeChangeNotifyPrivilege	2804	winhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 3004	2920	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe	28
PID 2920 wrote to memory of 3004	2920	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe	28
PID 2920 wrote to memory of 3004	2920	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe	28
PID 2920 wrote to memory of 3004	2920	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe	28
PID 2920 wrote to memory of 3004	2920	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe	28
PID 2920 wrote to memory of 3004	2920	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe	28
PID 2920 wrote to memory of 3004	2920	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe	28
PID 2920 wrote to memory of 3004	2920	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe	28
PID 3004 wrote to memory of 2720	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe	29
PID 3004 wrote to memory of 2720	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe	29
PID 3004 wrote to memory of 2720	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe	29
PID 3004 wrote to memory of 2720	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe	29
PID 3004 wrote to memory of 2632	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2632	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2632	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2632	3004	a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2580	2632	winhost.exe	31
PID 2632 wrote to memory of 2580	2632	winhost.exe	31
PID 2632 wrote to memory of 2580	2632	winhost.exe	31
PID 2632 wrote to memory of 2580	2632	winhost.exe	31
PID 2632 wrote to memory of 2580	2632	winhost.exe	31
PID 2632 wrote to memory of 2580	2632	winhost.exe	31
PID 2632 wrote to memory of 2580	2632	winhost.exe	31
PID 2632 wrote to memory of 2580	2632	winhost.exe	31
PID 2580 wrote to memory of 476	2580	winhost.exe	32
PID 2580 wrote to memory of 476	2580	winhost.exe	32
PID 2580 wrote to memory of 476	2580	winhost.exe	32
PID 2580 wrote to memory of 476	2580	winhost.exe	32
PID 2580 wrote to memory of 1412	2580	winhost.exe	33
PID 2580 wrote to memory of 1412	2580	winhost.exe	33
PID 2580 wrote to memory of 1412	2580	winhost.exe	33
PID 2580 wrote to memory of 1412	2580	winhost.exe	33
PID 1412 wrote to memory of 2804	1412	winhost.exe	34
PID 1412 wrote to memory of 2804	1412	winhost.exe	34
PID 1412 wrote to memory of 2804	1412	winhost.exe	34
PID 1412 wrote to memory of 2804	1412	winhost.exe	34
PID 1412 wrote to memory of 2804	1412	winhost.exe	34
PID 1412 wrote to memory of 2804	1412	winhost.exe	34
PID 1412 wrote to memory of 2804	1412	winhost.exe	34
PID 1412 wrote to memory of 2804	1412	winhost.exe	34
PID 2804 wrote to memory of 2520	2804	winhost.exe	35
PID 2804 wrote to memory of 2520	2804	winhost.exe	35
PID 2804 wrote to memory of 2520	2804	winhost.exe	35
PID 2804 wrote to memory of 2520	2804	winhost.exe	35
PID 2804 wrote to memory of 1720	2804	winhost.exe	36
PID 2804 wrote to memory of 1720	2804	winhost.exe	36
PID 2804 wrote to memory of 1720	2804	winhost.exe	36
PID 2804 wrote to memory of 1720	2804	winhost.exe	36
PID 1720 wrote to memory of 1944	1720	winhost.exe	37
PID 1720 wrote to memory of 1944	1720	winhost.exe	37
PID 1720 wrote to memory of 1944	1720	winhost.exe	37
PID 1720 wrote to memory of 1944	1720	winhost.exe	37
PID 1720 wrote to memory of 1944	1720	winhost.exe	37
PID 1720 wrote to memory of 1944	1720	winhost.exe	37
PID 1720 wrote to memory of 1944	1720	winhost.exe	37
PID 1720 wrote to memory of 1944	1720	winhost.exe	37
PID 1944 wrote to memory of 1872	1944	winhost.exe	38
PID 1944 wrote to memory of 1872	1944	winhost.exe	38
PID 1944 wrote to memory of 1872	1944	winhost.exe	38
PID 1944 wrote to memory of 1872	1944	winhost.exe	38
PID 1944 wrote to memory of 2308	1944	winhost.exe	39
PID 1944 wrote to memory of 2308	1944	winhost.exe	39
PID 1944 wrote to memory of 2308	1944	winhost.exe	39
PID 1944 wrote to memory of 2308	1944	winhost.exe	39

C:\Users\Admin\AppData\Local\Temp\a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\STUB.EXE
    "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2720
- - C:\Windows\SysWOW64\MSDCSC\winhost.exe
    "C:\Windows\system32\MSDCSC\winhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\MSDCSC\winhost.exe
      C:\Windows\SysWOW64\MSDCSC\winhost.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:476
    - - C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\winhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
      - C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        8⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\winhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        10⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        12⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\winhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        14⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:292
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        16⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\winhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        18⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        20⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\winhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        22⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        24⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\winhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        26⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        28⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\winhost.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        30⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1224
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        32⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\winhost.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        34⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        36⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        37⤵
        Executes dropped EXE
        
        PID:1332
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\winhost.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        38⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:356
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        40⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\winhost.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        42⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1116
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        44⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        45⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\winhost.exe"
        45⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe
        46⤵
        Modifies WinLogon for persistence
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\STUB.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\STUB.EXE"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        "C:\Windows\system32\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        
        C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe
        48⤵
        
        PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\STUB.EXE

Filesize
47KB

MD5
6e9ee67b3cceaf1fc3bd53a9c33a3cc7

SHA1
1ce7d9f73b9da92385ec41e416d2cf7a6f2ccc03

SHA256
e9509d87ec53efda131c636fe729180eea8c48850693f0c800fc04f88f5960bb

SHA512
6ee77b3d3238e1507ab83f57fa06b88b384b5d8a804a27d93aab30622166b1bedd4796ec30c8dfca3b9085d41c69fd064014e0a424a79e9e8f15b79c6568fb1c

Download Submit
\Windows\SysWOW64\MSDCSC\winhost.exe

Filesize
467KB

MD5
a91672ac89d1826a72f3f71e57f5b13d

SHA1
25c842879a8658dd70658b7ffd5669b98cc61f0d

SHA256
d8ba821aa37d8c83ee00f809de729197eb340e17348274eec26469a3be34f894

SHA512
dfa07f9ea006ac36cb4ab36a6d4e10249d0452fbec7a677b66b23c1d91ef4e803cc019446d7309f49db844675e978a74f9cb28fe5e2289c77dd37681e2b8e13d

Download Submit
memory/348-135-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/348-130-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/348-136-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/348-134-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1812-162-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1812-158-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1812-164-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1812-163-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1944-106-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1944-107-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1944-108-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1944-102-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2356-186-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2580-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2580-51-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2580-50-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2580-49-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2720-33-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2720-34-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2720-31-0x0000000074911000-0x0000000074912000-memory.dmp

Filesize
4KB

Download
memory/2720-32-0x0000000074910000-0x0000000074EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2804-77-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2804-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2804-79-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2804-78-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2920-0-0x0000000074FC1000-0x0000000074FC2000-memory.dmp

Filesize
4KB

Download
memory/2920-1-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-2-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-12-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/3004-18-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3004-17-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3004-14-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3004-5-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3004-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3004-13-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3004-11-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3004-7-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3004-15-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3004-4-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3004-16-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3004-40-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads