Analysis
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
29-11-2024 10:52
Static task
static1
Behavioral task
behavioral1
Sample
b0c5094c2c677da2735dd39b7752e600_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
b0c5094c2c677da2735dd39b7752e600_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
Target
b0c5094c2c677da2735dd39b7752e600_JaffaCakes118.exe
Size
17KB
MD5
b0c5094c2c677da2735dd39b7752e600
SHA1
fc2accd937bbb23e1117b3ca0d0ebd9a075fa37d
SHA256
c97e3b54f054fe14af64f9912fde6aaa69e9863e2bc0f7aff7df8cd47e11722d
SHA512
e2dfb1179e53b03309fa9a9fbfefb3cca7b0779ebe816cd5d57059cdea9b5248e8fa200d4cabc9752e4fcf9efc1c826969e3e73c8648331db28bc28ca56e3b87
SSDEEP
384:u/aI71le/ABYoKNMjbruXtXTwDGaHoPEMa7De:fI71leYBY7N6KXtXKGWoPEb
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
wininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" wininet.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" wininet.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad wininet.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created 
\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad wininet.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" wininet.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" wininet.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" wininet.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad wininet.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad wininet.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" wininet.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" wininet.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" wininet.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad wininet.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysRun = "{D7FFD784-5276-42D1-887B-00267870A4C7}" wininet.exe -
Executes dropped EXE 64 IoCs
Processes:
wininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exepid Process 1784 wininet.exe 4580 wininet.exe 3644 wininet.exe 4504 wininet.exe 2296 wininet.exe 4672 wininet.exe 5080 wininet.exe 4284 wininet.exe 2352 wininet.exe 2060 wininet.exe 4312 wininet.exe 3004 wininet.exe 4324 wininet.exe 2760 wininet.exe 4816 wininet.exe 4968 wininet.exe 4100 wininet.exe 3288 wininet.exe 1864 wininet.exe 760 wininet.exe 2936 wininet.exe 1492 wininet.exe 4344 wininet.exe 1868 wininet.exe 3216 wininet.exe 3636 wininet.exe 3760 wininet.exe 4912 wininet.exe 3012 wininet.exe 1464 wininet.exe 4172 wininet.exe 1472 wininet.exe 4460 wininet.exe 4636 wininet.exe 3696 wininet.exe 3416 wininet.exe 3748 wininet.exe 4532 wininet.exe 1088 wininet.exe 932 wininet.exe 1428 wininet.exe 1856 wininet.exe 4512 wininet.exe 2412 wininet.exe 4336 wininet.exe 464 wininet.exe 4700 wininet.exe 4032 wininet.exe 4220 wininet.exe 4176 wininet.exe 4132 wininet.exe 2072 wininet.exe 5040 wininet.exe 4868 wininet.exe 224 wininet.exe 400 wininet.exe 3600 wininet.exe 3596 wininet.exe 3284 wininet.exe 2004 wininet.exe 4684 wininet.exe 1304 wininet.exe 3328 wininet.exe 4440 wininet.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials, among other sensitive data.
Drops file in System32 directory 64 IoCs
Processes:
wininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exedescription ioc Process File created C:\Windows\SysWOW64\wininet.exe File created C:\Windows\SysWOW64\wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll wininet.exe File created C:\Windows\SysWOW64\wininet.exe wininet.exe File created C:\Windows\SysWOW64\wininet.exe wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll File created C:\Windows\SysWOW64\wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll wininet.exe File created C:\Windows\SysWOW64\wininet.exe wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll wininet.exe File created C:\Windows\SysWOW64\wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll wininet.exe File created C:\Windows\SysWOW64\wininet.exe wininet.exe File created C:\Windows\SysWOW64\wininet.exe File created C:\Windows\SysWOW64\wininet.exe File created C:\Windows\SysWOW64\wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll File created C:\Windows\SysWOW64\wininet.exe File created C:\Windows\SysWOW64\wininet.exe File created C:\Windows\SysWOW64\wininet.exe File created C:\Windows\SysWOW64\wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll File opened for modification C:\Windows\SysWOW64\svshost.dll File created C:\Windows\SysWOW64\wininet.exe wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll File opened for modification C:\Windows\SysWOW64\svshost.dll File opened for 
modification C:\Windows\SysWOW64\svshost.dll wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll File opened for modification C:\Windows\SysWOW64\svshost.dll File opened for modification C:\Windows\SysWOW64\svshost.dll File opened for modification C:\Windows\SysWOW64\svshost.dll wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll File created C:\Windows\SysWOW64\wininet.exe File created C:\Windows\SysWOW64\wininet.exe wininet.exe File created C:\Windows\SysWOW64\wininet.exe wininet.exe File created C:\Windows\SysWOW64\wininet.exe wininet.exe File created C:\Windows\SysWOW64\wininet.exe wininet.exe File created C:\Windows\SysWOW64\wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll File opened for modification C:\Windows\SysWOW64\svshost.dll File created C:\Windows\SysWOW64\wininet.exe wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll File created C:\Windows\SysWOW64\wininet.exe File created C:\Windows\SysWOW64\wininet.exe File created C:\Windows\SysWOW64\wininet.exe File created C:\Windows\SysWOW64\wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll wininet.exe File created C:\Windows\SysWOW64\wininet.exe File created C:\Windows\SysWOW64\wininet.exe File created C:\Windows\SysWOW64\wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll File opened for modification C:\Windows\SysWOW64\svshost.dll File opened for modification C:\Windows\SysWOW64\svshost.dll wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll wininet.exe File created C:\Windows\SysWOW64\wininet.exe wininet.exe File created C:\Windows\SysWOW64\wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll wininet.exe File created C:\Windows\SysWOW64\wininet.exe File created C:\Windows\SysWOW64\wininet.exe wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll wininet.exe File opened for modification C:\Windows\SysWOW64\svshost.dll 
wininet.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes:
wininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wininet.exe -
Modifies registry class 64 IoCs
The CLSID registered here, {D7FFD784-5276-42D1-887B-00267870A4C7}, is the same value written to the ShellServiceObjectDelayLoad\SysRun entry in the autorun signature above, and its InProcServer32 default value points at C:\Windows\SysWow64\svshost.dll, the file dropped in the System32 signature; together these entries are what make Explorer load the dropped DLL on startup.
Processes:
wininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" wininet.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" wininet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 wininet.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 wininet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 wininet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 wininet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 wininet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 wininet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 wininet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" wininet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 wininet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" wininet.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 wininet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32 wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" wininet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D7FFD784-5276-42D1-887B-00267870A4C7}\InProcServer32\ = "C:\\Windows\\SysWow64\\svshost.dll" -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
b0c5094c2c677da2735dd39b7752e600_JaffaCakes118.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exewininet.exedescription pid Process procid_target PID 3392 wrote to memory of 1784 3392 b0c5094c2c677da2735dd39b7752e600_JaffaCakes118.exe 83 PID 3392 wrote to memory of 1784 3392 b0c5094c2c677da2735dd39b7752e600_JaffaCakes118.exe 83 PID 3392 wrote to memory of 1784 3392 b0c5094c2c677da2735dd39b7752e600_JaffaCakes118.exe 83 PID 1784 wrote to memory of 4580 1784 wininet.exe 84 PID 1784 wrote to memory of 4580 1784 wininet.exe 84 PID 1784 wrote to memory of 4580 1784 wininet.exe 84 PID 4580 wrote to memory of 3644 4580 wininet.exe 85 PID 4580 wrote to memory of 3644 4580 wininet.exe 85 PID 4580 wrote to memory of 3644 4580 wininet.exe 85 PID 3644 wrote to memory of 4504 3644 wininet.exe 86 PID 3644 wrote to memory of 4504 3644 wininet.exe 86 PID 3644 wrote to memory of 4504 3644 wininet.exe 86 PID 4504 wrote to memory of 2296 4504 wininet.exe 87 PID 4504 wrote to memory of 2296 4504 wininet.exe 87 PID 4504 wrote to memory of 2296 4504 wininet.exe 87 PID 2296 wrote to memory of 4672 2296 wininet.exe 88 PID 2296 wrote to memory of 4672 2296 wininet.exe 88 PID 2296 wrote to memory of 4672 2296 wininet.exe 88 PID 4672 wrote to memory of 5080 4672 wininet.exe 89 PID 4672 wrote to memory of 5080 4672 wininet.exe 89 PID 4672 wrote to memory of 5080 4672 wininet.exe 89 PID 5080 wrote to memory of 4284 5080 wininet.exe 90 PID 5080 wrote to memory of 4284 5080 wininet.exe 90 PID 5080 wrote to memory of 4284 5080 wininet.exe 90 PID 4284 wrote to memory of 2352 4284 wininet.exe 91 PID 4284 wrote to memory of 2352 4284 wininet.exe 91 PID 4284 wrote to memory of 2352 4284 wininet.exe 91 PID 2352 wrote to memory of 2060 2352 wininet.exe 92 PID 2352 wrote to memory of 2060 2352 wininet.exe 92 PID 2352 wrote to memory 
of 2060 2352 wininet.exe 92 PID 2060 wrote to memory of 4312 2060 wininet.exe 93 PID 2060 wrote to memory of 4312 2060 wininet.exe 93 PID 2060 wrote to memory of 4312 2060 wininet.exe 93 PID 4312 wrote to memory of 3004 4312 wininet.exe 94 PID 4312 wrote to memory of 3004 4312 wininet.exe 94 PID 4312 wrote to memory of 3004 4312 wininet.exe 94 PID 3004 wrote to memory of 4324 3004 wininet.exe 95 PID 3004 wrote to memory of 4324 3004 wininet.exe 95 PID 3004 wrote to memory of 4324 3004 wininet.exe 95 PID 4324 wrote to memory of 2760 4324 wininet.exe 96 PID 4324 wrote to memory of 2760 4324 wininet.exe 96 PID 4324 wrote to memory of 2760 4324 wininet.exe 96 PID 2760 wrote to memory of 4816 2760 wininet.exe 97 PID 2760 wrote to memory of 4816 2760 wininet.exe 97 PID 2760 wrote to memory of 4816 2760 wininet.exe 97 PID 4816 wrote to memory of 4968 4816 wininet.exe 98 PID 4816 wrote to memory of 4968 4816 wininet.exe 98 PID 4816 wrote to memory of 4968 4816 wininet.exe 98 PID 4968 wrote to memory of 4100 4968 wininet.exe 99 PID 4968 wrote to memory of 4100 4968 wininet.exe 99 PID 4968 wrote to memory of 4100 4968 wininet.exe 99 PID 4100 wrote to memory of 3288 4100 wininet.exe 100 PID 4100 wrote to memory of 3288 4100 wininet.exe 100 PID 4100 wrote to memory of 3288 4100 wininet.exe 100 PID 3288 wrote to memory of 1864 3288 wininet.exe 101 PID 3288 wrote to memory of 1864 3288 wininet.exe 101 PID 3288 wrote to memory of 1864 3288 wininet.exe 101 PID 1864 wrote to memory of 760 1864 wininet.exe 102 PID 1864 wrote to memory of 760 1864 wininet.exe 102 PID 1864 wrote to memory of 760 1864 wininet.exe 102 PID 760 wrote to memory of 2936 760 wininet.exe 103 PID 760 wrote to memory of 2936 760 wininet.exe 103 PID 760 wrote to memory of 2936 760 wininet.exe 103 PID 2936 wrote to memory of 1492 2936 wininet.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b0c5094c2c677da2735dd39b7752e600_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b0c5094c2c677da2735dd39b7752e600_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe23⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe24⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe25⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe26⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe27⤵
- Executes dropped EXE
PID:3636 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe28⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe30⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe31⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe32⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe33⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe34⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe35⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe36⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe37⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe38⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe39⤵
- Executes dropped EXE
PID:4532 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe40⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe41⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe42⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe43⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe44⤵
- Executes dropped EXE
PID:4512 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe45⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe46⤵
- Executes dropped EXE
PID:4336 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe47⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe48⤵
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe49⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe50⤵
- Executes dropped EXE
PID:4220 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe51⤵
- Executes dropped EXE
PID:4176 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe52⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe53⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe54⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe55⤵
- Executes dropped EXE
PID:4868 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:224 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe57⤵
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe58⤵
- Executes dropped EXE
PID:3600 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe59⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe60⤵
- Executes dropped EXE
PID:3284 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe61⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe62⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe63⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe64⤵
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe65⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe66⤵
- System Location Discovery: System Language Discovery
PID:1356 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe67⤵PID:4296
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe68⤵
- Modifies registry class
PID:3452 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe69⤵PID:3896
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe70⤵PID:540
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe71⤵PID:1884
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe72⤵PID:2292
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe73⤵PID:2284
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe74⤵PID:4328
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe75⤵PID:2312
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe76⤵PID:5068
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe77⤵
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe78⤵PID:3916
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe79⤵PID:4128
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe80⤵PID:4900
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe81⤵PID:2740
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2364 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe83⤵PID:4688
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe84⤵PID:208
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe85⤵PID:3144
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe86⤵PID:2216
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe87⤵PID:4316
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe88⤵PID:3504
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe89⤵PID:2456
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe90⤵PID:4436
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe91⤵PID:4836
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3712 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe93⤵PID:5044
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe94⤵PID:2008
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe95⤵PID:2480
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe96⤵PID:3028
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe97⤵PID:3424
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe98⤵PID:3796
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe99⤵PID:840
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe100⤵PID:5144
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe101⤵PID:5160
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe102⤵PID:5188
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe103⤵PID:5204
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe104⤵PID:5232
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe105⤵PID:5260
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe106⤵PID:5284
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe107⤵PID:5308
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5348 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe109⤵PID:5384
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe110⤵
- Modifies registry class
PID:5428 -
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe111⤵PID:5452
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe112⤵PID:5476
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe113⤵PID:5516
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe114⤵PID:5540
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe115⤵PID:5564
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe116⤵PID:5588
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe117⤵PID:5612
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe118⤵PID:5636
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe119⤵PID:5660
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe120⤵PID:5684
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe121⤵PID:5708
-
C:\Windows\SysWOW64\wininet.exeC:\Windows\system32\wininet.exe122⤵PID:5732