Analysis
-
max time kernel
150s -
max time network
52s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
01-07-2024 14:01
Static task
static1
Behavioral task
behavioral1
Sample
1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
1b92a5cabb819c864f03ca18d3428165
-
SHA1
a56bdc7707ccdf5dfcf6e9769bb98e825020cb77
-
SHA256
9212306dc1b5e72d9c1a4b582a31b14e083147a106d69b93758ddcba7b5f5a84
-
SHA512
9b7ddd59436ae58eb0db59ac6169890a3f5b95d11c7ecf6caf8c3e295efac351154fdd495ec4ce0009651e862935731919b6185f4691f865f77365e74402a472
-
SSDEEP
24576:EeOnGK9VFU+RbTuTXaq5vAzr3TGqSv7Gu57m+zV5ML:cn11TuTXb5Azr3TGLn566ML
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 13 IoCs
Appends C:\Windows\system32\svchosts.exe to the Winlogon UserInit value, which Winlogon runs at every interactive logon; the recorded values grow with each run of the dropped copy, so the path is appended repeatedly rather than set once.
Processes:
svchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exe1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe" 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe" svchosts.exe -
Checks computer location settings 2 TTPs 13 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
svchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exe1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exesvchosts.exesvchosts.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation svchosts.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation svchosts.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation svchosts.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation svchosts.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation svchosts.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation svchosts.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation svchosts.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation svchosts.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation svchosts.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation svchosts.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation svchosts.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation svchosts.exe -
Executes dropped EXE 37 IoCs
Processes:
svchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exepid process 1060 svchosts.exe 32680 svchosts.exe 9808 svchosts.exe 10808 svchosts.exe 32492 svchosts.exe 27188 svchosts.exe 30004 svchosts.exe 34056 svchosts.exe 5348 svchosts.exe 12664 svchosts.exe 32920 svchosts.exe 11580 svchosts.exe 14580 svchosts.exe 33860 svchosts.exe 18992 svchosts.exe 17660 svchosts.exe 29412 svchosts.exe 23104 svchosts.exe 29988 svchosts.exe 7236 svchosts.exe 8544 svchosts.exe 24736 svchosts.exe 30908 svchosts.exe 12404 svchosts.exe 9952 svchosts.exe 25520 svchosts.exe 15180 svchosts.exe 16580 svchosts.exe 28412 svchosts.exe 32252 svchosts.exe 2388 svchosts.exe 21776 svchosts.exe 26208 svchosts.exe 27232 svchosts.exe 26716 svchosts.exe 9064 svchosts.exe 29240 svchosts.exe -
Adds Run key to start application 2 TTPs 13 IoCs
Processes:
svchosts.exesvchosts.exesvchosts.exesvchosts.exe1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe" 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe" svchosts.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe" svchosts.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 13 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exedescription ioc process File opened for modification \??\PhysicalDrive0 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe File opened for modification \??\PhysicalDrive0 svchosts.exe File opened for modification \??\PhysicalDrive0 svchosts.exe File opened for modification \??\PhysicalDrive0 svchosts.exe File opened for modification \??\PhysicalDrive0 svchosts.exe File opened for modification \??\PhysicalDrive0 svchosts.exe File opened for modification \??\PhysicalDrive0 svchosts.exe File opened for modification \??\PhysicalDrive0 svchosts.exe File opened for modification \??\PhysicalDrive0 svchosts.exe File opened for modification \??\PhysicalDrive0 svchosts.exe File opened for modification \??\PhysicalDrive0 svchosts.exe File opened for modification \??\PhysicalDrive0 svchosts.exe File opened for modification \??\PhysicalDrive0 svchosts.exe -
Drops file in System32 directory 64 IoCs
The file is created at C:\Windows\SysWOW64\svchosts.exe while the registry entries reference C:\Windows\system32\svchosts.exe; this is consistent with a 32-bit process being subject to WOW64 file-system redirection, so both paths should be checked when hunting for this persistence.
Processes:
svchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exe1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exedescription ioc process File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\ svchosts.exe File opened for modification C:\Windows\SysWOW64\ svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\ svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\ svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File created C:\Windows\SysWOW64\svchosts.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\ svchosts.exe File created C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification 
C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File created C:\Windows\SysWOW64\svchosts.exe svchosts.exe File created C:\Windows\SysWOW64\svchosts.exe svchosts.exe File created C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\ svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\ svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File created C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File created C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File created C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\ 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\ svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\ svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File created C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File created C:\Windows\SysWOW64\svchosts.exe svchosts.exe 
File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File created C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File created C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\ svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\ svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File created C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\svchosts.exe svchosts.exe File opened for modification C:\Windows\SysWOW64\ svchosts.exe -
Suspicious use of SetThreadContext 26 IoCs
Processes:
1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exedescription pid process target process PID 4564 set thread context of 31676 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 31676 set thread context of 1140 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 1060 set thread context of 32680 1060 svchosts.exe svchosts.exe PID 32680 set thread context of 9808 32680 svchosts.exe svchosts.exe PID 10808 set thread context of 32492 10808 svchosts.exe svchosts.exe PID 32492 set thread context of 27188 32492 svchosts.exe svchosts.exe PID 30004 set thread context of 34056 30004 svchosts.exe svchosts.exe PID 34056 set thread context of 5348 34056 svchosts.exe svchosts.exe PID 12664 set thread context of 32920 12664 svchosts.exe svchosts.exe PID 32920 set thread context of 11580 32920 svchosts.exe svchosts.exe PID 14580 set thread context of 33860 14580 svchosts.exe svchosts.exe PID 33860 set thread context of 18992 33860 svchosts.exe svchosts.exe PID 17660 set thread context of 29412 17660 svchosts.exe svchosts.exe PID 29412 set thread context of 23104 29412 svchosts.exe svchosts.exe PID 29988 set thread context of 7236 29988 svchosts.exe svchosts.exe PID 7236 set thread context of 8544 7236 svchosts.exe svchosts.exe PID 24736 set thread context of 30908 24736 svchosts.exe svchosts.exe PID 30908 set thread context of 12404 30908 svchosts.exe svchosts.exe PID 9952 set thread context of 25520 9952 svchosts.exe svchosts.exe PID 25520 set thread context of 15180 25520 svchosts.exe svchosts.exe PID 16580 set thread context of 
28412 16580 svchosts.exe svchosts.exe PID 28412 set thread context of 32252 28412 svchosts.exe svchosts.exe PID 2388 set thread context of 21776 2388 svchosts.exe svchosts.exe PID 21776 set thread context of 26208 21776 svchosts.exe svchosts.exe PID 27232 set thread context of 26716 27232 svchosts.exe svchosts.exe PID 26716 set thread context of 9064 26716 svchosts.exe svchosts.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 13 IoCs
Processes:
svchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exe1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ svchosts.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ svchosts.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ svchosts.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ svchosts.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ svchosts.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ svchosts.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ svchosts.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ svchosts.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ svchosts.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ svchosts.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ svchosts.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ svchosts.exe -
Runs ping.exe 1 TTPs 39 IoCs
Processes:
PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEpid process 1264 PING.EXE 27992 PING.EXE 12404 PING.EXE 25704 PING.EXE 25960 PING.EXE 9308 PING.EXE 2664 PING.EXE 2612 PING.EXE 29540 PING.EXE 29840 PING.EXE 14280 PING.EXE 10896 PING.EXE 10444 PING.EXE 24416 PING.EXE 7648 PING.EXE 17568 PING.EXE 7404 PING.EXE 34804 PING.EXE 7360 PING.EXE 11220 PING.EXE 2308 PING.EXE 24684 PING.EXE 11176 PING.EXE 23316 PING.EXE 27220 PING.EXE 30020 PING.EXE 29380 PING.EXE 33336 PING.EXE 10060 PING.EXE 8240 PING.EXE 24740 PING.EXE 5820 PING.EXE 22092 PING.EXE 12328 PING.EXE 16204 PING.EXE 6420 PING.EXE 12292 PING.EXE 11528 PING.EXE 29468 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exepid process 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 
1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exesvchosts.exedescription pid process Token: SeAssignPrimaryTokenPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeAuditPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeBackupPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeCreatePermanentPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeCreatePermanentPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeCreateTokenPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeLoadDriverPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeLockMemoryPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeMachineAccountPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeRestorePrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeSecurityPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeShutdownPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeSystemProfilePrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeSystemtimePrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: 
SeTakeOwnershipPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeTcbPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeDebugPrivilege 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeSecurityPrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeLoadDriverPrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeSystemProfilePrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeSystemtimePrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeBackupPrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeRestorePrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeShutdownPrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeDebugPrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeUndockPrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeManageVolumePrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeImpersonatePrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: 33 1140 
1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: 34 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: 35 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: 36 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe Token: SeAssignPrimaryTokenPrivilege 32680 svchosts.exe Token: SeAuditPrivilege 32680 svchosts.exe Token: SeBackupPrivilege 32680 svchosts.exe Token: SeChangeNotifyPrivilege 32680 svchosts.exe Token: SeCreatePagefilePrivilege 32680 svchosts.exe Token: SeCreatePermanentPrivilege 32680 svchosts.exe Token: SeCreatePermanentPrivilege 32680 svchosts.exe Token: SeCreateTokenPrivilege 32680 svchosts.exe Token: SeIncBasePriorityPrivilege 32680 svchosts.exe Token: SeIncreaseQuotaPrivilege 32680 svchosts.exe Token: SeLoadDriverPrivilege 32680 svchosts.exe Token: SeLockMemoryPrivilege 32680 svchosts.exe Token: SeMachineAccountPrivilege 32680 svchosts.exe Token: SeProfSingleProcessPrivilege 32680 svchosts.exe Token: SeRemoteShutdownPrivilege 32680 svchosts.exe Token: SeRestorePrivilege 32680 svchosts.exe -
Suspicious use of SetWindowsHookEx 27 IoCs
Processes:
1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exepid process 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1060 svchosts.exe 32680 svchosts.exe 10808 svchosts.exe 32492 svchosts.exe 30004 svchosts.exe 34056 svchosts.exe 12664 svchosts.exe 32920 svchosts.exe 14580 svchosts.exe 33860 svchosts.exe 17660 svchosts.exe 29412 svchosts.exe 29988 svchosts.exe 7236 svchosts.exe 24736 svchosts.exe 30908 svchosts.exe 9952 svchosts.exe 25520 svchosts.exe 16580 svchosts.exe 28412 svchosts.exe 2388 svchosts.exe 21776 svchosts.exe 27232 svchosts.exe 26716 svchosts.exe 29240 svchosts.exe -
Suspicious use of WriteProcessMemory 64 IoCs — reviewer note: at every stage the parent writes repeatedly (7 and 14 writes per parent/child pair) into a freshly spawned copy of its own image, and the same processes are flagged for SetThreadContext. Together with the memory dumps below — the same executable path maps a 304 KB image in one PID and a 780 KB image in another, both based at 0x400000 — this is consistent with process hollowing / RunPE. Confirm from the dumps before reporting it as T1055.012; the sandbox signature alone does not establish it.
Processes:
1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.execmd.execmd.execmd.exesvchosts.exesvchosts.exesvchosts.exedescription pid process target process PID 4564 wrote to memory of 31676 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 4564 wrote to memory of 31676 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 4564 wrote to memory of 31676 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 4564 wrote to memory of 31676 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 4564 wrote to memory of 31676 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 4564 wrote to memory of 31676 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 4564 wrote to memory of 31676 4564 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 31676 wrote to memory of 1140 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 31676 wrote to memory of 1140 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 31676 wrote to memory of 1140 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 31676 wrote to memory of 1140 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 31676 wrote to memory of 1140 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 31676 wrote to memory of 1140 31676 
1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 31676 wrote to memory of 1140 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 31676 wrote to memory of 1140 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 31676 wrote to memory of 1140 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 31676 wrote to memory of 1140 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 31676 wrote to memory of 1140 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 31676 wrote to memory of 1140 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 31676 wrote to memory of 1140 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 31676 wrote to memory of 1140 31676 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe PID 1140 wrote to memory of 4932 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe cmd.exe PID 1140 wrote to memory of 4932 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe cmd.exe PID 1140 wrote to memory of 4932 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe cmd.exe PID 1140 wrote to memory of 2344 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe cmd.exe PID 1140 wrote to memory of 2344 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe cmd.exe PID 1140 wrote to memory of 2344 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe cmd.exe PID 1140 wrote to memory of 3572 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe cmd.exe PID 1140 wrote to memory of 3572 1140 
1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe cmd.exe PID 1140 wrote to memory of 3572 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe cmd.exe PID 2344 wrote to memory of 2664 2344 cmd.exe PING.EXE PID 2344 wrote to memory of 2664 2344 cmd.exe PING.EXE PID 2344 wrote to memory of 2664 2344 cmd.exe PING.EXE PID 4932 wrote to memory of 2612 4932 cmd.exe PING.EXE PID 4932 wrote to memory of 2612 4932 cmd.exe PING.EXE PID 4932 wrote to memory of 2612 4932 cmd.exe PING.EXE PID 3572 wrote to memory of 1264 3572 cmd.exe PING.EXE PID 3572 wrote to memory of 1264 3572 cmd.exe PING.EXE PID 3572 wrote to memory of 1264 3572 cmd.exe PING.EXE PID 1140 wrote to memory of 1060 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe svchosts.exe PID 1140 wrote to memory of 1060 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe svchosts.exe PID 1140 wrote to memory of 1060 1140 1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe svchosts.exe PID 1060 wrote to memory of 32680 1060 svchosts.exe svchosts.exe PID 1060 wrote to memory of 32680 1060 svchosts.exe svchosts.exe PID 1060 wrote to memory of 32680 1060 svchosts.exe svchosts.exe PID 1060 wrote to memory of 32680 1060 svchosts.exe svchosts.exe PID 1060 wrote to memory of 32680 1060 svchosts.exe svchosts.exe PID 1060 wrote to memory of 32680 1060 svchosts.exe svchosts.exe PID 1060 wrote to memory of 32680 1060 svchosts.exe svchosts.exe PID 32680 wrote to memory of 9808 32680 svchosts.exe svchosts.exe PID 32680 wrote to memory of 9808 32680 svchosts.exe svchosts.exe PID 32680 wrote to memory of 9808 32680 svchosts.exe svchosts.exe PID 32680 wrote to memory of 9808 32680 svchosts.exe svchosts.exe PID 32680 wrote to memory of 9808 32680 svchosts.exe svchosts.exe PID 32680 wrote to memory of 9808 32680 svchosts.exe svchosts.exe PID 32680 wrote to memory of 9808 32680 svchosts.exe svchosts.exe PID 32680 wrote to memory of 9808 32680 svchosts.exe svchosts.exe PID 32680 wrote to memory of 9808 32680 svchosts.exe 
svchosts.exe PID 32680 wrote to memory of 9808 32680 svchosts.exe svchosts.exe PID 32680 wrote to memory of 9808 32680 svchosts.exe svchosts.exe PID 32680 wrote to memory of 9808 32680 svchosts.exe svchosts.exe PID 32680 wrote to memory of 9808 32680 svchosts.exe svchosts.exe PID 32680 wrote to memory of 9808 32680 svchosts.exe svchosts.exe PID 9808 wrote to memory of 10204 9808 svchosts.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe2⤵
- Writes to the Master Boot Record (MBR) — the sandbox flags a raw write to the boot sector; this is what drives the Pre-OS Boot / Bootkit mapping in the ATT&CK matrix below. The report does not show what was written, so on an infected host image the disk and diff sector 0 against a known-good MBR before any remediation; file and registry cleanup alone does not cover this.
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe3⤵
- Modifies WinLogon for persistence — the Winlogon logon-helper value is rewritten so the dropped svchosts.exe is launched at every interactive logon (see Signatures). Remediation must restore that value to its default, not merely delete the dropped file; each respawned stage rewrites it again, so check it after the process tree has been killed.
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 55⤵
- Runs ping.exe — `ping 127.0.0.1 -n 5` is the classic batch-file sleep (about four seconds) rather than network activity. The tmpcmd.bat that runs it is only a few dozen bytes (see Downloads) and its contents are not rendered in this report; retrieve it to see what the script does after the delay, since that is not shown here.
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 55⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 55⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\svchosts.exe"C:\Windows\system32\svchosts.exe"4⤵ — dropped self-copy named to look like the legitimate svchost.exe (note the extra "s"); its size and hashes in Downloads below match the submitted sample, so this is a verbatim copy rather than a second-stage payload. Any process named svchosts.exe, or an svchost.exe image outside System32/SysWOW64, is a hunting lead.
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "7⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 58⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "7⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 58⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "7⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 58⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\svchosts.exe"C:\Windows\system32\svchosts.exe"7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe8⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe9⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "10⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 511⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "10⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 511⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "10⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 511⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\svchosts.exe"C:\Windows\system32\svchosts.exe"10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe11⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe12⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "13⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 514⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "13⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 514⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "13⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 514⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\svchosts.exe"C:\Windows\system32\svchosts.exe"13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe14⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe15⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "16⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 517⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "16⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 517⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "16⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 517⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\svchosts.exe"C:\Windows\system32\svchosts.exe"16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe17⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe18⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "19⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 520⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "19⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 520⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "19⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 520⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\svchosts.exe"C:\Windows\system32\svchosts.exe"19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe20⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe21⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "22⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 523⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "22⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 523⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "22⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 523⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\svchosts.exe"C:\Windows\system32\svchosts.exe"22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe23⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe24⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "25⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 526⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "25⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 526⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "25⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 526⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\svchosts.exe"C:\Windows\system32\svchosts.exe"25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe26⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe27⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "28⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 529⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "28⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 529⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "28⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 529⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\svchosts.exe"C:\Windows\system32\svchosts.exe"28⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe29⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe30⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "31⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 532⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "31⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 532⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "31⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 532⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\svchosts.exe"C:\Windows\system32\svchosts.exe"31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe32⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe33⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "34⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 535⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "34⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 535⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "34⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 535⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\svchosts.exe"C:\Windows\system32\svchosts.exe"34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe35⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe36⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "37⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 538⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "37⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 538⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "37⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 538⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\svchosts.exe"C:\Windows\system32\svchosts.exe"37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe38⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchosts.exeC:\Windows\SysWOW64\svchosts.exe39⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "40⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 541⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "40⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 541⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "40⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 541⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\svchosts.exe"C:\Windows\system32\svchosts.exe"40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
Network — no connections, DNS lookups or HTTP requests are listed for this run. Treat that as inconclusive rather than as evidence the sample is offline-only: the run is short, most of it is spent in the self-respawn loop, and any command-and-control activity could be gated on a later stage or on the next boot that the MBR and Winlogon persistence are set up for.
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution (T1547) — 2
  Registry Run Keys / Startup Folder (T1547.001) — 1
  Winlogon Helper DLL (T1547.004) — 1
Pre-OS Boot (T1542) — 1
  Bootkit (T1542.003) — 1
Reviewer note: this matrix is derived from the sandbox signatures only. Behaviour visible in the process tree that it does not map includes the svchost.exe look-alike file name (Masquerading, T1036) and the ping-127.0.0.1 delay; the same-image WriteProcessMemory/SetThreadContext chain is consistent with process hollowing (T1055.012) but should be confirmed from the memory dumps before being reported.
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpcmd.batFilesize
113B
MD5a126f74af9bcda66c6634a7bdf4fc39e
SHA1bd7c9e11985200653b6a3ba105fd52c65ff70d56
SHA256bebe46e2d6ac5f329c70f308ef733de78a8a748b1930bc0248736184a83501a5
SHA512556ec075d022445efcf9904f6bad73dfafda3f1d772606ebc0fc255c563a39740bdb1f3f55371133277c81c10482ff98c1ef78d047449d29d1f55cbc2e433496
-
C:\Users\Admin\AppData\Local\Temp\tmpcmd.batFilesize
61B
MD5e26ece7e6ad0e5a909065e6a3fecf9be
SHA149822ffa80dd98fdd3c77ae9bfba5afa776e9b72
SHA25694d338faf5f0edd6cf8374d8b502fe6c28a85f568860b7420c250d15d5e2c275
SHA5125298e4bf8e2fab794dd55fed826d497a399ca06c8a0666889653863a4b74a4dfe6654924ebc26dbfa9bf8377d2a9955d30ab87cc4c2059904e95b5e2df858899
-
C:\Users\Admin\AppData\Local\Temp\tmpcmd.batFilesize
49B
MD54fd6ea5e3cccd64e772b8400c77747db
SHA1016a7fb32b5ca72bc9ac3843ce4524e4bf9c9de3
SHA2563ea93f5247ef91efcdee1bc38f7ad9b061c72a68fb1f10f5b088aa429b6fbc4a
SHA51259b915433d10ca6f49738bd2beb258e4722f671167e3555a00ef218541356de79e4ee2d3c4bf87e05b71827efcfd775fbf3f5527789ab97dce6adc35ca4a1d3d
-
C:\Users\Admin\AppData\Local\Temp\tmpcmd.batFilesize
36B
MD5f4e9f709ff2fc0b0e1f2b1d0d25249b8
SHA160f0d5e9a7821e8e7bf8383ad55d8a6927d1475e
SHA2561c61400353d1ef72e2b5c612e55cf4a5af634dc07c0f9208353c594f4833657e
SHA512c3ec59dad70a0055841e5e25209cc325760db5c7a640a12a78685ba84ccf7b85c95deb27a36075abbda474efc1c180be2dcf3e766956df06cb4fce9b3dcd4e1d
-
C:\Windows\SysWOW64\svchosts.exe — Filesize (the process tree shows it being written as C:\Windows\system32\svchosts.exe by a 32-bit process, so WOW64 file-system redirection places it under SysWOW64; on-disk IOC checks and cleanup should cover both directories. Same size and hashes as the submitted sample: a verbatim self-copy.)
1.1MB
MD51b92a5cabb819c864f03ca18d3428165
SHA1a56bdc7707ccdf5dfcf6e9769bb98e825020cb77
SHA2569212306dc1b5e72d9c1a4b582a31b14e083147a106d69b93758ddcba7b5f5a84
SHA5129b7ddd59436ae58eb0db59ac6169890a3f5b95d11c7ecf6caf8c3e295efac351154fdd495ec4ce0009651e862935731919b6185f4691f865f77365e74402a472
-
memory/1140-14190-0x0000000000400000-0x00000000004C3000-memory.dmpFilesize
780KB
-
memory/1140-14192-0x0000000000400000-0x00000000004C3000-memory.dmpFilesize
780KB
-
memory/1140-14191-0x0000000000400000-0x00000000004C3000-memory.dmpFilesize
780KB
-
memory/1140-14189-0x0000000000400000-0x00000000004C3000-memory.dmpFilesize
780KB
-
memory/1140-14268-0x0000000000400000-0x00000000004C3000-memory.dmpFilesize
780KB
-
memory/5348-59610-0x0000000000400000-0x00000000004C3000-memory.dmpFilesize
780KB
-
memory/5348-59593-0x0000000000400000-0x00000000004C3000-memory.dmpFilesize
780KB
-
memory/7236-121965-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/9808-29068-0x0000000000400000-0x00000000004C3000-memory.dmpFilesize
780KB
-
memory/9808-29085-0x0000000000400000-0x00000000004C3000-memory.dmpFilesize
780KB
-
memory/11580-75235-0x0000000000400000-0x00000000004C3000-memory.dmpFilesize
780KB
-
memory/18992-90827-0x0000000000400000-0x00000000004C3000-memory.dmpFilesize
780KB
-
memory/18992-90811-0x0000000000400000-0x00000000004C3000-memory.dmpFilesize
780KB
-
memory/21776-183400-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/25520-153021-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/26716-198537-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/27188-44030-0x0000000000400000-0x00000000004C3000-memory.dmpFilesize
780KB
-
memory/27188-44045-0x0000000000400000-0x00000000004C3000-memory.dmpFilesize
780KB
-
memory/28412-168264-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/29412-106458-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/30908-137628-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/31676-13868-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/31676-13861-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/31676-13864-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/31676-13866-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/31676-14258-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/31676-13865-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/32492-43704-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/32492-43705-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/32492-44043-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/32680-29082-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/32920-75234-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/33860-90488-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/33860-90824-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/33860-90487-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/34056-59269-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/34056-59270-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/34056-59608-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB