metasploit | e2f892b1cb049973f67cdf77a764fa94692a76e92c3e2d2f1abd7b4da43b8d9a

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
Size

194KB
MD5

db19cc95f96b30a0be4f7c9624da78f2
SHA1

6941fab7273c70463e719ae5bbd8957d27ba9c20
SHA256

e2f892b1cb049973f67cdf77a764fa94692a76e92c3e2d2f1abd7b4da43b8d9a
SHA512

3cc3675ecfe5ba1ddf8f4fef1a96a9c517a4229d0f2d178befd69ddf38245f0477bf0c2f50a99a42316704723872c4d42f572465de5ff34c9b2212c57f7c1cc3
SSDEEP

6144:yCimQQpmXClMYnXvM+e02fZ1+vbt0NgO6:yCusmXw44bt0Ng3

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Deletes itself 1 IoCs

pid	Process
2612	CtDrvMkc.exe

Executes dropped EXE 64 IoCs

pid	Process
2800	CtDrvMkc.exe
2612	CtDrvMkc.exe
1664	CtDrvMkc.exe
1152	CtDrvMkc.exe
1320	CtDrvMkc.exe
2856	CtDrvMkc.exe
2092	CtDrvMkc.exe
592	CtDrvMkc.exe
1956	CtDrvMkc.exe
2416	CtDrvMkc.exe
404	CtDrvMkc.exe
1228	CtDrvMkc.exe
888	CtDrvMkc.exe
1000	CtDrvMkc.exe
1712	CtDrvMkc.exe
1528	CtDrvMkc.exe
1700	CtDrvMkc.exe
2080	CtDrvMkc.exe
1728	CtDrvMkc.exe
1592	CtDrvMkc.exe
2872	CtDrvMkc.exe
2600	CtDrvMkc.exe
2616	CtDrvMkc.exe
1816	CtDrvMkc.exe
2764	CtDrvMkc.exe
2832	CtDrvMkc.exe
2756	CtDrvMkc.exe
2804	CtDrvMkc.exe
2376	CtDrvMkc.exe
2372	CtDrvMkc.exe
1828	CtDrvMkc.exe
2976	CtDrvMkc.exe
764	CtDrvMkc.exe
828	CtDrvMkc.exe
1844	CtDrvMkc.exe
1744	CtDrvMkc.exe
2076	CtDrvMkc.exe
2240	CtDrvMkc.exe
1072	CtDrvMkc.exe
1088	CtDrvMkc.exe
3028	CtDrvMkc.exe
1508	CtDrvMkc.exe
2792	CtDrvMkc.exe
2628	CtDrvMkc.exe
1984	CtDrvMkc.exe
1900	CtDrvMkc.exe
2848	CtDrvMkc.exe
1040	CtDrvMkc.exe
588	CtDrvMkc.exe
2192	CtDrvMkc.exe
2216	CtDrvMkc.exe
1308	CtDrvMkc.exe
2940	CtDrvMkc.exe
444	CtDrvMkc.exe
920	CtDrvMkc.exe
1868	CtDrvMkc.exe
1380	CtDrvMkc.exe
1060	CtDrvMkc.exe
1712	CtDrvMkc.exe
2392	CtDrvMkc.exe
1084	CtDrvMkc.exe
2504	CtDrvMkc.exe
2752	CtDrvMkc.exe
2776	CtDrvMkc.exe

Loads dropped DLL 64 IoCs

pid	Process
2692	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
2692	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
2800	CtDrvMkc.exe
2612	CtDrvMkc.exe
2612	CtDrvMkc.exe
1152	CtDrvMkc.exe
1152	CtDrvMkc.exe
2856	CtDrvMkc.exe
2856	CtDrvMkc.exe
592	CtDrvMkc.exe
592	CtDrvMkc.exe
2416	CtDrvMkc.exe
2416	CtDrvMkc.exe
1228	CtDrvMkc.exe
1228	CtDrvMkc.exe
1000	CtDrvMkc.exe
1000	CtDrvMkc.exe
1528	CtDrvMkc.exe
1528	CtDrvMkc.exe
2080	CtDrvMkc.exe
2080	CtDrvMkc.exe
1592	CtDrvMkc.exe
1592	CtDrvMkc.exe
2600	CtDrvMkc.exe
2600	CtDrvMkc.exe
1816	CtDrvMkc.exe
1816	CtDrvMkc.exe
2832	CtDrvMkc.exe
2832	CtDrvMkc.exe
2804	CtDrvMkc.exe
2804	CtDrvMkc.exe
2372	CtDrvMkc.exe
2372	CtDrvMkc.exe
2976	CtDrvMkc.exe
2976	CtDrvMkc.exe
828	CtDrvMkc.exe
828	CtDrvMkc.exe
1744	CtDrvMkc.exe
1744	CtDrvMkc.exe
2240	CtDrvMkc.exe
2240	CtDrvMkc.exe
1088	CtDrvMkc.exe
1088	CtDrvMkc.exe
1508	CtDrvMkc.exe
1508	CtDrvMkc.exe
2628	CtDrvMkc.exe
2628	CtDrvMkc.exe
1900	CtDrvMkc.exe
1900	CtDrvMkc.exe
1040	CtDrvMkc.exe
1040	CtDrvMkc.exe
2192	CtDrvMkc.exe
2192	CtDrvMkc.exe
1308	CtDrvMkc.exe
1308	CtDrvMkc.exe
444	CtDrvMkc.exe
444	CtDrvMkc.exe
1868	CtDrvMkc.exe
1868	CtDrvMkc.exe
1060	CtDrvMkc.exe
1060	CtDrvMkc.exe
2392	CtDrvMkc.exe
2392	CtDrvMkc.exe
2504	CtDrvMkc.exe

Maps connected drives based on registry 3 TTPs 64 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe

Suspicious use of SetThreadContext 47 IoCs

description	pid	Process	procid_target
PID 2672 set thread context of 2692	2672	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	30
PID 2800 set thread context of 2612	2800	CtDrvMkc.exe	32
PID 1664 set thread context of 1152	1664	CtDrvMkc.exe	34
PID 1320 set thread context of 2856	1320	CtDrvMkc.exe	36
PID 2092 set thread context of 592	2092	CtDrvMkc.exe	38
PID 1956 set thread context of 2416	1956	CtDrvMkc.exe	40
PID 404 set thread context of 1228	404	CtDrvMkc.exe	42
PID 888 set thread context of 1000	888	CtDrvMkc.exe	44
PID 1712 set thread context of 1528	1712	CtDrvMkc.exe	46
PID 1700 set thread context of 2080	1700	CtDrvMkc.exe	48
PID 1728 set thread context of 1592	1728	CtDrvMkc.exe	50
PID 2872 set thread context of 2600	2872	CtDrvMkc.exe	52
PID 2616 set thread context of 1816	2616	CtDrvMkc.exe	54
PID 2764 set thread context of 2832	2764	CtDrvMkc.exe	56
PID 2756 set thread context of 2804	2756	CtDrvMkc.exe	58
PID 2376 set thread context of 2372	2376	CtDrvMkc.exe	60
PID 1828 set thread context of 2976	1828	CtDrvMkc.exe	62
PID 764 set thread context of 828	764	CtDrvMkc.exe	64
PID 1844 set thread context of 1744	1844	CtDrvMkc.exe	66
PID 2076 set thread context of 2240	2076	CtDrvMkc.exe	68
PID 1072 set thread context of 1088	1072	CtDrvMkc.exe	70
PID 3028 set thread context of 1508	3028	CtDrvMkc.exe	73
PID 2792 set thread context of 2628	2792	CtDrvMkc.exe	75
PID 1984 set thread context of 1900	1984	CtDrvMkc.exe	77
PID 2848 set thread context of 1040	2848	CtDrvMkc.exe	79
PID 588 set thread context of 2192	588	CtDrvMkc.exe	81
PID 2216 set thread context of 1308	2216	CtDrvMkc.exe	83
PID 2940 set thread context of 444	2940	CtDrvMkc.exe	85
PID 920 set thread context of 1868	920	CtDrvMkc.exe	87
PID 1380 set thread context of 1060	1380	CtDrvMkc.exe	89
PID 1712 set thread context of 2392	1712	CtDrvMkc.exe	91
PID 1084 set thread context of 2504	1084	CtDrvMkc.exe	93
PID 2752 set thread context of 2776	2752	CtDrvMkc.exe	95
PID 2872 set thread context of 2640	2872	CtDrvMkc.exe	97
PID 2868 set thread context of 2176	2868	CtDrvMkc.exe	99
PID 892 set thread context of 2236	892	CtDrvMkc.exe	101
PID 1248 set thread context of 2548	1248	CtDrvMkc.exe	103
PID 1160 set thread context of 2028	1160	CtDrvMkc.exe	105
PID 1876 set thread context of 2420	1876	CtDrvMkc.exe	107
PID 1232 set thread context of 2940	1232	CtDrvMkc.exe	109
PID 1080 set thread context of 1376	1080	CtDrvMkc.exe	111
PID 1880 set thread context of 2460	1880	CtDrvMkc.exe	113
PID 2076 set thread context of 1700	2076	CtDrvMkc.exe	115
PID 1740 set thread context of 276	1740	CtDrvMkc.exe	117
PID 1192 set thread context of 2820	1192	CtDrvMkc.exe	119
PID 2884 set thread context of 2636	2884	CtDrvMkc.exe	121
PID 2000 set thread context of 2064	2000	CtDrvMkc.exe	123

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2692-2-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2692-17-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2692-15-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2692-16-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2692-14-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2692-12-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2692-7-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2692-4-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2692-29-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2612-42-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2612-44-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2612-43-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2612-45-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2612-49-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1152-62-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1152-61-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1152-64-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1152-63-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1152-69-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2856-82-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2856-90-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/592-102-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/592-110-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2416-122-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2416-130-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1228-142-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1228-150-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1000-162-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1000-170-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1528-184-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1528-190-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2080-202-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2080-210-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1592-222-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1592-231-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2600-243-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2600-251-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1816-263-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1816-271-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2832-285-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2832-290-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2804-301-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2804-306-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2372-317-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2372-322-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2976-333-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2976-338-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/828-349-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/828-354-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1744-365-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1744-370-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2240-381-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2240-386-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1088-397-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1088-402-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1508-415-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1508-418-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2628-427-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2628-434-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1900-445-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1900-450-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1040-460-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1040-466-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2192-479-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
2692	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
2612	CtDrvMkc.exe
1152	CtDrvMkc.exe
2856	CtDrvMkc.exe
592	CtDrvMkc.exe
2416	CtDrvMkc.exe
1228	CtDrvMkc.exe
1000	CtDrvMkc.exe
1528	CtDrvMkc.exe
2080	CtDrvMkc.exe
1592	CtDrvMkc.exe
2600	CtDrvMkc.exe
1816	CtDrvMkc.exe
2832	CtDrvMkc.exe
2804	CtDrvMkc.exe
2372	CtDrvMkc.exe
2976	CtDrvMkc.exe
828	CtDrvMkc.exe
1744	CtDrvMkc.exe
2240	CtDrvMkc.exe
1088	CtDrvMkc.exe
1508	CtDrvMkc.exe
2628	CtDrvMkc.exe
1900	CtDrvMkc.exe
1040	CtDrvMkc.exe
2192	CtDrvMkc.exe
1308	CtDrvMkc.exe
444	CtDrvMkc.exe
1868	CtDrvMkc.exe
1060	CtDrvMkc.exe
2392	CtDrvMkc.exe
2504	CtDrvMkc.exe
2776	CtDrvMkc.exe
2640	CtDrvMkc.exe
2176	CtDrvMkc.exe
2236	CtDrvMkc.exe
2548	CtDrvMkc.exe
2028	CtDrvMkc.exe
2420	CtDrvMkc.exe
2940	CtDrvMkc.exe
1376	CtDrvMkc.exe
2460	CtDrvMkc.exe
1700	CtDrvMkc.exe
276	CtDrvMkc.exe
2820	CtDrvMkc.exe
2636	CtDrvMkc.exe
2064	CtDrvMkc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2692	2672	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2692	2672	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2692	2672	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2692	2672	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2692	2672	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2692	2672	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2692	2672	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	30
PID 2672 wrote to memory of 2692	2672	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	30
PID 2692 wrote to memory of 2800	2692	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2800	2692	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2800	2692	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2800	2692	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	31
PID 2800 wrote to memory of 2612	2800	CtDrvMkc.exe	32
PID 2800 wrote to memory of 2612	2800	CtDrvMkc.exe	32
PID 2800 wrote to memory of 2612	2800	CtDrvMkc.exe	32
PID 2800 wrote to memory of 2612	2800	CtDrvMkc.exe	32
PID 2800 wrote to memory of 2612	2800	CtDrvMkc.exe	32
PID 2800 wrote to memory of 2612	2800	CtDrvMkc.exe	32
PID 2800 wrote to memory of 2612	2800	CtDrvMkc.exe	32
PID 2800 wrote to memory of 2612	2800	CtDrvMkc.exe	32
PID 2612 wrote to memory of 1664	2612	CtDrvMkc.exe	33
PID 2612 wrote to memory of 1664	2612	CtDrvMkc.exe	33
PID 2612 wrote to memory of 1664	2612	CtDrvMkc.exe	33
PID 2612 wrote to memory of 1664	2612	CtDrvMkc.exe	33
PID 1664 wrote to memory of 1152	1664	CtDrvMkc.exe	34
PID 1664 wrote to memory of 1152	1664	CtDrvMkc.exe	34
PID 1664 wrote to memory of 1152	1664	CtDrvMkc.exe	34
PID 1664 wrote to memory of 1152	1664	CtDrvMkc.exe	34
PID 1664 wrote to memory of 1152	1664	CtDrvMkc.exe	34
PID 1664 wrote to memory of 1152	1664	CtDrvMkc.exe	34
PID 1664 wrote to memory of 1152	1664	CtDrvMkc.exe	34
PID 1664 wrote to memory of 1152	1664	CtDrvMkc.exe	34
PID 1152 wrote to memory of 1320	1152	CtDrvMkc.exe	35
PID 1152 wrote to memory of 1320	1152	CtDrvMkc.exe	35
PID 1152 wrote to memory of 1320	1152	CtDrvMkc.exe	35
PID 1152 wrote to memory of 1320	1152	CtDrvMkc.exe	35
PID 1320 wrote to memory of 2856	1320	CtDrvMkc.exe	36
PID 1320 wrote to memory of 2856	1320	CtDrvMkc.exe	36
PID 1320 wrote to memory of 2856	1320	CtDrvMkc.exe	36
PID 1320 wrote to memory of 2856	1320	CtDrvMkc.exe	36
PID 1320 wrote to memory of 2856	1320	CtDrvMkc.exe	36
PID 1320 wrote to memory of 2856	1320	CtDrvMkc.exe	36
PID 1320 wrote to memory of 2856	1320	CtDrvMkc.exe	36
PID 1320 wrote to memory of 2856	1320	CtDrvMkc.exe	36
PID 2856 wrote to memory of 2092	2856	CtDrvMkc.exe	37
PID 2856 wrote to memory of 2092	2856	CtDrvMkc.exe	37
PID 2856 wrote to memory of 2092	2856	CtDrvMkc.exe	37
PID 2856 wrote to memory of 2092	2856	CtDrvMkc.exe	37
PID 2092 wrote to memory of 592	2092	CtDrvMkc.exe	38
PID 2092 wrote to memory of 592	2092	CtDrvMkc.exe	38
PID 2092 wrote to memory of 592	2092	CtDrvMkc.exe	38
PID 2092 wrote to memory of 592	2092	CtDrvMkc.exe	38
PID 2092 wrote to memory of 592	2092	CtDrvMkc.exe	38
PID 2092 wrote to memory of 592	2092	CtDrvMkc.exe	38
PID 2092 wrote to memory of 592	2092	CtDrvMkc.exe	38
PID 2092 wrote to memory of 592	2092	CtDrvMkc.exe	38
PID 592 wrote to memory of 1956	592	CtDrvMkc.exe	39
PID 592 wrote to memory of 1956	592	CtDrvMkc.exe	39
PID 592 wrote to memory of 1956	592	CtDrvMkc.exe	39
PID 592 wrote to memory of 1956	592	CtDrvMkc.exe	39
PID 1956 wrote to memory of 2416	1956	CtDrvMkc.exe	40
PID 1956 wrote to memory of 2416	1956	CtDrvMkc.exe	40
PID 1956 wrote to memory of 2416	1956	CtDrvMkc.exe	40
PID 1956 wrote to memory of 2416	1956	CtDrvMkc.exe	40

C:\Users\Admin\AppData\Local\Temp\db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\CtDrvMkc.exe
    "C:\Windows\system32\CtDrvMkc.exe" C:\Users\Admin\AppData\Local\Temp\DB19CC~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\CtDrvMkc.exe
      "C:\Windows\system32\CtDrvMkc.exe" C:\Users\Admin\AppData\Local\Temp\DB19CC~1.EXE
      4⤵
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1664
      - C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2416
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1228
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1000
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1712
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1528
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2080
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1728
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1592
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2600
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2616
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1816
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2832
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2804
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2976
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:828
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1744
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2076
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2240
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1088
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3028
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1508
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2628
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1984
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1900
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2848
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1040
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2192
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2216
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1308
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:444
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1868
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1060
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2392
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1084
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2504
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2752
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        66⤵
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2776
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        68⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2640
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        69⤵
        Suspicious use of SetThreadContext
        
        PID:2868
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        70⤵
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2176
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        71⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        72⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2236
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2548
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        76⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2028
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        77⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        78⤵
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        79⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2940
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        81⤵
        Suspicious use of SetThreadContext
        
        PID:1080
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        82⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1376
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        83⤵
        Suspicious use of SetThreadContext
        
        PID:1880
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        84⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        85⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        86⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1700
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        87⤵
        Suspicious use of SetThreadContext
        
        PID:1740
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        88⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:276
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        89⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2820
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        91⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        92⤵
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2636
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        93⤵
        Suspicious use of SetThreadContext
        
        PID:2000
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        94⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\CtDrvMkc.exe

Filesize
194KB

MD5
db19cc95f96b30a0be4f7c9624da78f2

SHA1
6941fab7273c70463e719ae5bbd8957d27ba9c20

SHA256
e2f892b1cb049973f67cdf77a764fa94692a76e92c3e2d2f1abd7b4da43b8d9a

SHA512
3cc3675ecfe5ba1ddf8f4fef1a96a9c517a4229d0f2d178befd69ddf38245f0477bf0c2f50a99a42316704723872c4d42f572465de5ff34c9b2212c57f7c1cc3

Download Submit
memory/276-764-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/276-759-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/444-513-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/592-110-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/592-102-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/828-349-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/828-354-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1000-170-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1000-162-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1040-460-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1040-466-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1060-538-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1060-544-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1088-402-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1088-397-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1152-69-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1152-64-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1152-63-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1152-62-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1152-61-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1228-142-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1228-150-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1308-493-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1308-498-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1320-78-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1376-716-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1376-709-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1508-418-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1508-415-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1528-190-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1528-184-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1592-231-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1592-222-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1664-59-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1700-741-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1700-748-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1744-365-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1744-370-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1816-263-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1816-271-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1868-528-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1900-450-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1900-445-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2028-669-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2064-808-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2080-210-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2080-202-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2176-622-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2192-482-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2192-479-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2236-632-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2236-638-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2240-381-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2240-386-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2372-322-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2372-317-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2392-555-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2392-560-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2416-122-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2416-130-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2420-684-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2460-727-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2460-732-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2504-576-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2504-573-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2548-651-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2548-654-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2600-251-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2600-243-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2612-45-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2612-43-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2612-44-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2612-42-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2612-49-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2628-427-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2628-434-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2636-795-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2636-790-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2640-603-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2640-607-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2672-13-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2692-29-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2692-7-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2692-14-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2692-17-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2692-2-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2692-12-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2692-16-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2692-15-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2692-4-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2692-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2692-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2776-591-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2800-40-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2804-306-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2804-301-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2820-779-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2832-285-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2832-290-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2856-90-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2856-82-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2940-700-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2940-694-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2976-338-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2976-333-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download