metasploit | e2f892b1cb049973f67cdf77a764fa94692a76e92c3e2d2f1abd7b4da43b8d9a

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
Size

194KB
MD5

db19cc95f96b30a0be4f7c9624da78f2
SHA1

6941fab7273c70463e719ae5bbd8957d27ba9c20
SHA256

e2f892b1cb049973f67cdf77a764fa94692a76e92c3e2d2f1abd7b4da43b8d9a
SHA512

3cc3675ecfe5ba1ddf8f4fef1a96a9c517a4229d0f2d178befd69ddf38245f0477bf0c2f50a99a42316704723872c4d42f572465de5ff34c9b2212c57f7c1cc3
SSDEEP

6144:yCimQQpmXClMYnXvM+e02fZ1+vbt0NgO6:yCusmXw44bt0Ng3

Score

10^/10

metasploit backdoor discovery trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 20 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	CtDrvMkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	CtDrvMkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	CtDrvMkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	CtDrvMkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	CtDrvMkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	CtDrvMkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	CtDrvMkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	CtDrvMkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	CtDrvMkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	CtDrvMkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	CtDrvMkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	CtDrvMkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	CtDrvMkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	CtDrvMkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	CtDrvMkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	CtDrvMkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	CtDrvMkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	CtDrvMkc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	CtDrvMkc.exe

Deletes itself 1 IoCs

pid	Process
1500	CtDrvMkc.exe

Executes dropped EXE 39 IoCs

pid	Process
2908	CtDrvMkc.exe
1500	CtDrvMkc.exe
3548	CtDrvMkc.exe
2972	CtDrvMkc.exe
1708	CtDrvMkc.exe
392	CtDrvMkc.exe
1400	CtDrvMkc.exe
1820	CtDrvMkc.exe
3844	CtDrvMkc.exe
1632	CtDrvMkc.exe
1736	CtDrvMkc.exe
4740	CtDrvMkc.exe
3356	CtDrvMkc.exe
1128	CtDrvMkc.exe
836	CtDrvMkc.exe
2648	CtDrvMkc.exe
1644	CtDrvMkc.exe
2420	CtDrvMkc.exe
4184	CtDrvMkc.exe
2688	CtDrvMkc.exe
1140	CtDrvMkc.exe
4836	CtDrvMkc.exe
2324	CtDrvMkc.exe
4488	CtDrvMkc.exe
2252	CtDrvMkc.exe
2024	CtDrvMkc.exe
752	CtDrvMkc.exe
3724	CtDrvMkc.exe
536	CtDrvMkc.exe
380	CtDrvMkc.exe
952	CtDrvMkc.exe
4448	CtDrvMkc.exe
4040	CtDrvMkc.exe
3276	CtDrvMkc.exe
4892	CtDrvMkc.exe
3216	CtDrvMkc.exe
1976	CtDrvMkc.exe
3616	CtDrvMkc.exe
908	CtDrvMkc.exe

Maps connected drives based on registry 3 TTPs 40 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvMkc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	CtDrvMkc.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File created	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\CtDrvMkc.exe	CtDrvMkc.exe

Suspicious use of SetThreadContext 20 IoCs

description	pid	Process	procid_target
PID 4480 set thread context of 5104	4480	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	84
PID 2908 set thread context of 1500	2908	CtDrvMkc.exe	94
PID 3548 set thread context of 2972	3548	CtDrvMkc.exe	100
PID 1708 set thread context of 392	1708	CtDrvMkc.exe	102
PID 1400 set thread context of 1820	1400	CtDrvMkc.exe	107
PID 3844 set thread context of 1632	3844	CtDrvMkc.exe	109
PID 1736 set thread context of 4740	1736	CtDrvMkc.exe	111
PID 3356 set thread context of 1128	3356	CtDrvMkc.exe	113
PID 836 set thread context of 2648	836	CtDrvMkc.exe	115
PID 1644 set thread context of 2420	1644	CtDrvMkc.exe	117
PID 4184 set thread context of 2688	4184	CtDrvMkc.exe	119
PID 1140 set thread context of 4836	1140	CtDrvMkc.exe	121
PID 2324 set thread context of 4488	2324	CtDrvMkc.exe	123
PID 2252 set thread context of 2024	2252	CtDrvMkc.exe	125
PID 752 set thread context of 3724	752	CtDrvMkc.exe	127
PID 536 set thread context of 380	536	CtDrvMkc.exe	129
PID 952 set thread context of 4448	952	CtDrvMkc.exe	131
PID 4040 set thread context of 3276	4040	CtDrvMkc.exe	133
PID 4892 set thread context of 3216	4892	CtDrvMkc.exe	135
PID 1976 set thread context of 3616	1976	CtDrvMkc.exe	137

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5104-1-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/5104-2-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/5104-0-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/5104-6-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/5104-7-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/5104-10-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/5104-9-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/5104-8-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/5104-44-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1500-52-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1500-54-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1500-56-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1500-53-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1500-57-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2972-66-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2972-69-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2972-68-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2972-70-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/392-79-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/392-82-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/392-81-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/392-83-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1820-92-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1820-95-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1820-94-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1820-97-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1632-105-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1632-108-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1632-107-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1632-112-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4740-126-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1128-136-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/1128-141-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2648-149-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2648-156-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2420-164-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2420-172-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2688-180-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2688-187-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4836-195-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4836-202-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4488-210-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4488-217-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2024-225-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/2024-232-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3724-246-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/380-254-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/380-261-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/4448-275-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3276-290-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3216-304-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral2/memory/3616-318-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CtDrvMkc.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvMkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvMkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvMkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvMkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvMkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvMkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvMkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvMkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvMkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvMkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvMkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvMkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvMkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvMkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvMkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvMkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvMkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvMkc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	CtDrvMkc.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
5104	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
5104	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
1500	CtDrvMkc.exe
1500	CtDrvMkc.exe
2972	CtDrvMkc.exe
2972	CtDrvMkc.exe
392	CtDrvMkc.exe
392	CtDrvMkc.exe
1820	CtDrvMkc.exe
1820	CtDrvMkc.exe
1632	CtDrvMkc.exe
1632	CtDrvMkc.exe
4740	CtDrvMkc.exe
4740	CtDrvMkc.exe
1128	CtDrvMkc.exe
1128	CtDrvMkc.exe
2648	CtDrvMkc.exe
2648	CtDrvMkc.exe
2420	CtDrvMkc.exe
2420	CtDrvMkc.exe
2688	CtDrvMkc.exe
2688	CtDrvMkc.exe
4836	CtDrvMkc.exe
4836	CtDrvMkc.exe
4488	CtDrvMkc.exe
4488	CtDrvMkc.exe
2024	CtDrvMkc.exe
2024	CtDrvMkc.exe
3724	CtDrvMkc.exe
3724	CtDrvMkc.exe
380	CtDrvMkc.exe
380	CtDrvMkc.exe
4448	CtDrvMkc.exe
4448	CtDrvMkc.exe
3276	CtDrvMkc.exe
3276	CtDrvMkc.exe
3216	CtDrvMkc.exe
3216	CtDrvMkc.exe
3616	CtDrvMkc.exe
3616	CtDrvMkc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 5104	4480	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	84
PID 4480 wrote to memory of 5104	4480	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	84
PID 4480 wrote to memory of 5104	4480	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	84
PID 4480 wrote to memory of 5104	4480	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	84
PID 4480 wrote to memory of 5104	4480	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	84
PID 4480 wrote to memory of 5104	4480	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	84
PID 4480 wrote to memory of 5104	4480	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	84
PID 4480 wrote to memory of 5104	4480	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	84
PID 5104 wrote to memory of 2908	5104	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	89
PID 5104 wrote to memory of 2908	5104	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	89
PID 5104 wrote to memory of 2908	5104	db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe	89
PID 2908 wrote to memory of 1500	2908	CtDrvMkc.exe	94
PID 2908 wrote to memory of 1500	2908	CtDrvMkc.exe	94
PID 2908 wrote to memory of 1500	2908	CtDrvMkc.exe	94
PID 2908 wrote to memory of 1500	2908	CtDrvMkc.exe	94
PID 2908 wrote to memory of 1500	2908	CtDrvMkc.exe	94
PID 2908 wrote to memory of 1500	2908	CtDrvMkc.exe	94
PID 2908 wrote to memory of 1500	2908	CtDrvMkc.exe	94
PID 2908 wrote to memory of 1500	2908	CtDrvMkc.exe	94
PID 1500 wrote to memory of 3548	1500	CtDrvMkc.exe	99
PID 1500 wrote to memory of 3548	1500	CtDrvMkc.exe	99
PID 1500 wrote to memory of 3548	1500	CtDrvMkc.exe	99
PID 3548 wrote to memory of 2972	3548	CtDrvMkc.exe	100
PID 3548 wrote to memory of 2972	3548	CtDrvMkc.exe	100
PID 3548 wrote to memory of 2972	3548	CtDrvMkc.exe	100
PID 3548 wrote to memory of 2972	3548	CtDrvMkc.exe	100
PID 3548 wrote to memory of 2972	3548	CtDrvMkc.exe	100
PID 3548 wrote to memory of 2972	3548	CtDrvMkc.exe	100
PID 3548 wrote to memory of 2972	3548	CtDrvMkc.exe	100
PID 3548 wrote to memory of 2972	3548	CtDrvMkc.exe	100
PID 2972 wrote to memory of 1708	2972	CtDrvMkc.exe	101
PID 2972 wrote to memory of 1708	2972	CtDrvMkc.exe	101
PID 2972 wrote to memory of 1708	2972	CtDrvMkc.exe	101
PID 1708 wrote to memory of 392	1708	CtDrvMkc.exe	102
PID 1708 wrote to memory of 392	1708	CtDrvMkc.exe	102
PID 1708 wrote to memory of 392	1708	CtDrvMkc.exe	102
PID 1708 wrote to memory of 392	1708	CtDrvMkc.exe	102
PID 1708 wrote to memory of 392	1708	CtDrvMkc.exe	102
PID 1708 wrote to memory of 392	1708	CtDrvMkc.exe	102
PID 1708 wrote to memory of 392	1708	CtDrvMkc.exe	102
PID 1708 wrote to memory of 392	1708	CtDrvMkc.exe	102
PID 392 wrote to memory of 1400	392	CtDrvMkc.exe	105
PID 392 wrote to memory of 1400	392	CtDrvMkc.exe	105
PID 392 wrote to memory of 1400	392	CtDrvMkc.exe	105
PID 1400 wrote to memory of 1820	1400	CtDrvMkc.exe	107
PID 1400 wrote to memory of 1820	1400	CtDrvMkc.exe	107
PID 1400 wrote to memory of 1820	1400	CtDrvMkc.exe	107
PID 1400 wrote to memory of 1820	1400	CtDrvMkc.exe	107
PID 1400 wrote to memory of 1820	1400	CtDrvMkc.exe	107
PID 1400 wrote to memory of 1820	1400	CtDrvMkc.exe	107
PID 1400 wrote to memory of 1820	1400	CtDrvMkc.exe	107
PID 1400 wrote to memory of 1820	1400	CtDrvMkc.exe	107
PID 1820 wrote to memory of 3844	1820	CtDrvMkc.exe	108
PID 1820 wrote to memory of 3844	1820	CtDrvMkc.exe	108
PID 1820 wrote to memory of 3844	1820	CtDrvMkc.exe	108
PID 3844 wrote to memory of 1632	3844	CtDrvMkc.exe	109
PID 3844 wrote to memory of 1632	3844	CtDrvMkc.exe	109
PID 3844 wrote to memory of 1632	3844	CtDrvMkc.exe	109
PID 3844 wrote to memory of 1632	3844	CtDrvMkc.exe	109
PID 3844 wrote to memory of 1632	3844	CtDrvMkc.exe	109
PID 3844 wrote to memory of 1632	3844	CtDrvMkc.exe	109
PID 3844 wrote to memory of 1632	3844	CtDrvMkc.exe	109
PID 3844 wrote to memory of 1632	3844	CtDrvMkc.exe	109
PID 1632 wrote to memory of 1736	1632	CtDrvMkc.exe	110

C:\Users\Admin\AppData\Local\Temp\db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Users\Admin\AppData\Local\Temp\db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\db19cc95f96b30a0be4f7c9624da78f2_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\SysWOW64\CtDrvMkc.exe
    "C:\Windows\system32\CtDrvMkc.exe" C:\Users\Admin\AppData\Local\Temp\DB19CC~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\CtDrvMkc.exe
      "C:\Windows\system32\CtDrvMkc.exe" C:\Users\Admin\AppData\Local\Temp\DB19CC~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Maps connected drives based on registry
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3548
      - C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4740
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1128
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2420
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4836
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4488
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2024
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3724
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:380
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4448
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3276
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3216
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Maps connected drives based on registry
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3616
        
        C:\Windows\SysWOW64\CtDrvMkc.exe
        
        "C:\Windows\system32\CtDrvMkc.exe" C:\Windows\SysWOW64\CtDrvMkc.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\CtDrvMkc.exe

Filesize
194KB

MD5
db19cc95f96b30a0be4f7c9624da78f2

SHA1
6941fab7273c70463e719ae5bbd8957d27ba9c20

SHA256
e2f892b1cb049973f67cdf77a764fa94692a76e92c3e2d2f1abd7b4da43b8d9a

SHA512
3cc3675ecfe5ba1ddf8f4fef1a96a9c517a4229d0f2d178befd69ddf38245f0477bf0c2f50a99a42316704723872c4d42f572465de5ff34c9b2212c57f7c1cc3

Download Submit
memory/380-261-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/380-254-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/392-82-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/392-81-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/392-83-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/392-79-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1128-141-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1128-136-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1400-93-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1500-53-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1500-54-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1500-56-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1500-52-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1500-57-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1632-105-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1632-108-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1632-107-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1632-112-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1708-80-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1820-94-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1820-95-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1820-97-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1820-92-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2024-232-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2024-225-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2420-172-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2420-164-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2648-149-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2648-156-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2688-187-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2688-180-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2908-55-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2972-70-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2972-68-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2972-69-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2972-66-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3216-304-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3276-290-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3548-67-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3616-318-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3724-246-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3844-106-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4448-275-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4480-5-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4488-210-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4488-217-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4740-126-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4836-202-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/4836-195-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5104-6-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5104-9-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5104-8-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5104-10-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5104-0-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5104-2-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5104-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5104-44-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5104-7-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download