Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-12-2024 22:09

General

  • Target

    e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe

  • Size

    166KB

  • MD5

    e8828ef7328cfa84e5cfccfc399645dd

  • SHA1

    5be3525a5cf3a5c99be280812788f766c8c45ce5

  • SHA256

    172ed8dccfa77af72fa89cc401f07e06aedf891f5948653dba43a4ef3d2def72

  • SHA512

    71921c64a39d0ec7f6b46dc1fd3e3f94fdcb20f9cfe1da2fa33c81dc2df7da1fd68098f4fdf08faf8d049a24a383d6139b40d4f300ca0a4d913f1ce5e3d07f39

  • SSDEEP

    3072:wkBJK6EP9PhHU/jCrlE8WALcZzgFWTngFuDZAOHINfeXrWGbfmzqwVGTrl2s:wgK6A0zjKGb+z9V27

Malware Config

Extracted

Family

xtremerat

C2

smokepawts.no-ip.info

Signatures

  • Detect XtremeRAT payload 23 IoCs
  • XtremeRAT

    XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

  • Xtremerat family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 60 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 56 IoCs
  • Adds Run key to start application 2 TTPs 60 IoCs
  • Drops file in System32 directory 64 IoCs
  • Suspicious use of SetThreadContext 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 29 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Users\Admin\AppData\Local\Temp\e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3736
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Adds Run key to start application
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3500
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1092
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4356
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2608
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2316
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3328
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2304
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          PID:4012
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:2312
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3464
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4052
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:2184
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3360
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1480
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:4992
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1976
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3740
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:3344
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:344
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          PID:1084
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:2712
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4032
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:832
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:3656
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3928
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4572
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:2820
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4776
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3356
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:4584
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2612
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          PID:4956
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:2900
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2316
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2548
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:3208
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4780
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3628
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:1284
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4568
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          PID:4600
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:2288
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4988
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1844
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:720
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1748
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          PID:1908
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:1544
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1596
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          PID:2212
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:3488
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              PID:3344
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          PID:2028
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:4704
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4652
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:624
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:4488
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:900
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          PID:4716
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:4960
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              PID:1044
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2820
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:4776
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2524
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2544
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:1008
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              PID:3484
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          PID:4168
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:3800
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3060
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3448
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:4512
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2884
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          PID:2520
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:3044
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              PID:3464
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4648
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:4428
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2288
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4004
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:1952
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3184
        • C:\Windows\SysWOW64\Boot\nvcpl.exe
          "C:\Windows\system32\Boot\nvcpl.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          PID:1004
          • C:\Windows\SysWOW64\Boot\nvcpl.exe
            "C:\Windows\SysWOW64\Boot\nvcpl.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:720
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1616
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3356

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4089630652-1596403869-279772308-1000\88603cb2913a7df3fbd16b5f958e6447_dc5cddf5-9e4b-4c89-ba53-89649a7a5ee7

    Filesize

    51B

    MD5

    5fc2ac2a310f49c14d195230b91a8885

    SHA1

    90855cc11136ba31758fe33b5cf9571f9a104879

    SHA256

    374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092

    SHA512

    ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\v3x3v.cfg

    Filesize

    1KB

    MD5

    af4ab2610a837a3ad826cc396ad6b01b

    SHA1

    73c788d9a980ff1ef1a1b5eacad64c10b382c248

    SHA256

    9e650e08c842048da4873233da25f07778104aaee740fd690609a41c8a9b70df

    SHA512

    a39f69c01b33fca0862ccb35f0975ebbb8a9cd0903634b220c8cf664c0576059b007923c27312c7fd77b816f4a1e2df7ec7112ac907a367c2b7e29772edffc73

  • C:\Windows\SysWOW64\Boot\nvcpl.exe

    Filesize

    166KB

    MD5

    e8828ef7328cfa84e5cfccfc399645dd

    SHA1

    5be3525a5cf3a5c99be280812788f766c8c45ce5

    SHA256

    172ed8dccfa77af72fa89cc401f07e06aedf891f5948653dba43a4ef3d2def72

    SHA512

    71921c64a39d0ec7f6b46dc1fd3e3f94fdcb20f9cfe1da2fa33c81dc2df7da1fd68098f4fdf08faf8d049a24a383d6139b40d4f300ca0a4d913f1ce5e3d07f39

  • memory/344-106-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/1976-91-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/2304-46-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/2316-181-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/2608-31-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/2612-166-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/3328-39-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/3356-15-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/3360-76-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/3464-61-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/3500-13-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/3736-6-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/3736-16-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/3736-5-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/3736-8-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/3736-7-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/3928-136-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/4032-121-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/4356-25-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/4568-212-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/4776-151-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/4780-196-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB

  • memory/4988-227-0x0000000013140000-0x000000001315C000-memory.dmp

    Filesize

    112KB