darkcomet | 9212306dc1b5e72d9c1a4b582a31b14e083147a106d69b93758ddcba7b5f5a84

Analysis

max time kernel
150s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Size

1.1MB
MD5

1b92a5cabb819c864f03ca18d3428165
SHA1

a56bdc7707ccdf5dfcf6e9769bb98e825020cb77
SHA256

9212306dc1b5e72d9c1a4b582a31b14e083147a106d69b93758ddcba7b5f5a84
SHA512

9b7ddd59436ae58eb0db59ac6169890a3f5b95d11c7ecf6caf8c3e295efac351154fdd495ec4ce0009651e862935731919b6185f4691f865f77365e74402a472
SSDEEP

24576:EeOnGK9VFU+RbTuTXaq5vAzr3TGqSv7Gu57m+zV5ML:cn11TuTXb5Azr3TGLn566ML

Score

10^/10

darkcomet bootkit persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 13 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

svchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exe1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe"	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe,C:\\Windows\\system32\\svchosts.exe"	svchosts.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exe1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exesvchosts.exesvchosts.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchosts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchosts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchosts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchosts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchosts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchosts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchosts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchosts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchosts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchosts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchosts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchosts.exe

Executes dropped EXE 37 IoCs

Processes:

svchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exe

pid	process
1060	svchosts.exe
32680	svchosts.exe
9808	svchosts.exe
10808	svchosts.exe
32492	svchosts.exe
27188	svchosts.exe
30004	svchosts.exe
34056	svchosts.exe
5348	svchosts.exe
12664	svchosts.exe
32920	svchosts.exe
11580	svchosts.exe
14580	svchosts.exe
33860	svchosts.exe
18992	svchosts.exe
17660	svchosts.exe
29412	svchosts.exe
23104	svchosts.exe
29988	svchosts.exe
7236	svchosts.exe
8544	svchosts.exe
24736	svchosts.exe
30908	svchosts.exe
12404	svchosts.exe
9952	svchosts.exe
25520	svchosts.exe
15180	svchosts.exe
16580	svchosts.exe
28412	svchosts.exe
32252	svchosts.exe
2388	svchosts.exe
21776	svchosts.exe
26208	svchosts.exe
27232	svchosts.exe
26716	svchosts.exe
9064	svchosts.exe
29240	svchosts.exe

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchosts.exesvchosts.exesvchosts.exesvchosts.exe1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe"	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe"	svchosts.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Windows\\system32\\svchosts.exe"	svchosts.exe

Writes to the Master Boot Record (MBR) 1 TTPs 13 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	svchosts.exe
File opened for modification	\??\PhysicalDrive0	svchosts.exe
File opened for modification	\??\PhysicalDrive0	svchosts.exe
File opened for modification	\??\PhysicalDrive0	svchosts.exe
File opened for modification	\??\PhysicalDrive0	svchosts.exe
File opened for modification	\??\PhysicalDrive0	svchosts.exe
File opened for modification	\??\PhysicalDrive0	svchosts.exe
File opened for modification	\??\PhysicalDrive0	svchosts.exe
File opened for modification	\??\PhysicalDrive0	svchosts.exe
File opened for modification	\??\PhysicalDrive0	svchosts.exe
File opened for modification	\??\PhysicalDrive0	svchosts.exe
File opened for modification	\??\PhysicalDrive0	svchosts.exe

Drops file in System32 directory 64 IoCs

Processes:

svchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exe1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File created	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\svchosts.exe	svchosts.exe
File opened for modification	C:\Windows\SysWOW64\	svchosts.exe

Suspicious use of SetThreadContext 26 IoCs

Processes:

1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exe

description	pid	process	target process
PID 4564 set thread context of 31676	4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 31676 set thread context of 1140	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 1060 set thread context of 32680	1060	svchosts.exe	svchosts.exe
PID 32680 set thread context of 9808	32680	svchosts.exe	svchosts.exe
PID 10808 set thread context of 32492	10808	svchosts.exe	svchosts.exe
PID 32492 set thread context of 27188	32492	svchosts.exe	svchosts.exe
PID 30004 set thread context of 34056	30004	svchosts.exe	svchosts.exe
PID 34056 set thread context of 5348	34056	svchosts.exe	svchosts.exe
PID 12664 set thread context of 32920	12664	svchosts.exe	svchosts.exe
PID 32920 set thread context of 11580	32920	svchosts.exe	svchosts.exe
PID 14580 set thread context of 33860	14580	svchosts.exe	svchosts.exe
PID 33860 set thread context of 18992	33860	svchosts.exe	svchosts.exe
PID 17660 set thread context of 29412	17660	svchosts.exe	svchosts.exe
PID 29412 set thread context of 23104	29412	svchosts.exe	svchosts.exe
PID 29988 set thread context of 7236	29988	svchosts.exe	svchosts.exe
PID 7236 set thread context of 8544	7236	svchosts.exe	svchosts.exe
PID 24736 set thread context of 30908	24736	svchosts.exe	svchosts.exe
PID 30908 set thread context of 12404	30908	svchosts.exe	svchosts.exe
PID 9952 set thread context of 25520	9952	svchosts.exe	svchosts.exe
PID 25520 set thread context of 15180	25520	svchosts.exe	svchosts.exe
PID 16580 set thread context of 28412	16580	svchosts.exe	svchosts.exe
PID 28412 set thread context of 32252	28412	svchosts.exe	svchosts.exe
PID 2388 set thread context of 21776	2388	svchosts.exe	svchosts.exe
PID 21776 set thread context of 26208	21776	svchosts.exe	svchosts.exe
PID 27232 set thread context of 26716	27232	svchosts.exe	svchosts.exe
PID 26716 set thread context of 9064	26716	svchosts.exe	svchosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

Processes:

svchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exe1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exesvchosts.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchosts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchosts.exe

Runs ping.exe 1 TTPs 39 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1264	PING.EXE
27992	PING.EXE
12404	PING.EXE
25704	PING.EXE
25960	PING.EXE
9308	PING.EXE
2664	PING.EXE
2612	PING.EXE
29540	PING.EXE
29840	PING.EXE
14280	PING.EXE
10896	PING.EXE
10444	PING.EXE
24416	PING.EXE
7648	PING.EXE
17568	PING.EXE
7404	PING.EXE
34804	PING.EXE
7360	PING.EXE
11220	PING.EXE
2308	PING.EXE
24684	PING.EXE
11176	PING.EXE
23316	PING.EXE
27220	PING.EXE
30020	PING.EXE
29380	PING.EXE
33336	PING.EXE
10060	PING.EXE
8240	PING.EXE
24740	PING.EXE
5820	PING.EXE
22092	PING.EXE
12328	PING.EXE
16204	PING.EXE
6420	PING.EXE
12292	PING.EXE
11528	PING.EXE
29468	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe

pid	process
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exesvchosts.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeAuditPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeBackupPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeCreateTokenPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeRestorePrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeSecurityPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeShutdownPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeSystemtimePrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeTcbPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeDebugPrivilege	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeSecurityPrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeBackupPrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeRestorePrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeShutdownPrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeDebugPrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeUndockPrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: 33	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: 34	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: 35	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: 36	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	32680	svchosts.exe
Token: SeAuditPrivilege	32680	svchosts.exe
Token: SeBackupPrivilege	32680	svchosts.exe
Token: SeChangeNotifyPrivilege	32680	svchosts.exe
Token: SeCreatePagefilePrivilege	32680	svchosts.exe
Token: SeCreatePermanentPrivilege	32680	svchosts.exe
Token: SeCreatePermanentPrivilege	32680	svchosts.exe
Token: SeCreateTokenPrivilege	32680	svchosts.exe
Token: SeIncBasePriorityPrivilege	32680	svchosts.exe
Token: SeIncreaseQuotaPrivilege	32680	svchosts.exe
Token: SeLoadDriverPrivilege	32680	svchosts.exe
Token: SeLockMemoryPrivilege	32680	svchosts.exe
Token: SeMachineAccountPrivilege	32680	svchosts.exe
Token: SeProfSingleProcessPrivilege	32680	svchosts.exe
Token: SeRemoteShutdownPrivilege	32680	svchosts.exe
Token: SeRestorePrivilege	32680	svchosts.exe

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

pid	process
4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
1060	svchosts.exe
32680	svchosts.exe
10808	svchosts.exe
32492	svchosts.exe
30004	svchosts.exe
34056	svchosts.exe
12664	svchosts.exe
32920	svchosts.exe
14580	svchosts.exe
33860	svchosts.exe
17660	svchosts.exe
29412	svchosts.exe
29988	svchosts.exe
7236	svchosts.exe
24736	svchosts.exe
30908	svchosts.exe
9952	svchosts.exe
25520	svchosts.exe
16580	svchosts.exe
28412	svchosts.exe
2388	svchosts.exe
21776	svchosts.exe
27232	svchosts.exe
26716	svchosts.exe
29240	svchosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.execmd.execmd.execmd.exesvchosts.exesvchosts.exesvchosts.exe

description	pid	process	target process
PID 4564 wrote to memory of 31676	4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 4564 wrote to memory of 31676	4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 4564 wrote to memory of 31676	4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 4564 wrote to memory of 31676	4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 4564 wrote to memory of 31676	4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 4564 wrote to memory of 31676	4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 4564 wrote to memory of 31676	4564	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 31676 wrote to memory of 1140	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 31676 wrote to memory of 1140	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 31676 wrote to memory of 1140	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 31676 wrote to memory of 1140	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 31676 wrote to memory of 1140	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 31676 wrote to memory of 1140	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 31676 wrote to memory of 1140	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 31676 wrote to memory of 1140	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 31676 wrote to memory of 1140	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 31676 wrote to memory of 1140	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 31676 wrote to memory of 1140	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 31676 wrote to memory of 1140	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 31676 wrote to memory of 1140	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 31676 wrote to memory of 1140	31676	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
PID 1140 wrote to memory of 4932	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	cmd.exe
PID 1140 wrote to memory of 4932	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	cmd.exe
PID 1140 wrote to memory of 4932	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	cmd.exe
PID 1140 wrote to memory of 2344	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	cmd.exe
PID 1140 wrote to memory of 2344	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	cmd.exe
PID 1140 wrote to memory of 2344	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	cmd.exe
PID 1140 wrote to memory of 3572	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	cmd.exe
PID 1140 wrote to memory of 3572	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	cmd.exe
PID 1140 wrote to memory of 3572	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	cmd.exe
PID 2344 wrote to memory of 2664	2344	cmd.exe	PING.EXE
PID 2344 wrote to memory of 2664	2344	cmd.exe	PING.EXE
PID 2344 wrote to memory of 2664	2344	cmd.exe	PING.EXE
PID 4932 wrote to memory of 2612	4932	cmd.exe	PING.EXE
PID 4932 wrote to memory of 2612	4932	cmd.exe	PING.EXE
PID 4932 wrote to memory of 2612	4932	cmd.exe	PING.EXE
PID 3572 wrote to memory of 1264	3572	cmd.exe	PING.EXE
PID 3572 wrote to memory of 1264	3572	cmd.exe	PING.EXE
PID 3572 wrote to memory of 1264	3572	cmd.exe	PING.EXE
PID 1140 wrote to memory of 1060	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	svchosts.exe
PID 1140 wrote to memory of 1060	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	svchosts.exe
PID 1140 wrote to memory of 1060	1140	1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe	svchosts.exe
PID 1060 wrote to memory of 32680	1060	svchosts.exe	svchosts.exe
PID 1060 wrote to memory of 32680	1060	svchosts.exe	svchosts.exe
PID 1060 wrote to memory of 32680	1060	svchosts.exe	svchosts.exe
PID 1060 wrote to memory of 32680	1060	svchosts.exe	svchosts.exe
PID 1060 wrote to memory of 32680	1060	svchosts.exe	svchosts.exe
PID 1060 wrote to memory of 32680	1060	svchosts.exe	svchosts.exe
PID 1060 wrote to memory of 32680	1060	svchosts.exe	svchosts.exe
PID 32680 wrote to memory of 9808	32680	svchosts.exe	svchosts.exe
PID 32680 wrote to memory of 9808	32680	svchosts.exe	svchosts.exe
PID 32680 wrote to memory of 9808	32680	svchosts.exe	svchosts.exe
PID 32680 wrote to memory of 9808	32680	svchosts.exe	svchosts.exe
PID 32680 wrote to memory of 9808	32680	svchosts.exe	svchosts.exe
PID 32680 wrote to memory of 9808	32680	svchosts.exe	svchosts.exe
PID 32680 wrote to memory of 9808	32680	svchosts.exe	svchosts.exe
PID 32680 wrote to memory of 9808	32680	svchosts.exe	svchosts.exe
PID 32680 wrote to memory of 9808	32680	svchosts.exe	svchosts.exe
PID 32680 wrote to memory of 9808	32680	svchosts.exe	svchosts.exe
PID 32680 wrote to memory of 9808	32680	svchosts.exe	svchosts.exe
PID 32680 wrote to memory of 9808	32680	svchosts.exe	svchosts.exe
PID 32680 wrote to memory of 9808	32680	svchosts.exe	svchosts.exe
PID 32680 wrote to memory of 9808	32680	svchosts.exe	svchosts.exe
PID 9808 wrote to memory of 10204	9808	svchosts.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4564

C:\Users\Admin\AppData\Local\Temp\1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:31676

C:\Users\Admin\AppData\Local\Temp\1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1b92a5cabb819c864f03ca18d3428165_JaffaCakes118.exe
3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
5⤵
- Runs ping.exe
PID:2612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
5⤵
- Runs ping.exe
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
5⤵
- Runs ping.exe
PID:1264

C:\Windows\SysWOW64\svchosts.exe
"C:\Windows\system32\svchosts.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:32680

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:9808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
7⤵
PID:10204

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
8⤵
- Runs ping.exe
PID:10896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
7⤵
PID:10192

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
8⤵
- Runs ping.exe
PID:11220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
7⤵
PID:9700

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
8⤵
- Runs ping.exe
PID:10444

C:\Windows\SysWOW64\svchosts.exe
"C:\Windows\system32\svchosts.exe"
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:10808

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
8⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:32492

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
9⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:27188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
10⤵
PID:27676

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
11⤵
- Runs ping.exe
PID:29540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
10⤵
PID:28264

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
11⤵
- Runs ping.exe
PID:29840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
10⤵
PID:28912

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
11⤵
- Runs ping.exe
PID:30020

C:\Windows\SysWOW64\svchosts.exe
"C:\Windows\system32\svchosts.exe"
10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:30004

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
11⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:34056

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
12⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:5348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
13⤵
PID:15112

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
14⤵
- Runs ping.exe
PID:27992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
13⤵
PID:19172

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
14⤵
- Runs ping.exe
PID:7648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
13⤵
PID:21224

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
14⤵
- Runs ping.exe
PID:2308

C:\Windows\SysWOW64\svchosts.exe
"C:\Windows\system32\svchosts.exe"
13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:12664

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
14⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:32920

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
15⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:11580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
16⤵
PID:29356

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
17⤵
- Runs ping.exe
PID:16204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
16⤵
PID:6832

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
17⤵
- Runs ping.exe
PID:24684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
16⤵
PID:17676

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
17⤵
- Runs ping.exe
PID:14280

C:\Windows\SysWOW64\svchosts.exe
"C:\Windows\system32\svchosts.exe"
16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:14580

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
17⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:33860

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
18⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:18992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
19⤵
PID:6968

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
20⤵
- Runs ping.exe
PID:11176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
19⤵
PID:16916

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
20⤵
- Runs ping.exe
PID:12404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
19⤵
PID:21828

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
20⤵
- Runs ping.exe
PID:29380

C:\Windows\SysWOW64\svchosts.exe
"C:\Windows\system32\svchosts.exe"
19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:17660

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
20⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:29412

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
21⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:23104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
22⤵
PID:17536

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
23⤵
- Runs ping.exe
PID:6420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
22⤵
PID:8660

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
23⤵
- Runs ping.exe
PID:25960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
22⤵
PID:32732

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
23⤵
- Runs ping.exe
PID:24740

C:\Windows\SysWOW64\svchosts.exe
"C:\Windows\system32\svchosts.exe"
22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:29988

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
23⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:7236

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
24⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:8544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
25⤵
PID:16204

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
26⤵
- Runs ping.exe
PID:33336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
25⤵
PID:11916

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
26⤵
- Runs ping.exe
PID:5820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
25⤵
PID:24212

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
26⤵
- Runs ping.exe
PID:10060

C:\Windows\SysWOW64\svchosts.exe
"C:\Windows\system32\svchosts.exe"
25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:24736

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
26⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:30908

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
27⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:12404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
28⤵
PID:6076

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
29⤵
- Runs ping.exe
PID:9308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
28⤵
PID:8672

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
29⤵
- Runs ping.exe
PID:23316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
28⤵
PID:6908

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
29⤵
- Runs ping.exe
PID:24416

C:\Windows\SysWOW64\svchosts.exe
"C:\Windows\system32\svchosts.exe"
28⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:9952

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
29⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:25520

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
30⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:15180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
31⤵
PID:20672

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
32⤵
- Runs ping.exe
PID:8240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
31⤵
PID:26832

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
32⤵
- Runs ping.exe
PID:17568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
31⤵
PID:22868

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
32⤵
- Runs ping.exe
PID:22092

C:\Windows\SysWOW64\svchosts.exe
"C:\Windows\system32\svchosts.exe"
31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:16580

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
32⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:28412

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
33⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:32252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
34⤵
PID:2008

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
35⤵
- Runs ping.exe
PID:11528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
34⤵
PID:16712

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
35⤵
- Runs ping.exe
PID:7404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
34⤵
PID:26464

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
35⤵
- Runs ping.exe
PID:12292

C:\Windows\SysWOW64\svchosts.exe
"C:\Windows\system32\svchosts.exe"
34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
35⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:21776

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
36⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:26208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
37⤵
PID:19368

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
38⤵
- Runs ping.exe
PID:25704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
37⤵
PID:11144

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
38⤵
- Runs ping.exe
PID:27220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
37⤵
PID:32628

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
38⤵
- Runs ping.exe
PID:29468

C:\Windows\SysWOW64\svchosts.exe
"C:\Windows\system32\svchosts.exe"
37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:27232

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
38⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:26716

C:\Windows\SysWOW64\svchosts.exe
C:\Windows\SysWOW64\svchosts.exe
39⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:9064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
40⤵
PID:17620

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
41⤵
- Runs ping.exe
PID:12328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
40⤵
PID:3768

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
41⤵
- Runs ping.exe
PID:34804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
40⤵
PID:18808

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
41⤵
- Runs ping.exe
PID:7360

C:\Windows\SysWOW64\svchosts.exe
"C:\Windows\system32\svchosts.exe"
40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:29240

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
113B

MD5
a126f74af9bcda66c6634a7bdf4fc39e

SHA1
bd7c9e11985200653b6a3ba105fd52c65ff70d56

SHA256
bebe46e2d6ac5f329c70f308ef733de78a8a748b1930bc0248736184a83501a5

SHA512
556ec075d022445efcf9904f6bad73dfafda3f1d772606ebc0fc255c563a39740bdb1f3f55371133277c81c10482ff98c1ef78d047449d29d1f55cbc2e433496

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
61B

MD5
e26ece7e6ad0e5a909065e6a3fecf9be

SHA1
49822ffa80dd98fdd3c77ae9bfba5afa776e9b72

SHA256
94d338faf5f0edd6cf8374d8b502fe6c28a85f568860b7420c250d15d5e2c275

SHA512
5298e4bf8e2fab794dd55fed826d497a399ca06c8a0666889653863a4b74a4dfe6654924ebc26dbfa9bf8377d2a9955d30ab87cc4c2059904e95b5e2df858899

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
49B

MD5
4fd6ea5e3cccd64e772b8400c77747db

SHA1
016a7fb32b5ca72bc9ac3843ce4524e4bf9c9de3

SHA256
3ea93f5247ef91efcdee1bc38f7ad9b061c72a68fb1f10f5b088aa429b6fbc4a

SHA512
59b915433d10ca6f49738bd2beb258e4722f671167e3555a00ef218541356de79e4ee2d3c4bf87e05b71827efcfd775fbf3f5527789ab97dce6adc35ca4a1d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
Filesize
36B

MD5
f4e9f709ff2fc0b0e1f2b1d0d25249b8

SHA1
60f0d5e9a7821e8e7bf8383ad55d8a6927d1475e

SHA256
1c61400353d1ef72e2b5c612e55cf4a5af634dc07c0f9208353c594f4833657e

SHA512
c3ec59dad70a0055841e5e25209cc325760db5c7a640a12a78685ba84ccf7b85c95deb27a36075abbda474efc1c180be2dcf3e766956df06cb4fce9b3dcd4e1d

Download Submit
C:\Windows\SysWOW64\svchosts.exe
Filesize
1.1MB

MD5
1b92a5cabb819c864f03ca18d3428165

SHA1
a56bdc7707ccdf5dfcf6e9769bb98e825020cb77

SHA256
9212306dc1b5e72d9c1a4b582a31b14e083147a106d69b93758ddcba7b5f5a84

SHA512
9b7ddd59436ae58eb0db59ac6169890a3f5b95d11c7ecf6caf8c3e295efac351154fdd495ec4ce0009651e862935731919b6185f4691f865f77365e74402a472

Download Submit
memory/1140-14190-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1140-14192-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1140-14191-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1140-14189-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1140-14268-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/5348-59610-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/5348-59593-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/7236-121965-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/9808-29068-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/9808-29085-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/11580-75235-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/18992-90827-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/18992-90811-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/21776-183400-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/25520-153021-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/26716-198537-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/27188-44030-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/27188-44045-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/28412-168264-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/29412-106458-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/30908-137628-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/31676-13868-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/31676-13861-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/31676-13864-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/31676-13866-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/31676-14258-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/31676-13865-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/32492-43704-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/32492-43705-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/32492-44043-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/32680-29082-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/32920-75234-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/33860-90488-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/33860-90824-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/33860-90487-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/34056-59269-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/34056-59270-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/34056-59608-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download