Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 12-12-2024 22:09
Static task: static1
Behavioral task: behavioral1
  Sample: e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe
Size: 166KB
MD5: e8828ef7328cfa84e5cfccfc399645dd
SHA1: 5be3525a5cf3a5c99be280812788f766c8c45ce5
SHA256: 172ed8dccfa77af72fa89cc401f07e06aedf891f5948653dba43a4ef3d2def72
SHA512: 71921c64a39d0ec7f6b46dc1fd3e3f94fdcb20f9cfe1da2fa33c81dc2df7da1fd68098f4fdf08faf8d049a24a383d6139b40d4f300ca0a4d913f1ce5e3d07f39
SSDEEP: 3072:wkBJK6EP9PhHU/jCrlE8WALcZzgFWTngFuDZAOHINfeXrWGbfmzqwVGTrl2s:wgK6A0zjKGb+z9V27
Malware Config
Extracted
Family: xtremerat
smokepawts.no-ip.info
Signatures

Detect XtremeRAT payload 23 IoCs
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

Xtremerat family
Boot or Logon Autostart Execution: Active Setup 2 TTPs 60 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Executes dropped EXE 56 IoCs
Adds Run key to start application 2 TTPs 60 IoCs
Drops file in System32 directory 64 IoCs
Suspicious use of SetThreadContext 29 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
ioc: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
All 64 events open this one key; counts by process:
Process                                             events
nvcpl.exe                                           37
svchost.exe                                         25
e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe  2
The key is also read by legitimate software resolving the system locale, so on its own it is a weak indicator; its value here is that the injected svchost.exe instances perform the read, not just the dropped binary.
Modifies registry class 1 IoCs
description  ioc                                                                                                      Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  svchost.exe
Suspicious use of SetWindowsHookEx 29 IoCs
e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe: 1656
nvcpl.exe: 1092, 2316, 4012, 4052, 1480, 3740, 1084, 832, 4572, 3356, 4956, 2548, 3628, 4600, 1844, 1908, 2212, 2028, 624, 4716, 2820, 2544, 4168, 3448, 2520, 4648, 4004, 1004
This is exactly the set of PIDs that call SetThreadContext above (the original sample and the level-4 nvcpl.exe parents); the hollowed children and the injected svchost.exe instances install no hooks.
Suspicious use of WriteProcessMemory 64 IoCs
pid   Process                                             target pid  procid_target  writes
1656  e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe  3736        81             13
3736  e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe  3500        82             4
3736  e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe  3356        83             4
3500  svchost.exe                                         1092        87             3
1092  nvcpl.exe                                           4356        88             13
4356  nvcpl.exe                                           2608        89             4
3500  svchost.exe                                         2316        93             3
2316  nvcpl.exe                                           3328        94             13
3328  nvcpl.exe                                           2304        95             4
3500  svchost.exe                                         4012        98             3
The listing stops at 64 events (procid_target 98, the third nvcpl.exe launched by svchost.exe PID 3500); writes for the remaining nvcpl.exe generations in the Processes tree are not itemised. Three distinct write patterns are visible: 13 writes into a same-image child that also has its thread context reset (hollowing), 4 writes into a bare svchost.exe child, and 3 writes from svchost.exe into each nvcpl.exe it launches.
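The SetThreadContext and WriteProcessMemory signatures are exported as one flattened line each. The Python below is an added example, not part of the sandbox report or of any tool it uses: it parses that flattened form back into events, joins the PIDs against the image names from the Processes tree, and labels each writer/target pair. A writer that both writes into a same-image child and resets its thread context is reported as hollowing; a write into a different image with no SetThreadContext observed (the svchost.exe children here) is reported as write-only injection. The event text and the PID-to-image map are a constructed subset copied from this report.

```python
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample input: a subset of this report's own SetThreadContext /
# WriteProcessMemory events, in the flattened
# "PID <pid> <action> <target> <pid> <image> <procid_target>" form the
# sandbox prints them in.
SET_THREAD_CONTEXT_LOG = (
    "PID 1656 set thread context of 3736 1656 e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe 81 "
    "PID 1092 set thread context of 4356 1092 nvcpl.exe 88"
)
WRITE_PROCESS_MEMORY_LOG = (
    "PID 1656 wrote to memory of 3736 1656 e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe 81 "
    "PID 1656 wrote to memory of 3736 1656 e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe 81 "
    "PID 3736 wrote to memory of 3500 3736 e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe 82 "
    "PID 3500 wrote to memory of 1092 3500 svchost.exe 87 "
    "PID 1092 wrote to memory of 4356 1092 nvcpl.exe 88 "
    "PID 4356 wrote to memory of 2608 4356 nvcpl.exe 89"
)
# Image name per PID, read off the report's Processes tree (constructed subset).
IMAGE_BY_PID = {
    1656: "e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe",
    3736: "e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe",
    3500: "svchost.exe",
    1092: "nvcpl.exe",
    4356: "nvcpl.exe",
    2608: "svchost.exe",
}

# The writer PID is printed twice per event; the backreference enforces that.
EVENT_RE = re.compile(
    r"PID (?P<pid>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<target>\d+) (?P=pid) (?P<image>\S+) (?P<procid_target>\d+)"
)


class Event(NamedTuple):
    pid: int
    action: str
    target: int
    image: str


def parse_events(flat: str) -> list:
    """Recover individual events from the flattened one-line signature text."""
    return [
        Event(int(m["pid"]), m["action"], int(m["target"]), m["image"])
        for m in EVENT_RE.finditer(flat)
    ]


def write_counts(wpm_log: str) -> dict:
    """Number of WriteProcessMemory events per (writer, target) PID pair."""
    return dict(Counter((e.pid, e.target) for e in parse_events(wpm_log)))


def classify_injections(stc_log: str, wpm_log: str, images: dict) -> dict:
    """Map each (writer, target) PID pair to one of:
    hollowing:same-image    writes plus SetThreadContext on a child of the same image
    hollowing:cross-image   writes plus SetThreadContext on a child of another image
    write-only:cross-image  writes into another image, no thread context change seen
    write-only:same-image   writes into a same-image child, nothing else seen
    """
    thread_ctx = {(e.pid, e.target) for e in parse_events(stc_log)}
    verdicts = {}
    for src, dst in write_counts(wpm_log):
        same = images.get(src) == images.get(dst)
        base = "hollowing" if (src, dst) in thread_ctx else "write-only"
        verdicts[(src, dst)] = f"{base}:{'same' if same else 'cross'}-image"
    return verdicts


if __name__ == "__main__":
    counts = write_counts(WRITE_PROCESS_MEMORY_LOG)
    for pair, verdict in classify_injections(
        SET_THREAD_CONTEXT_LOG, WRITE_PROCESS_MEMORY_LOG, IMAGE_BY_PID
    ).items():
        print(pair, verdict, "writes:", counts[pair])
```

Run on the full 29-line and 64-line listings from the report the same code yields only the first two verdict classes; if a pair ever came back as hollowing:cross-image it would mean the sample had started hollowing a system binary rather than a copy of itself, which is worth a second look.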
Processes
PIDs are recycled during the 150 s run: 720, 2288, 2316, 2820, 3344, 3356, 3464 and 4776 each appear twice below, so correlate events on PID together with image, parent and depth rather than on PID alone. The tree is one chain repeated: the sample's hollowed second instance (PID 3736) writes into two bare svchost.exe instances (PIDs 3500 and 3356); svchost.exe PID 3500 launches nvcpl.exe from the dropped path 28 times; each of those hollows a second nvcpl.exe, which in turn writes into a fresh svchost.exe.

1⤵ PID 1656  C:\Users\Admin\AppData\Local\Temp\e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe"
   Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  2⤵ PID 3736  C:\Users\Admin\AppData\Local\Temp\e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\e8828ef7328cfa84e5cfccfc399645dd_JaffaCakes118.exe"
     Boot or Logon Autostart Execution: Active Setup; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    3⤵ PID 3500  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
       Boot or Logon Autostart Execution: Active Setup; Adds Run key to start application; Modifies registry class; Suspicious use of WriteProcessMemory
      4⤵ PID 1092  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        5⤵ PID 4356  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          6⤵ PID 2608  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 2316  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        5⤵ PID 3328  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
          6⤵ PID 2304  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 4012  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
        5⤵ PID 2312  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
          6⤵ PID 3464  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 4052  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        5⤵ PID 2184  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
          6⤵ PID 3360  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 1480  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        5⤵ PID 4992  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
          6⤵ PID 1976  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 3740  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        5⤵ PID 3344  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
          6⤵ PID 344  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 1084  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
        5⤵ PID 2712  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory
          6⤵ PID 4032  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 832  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        5⤵ PID 3656  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory
          6⤵ PID 3928  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 4572  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        5⤵ PID 2820  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
          6⤵ PID 4776  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 3356  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        5⤵ PID 4584  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory
          6⤵ PID 2612  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 4956  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
        5⤵ PID 2900  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
          6⤵ PID 2316  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 2548  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        5⤵ PID 3208  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory
          6⤵ PID 4780  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 3628  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        5⤵ PID 1284  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
          6⤵ PID 4568  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 4600  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
        5⤵ PID 2288  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
          6⤵ PID 4988  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 1844  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        5⤵ PID 720  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
          6⤵ PID 1748  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 1908  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
        5⤵ PID 1544  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
          6⤵ PID 1596  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 2212  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
        5⤵ PID 3488  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory
          6⤵ PID 3344  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             (no signatures)
      4⤵ PID 2028  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
        5⤵ PID 4704  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
          6⤵ PID 4652  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 624  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        5⤵ PID 4488  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
          6⤵ PID 900  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 4716  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
        5⤵ PID 4960  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory
          6⤵ PID 1044  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             (no signatures)
      4⤵ PID 2820  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        5⤵ PID 4776  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
          6⤵ PID 2524  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 2544  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        5⤵ PID 1008  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
          6⤵ PID 3484  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             (no signatures)
      4⤵ PID 4168  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
        5⤵ PID 3800  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery
          6⤵ PID 3060  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 3448  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        5⤵ PID 4512  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
          6⤵ PID 2884  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 2520  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
        5⤵ PID 3044  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
          6⤵ PID 3464  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             (no signatures)
      4⤵ PID 4648  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        5⤵ PID 4428  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
          6⤵ PID 2288  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 4004  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
        5⤵ PID 1952  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory
          6⤵ PID 3184  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
      4⤵ PID 1004  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\system32\Boot\nvcpl.exe"
         Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
        5⤵ PID 720  C:\Windows\SysWOW64\Boot\nvcpl.exe  cmdline: "C:\Windows\SysWOW64\Boot\nvcpl.exe"
           Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory
          6⤵ PID 1616  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
             System Location Discovery: System Language Discovery
    3⤵ PID 3356  C:\Windows\SysWOW64\svchost.exe  cmdline: svchost.exe
       System Location Discovery: System Language Discovery

Note the level-4 command line: nvcpl.exe is started as C:\Windows\system32\Boot\nvcpl.exe, and WoW64 file-system redirection resolves that to the C:\Windows\SysWOW64\Boot\nvcpl.exe image, which is why the image path and command line differ on every level-4 entry.
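Every level-5 nvcpl.exe, the sample's second instance and the injected svchost.exe PID 3500 are tagged with Active Setup and Run key persistence, and the dropped binary lives at C:\Windows\SysWOW64\Boot\nvcpl.exe. The report does not show the Run value names or the Active Setup component GUID. The Python below is an added example, not from the report or from any sandbox tooling: it checks the Run keys and the Active Setup StubPath values for anything that would launch the dropped path, folding the system32/SysWOW64 alias the tree shows. The embedded registry snapshot, value names and GUIDs are constructed; on a Windows host collect_live() reads the real keys with the standard-library winreg module, elsewhere it returns nothing and the snapshot is used.

```python
# Path the report shows nvcpl.exe creating ("Drops file in System32 directory").
DROPPED_IMAGE = r"C:\Windows\SysWOW64\Boot\nvcpl.exe"

# Autostart locations behind the "Adds Run key to start application" and
# "Boot or Logon Autostart Execution: Active Setup" signatures, as HIVE\subkey.
RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
ACTIVE_SETUP_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components",
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components",
    r"HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components",
)

# Constructed snapshot of (key, value name, value data). The value names and
# both GUIDs are hypothetical (the report does not show them); two entries
# launch the dropped file, two are ordinary Windows entries.
SAMPLE_SNAPSHOT = [
    (RUN_KEYS[0], "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    (RUN_KEYS[2], "nvcpl", r"C:\Windows\system32\Boot\nvcpl.exe"),
    (ACTIVE_SETUP_KEYS[1] + r"\{00000000-0000-0000-0000-000000000000}", "StubPath",
     r'"C:\Windows\SysWOW64\Boot\nvcpl.exe" restart'),
    (ACTIVE_SETUP_KEYS[0] + r"\{11111111-1111-1111-1111-111111111111}", "StubPath",
     r"C:\Windows\system32\ie4uinit.exe -UserConfig"),
]


def launched_executable(command: str) -> str:
    r"""Executable an autostart value would run, normalised for comparison.

    Quotes and arguments are stripped, case is folded, %windir%/%SystemRoot%
    are expanded, and the WoW64 alias is folded: the report's 32-bit nvcpl.exe
    is started as C:\Windows\system32\Boot\nvcpl.exe while its image is under
    SysWOW64, and both must match the dropped path.
    """
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split(" ", 1)[0]
    exe = exe.lower().replace("%windir%", r"c:\windows").replace("%systemroot%", r"c:\windows")
    return exe.replace("\\system32\\", "\\syswow64\\")


def find_autostart_hits(entries, target: str = DROPPED_IMAGE) -> list:
    """Return the Run / Active Setup entries that would launch `target`."""
    wanted = launched_executable(target)
    hits = []
    for key, name, data in entries:
        if launched_executable(data) == wanted:
            kind = "active_setup" if "active setup" in key.lower() else "run"
            hits.append({"kind": kind, "key": key, "name": name, "data": data})
    return hits


def collect_live() -> list:
    """Read the same locations from the local registry (Windows only)."""
    try:
        import winreg
    except ImportError:
        return []  # not Windows: caller falls back to a snapshot
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}

    def string_values(path):
        hive, sub = path.split("\\", 1)
        try:
            with winreg.OpenKey(roots[hive], sub) as k:
                for i in range(winreg.QueryInfoKey(k)[1]):
                    name, data, _ = winreg.EnumValue(k, i)
                    if isinstance(data, str):
                        yield name, data
        except OSError:
            return

    def subkeys(path):
        hive, sub = path.split("\\", 1)
        try:
            with winreg.OpenKey(roots[hive], sub) as k:
                for i in range(winreg.QueryInfoKey(k)[0]):
                    yield winreg.EnumKey(k, i)
        except OSError:
            return

    entries = []
    for key in RUN_KEYS:
        entries.extend((key, n, d) for n, d in string_values(key))
    for key in ACTIVE_SETUP_KEYS:
        for comp in subkeys(key):
            entries.extend((key + "\\" + comp, n, d)
                           for n, d in string_values(key + "\\" + comp)
                           if n.lower() == "stubpath")
    return entries


if __name__ == "__main__":
    for hit in find_autostart_hits(collect_live() or SAMPLE_SNAPSHOT):
        print(hit["kind"], hit["key"], hit["name"], "=", hit["data"])
```

Active Setup entries fire once per user at logon via the StubPath value, so a hit there survives a Run-key cleanup; remove both, and the file itself, together.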
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4089630652-1596403869-279772308-1000\88603cb2913a7df3fbd16b5f958e6447_dc5cddf5-9e4b-4c89-ba53-89649a7a5ee7
  Filesize  51B
  MD5       5fc2ac2a310f49c14d195230b91a8885
  SHA1      90855cc11136ba31758fe33b5cf9571f9a104879
  SHA256    374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092
  SHA512    ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3
  (a per-user CryptoAPI RSA key container; this is the only path the report gives in this section)

(no path given)
  Filesize  1KB
  MD5       af4ab2610a837a3ad826cc396ad6b01b
  SHA1      73c788d9a980ff1ef1a1b5eacad64c10b382c248
  SHA256    9e650e08c842048da4873233da25f07778104aaee740fd690609a41c8a9b70df
  SHA512    a39f69c01b33fca0862ccb35f0975ebbb8a9cd0903634b220c8cf664c0576059b007923c27312c7fd77b816f4a1e2df7ec7112ac907a367c2b7e29772edffc73

(no path given)
  Filesize  166KB
  MD5       e8828ef7328cfa84e5cfccfc399645dd
  SHA1      5be3525a5cf3a5c99be280812788f766c8c45ce5
  SHA256    172ed8dccfa77af72fa89cc401f07e06aedf891f5948653dba43a4ef3d2def72
  SHA512    71921c64a39d0ec7f6b46dc1fd3e3f94fdcb20f9cfe1da2fa33c81dc2df7da1fd68098f4fdf08faf8d049a24a383d6139b40d4f300ca0a4d913f1ce5e3d07f39
  (size and all four hashes are identical to the submitted sample, whose file name in the process tree carries this MD5, so the copy written to disk is unmodified)