Analysis
max time kernel: 146s
max time network: 121s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 29-11-2024 10:50

Static task: static1
Behavioral task: behavioral1
  Sample: b0c2efab0ab3ef4157cd97a2ff8f775e_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: b0c2efab0ab3ef4157cd97a2ff8f775e_JaffaCakes118.exe
  Resource: win10v2004-20241007-en

General
Target: b0c2efab0ab3ef4157cd97a2ff8f775e_JaffaCakes118.exe
Size: 60KB
MD5: b0c2efab0ab3ef4157cd97a2ff8f775e
SHA1: 9bb85026c7a9037e3ae8634a66d3f954ef3f49c3
SHA256: 69d873035398746e59c747af9920196bd9fc117ad25196475d64b5a96ff32ce2
SHA512: 6d33f4eb4a0ea627fa351a13dff0f1281e916a8084362d9c2e981e284271bf1cca40fd2d1c8ac19ef3db5bb54377bdfe359be0151573220352e14bbcd3f9fb56
SSDEEP: 768:l38+6jF/90iYiW1jQU9zKgEFQDqkldnBnibh9fOgKHcIS8YzXBBS8YzXB5zokH6:N3g4v1j1PEFQDqkFibT+UFruFrvoH
Malware Config
Signatures

XtremeRAT
The XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

Xtremerat family

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 60 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Executes dropped EXE (28 IoCs)
pid Process: 2708 foul.exe, 2056 foul.exe, 2632 foul.exe, 2512 foul.exe, 1052 foul.exe, 568 foul.exe, 2620 foul.exe, 2852 foul.exe, 2200 foul.exe, 848 foul.exe, 2552 foul.exe, 1236 foul.exe, 1684 foul.exe, 2180 foul.exe, 664 foul.exe, 748 foul.exe, 2380 foul.exe, 2716 foul.exe, 2628 foul.exe, 2752 foul.exe, 2348 foul.exe, 1356 foul.exe, 1884 foul.exe, 2640 foul.exe, 2060 foul.exe, 920 foul.exe, 484 foul.exe, 2152 foul.exe
Loads dropped DLL (29 IoCs)
pid Process: 2228 svchost.exe (the same pid and process for all 29 entries)
Adds Run key to start application (2 TTPs, 60 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 59 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\b0c2efab0ab3ef4157cd97a2ff8f775e_JaffaCakes118.exe (depth 1, PID 2264)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0c2efab0ab3ef4157cd97a2ff8f775e_JaffaCakes118.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe (depth 2, PID 2228)
    Command line: svchost.exe
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 2708)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 2988)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 2056)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 2600)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 2632)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 1228)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 2512)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 3064)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 1052)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 1588)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 568)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 1652)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 2620)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 2364)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 2852)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 484)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 2200)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 1524)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 848)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 2332)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 2552)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 2368)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 1236)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 1424)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 1684)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 1556)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 2180)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 2224)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 664)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 2296)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 748)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 2236)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 2380)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 2732)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 2716)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 1716)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 2628)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 1940)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 2752)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 2704)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 2348)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 2416)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 1356)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 2100)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 1884)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 2460)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 2640)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 2812)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 2060)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 1020)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 920)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 572)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 484)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 2084)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\toulse\foul.exe (depth 3, PID 2152)
      Command line: "C:\Users\Admin\AppData\Roaming\toulse\foul.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe (depth 4, PID 2320)
        Command line: svchost.exe
        - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\svchost.exe (depth 2, PID 2772)
    Command line: svchost.exe
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize: 1KB
MD5: 05ba495ba8b18b2e9604edc9eeda4879
SHA1: 360d315bd9af191e22cc3dfbf70a152afad7b1c3
SHA256: 370391eda0ea002f384f89cc43e1bf9ce0d88b08db7f9f1b85f17a4c1a1fb55b
SHA512: bccc4c30be6606b79e24d4e4d80516cef0e718a87067153089765ce61bb68902f038e11789fcc70ee70ea42c7c0c291a81a26dcf74b606c722ac217c48675c22
-
Filesize: 2B
MD5: 84cad01fdb44ae58dbe6c3973dcd87f5
SHA1: 4700b42849fb35be323774820bf1bc8019d26c80
SHA256: 8b1f194be530240c18bf0b1ee0d038e750fab8b24c6bd25c864297e5ebb41fa6
SHA512: 6e10d3ec4724c1aca9ff3f6a26292ba80065d18e8e9395f1474c0a298008f25e312e2f7024e7d10aab3264764e69a25553cc20afd23090f83921d20e42b989ab
-
Filesize: 60KB
MD5: b0c2efab0ab3ef4157cd97a2ff8f775e
SHA1: 9bb85026c7a9037e3ae8634a66d3f954ef3f49c3
SHA256: 69d873035398746e59c747af9920196bd9fc117ad25196475d64b5a96ff32ce2
SHA512: 6d33f4eb4a0ea627fa351a13dff0f1281e916a8084362d9c2e981e284271bf1cca40fd2d1c8ac19ef3db5bb54377bdfe359be0151573220352e14bbcd3f9fb56