Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 28/04/2024, 18:52
Static task: static1
Behavioral task: behavioral1
Sample: 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Resource: win10v2004-20240419-en
General
Target: 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Size: 150KB
MD5: 05da866cdc40e2426903e2c3ba8bbcb6
SHA1: c8df5f665324305d51851c1f6decbf612b4be8ab
SHA256: c56db4bb0499c957719c72f76f4b3541a10bfa0c567afbed37597669ebeb7c31
SHA512: a47c949be8c5ecc6ef583587efc9939b1738fc25de2ba11d5d77c7294fcaa09271d54965fe58fb50f05f7cccaa282641c68c4819e6ad59be255221b3e1bb8818
SSDEEP: 1536:cWwa6OYkIgzwOYFu/vWInvqTgiV6ZokAMOwklOcjUpkWb2TTghpwuh:lz6ODIn3u//vS4oEOXOcjWJuuth
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 4k51k4.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 7 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SMSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | CSRSS.EXE
Modifies visibility of hidden/system files in Explorer (2 TTPs, 7 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 4k51k4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | CSRSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SMSS.EXE
Disables RegEdit via registry modification (14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SMSS.EXE
Disables Task Manager via registry modification
Disables use of System Restore points (1 TTPs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Modifies system executable filetype association (2 TTPs, 24 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Adds Run key to start application (2 TTPs, 10 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | 4k51k4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | 4k51k4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | 4k51k4.exe
Drops desktop.ini file(s) (10 IoCs)
description | ioc | Process
File opened for modification | C:\desktop.ini | SMSS.EXE
File opened for modification | C:\desktop.ini | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File created | C:\desktop.ini | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened for modification | F:\desktop.ini | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened for modification | C:\desktop.ini | WINLOGON.EXE
File opened for modification | C:\desktop.ini | CSRSS.EXE
File opened for modification | C:\desktop.ini | SERVICES.EXE
File opened for modification | C:\desktop.ini | LSASS.EXE
File created | F:\desktop.ini | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened for modification | C:\desktop.ini | 4k51k4.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (60 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (8 IoCs)
pid | pid_target | Process | procid_target
1220 | 2472 | WerFault.exe | 30
1748 | 1468 | WerFault.exe | 32
1904 | 2372 | WerFault.exe | 29
1616 | 396 | WerFault.exe | 39
1940 | 1408 | WerFault.exe | 38
536 | 1896 | WerFault.exe | 40
1780 | 2332 | WerFault.exe | 41
596 | 852 | WerFault.exe | 42
Modifies Control Panel (8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" | 4k51k4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 4k51k4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 4k51k4.exe
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ | 4k51k4.exe
Modifies registry class (27 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 4k51k4.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
2340 | 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target  (the report lists every row four times; each is shown once here with its count)
PID 2340 wrote to memory of 2372  2340  05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe  29  (x4)
PID 2340 wrote to memory of 2472  2340  05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe  30  (x4)
PID 2472 wrote to memory of 1220  2472  IExplorer.exe  31  (x4)
PID 1468 wrote to memory of 1748  1468  Shell.exe  33  (x4)
PID 2372 wrote to memory of 1944  2372  4k51k4.exe  36  (x4)
PID 2372 wrote to memory of 608  2372  4k51k4.exe  37  (x4)
PID 2372 wrote to memory of 1408  2372  4k51k4.exe  38  (x4)
PID 2372 wrote to memory of 396  2372  4k51k4.exe  39  (x4)
PID 2372 wrote to memory of 1896  2372  4k51k4.exe  40  (x4)
PID 2372 wrote to memory of 2332  2372  4k51k4.exe  41  (x4)
PID 2372 wrote to memory of 852  2372  4k51k4.exe  42  (x4)
PID 2372 wrote to memory of 1904  2372  4k51k4.exe  43  (x4)
PID 1408 wrote to memory of 2280  1408  WINLOGON.EXE  46  (x4)
PID 396 wrote to memory of 1984  396  CSRSS.EXE  47  (x4)
PID 1408 wrote to memory of 1536  1408  WINLOGON.EXE  48  (x4)
PID 396 wrote to memory of 1524  396  CSRSS.EXE  49  (x4)
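Whether a WriteProcessMemory row means injection depends on who the target is. Every target in the table above is a process the writer had just created (compare the Processes tree below), which is the ordinary CreateProcess pattern: the parent populates the new process before it starts. The script below, an added example and not part of the tria.ge report, parses rows in the report's format, collapses the four-fold repetition into edges with counts, and splits own-child writes from writes into unrelated processes. The edge list and the child-to-parent map are transcribed from this page; CONTROL_ROW is a constructed row that is not in the report, included only so the cross-process branch is exercised.

```python
"""Collapse 'Suspicious use of WriteProcessMemory' rows into writer->target edges
and separate own-child writes from cross-process ones.

Added example, not part of the original report. Row shape, as printed there:
    PID <src> wrote to memory of <dst> <src> <image> <procid_target>
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

Edge = Tuple[int, int]

WPM_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) '
    r'(?P<pid>\d+) (?P<image>\S+) (?P<target_row>\d+)$'
)

# (writer pid, writer image, target pid, procid_target), transcribed from the
# report's 64 rows; the report prints each of these 16 edges four times.
REPORT_EDGES = [
    (2340, '05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe', 2372, 29),
    (2340, '05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe', 2472, 30),
    (2472, 'IExplorer.exe', 1220, 31),
    (1468, 'Shell.exe', 1748, 33),
    (2372, '4k51k4.exe', 1944, 36),
    (2372, '4k51k4.exe', 608, 37),
    (2372, '4k51k4.exe', 1408, 38),
    (2372, '4k51k4.exe', 396, 39),
    (2372, '4k51k4.exe', 1896, 40),
    (2372, '4k51k4.exe', 2332, 41),
    (2372, '4k51k4.exe', 852, 42),
    (2372, '4k51k4.exe', 1904, 43),
    (1408, 'WINLOGON.EXE', 2280, 46),
    (396, 'CSRSS.EXE', 1984, 47),
    (1408, 'WINLOGON.EXE', 1536, 48),
    (396, 'CSRSS.EXE', 1524, 49),
]
SAMPLE_ROWS = [f'PID {s} wrote to memory of {d} {s} {img} {t}'
               for s, img, d, t in REPORT_EDGES for _ in range(4)]

# Constructed negative control, NOT in the report: a write into a process the
# writer did not create (1220 is a child of 2472, not of 2340).
CONTROL_ROW = ('PID 2340 wrote to memory of 1220 2340 '
               '05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe 31')

# child pid -> parent pid, read off the Processes tree for every pid above.
PARENT_OF: Dict[int, int] = {
    2372: 2340, 2472: 2340,
    1944: 2372, 608: 2372, 1408: 2372, 396: 2372,
    1896: 2372, 2332: 2372, 852: 2372, 1904: 2372,
    1220: 2472, 1468: 1220, 1748: 1468,
    2280: 1408, 1536: 1408, 1984: 396, 1524: 396,
}


def parse_wpm(rows: List[str]) -> Tuple[Counter, Dict[int, str]]:
    """Return ({(src, dst): occurrences}, {src: image}) for the given rows."""
    edges: Counter = Counter()
    images: Dict[int, str] = {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f'unparsable row: {row!r}')
        if m['src'] != m['pid']:  # the pid column must agree with the description
            raise ValueError(f'pid column disagrees with description: {row!r}')
        src, dst = int(m['src']), int(m['dst'])
        edges[(src, dst)] += 1
        images[src] = m['image']
    return edges, images


def classify_edges(edges: Counter, parent_of: Dict[int, int]):
    """Split edges into (own_child, foreign).

    A write into a process the writer itself created is what CreateProcess does
    while it sets up the new process; a write into any other process is the
    case worth a closer look."""
    own_child: List[Tuple[Edge, int]] = []
    foreign: List[Tuple[Edge, int]] = []
    for edge, n in sorted(edges.items()):
        src, dst = edge
        (own_child if parent_of.get(dst) == src else foreign).append((edge, n))
    return own_child, foreign


if __name__ == '__main__':
    edges, images = parse_wpm(SAMPLE_ROWS + [CONTROL_ROW])
    own_child, foreign = classify_edges(edges, PARENT_OF)
    print(f'{len(own_child)} own-child edges, {len(foreign)} cross-process edges')
    for (src, dst), n in foreign:
        print(f'  {images[src]} ({src}) -> {dst}  x{n}')
```

On the report's own rows the cross-process bucket is empty: the 64 entries reduce to 16 parent-to-child edges, so this signature here documents the fan-out of spawned copies rather than injection into an existing process. The parent map only needs the pids that appear as targets; any target missing from it falls into the foreign bucket, which is the safe default.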
System policy modification 1 TTPs 35 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  WINLOGON.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  SERVICES.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  SMSS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  4k51k4.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  CSRSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  SERVICES.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"  SERVICES.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"  WINLOGON.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  CSRSS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  CSRSS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"  05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  4k51k4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"  4k51k4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"  WINLOGON.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"  LSASS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  LSASS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"  SMSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  WINLOGON.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  WINLOGON.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  SMSS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"  05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"  CSRSS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"  CSRSS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"  SERVICES.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"  SMSS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"  4k51k4.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  LSASS.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  LSASS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  4k51k4.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"  LSASS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  SMSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  SERVICES.EXE
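The registry rows in this report mix three different kinds of damage: the shell\open\command hijacks under HKLM\SOFTWARE\Classes (every .exe, .bat, .com, .pif and .lnk launch is routed through the dropped shell.exe, and the exefile type description is changed to "File Folder"), the Winlogon Shell/Userinit edits listed at the top of the page, and the Policies values that lock the user out of regedit, Task Manager and Folder Options. The script below is an added example, not part of the tria.ge report or of the sample: it parses rows in the exact text form the report uses and applies one rule per category, so the same logic can be run over any report of this shape. The sample rows are transcribed from this page except the last one, a constructed clean default that shows the hijack rule does not fire on a stock association. The Winlogon defaults assume Windows installed on C:.

```python
"""Triage registry IoC rows copied from a sandbox report.

Added example, not part of the original report. Each row has one of the shapes
    Key created <key> <process>
    Set value (str|int) <key> = "<escaped value>" <process>
Rules: file-association hijacks under Classes\<type>\shell\open\command,
exefile type-description spoofing, Winlogon Shell/Userinit tampering, and
the Policies values that disable regedit, Task Manager and Folder Options.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ROW_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<type>str|int)\)) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")? '
    r'(?P<process>\S+)$'
)
SHELL_OPEN = re.compile(r'\\Classes\\(?P<ftype>\w+)\\shell\\open\\command\\?$', re.I)
FTYPE_DEFAULT = re.compile(r'\\Classes\\exefile\\?$', re.I)
WINLOGON = re.compile(r'\\Winlogon\\(?P<name>Shell|Userinit)$', re.I)
POLICY = re.compile(
    r'\\Policies\\(?:System|Explorer)\\'
    r'(?P<name>DisableRegistryTools|DisableTaskMgr|NoFolderOptions)$', re.I)

# Clean-install Winlogon values (assumption: Windows on C:, hence the
# trailing comma after userinit.exe, which is how Windows stores it).
WINLOGON_DEFAULTS = {'shell': 'explorer.exe',
                     'userinit': r'c:\windows\system32\userinit.exe,'}


@dataclass(frozen=True)
class Finding:
    category: str
    key: str
    value: str
    process: str


def unescape(value: str) -> str:
    # Undo the report's C-style escaping (backslash-backslash, backslash-quote).
    return re.sub(r'\\(.)', r'\1', value)


def first_token(command: str) -> str:
    # The program a shell\open\command line really launches; "%1" is the file itself.
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command)
    if not m:
        return ''
    return m.group(1) if m.group(1) is not None else m.group(2)


def classify(row: str) -> Optional[Finding]:
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f'unparsable row: {row!r}')
    if m['op'] == 'Key created':  # creating a key proves nothing; the values do
        return None
    key, process = m['key'], m['process']
    value = unescape(m['value'] or '')

    if (s := SHELL_OPEN.search(key)):
        # A stock association runs the file itself ("%1" or "%L"); anything else
        # inserts another program in front of every launch of that file type.
        if first_token(value).upper() not in ('%1', '%L'):
            return Finding(f'file-association hijack ({s["ftype"]})', key, value, process)
        return None
    if FTYPE_DEFAULT.search(key) and value != 'Application':
        return Finding('exefile type description spoofed', key, value, process)
    if (w := WINLOGON.search(key)):
        if value.strip().lower() != WINLOGON_DEFAULTS[w['name'].lower()]:
            return Finding(f'winlogon {w["name"]} tampered', key, value, process)
        return None
    if (p := POLICY.search(key)) and value == '1':
        return Finding(f'policy lockout: {p["name"]}', key, value, process)
    return None


def triage(rows: List[str]) -> List[Finding]:
    return [f for f in map(classify, rows) if f is not None]


# Rows transcribed from the report; the last row is a constructed clean default.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" 4k51k4.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" WINLOGON.EXE',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System SMSS.EXE',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" explorer.exe',
]

if __name__ == '__main__':
    for f in triage(SAMPLE_ROWS):
        print(f'{f.process:<52} {f.category:<40} {f.value}')
```

Two details matter in practice. The values in the report are escaped C-style, so they must be unescaped before comparing them with anything read from a live registry; and the hijack rule keys on the program that is launched rather than on a fixed bad path, so it also catches the same trick when the dropped binary has a different name. Cleaning an infected host in the reverse order (restore the exefile association before anything else) is what makes the remaining steps possible, because while the hijack is in place every .exe launch goes through shell.exe first.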
Processes (indentation and [n] give the depth in the tree; "cmd" is the command line the process was started with)
[1] C:\Users\Admin\AppData\Local\Temp\05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe (PID 2340)
  cmd: "C:\Users\Admin\AppData\Local\Temp\05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  [2] C:\Windows\4k51k4.exe (PID 2372)
    cmd: C:\Windows\4k51k4.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    [3] C:\Windows\4k51k4.exe (PID 1944)
      cmd: C:\Windows\4k51k4.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\IExplorer.exe (PID 608)
      cmd: C:\Windows\system32\IExplorer.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
    [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (PID 1408)
      cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      [4] C:\Windows\4k51k4.exe (PID 2280)
        cmd: C:\Windows\4k51k4.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\IExplorer.exe (PID 1536)
        cmd: C:\Windows\system32\IExplorer.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (PID 2980)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (PID 2148)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (PID 1516)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (PID 2640)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (PID 1728)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 1940)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 376
        - Program crash
        [5] C:\Windows\SysWOW64\Shell.exe (PID 2480)
          cmd: "C:\Windows\system32\Shell.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\Shell.exe (PID 1592)
          cmd: "C:\Windows\system32\Shell.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
    [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (PID 396)
      cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      [4] C:\Windows\4k51k4.exe (PID 1984)
        cmd: C:\Windows\4k51k4.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\IExplorer.exe (PID 1524)
        cmd: C:\Windows\system32\IExplorer.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (PID 2532)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (PID 2260)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (PID 2436)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (PID 2860)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (PID 2820)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 1616)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 372
        - Program crash
        [5] C:\Windows\SysWOW64\Shell.exe (PID 2252)
          cmd: "C:\Windows\system32\Shell.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\Shell.exe (PID 1400)
          cmd: "C:\Windows\system32\Shell.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
    [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (PID 1896)
      cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - System policy modification
      [4] C:\Windows\4k51k4.exe (PID 2600)
        cmd: C:\Windows\4k51k4.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\IExplorer.exe (PID 2692)
        cmd: C:\Windows\system32\IExplorer.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (PID 2448)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (PID 2856)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (PID 776)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (PID 1580)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (PID 2884)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 536)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 344
        - Program crash
        [5] C:\Windows\SysWOW64\Shell.exe (PID 600)
          cmd: "C:\Windows\system32\Shell.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\Shell.exe (PID 380)
          cmd: "C:\Windows\system32\Shell.exe"
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
    [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (PID 2332)
      cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - System policy modification
      [4] C:\Windows\4k51k4.exe (PID 2512)
        cmd: C:\Windows\4k51k4.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\IExplorer.exe (PID 2440)
        cmd: C:\Windows\system32\IExplorer.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (PID 2964)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (PID 2432)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (PID 1164)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (PID 3060)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (PID 2328)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 1780)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 360
        - Program crash
        [5] C:\Windows\SysWOW64\Shell.exe (PID 2348)
          cmd: "C:\Windows\system32\Shell.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\Shell.exe (PID 2312)
          cmd: "C:\Windows\system32\Shell.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
    [3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (PID 852)
      cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - System policy modification
      [4] C:\Windows\4k51k4.exe (PID 376)
        cmd: C:\Windows\4k51k4.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\IExplorer.exe (PID 1356)
        cmd: C:\Windows\system32\IExplorer.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (PID 2196)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (PID 2024)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (PID 1564)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (PID 1156)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (PID 1868)
        cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 596)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 364
        - Program crash
        [5] C:\Windows\SysWOW64\Shell.exe (PID 944)
          cmd: "C:\Windows\system32\Shell.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\Shell.exe (PID 1716)
          cmd: "C:\Windows\system32\Shell.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\WerFault.exe (PID 1904)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 368
      - Loads dropped DLL
      - Program crash
      [4] C:\Windows\SysWOW64\Shell.exe (PID 284)
        cmd: "C:\Windows\system32\Shell.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\Shell.exe (PID 3012)
        cmd: "C:\Windows\system32\Shell.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\SysWOW64\IExplorer.exe (PID 2472)
    cmd: C:\Windows\system32\IExplorer.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WerFault.exe (PID 1220)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 216
      - Loads dropped DLL
      - Program crash
      [4] C:\Windows\SysWOW64\Shell.exe (PID 1468)
        cmd: "C:\Windows\system32\Shell.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WerFault.exe (PID 1748)
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 240
          - Loads dropped DLL
          - Program crash
          [6] C:\Windows\SysWOW64\Shell.exe (PID 1576)
            cmd: "C:\Windows\system32\Shell.exe"
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Suspicious use of SetWindowsHookEx
          [6] C:\Windows\SysWOW64\Shell.exe (PID 328)
            cmd: "C:\Windows\system32\Shell.exe"
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\4k51k4.exe (PID 1232)
    cmd: C:\Windows\4k51k4.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  [2] C:\Windows\SysWOW64\IExplorer.exe (PID 2120)
    cmd: C:\Windows\system32\IExplorer.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
  [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (PID 1892)
    cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (PID 2684)
    cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (PID 2572)
    cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    - Executes dropped EXE
  [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (PID 3020)
    cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (PID 2984)
    cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (PID 2412)
    cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (PID 2932)
    cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (PID 2532)
    cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (PID 2980)
    cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (PID 2416)
    cmd: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
Network
MITRE ATT&CK Enterprise v15 (technique: number of matching signatures)
Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Event Triggered Execution (T1546): 1
  - Change Default File Association (T1546.001): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Event Triggered Execution (T1546): 1
  - Change Default File Association (T1546.001): 1
Defense Evasion
- Hide Artifacts (T1564): 2
  - Hidden Files and Directories (T1564.001): 2
- Modify Registry (T1112): 6
Downloads
- Filesize 640B
  MD5    5d142e7978321fde49abd9a068b64d97
  SHA1   70020fcf7f3d6dafb6c8cd7a55395196a487bef4
  SHA256 fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061
  SHA512 2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9
- Filesize 150KB
  MD5    1523e36aeef239101629b4be86d9fa79
  SHA1   020d1154946350715b6821a8e9078d8766f16994
  SHA256 e458c123ffba1f0747d50f324fc6f16f08525642fb5ae411369cb23ab0abce73
  SHA512 9b35b4c686856919f8f3fb8a8b30059bbfd5e8ccee9247d25eab5a18c9a5c3cea654ff93ab6b971e461ac6269a148a677583eef08742e5e5b294e7eb1e0a0567
- Filesize 442B
  MD5    001424d7974b9a3995af292f6fcfe171
  SHA1   f8201d49d594d712c8450679c856c2e8307d2337
  SHA256 660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d
  SHA512 66ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657
- Filesize 150KB (identical to the submitted sample)
  MD5    05da866cdc40e2426903e2c3ba8bbcb6
  SHA1   c8df5f665324305d51851c1f6decbf612b4be8ab
  SHA256 c56db4bb0499c957719c72f76f4b3541a10bfa0c567afbed37597669ebeb7c31
  SHA512 a47c949be8c5ecc6ef583587efc9939b1738fc25de2ba11d5d77c7294fcaa09271d54965fe58fb50f05f7cccaa282641c68c4819e6ad59be255221b3e1bb8818
- Filesize 150KB
  MD5    e68bcf3a137dac9f6864da3952e81223
  SHA1   5ac4e01ea418db213788181825d00e45d449811b
  SHA256 d48222d56a40cb8605a6318fc3349f603843205d38cc9fc2f20317b2b1261474
  SHA512 568561586acde06ef0e133ccfc012ee6b04b7c1a1375a13178ee7a07c2ee1e0a3f19bf6f0d3d0a871d4be6df458bd806190d34517678c85b38a29db518b90a10
- Filesize 150KB
  MD5    74e2bb695cdaeae6c2b6eb8fae96c73b
  SHA1   9a5c6b8fee8a6808e5d651a5e63e959c09f34b96
  SHA256 bcd9d0e910686c462e3e701899b93f7b98053778c198be79a94ff20e54241377
  SHA512 21debf2d4dac577b7e110ef9b869b1f98f77170ec250a9130295a6ba25db99e4751fa8e36d797ad4390f91e1dbc883560efa61b38554d11e4da29a0d18c87b9d
- Filesize 150KB
  MD5    e6a07d6b3d08834e770cb0e779ad5070
  SHA1   675b4ac3cfe12977a485935f16b08fedb8f9b61a
  SHA256 1a4c84c0be1abac86e08aa4431ffe25b51ffeaa53ce39550c49cfd8ac1e8f121
  SHA512 f59bcf41279ea0cae062607928fc44650189d540b746dede44943ca38f5715e2213051b0baab3a3a5f0f6c89a1e7d9497ffb1c2bdd073652a1fa56126077ae91
- Filesize 150KB
  MD5    f2663a4524a5c50b342e4bd95f40f419
  SHA1   a3c4b2327836a7ebc92ff741fc829e5efbaf5fb2
  SHA256 22e006c601710cca7cbe6f3bae88a9300db9036d09c5a4efe79d370d284b5ba3
  SHA512 222bb1382427fbcbff587687304efd2a73dd9665d86fe26de763e2e1c161bb762b1ba60b2c45e3f7f334fbdc301ed826c88c715bf999387207a35d5dc4d75710
- Filesize 150KB
  MD5    b9c752975f0fada8fa1d28e0280974b8
  SHA1   56888996cc9aba0949e15af10d2b8765c8ecc12e
  SHA256 6d068faae63c61d50ef0832f4bedc22cb1fae85add032e63d8e7da2c115d379c
  SHA512 ea09138de2e676624605257ba50622da24dd8341d470a11d715e9c72c2635fd73baaf56392c28586d888652eefeb79aaa6bbd1576322603e30ed70fc702b37e1
- Filesize 150KB
  MD5    a3a5231d6f12463c8f1ded3eeef85246
  SHA1   5c7beeb2406f2c6867b183393360492d292d56ad
  SHA256 230760ffe58e4271bb12e948df15416215a9c66f0db1be51554530e50eb6159a
  SHA512 f94b8b8d2320d829c627e117f32e21e7bf0d0c587f5952c7b40f005db879e2c78eb10ed2444c67f39fc85397a8cc75272101e82976d136b64e4a015696ae8b74
- Filesize 150KB
  MD5    508b43f2f3548bec6c60c94bfde4abc3
  SHA1   9da03f7ffb0226ac2f9e365ca568b60bff6dc56f
  SHA256 85b3659eb325f5b5530fe1bf0620b6c2b395a0d98ba64c4be97e40a9066bd5df
  SHA512 a63a1b86730e1ab797aad34d77f23032002a2f38cf94b6369a555af355b54b23e014965dec31ab61508d53cb168d3ae2900c3c0fd7e3e10992d5922512b1fcb5
- Filesize 150KB
  MD5    ce8fbe7e9918fa5dba056ea6cdea50af
  SHA1   a008ea2f6afeb8e9a56a2bccd830ac8a400cba05
  SHA256 0d7496a8ac5ad7ee7850fa3f553dbe369c5b0a9ef062e7ef0676b1c27325258d
  SHA512 97898bba94632b2058439544381c8788ef3f8fa84c4b64e2e354c3d264615a03f963bbec563968226127be2bf87034380f05488d5337f357202382143963e95c
- Filesize 1.3MB
  MD5    5343a19c618bc515ceb1695586c6c137
  SHA1   4dedae8cbde066f31c8e6b52c0baa3f8b1117742
  SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
  SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
- Filesize 150KB
  MD5    4ad22f32782f2e9eb2cb79e7819ce95f
  SHA1   36e34a8111f60494adbcfa8619a5ac176e329823
  SHA256 35bae5cbeb46bbc42f3e6aafecec844ffb0447c216a38e8dff1132929b0f86fc
  SHA512 829d58c6398af06b417b8d3eafbb2b4e4ffb90b8ba92aec4eed635cf4dc25a2779e8c6957b6b2f21c89198171e1c974c53cc61c76750a4ee81b00477ed9b0c97
- Filesize 150KB
  MD5    3e020aa11416229b464731ad1bf719d6
  SHA1   e434d28895b73332e074320881ffcf2e22d0e992
  SHA256 4734a0ac53acc70dbd153be3db272146589f24367372e7abc78fbd2ce574672e
  SHA512 62ffcc4fcf8b89651919d5f00c5a3aebfefb8e2038508d8b4b7b42e807ab727126ab7925c9d1ec6d90cde8c08906bf6f1e3cb07af38cc046d0a9a99223c53196