Analysis
max time kernel: 137s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/04/2024, 18:08
Static task: static1
Behavioral task: behavioral1
  Sample: f65e53031dd147cba479d30d495467df_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f65e53031dd147cba479d30d495467df_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
General
Target: f65e53031dd147cba479d30d495467df_JaffaCakes118.exe
Size: 29KB
MD5: f65e53031dd147cba479d30d495467df
SHA1: 0dddd9947c23a832326af732827ac06561ffae36
SHA256: bc3be7d0c255b8ea25426a4e357539fb716fc882a3b1e17001e9364d3d22ad59
SHA512: ad95df5bd59ad28b48bc380db48963b06c5b7ddaab57f5cebfc29768c6c04e7b3bc19474ea2be878b700e04e58ba34c66ed40cbd37a834df5aeee9b8591a7441
SSDEEP: 768:nUKHqS2l31I8KcR8aKyqkKuhDFr6PG2BbC:zH/2lFI8D8brqDt6+YbC
Malware Config
Signatures
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Drivers\beep.sys | 0.pif
Sets file execution options in registry 2 TTPs 60 IoCs
description | ioc | Process
All 60 entries are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options and the Process column is f65e53031dd147cba479d30d495467df_JaffaCakes118.exe for every entry.
Key created (30 entries), one subkey per target: 360rpt.EXE, KRegEx.EXE, WOPTILITIES.EXE, KVSrvXP.EXE, ANTIARP.EXE, KASARP.EXE, Runiep.EXE, 360safe.EXE, Iparmor.EXE, KVMonxp.kxp, RAS.EXE, AvMonitor.EXE, IceSword.EXE, Ast.EXE, GFUpd.EXE, Mmsk.EXE, Regedit.EXE, Nod32kui.EXE, Frameworkservice.EXE, VPTRAY.EXE, 360tray.EXE, VPC32.EXE, AVP.EXE, AutoRunKiller.EXE, Navapsvc.EXE, CCenter.EXE, Wuauclt.EXE, QQDOCTOR.EXE, GuardField.EXE, KVWSC.EXE
Set value (str) (30 entries), <target>\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE" for: KRegEx.EXE, 360tray.EXE, RAS.EXE, IceSword.EXE, Iparmor.EXE, KVWSC.EXE, VPTRAY.EXE, GFUpd.EXE, Regedit.EXE, Frameworkservice.EXE, Wuauclt.EXE, AvMonitor.EXE, KVSrvXP.EXE, AutoRunKiller.EXE, Runiep.EXE, 360safe.EXE, KVMonxp.kxp, ANTIARP.EXE, WOPTILITIES.EXE, AVP.EXE, CCenter.EXE, Nod32kui.EXE, KASARP.EXE, Ast.EXE, VPC32.EXE, QQDOCTOR.EXE, 360rpt.EXE, Navapsvc.EXE, Mmsk.EXE, GuardField.EXE
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe
Executes dropped EXE 1 IoCs
pid | Process
3828 | 0.pif
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\<drive>: for each of O:, Q:, K:, M:, S:, V:, Y:, H:, J:, R:, T:, W:, X:, Z:, G:, I:, L:, N:, P:, U:, E: (21 entries, in that order) | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\AUTORUN.INF | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe
File created | F:\AUTORUN.INF | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe
File opened for modification | C:\AUTORUN.INF | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe
File created | C:\AUTORUN.INF | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe
Drops file in System32 directory 4 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\MFCDD.DLL | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\MFCDD.DLL | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\1EXPL0RE.EXE | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\0.pif | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
description | ioc | Process
All ioc paths below are under \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000 (prefix omitted from each row).
Key created | \Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | \SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \Software\Microsoft\Internet Explorer\TabbedBrowsing | IEXPLORE.EXE
Key created | \Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
Key created | \Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Set value (data) | \SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80582124a724c401 | IEXPLORE.EXE
Set value (int) | \SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "1921825433" | IEXPLORE.EXE
Key created | \Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (data) | \SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (str) | \SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | IEXPLORE.EXE
Key created | \Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (data) | \SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2d87de228b7b048a686bce0058687fd00000000020000000000106600000001000020000000943080157837e6d1ed03ad92fc59dd31de4311bd92537bd638c0279dbe99477e000000000e800000000200002000000021e25a91da31a69060119c3bf742fda3da8dd18527eeaddd91dd991373d7c9dd2000000092d97f7c91cca132d155d1f6be90fa8570a826c352ef1fed445257bbd66ac89640000000a3cc54ef00e84e89da1134b5059c1d4d2c69e8bf19abe8307776a5a35e98724bc996b89e29d0e045e50b0071afcb075b1980cee661b698ba6689ac644622396b | IEXPLORE.EXE
Set value (data) | \SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 | IEXPLORE.EXE
Key created | \Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
Set value (int) | \SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | IEXPLORE.EXE
Set value (data) | \SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 902c1a24a724c401 | IEXPLORE.EXE
Key created | \Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Set value (int) | \SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{330111DC-909A-11D8-9C52-7E7946C1FF9B} = "0" | iexplore.exe
Key created | \Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Key created | \Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Set value (str) | \SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Set value (int) | \SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Key created | \Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "1921825407" | iexplore.exe
Set value (data) | \SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2d87de228b7b048a686bce0058687fd000000000200000000001066000000010000200000005847c2fa3896ba7732092877b560bf1babf94be8b526fc1b2ff4086b428c1445000000000e800000000200002000000067d70e31708da17c25d49f3a585e7a62f3a04299ab054e58c99eeaf3a700092e200000008bf1691fb657037374379b2b1cf3bb7be4c023e73fe4a2d9d495f81c0d1462d4400000004d9243570510f18da8d27029f586bb6587133e8ed248595a550ce0b8ce1e5b8f776e434deceb21969fe8980fcfb69c915896d982b50e016f78f637c122c0a6e2 | IEXPLORE.EXE
Key created | \Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (int) | \SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Set value (int) | \SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{422871D7-909A-11D8-9C52-7E7946C1FF9B} = "0" | IEXPLORE.EXE
Set value (data) | \SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | IEXPLORE.EXE
Set value (int) | \SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | IEXPLORE.EXE
Runs net.exe
Suspicious behavior: EnumeratesProcesses 50 IoCs
pid | Process
1864 | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe (50 identical entries)
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
660 | Process not Found
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1864 | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe
Token: SeSystemtimePrivilege | 1864 | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
4708 | iexplore.exe
2168 | IEXPLORE.EXE
2168 | IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 18 IoCs
pid | Process (consecutive repeated entries collapsed with a count)
4708 | iexplore.exe (2 entries)
4864 | IEXPLORE.EXE (4 entries)
2168 | IEXPLORE.EXE (2 entries)
5052 | IEXPLORE.EXE (4 entries)
2168 | IEXPLORE.EXE (2 entries)
4360 | IEXPLORE.EXE (4 entries)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (consecutive repeated entries collapsed with a count)
PID 1864 wrote to memory of 1452 | 1864 | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe | 82 (3 entries)
PID 1452 wrote to memory of 5032 | 1452 | cmd.exe | 84 (3 entries)
PID 5032 wrote to memory of 2136 | 5032 | net.exe | 85 (3 entries)
PID 1864 wrote to memory of 3708 | 1864 | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe | 86 (3 entries)
PID 3708 wrote to memory of 872 | 3708 | cmd.exe | 88 (3 entries)
PID 872 wrote to memory of 4960 | 872 | net.exe | 89 (3 entries)
PID 1864 wrote to memory of 4832 | 1864 | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe | 91 (3 entries)
PID 4832 wrote to memory of 4100 | 4832 | cmd.exe | 93 (3 entries)
PID 4100 wrote to memory of 1784 | 4100 | net.exe | 94 (3 entries)
PID 1864 wrote to memory of 1480 | 1864 | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe | 95 (3 entries)
PID 1480 wrote to memory of 4940 | 1480 | cmd.exe | 97 (3 entries)
PID 4940 wrote to memory of 1552 | 4940 | net.exe | 98 (3 entries)
PID 1864 wrote to memory of 2688 | 1864 | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe | 99 (3 entries)
PID 2688 wrote to memory of 1404 | 2688 | cmd.exe | 101 (3 entries)
PID 1404 wrote to memory of 4752 | 1404 | net.exe | 102 (3 entries)
PID 1864 wrote to memory of 4068 | 1864 | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe | 103 (3 entries)
PID 4068 wrote to memory of 4836 | 4068 | cmd.exe | 105 (3 entries)
PID 4836 wrote to memory of 2020 | 4836 | net.exe | 106 (3 entries)
PID 1864 wrote to memory of 3572 | 1864 | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe | 107 (3 entries)
PID 3572 wrote to memory of 4568 | 3572 | cmd.exe | 109 (3 entries)
PID 4568 wrote to memory of 1360 | 4568 | net.exe | 110 (3 entries)
PID 1864 wrote to memory of 4880 | 1864 | f65e53031dd147cba479d30d495467df_JaffaCakes118.exe | 111 (1 entry)
Processes
- depth 1  C:\Users\Admin\AppData\Local\Temp\f65e53031dd147cba479d30d495467df_JaffaCakes118.exe  (PID 1864)
  command line: "C:\Users\Admin\AppData\Local\Temp\f65e53031dd147cba479d30d495467df_JaffaCakes118.exe"
  - Sets file execution options in registry
  - Checks computer location settings
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - depth 2  C:\Windows\SysWOW64\cmd.exe  (PID 1452)
    command line: cmd /c net stop McShield
    - Suspicious use of WriteProcessMemory
    - depth 3  C:\Windows\SysWOW64\net.exe  (PID 5032)
      command line: net stop McShield
      - Suspicious use of WriteProcessMemory
      - depth 4  C:\Windows\SysWOW64\net1.exe  (PID 2136)
        command line: C:\Windows\system32\net1 stop McShield
  - depth 2  C:\Windows\SysWOW64\cmd.exe  (PID 3708)
    command line: cmd /c net stop KWhatchsvc
    - Suspicious use of WriteProcessMemory
    - depth 3  C:\Windows\SysWOW64\net.exe  (PID 872)
      command line: net stop KWhatchsvc
      - Suspicious use of WriteProcessMemory
      - depth 4  C:\Windows\SysWOW64\net1.exe  (PID 4960)
        command line: C:\Windows\system32\net1 stop KWhatchsvc
  - depth 2  C:\Windows\SysWOW64\cmd.exe  (PID 4832)
    command line: cmd /c net stop KPfwSvc
    - Suspicious use of WriteProcessMemory
    - depth 3  C:\Windows\SysWOW64\net.exe  (PID 4100)
      command line: net stop KPfwSvc
      - Suspicious use of WriteProcessMemory
      - depth 4  C:\Windows\SysWOW64\net1.exe  (PID 1784)
        command line: C:\Windows\system32\net1 stop KPfwSvc
  - depth 2  C:\Windows\SysWOW64\cmd.exe  (PID 1480)
    command line: cmd /c net stop "Symantec AntiVirus Drivers Services"
    - Suspicious use of WriteProcessMemory
    - depth 3  C:\Windows\SysWOW64\net.exe  (PID 4940)
      command line: net stop "Symantec AntiVirus Drivers Services"
      - Suspicious use of WriteProcessMemory
      - depth 4  C:\Windows\SysWOW64\net1.exe  (PID 1552)
        command line: C:\Windows\system32\net1 stop "Symantec AntiVirus Drivers Services"
  - depth 2  C:\Windows\SysWOW64\cmd.exe  (PID 2688)
    command line: cmd /c net stop "Symantec AntiVirus Definition Watcher"
    - Suspicious use of WriteProcessMemory
    - depth 3  C:\Windows\SysWOW64\net.exe  (PID 1404)
      command line: net stop "Symantec AntiVirus Definition Watcher"
      - Suspicious use of WriteProcessMemory
      - depth 4  C:\Windows\SysWOW64\net1.exe  (PID 4752)
        command line: C:\Windows\system32\net1 stop "Symantec AntiVirus Definition Watcher"
  - depth 2  C:\Windows\SysWOW64\cmd.exe  (PID 4068)
    command line: cmd /c net stop "McAfee Framework 服务"
    (the service name ends in the GBK string 服务, "service"; the sandbox rendered those two bytes pairs through a Western code page as "·þÎñ")
    - Suspicious use of WriteProcessMemory
    - depth 3  C:\Windows\SysWOW64\net.exe  (PID 4836)
      command line: net stop "McAfee Framework 服务"
      - Suspicious use of WriteProcessMemory
      - depth 4  C:\Windows\SysWOW64\net1.exe  (PID 2020)
        command line: C:\Windows\system32\net1 stop "McAfee Framework 服务"
  - depth 2  C:\Windows\SysWOW64\cmd.exe  (PID 3572)
    command line: cmd /c net stop "Norton AntiVirus Server"
    - Suspicious use of WriteProcessMemory
    - depth 3  C:\Windows\SysWOW64\net.exe  (PID 4568)
      command line: net stop "Norton AntiVirus Server"
      - Suspicious use of WriteProcessMemory
      - depth 4  C:\Windows\SysWOW64\net1.exe  (PID 1360)
        command line: C:\Windows\system32\net1 stop "Norton AntiVirus Server"
  - depth 2  C:\Windows\SysWOW64\cmd.exe  (PID 4880)
    command line: cmd /c net stop DefWatch
    - depth 3  C:\Windows\SysWOW64\net.exe  (PID 3404)
      command line: net stop DefWatch
      - depth 4  C:\Windows\SysWOW64\net1.exe  (PID 2920)
        command line: C:\Windows\system32\net1 stop DefWatch
  - depth 2  C:\Windows\SysWOW64\cmd.exe  (PID 2464)
    command line: cmd /c net stop "Symantec AntiVirus Client"
    - depth 3  C:\Windows\SysWOW64\net.exe  (PID 2100)
      command line: net stop "Symantec AntiVirus Client"
      - depth 4  C:\Windows\SysWOW64\net1.exe  (PID 2432)
        command line: C:\Windows\system32\net1 stop "Symantec AntiVirus Client"
  - depth 2  C:\Windows\SysWOW64\0.pif  (PID 3828)
    command line: C:\Windows\system32\0.pif
    - Drops file in Drivers directory
    - Executes dropped EXE
    - depth 3  C:\Program Files\Internet Explorer\iexplore.exe  (PID 4708)
      command line: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - depth 4  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 4864)
        command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4708 CREDAT:17410 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
  - depth 2  C:\Windows\SysWOW64\cacls.exe  (PID 4360)
    command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\packet.dll /e /p everyone:f
  - depth 2  C:\Windows\SysWOW64\cacls.exe  (PID 3272)
    command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\pthreadVC.dll /e /p everyone:f
  - depth 2  C:\Windows\SysWOW64\cacls.exe  (PID 4956)
    command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\wpcap.dll /e /p everyone:f
  - depth 2  C:\Windows\SysWOW64\cacls.exe  (PID 3096)
    command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\npf.sys /e /p everyone:f
  - depth 2  C:\Windows\SysWOW64\cacls.exe  (PID 2692)
    command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\npptools.dll /e /p everyone:f
  - depth 2  C:\Windows\SysWOW64\cacls.exe  (PID 1828)
    command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\wanpacket.dll /e /p everyone:f
  - depth 2  C:\Windows\SysWOW64\cacls.exe  (PID 3964)
    command line: "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\acpidisk.sys /e /p everyone:f
  - depth 2  C:\Windows\SysWOW64\cacls.exe  (PID 3976)
    command line: "C:\Windows\System32\cacls.exe" C:\Documents and Settings\All Users\「开始」菜单\程序\启动 /e /p everyone:f
    (the unquoted path is the all-users "Start Menu\Programs\Startup" folder of a Chinese-locale Windows XP, written in GBK; the sandbox rendered it as "¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯"; the folder does not exist on the en-us Windows 10 image used for this run)
  - depth 2  C:\Program Files\Internet Explorer\IEXPLORE.EXE  (PID 2168)
    command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.baiduoo.com/tj.htm
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - depth 3  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 5052)
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
    - depth 3  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 4360)
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:17416 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  - depth 2  C:\Program Files\Internet Explorer\IEXPLORE.EXE  (PID 4016)
    command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    - Modifies Internet Explorer settings
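The tree above records two behaviours worth hunting for on real endpoints: a burst of `cmd /c net stop <security service>` chains launched from one parent, and `cacls ... /e /p everyone:f` loosening the ACL on WinPcap components under system32. The script below is an added example, not code from the sandbox, the report or the sample. It works over constructed process-creation tuples (PIDs, images and command lines copied from the tree; the root's parent PID 4000 and the benign control events 7777/7778 are assumptions), so it runs offline; on a live host the same functions would be fed Sysmon Event ID 1 records. It also shows how to undo the GBK-through-Latin-1 mojibake the sandbox produced for the McAfee service name and the Chinese Startup path, since a detection keyed on the garbled spelling would miss the real string.

```python
"""Hunt for the behaviour chain in the process tree above over process-creation events.

Added example, not code from the sandbox report or the sample. EVENTS is a constructed
subset of the report's tree (PIDs, images and command lines copied from it; the root's
parent PID and the control events are assumptions). Lists are taken from the report.
"""
import re
from collections import defaultdict

# Services the sample tries to stop with "net stop" (names from the report), lower-cased.
AV_SERVICES = {
    "mcshield", "kwhatchsvc", "kpfwsvc", "defwatch",
    "symantec antivirus drivers services", "symantec antivirus definition watcher",
    "symantec antivirus client", "norton antivirus server",
    "mcafee framework 服务",  # GBK "service"; the sandbox rendered the bytes as "·þÎñ"
}
# WinPcap / packet-capture components the sample grants Everyone full control on.
WINPCAP_FILES = {"packet.dll", "pthreadvc.dll", "wpcap.dll",
                 "npf.sys", "npptools.dll", "wanpacket.dll"}

S = r"C:\Users\Admin\AppData\Local\Temp\f65e53031dd147cba479d30d495467df_JaffaCakes118.exe"
CACLS = r'"C:\Windows\System32\cacls.exe"'
EVENTS = [  # (pid, ppid, image, command line); constructed from the report's tree
    (1864, 4000, S, f'"{S}"'),  # parent 4000 is an assumption
    (1452, 1864, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c net stop McShield"),
    (5032, 1452, r"C:\Windows\SysWOW64\net.exe", "net stop McShield"),
    (2136, 5032, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 stop McShield"),
    (1480, 1864, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /c net stop "Symantec AntiVirus Drivers Services"'),
    (4940, 1480, r"C:\Windows\SysWOW64\net.exe", 'net stop "Symantec AntiVirus Drivers Services"'),
    (1552, 4940, r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Symantec AntiVirus Drivers Services"'),
    (4068, 1864, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /c net stop "McAfee Framework ·þÎñ"'),  # mojibake as shown
    (4836, 4068, r"C:\Windows\SysWOW64\net.exe", 'net stop "McAfee Framework ·þÎñ"'),
    (2020, 4836, r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "McAfee Framework ·þÎñ"'),
    (4360, 1864, r"C:\Windows\SysWOW64\cacls.exe", CACLS + r" C:\Windows\system32\packet.dll /e /p everyone:f"),
    (3096, 1864, r"C:\Windows\SysWOW64\cacls.exe", CACLS + r" C:\Windows\system32\drivers\npf.sys /e /p everyone:f"),
    (3976, 1864, r"C:\Windows\SysWOW64\cacls.exe",
     CACLS + r" C:\Documents and Settings\All Users\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯ /e /p everyone:f"),
    (7778, 7777, r"C:\Windows\System32\net1.exe", r"C:\Windows\system32\net1 stop Spooler"),  # benign control, constructed
]

NET_STOP = re.compile(r'(?i)\bstop\s+(?:"([^"]+)"|(\S+))')
EVERYONE_FULL = re.compile(r'(?i)\beveryone:\(?f\)?(?=\s|$)')  # cacls everyone:f, icacls everyone:(F)


def demojibake(text):
    """Undo GBK bytes that were displayed through a Western code page ("·þÎñ" -> "服务").
    ASCII passes through unchanged; text that is not cp1252/Latin-1 or not valid GBK is returned as-is."""
    for codec in ("cp1252", "latin-1"):
        try:
            return text.encode(codec).decode("gbk")
        except (UnicodeEncodeError, UnicodeDecodeError):
            continue
    return text


def root_of(pid, index):
    """Follow parent links to the top-most known process; the seen-set guards against PID-reuse loops."""
    seen = set()
    while pid not in seen and index.get(pid, (None,))[0] in index:
        seen.add(pid)
        pid = index[pid][0]
    return pid


def acl_target(cmdline):
    """Path argument of cacls/icacls: everything between the image token and the first switch.
    Tolerates unquoted paths containing spaces, as in the report's Chinese Startup-folder line."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s+(.*?)\s+/', cmdline)
    return m.group(1).strip('"') if m else None


def hunt(events):
    """Return one finding per (root process, set of security services stopped) and one per world-writable grant."""
    index = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    stops = defaultdict(set)
    findings = []
    for pid, _ppid, image, cmd in events:
        base = image.rsplit("\\", 1)[-1].lower()
        cmd = demojibake(cmd)  # normalise before matching so the GBK service name is recognised
        if base in ("net.exe", "net1.exe"):
            m = NET_STOP.search(cmd)
            svc = (m.group(1) or m.group(2)).lower() if m else None
            if svc in AV_SERVICES:
                stops[root_of(pid, index)].add(svc)  # set() collapses the net.exe/net1.exe pair
        elif base in ("cacls.exe", "icacls.exe") and EVERYONE_FULL.search(cmd):
            target = acl_target(cmd)
            if target:
                name = target.rsplit("\\", 1)[-1].lower()
                findings.append({"rule": "everyone_full_control", "pid": pid, "root": root_of(pid, index),
                                 "target": target, "severity": "high" if name in WINPCAP_FILES else "medium"})
    for root, svcs in stops.items():
        findings.append({"rule": "security_service_stop", "root": root, "services": sorted(svcs),
                         "severity": "high" if len(svcs) >= 3 else "medium"})
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Two caveats when applying this beyond the constructed input. None of the named services ship on the en-us Windows 10 image this run used, so the `net stop` calls and the cacls on the Chinese Startup folder cannot have succeeded here; the tree still documents intent, and the script scores intent, not effect. Process events also say nothing about the "Sets file execution options in registry" behaviour, which needs registry telemetry (for example Sysmon Event ID 13 on `Image File Execution Options\*\Debugger` values) to be seen at all.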
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  Filesize: 471B
  MD5: a4660977d10a286a0ff606b3734933d5
  SHA1: 5221b082deb7586bb7de50321fe0c3b9266c045e
  SHA256: 3d925398397bc5939b5c54c2fd662e344b7d0a74743fbc5543473d1875781f1f
  SHA512: 2970ab07715bc77343dcca22c0be250d7360f318d7fde3738becec769b0fa0fe8ddcd651a94edd7799bc18334d89fa24a0224201d3ba766756f8e75989bb0e66
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  Filesize: 412B
  MD5: 49bf21129872263715a4591695106c98
  SHA1: dff76f265948458d5f038a454e8d465102e5aa1c
  SHA256: f34e7c52d91b3962a7a0478906035abf48ebd13499197fbeddbffdf53ee2799c
  SHA512: 83a46881fa9ca51477d9ced406b08aaab34664b399987f01a3022ee8fbeb901977b74b2902812eb00eefb8d18af18a51eb6f1f675c8a1a87152ee0db9b8dba53
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{330111DC-909A-11D8-9C52-7E7946C1FF9B}.dat
  Filesize: 5KB
  MD5: 679989af340e1aa28432490fdbfcd265
  SHA1: 142e927c7517aa17c593641dd0a61a56661cbac4
  SHA256: 2052ecbee13c43b221d2b9e8394959fb2784725d19a57d6c4b4891e5e657496f
  SHA512: ca58fec7eb55c2a642b676689309d41b0838247f9a11b6eed48fb0c1b9aa9e38266f16b068cc17ca1b8b3b25560dc4ec6071a14733e4595ad0a4e5944e93a2f7
- (file path not recorded on the page)
  Filesize: 7KB
  MD5: ed39b3accc3428934a21772438640be5
  SHA1: 796bf164ff32f1e7453d31988fcf7b2c5e072ed4
  SHA256: a6a2a4c186b787bc13242f0ab1b5c0b422aa978847da0841539db848faff1fd3
  SHA512: d87af3b1597973497808c215df184640487d9a5e32961b74345bde2fb3d2dedce98bcac5384f096ae533e14961ecf138ecf27b2e731ef3e2659d55bd021e2ff1