cycbot | 688029de162c63ab0f1ea5cf5a0ecbb3bb53f5ea84949113568075a069c56c12

Analysis

max time kernel
141s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
07/04/2025, 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9d275eac79a094b348c4f00af94cc66b.exe
Size

180KB
MD5

9d275eac79a094b348c4f00af94cc66b
SHA1

a422ee1c31ecaed0c5ca4c6cf08d7d8e42858f40
SHA256

688029de162c63ab0f1ea5cf5a0ecbb3bb53f5ea84949113568075a069c56c12
SHA512

1ca5cbd50394e1f0d5c07d69f285f9e346ed8c9f6ed24b6c6dcf5a00083684e39d3bc65b1cd9e745e7e6c9cadea58d6f6579bc9b2ae9ab150799f2378611ae7a
SSDEEP

3072:Bq9uNvM3aBiI7Jq1jMpEiypVNA5rqaOoqHW5dDA3hj6wdfMOT3MMJSFVWwmW7agG:8INvM3aMss18EiyPNonqHKA3b5T3cFVt

Score

10^/10

cycbot backdoor discovery persistence rat upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 55 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/4368-14-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/3616-20-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4288-23-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2920-26-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/3980-29-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4312-32-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4068-35-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/1496-38-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4564-41-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/1432-44-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/5000-47-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2592-50-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4432-53-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4140-56-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4808-59-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2240-62-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4024-65-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4136-68-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/3836-71-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/1252-74-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4564-77-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4528-78-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4188-81-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2120-84-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/440-87-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4968-90-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/1584-93-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/1932-96-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2752-99-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/5064-102-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2772-105-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4388-108-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/3172-111-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/3164-114-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4124-117-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/1960-120-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/3156-123-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/5072-126-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4720-129-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/3900-190-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4528-191-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4912-193-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/3896-196-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/1728-199-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2988-202-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4316-205-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4428-208-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4020-211-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/3976-214-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/1796-217-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/1308-220-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/1496-223-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/3992-226-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4704-229-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/4528-323-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot

Executes dropped EXE 51 IoCs

pid	Process
3616	conhost.exe
4288	conhost.exe
2920	conhost.exe
3980	conhost.exe
4312	conhost.exe
4068	conhost.exe
1496	conhost.exe
4564	conhost.exe
1432	conhost.exe
5000	conhost.exe
2592	conhost.exe
4432	conhost.exe
4140	conhost.exe
4808	conhost.exe
2240	conhost.exe
4024	conhost.exe
4136	conhost.exe
3836	conhost.exe
1252	conhost.exe
4564	conhost.exe
4188	conhost.exe
2120	conhost.exe
440	conhost.exe
4968	conhost.exe
1584	conhost.exe
1932	conhost.exe
2752	conhost.exe
5064	conhost.exe
2772	conhost.exe
4388	conhost.exe
3172	conhost.exe
3164	conhost.exe
4124	conhost.exe
1960	conhost.exe
3156	conhost.exe
5072	conhost.exe
4720	conhost.exe
4912	conhost.exe
3896	conhost.exe
1728	conhost.exe
2988	conhost.exe
4316	conhost.exe
4428	conhost.exe
4020	conhost.exe
3976	conhost.exe
1796	conhost.exe
1308	conhost.exe
1496	conhost.exe
3992	conhost.exe
4704	conhost.exe
5040	conhost.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_9d275eac79a094b348c4f00af94cc66b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	conhost.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4528-1-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4368-14-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3616-18-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3616-17-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3616-20-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4288-23-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2920-26-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3980-29-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4312-32-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4068-35-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1496-38-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4564-41-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1432-44-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/5000-47-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2592-50-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4432-53-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4140-56-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4808-59-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2240-62-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4024-65-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4136-68-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3836-71-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1252-74-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4564-77-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4528-78-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4188-81-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2120-84-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/440-87-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4968-90-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1584-93-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1932-96-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2752-99-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/5064-102-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2772-105-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4388-108-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3172-111-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3164-114-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4124-117-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1960-120-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3156-123-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/5072-126-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4720-129-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3900-190-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4528-191-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4912-193-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3896-196-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1728-199-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2988-202-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4316-205-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4428-208-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4020-211-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3976-214-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1796-217-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1308-220-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1496-223-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3992-226-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4704-229-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/4528-323-0x0000000000400000-0x000000000044C000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4768	5040	WerFault.exe	251

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9d275eac79a094b348c4f00af94cc66b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4368	4528	JaffaCakes118_9d275eac79a094b348c4f00af94cc66b.exe	89
PID 4528 wrote to memory of 4368	4528	JaffaCakes118_9d275eac79a094b348c4f00af94cc66b.exe	89
PID 4528 wrote to memory of 4368	4528	JaffaCakes118_9d275eac79a094b348c4f00af94cc66b.exe	89
PID 4796 wrote to memory of 3616	4796	cmd.exe	90
PID 4796 wrote to memory of 3616	4796	cmd.exe	90
PID 4796 wrote to memory of 3616	4796	cmd.exe	90
PID 3796 wrote to memory of 4288	3796	cmd.exe	93
PID 3796 wrote to memory of 4288	3796	cmd.exe	93
PID 3796 wrote to memory of 4288	3796	cmd.exe	93
PID 4720 wrote to memory of 2920	4720	cmd.exe	96
PID 4720 wrote to memory of 2920	4720	cmd.exe	96
PID 4720 wrote to memory of 2920	4720	cmd.exe	96
PID 2148 wrote to memory of 3980	2148	cmd.exe	99
PID 2148 wrote to memory of 3980	2148	cmd.exe	99
PID 2148 wrote to memory of 3980	2148	cmd.exe	99
PID 1704 wrote to memory of 4312	1704	cmd.exe	103
PID 1704 wrote to memory of 4312	1704	cmd.exe	103
PID 1704 wrote to memory of 4312	1704	cmd.exe	103
PID 4800 wrote to memory of 4068	4800	cmd.exe	107
PID 4800 wrote to memory of 4068	4800	cmd.exe	107
PID 4800 wrote to memory of 4068	4800	cmd.exe	107
PID 3556 wrote to memory of 1496	3556	cmd.exe	111
PID 3556 wrote to memory of 1496	3556	cmd.exe	111
PID 3556 wrote to memory of 1496	3556	cmd.exe	111
PID 3632 wrote to memory of 4564	3632	cmd.exe	114
PID 3632 wrote to memory of 4564	3632	cmd.exe	114
PID 3632 wrote to memory of 4564	3632	cmd.exe	114
PID 3392 wrote to memory of 1432	3392	cmd.exe	119
PID 3392 wrote to memory of 1432	3392	cmd.exe	119
PID 3392 wrote to memory of 1432	3392	cmd.exe	119
PID 2576 wrote to memory of 5000	2576	cmd.exe	122
PID 2576 wrote to memory of 5000	2576	cmd.exe	122
PID 2576 wrote to memory of 5000	2576	cmd.exe	122
PID 3972 wrote to memory of 2592	3972	cmd.exe	125
PID 3972 wrote to memory of 2592	3972	cmd.exe	125
PID 3972 wrote to memory of 2592	3972	cmd.exe	125
PID 4708 wrote to memory of 4432	4708	cmd.exe	128
PID 4708 wrote to memory of 4432	4708	cmd.exe	128
PID 4708 wrote to memory of 4432	4708	cmd.exe	128
PID 1760 wrote to memory of 4140	1760	cmd.exe	132
PID 1760 wrote to memory of 4140	1760	cmd.exe	132
PID 1760 wrote to memory of 4140	1760	cmd.exe	132
PID 2488 wrote to memory of 4808	2488	cmd.exe	136
PID 2488 wrote to memory of 4808	2488	cmd.exe	136
PID 2488 wrote to memory of 4808	2488	cmd.exe	136
PID 1796 wrote to memory of 2240	1796	cmd.exe	139
PID 1796 wrote to memory of 2240	1796	cmd.exe	139
PID 1796 wrote to memory of 2240	1796	cmd.exe	139
PID 4576 wrote to memory of 4024	4576	cmd.exe	142
PID 4576 wrote to memory of 4024	4576	cmd.exe	142
PID 4576 wrote to memory of 4024	4576	cmd.exe	142
PID 4892 wrote to memory of 4136	4892	cmd.exe	145
PID 4892 wrote to memory of 4136	4892	cmd.exe	145
PID 4892 wrote to memory of 4136	4892	cmd.exe	145
PID 4292 wrote to memory of 3836	4292	cmd.exe	148
PID 4292 wrote to memory of 3836	4292	cmd.exe	148
PID 4292 wrote to memory of 3836	4292	cmd.exe	148
PID 4800 wrote to memory of 1252	4800	cmd.exe	151
PID 4800 wrote to memory of 1252	4800	cmd.exe	151
PID 4800 wrote to memory of 1252	4800	cmd.exe	151
PID 3744 wrote to memory of 4564	3744	cmd.exe	154
PID 3744 wrote to memory of 4564	3744	cmd.exe	154
PID 3744 wrote to memory of 4564	3744	cmd.exe	154
PID 4560 wrote to memory of 4188	4560	cmd.exe	157

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d275eac79a094b348c4f00af94cc66b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d275eac79a094b348c4f00af94cc66b.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d275eac79a094b348c4f00af94cc66b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d275eac79a094b348c4f00af94cc66b.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:4368
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d275eac79a094b348c4f00af94cc66b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d275eac79a094b348c4f00af94cc66b.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3648
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2576
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3664
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1696
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2940
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1100
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1796
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4200
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1168
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:1624
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2948
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4776
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2372
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3324
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4020
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3624
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4868
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:32
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3292
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2496
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2364
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2576
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4232
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3304
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:888
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2772
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4584
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:3556
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:4516
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
1⤵
PID:2740
- C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 368
    3⤵
    - Program crash
    PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5040 -ip 5040
1⤵
PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AF00.FD0

Filesize
600B

MD5
9f53f1ac376f1b436cc59c2a1acda342

SHA1
880bb0fe27c7a6fd09f8b85a755574d0d48c6d04

SHA256
cbd8260cc1581cab18fea0821ee80d86274471948846faf67c2347695cdeb3bd

SHA512
be970c9cad0d2de202b1234468aacacfec65f556ac81f4cad0fcdbb799964f49d2072567bd8708cd36cba1770d6a143668a1e705fae80fad44fbd221b45e69dd

Download Submit
C:\Users\Admin\AppData\Roaming\AF00.FD0

Filesize
996B

MD5
61b18cd7b78a3f2aa347bc842b4024d4

SHA1
d11bda9b78ac9e016fd1c150722f2321e5008158

SHA256
8dd6233984b8a86c8d5c58632d3010f91dd1396455a05bd16fc2463a55aafb0c

SHA512
822967b3c94736454a1a2a43bcc42099ce625228fcd495150c9b1009532f2fae2a4baf5b53a6faf71cdacab69815e690dce6bf787c1891359e5b7806f84c0d39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe

Filesize
180KB

MD5
9d275eac79a094b348c4f00af94cc66b

SHA1
a422ee1c31ecaed0c5ca4c6cf08d7d8e42858f40

SHA256
688029de162c63ab0f1ea5cf5a0ecbb3bb53f5ea84949113568075a069c56c12

SHA512
1ca5cbd50394e1f0d5c07d69f285f9e346ed8c9f6ed24b6c6dcf5a00083684e39d3bc65b1cd9e745e7e6c9cadea58d6f6579bc9b2ae9ab150799f2378611ae7a

Download Submit
memory/440-87-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1252-74-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1308-220-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1432-44-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1496-38-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1496-223-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1584-93-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1728-199-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1796-217-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1932-96-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1960-120-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2120-84-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2240-62-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2592-50-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2752-99-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2772-105-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2920-26-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2988-202-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3156-123-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3164-114-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3172-111-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3616-20-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3616-17-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3616-18-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3836-71-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3896-196-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3900-190-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3976-214-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3980-29-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3992-226-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4020-211-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4024-65-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4068-35-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4124-117-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4136-68-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4140-56-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4188-81-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4288-23-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4312-32-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4316-205-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4368-14-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4388-108-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4428-208-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4432-53-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4528-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4528-323-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4528-191-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4528-78-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4564-77-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4564-41-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4704-229-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4720-129-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4808-59-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4912-193-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4968-90-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5000-47-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5064-102-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5072-126-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads