c56db4bb0499c957719c72f76f4b3541a10bfa0c567afbed37597669ebeb7c31

Analysis

max time kernel
149s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Size

150KB
MD5

05da866cdc40e2426903e2c3ba8bbcb6
SHA1

c8df5f665324305d51851c1f6decbf612b4be8ab
SHA256

c56db4bb0499c957719c72f76f4b3541a10bfa0c567afbed37597669ebeb7c31
SHA512

a47c949be8c5ecc6ef583587efc9939b1738fc25de2ba11d5d77c7294fcaa09271d54965fe58fb50f05f7cccaa282641c68c4819e6ad59be255221b3e1bb8818
SSDEEP

1536:cWwa6OYkIgzwOYFu/vWInvqTgiV6ZokAMOwklOcjUpkWb2TTghpwuh:lz6ODIn3u//vS4oEOXOcjWJuuth

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	SERVICES.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4k51k4.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	LSASS.EXE

Disables RegEdit via registry modification 20 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Shell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Shell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

pid	Process
2872	4k51k4.exe
1532	IExplorer.exe
1508	WINLOGON.EXE
4244	Shell.exe
2036	Shell.exe
3564	Shell.exe
432	4k51k4.exe
2444	Shell.exe
3468	IExplorer.exe
1700	4k51k4.exe
4376	WINLOGON.EXE
2192	CSRSS.EXE
2340	Shell.exe
808	IExplorer.exe
912	WINLOGON.EXE
5016	Shell.exe
5032	CSRSS.EXE
1816	Shell.exe
4944	SERVICES.EXE
4400	Shell.exe
4932	LSASS.EXE
4612	SMSS.EXE
2468	4k51k4.exe
4156	IExplorer.exe
3196	SERVICES.EXE
3488	Shell.exe
4356	WINLOGON.EXE
1516	LSASS.EXE
880	CSRSS.EXE
4428	SMSS.EXE
4352	Shell.exe
1052	Shell.exe
2464	Shell.exe
3776	Shell.exe
3956	SERVICES.EXE
4768	LSASS.EXE
2264	SMSS.EXE
3784	CSRSS.EXE
4300	4k51k4.exe
4808	SERVICES.EXE
1992	LSASS.EXE
2568	SMSS.EXE
1336	IExplorer.exe
1852	WINLOGON.EXE
1816	4k51k4.exe
2076	CSRSS.EXE
4712	IExplorer.exe
3200	SERVICES.EXE
2524	WINLOGON.EXE
3204	LSASS.EXE
336	CSRSS.EXE
3096	SMSS.EXE
4500	SERVICES.EXE
2160	LSASS.EXE
2468	4k51k4.exe
4156	SMSS.EXE
2852	IExplorer.exe
1516	WINLOGON.EXE
2216	CSRSS.EXE
4536	SERVICES.EXE
1420	4k51k4.exe
3544	LSASS.EXE
4196	4k51k4.exe
2448	IExplorer.exe

Loads dropped DLL 64 IoCs

pid	Process
432	4k51k4.exe
2444	Shell.exe
3468	IExplorer.exe
1700	4k51k4.exe
4376	WINLOGON.EXE
2192	CSRSS.EXE
2340	Shell.exe
808	IExplorer.exe
912	WINLOGON.EXE
5016	Shell.exe
5032	CSRSS.EXE
1816	Shell.exe
4944	SERVICES.EXE
4400	Shell.exe
4932	LSASS.EXE
4612	SMSS.EXE
2468	4k51k4.exe
4156	IExplorer.exe
3196	SERVICES.EXE
4356	WINLOGON.EXE
3488	Shell.exe
1516	LSASS.EXE
880	CSRSS.EXE
4428	SMSS.EXE
4352	Shell.exe
1052	Shell.exe
2464	Shell.exe
3776	Shell.exe
3956	SERVICES.EXE
4768	LSASS.EXE
2264	SMSS.EXE
3784	CSRSS.EXE
4300	4k51k4.exe
4808	SERVICES.EXE
1992	LSASS.EXE
2568	SMSS.EXE
1336	IExplorer.exe
1852	WINLOGON.EXE
1816	4k51k4.exe
2076	CSRSS.EXE
4712	IExplorer.exe
3200	SERVICES.EXE
2524	WINLOGON.EXE
3204	LSASS.EXE
336	CSRSS.EXE
3096	SMSS.EXE
4500	SERVICES.EXE
2160	LSASS.EXE
2468	4k51k4.exe
4156	SMSS.EXE
2852	IExplorer.exe
1516	WINLOGON.EXE
2216	CSRSS.EXE
4536	SERVICES.EXE
1420	4k51k4.exe
3544	LSASS.EXE
4196	4k51k4.exe
2448	IExplorer.exe
4520	IExplorer.exe
3492	SMSS.EXE
1216	WINLOGON.EXE
4896	WINLOGON.EXE
2944	CSRSS.EXE
2012	CSRSS.EXE

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4k51k4.exe

Adds Run key to start application 2 TTPs 45 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SERVICES.EXE

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	IExplorer.exe
File opened for modification	C:\desktop.ini	4k51k4.exe
File opened for modification	C:\desktop.ini	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File created	C:\desktop.ini	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened for modification	F:\desktop.ini	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File created	F:\desktop.ini	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	4k51k4.exe
File opened (read-only)	\??\V:	4k51k4.exe
File opened (read-only)	\??\Y:	CSRSS.EXE
File opened (read-only)	\??\B:	4k51k4.exe
File opened (read-only)	\??\M:	CSRSS.EXE
File opened (read-only)	\??\Q:	SMSS.EXE
File opened (read-only)	\??\Y:	IExplorer.exe
File opened (read-only)	\??\G:	LSASS.EXE
File opened (read-only)	\??\K:	4k51k4.exe
File opened (read-only)	\??\S:	4k51k4.exe
File opened (read-only)	\??\Y:	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened (read-only)	\??\G:	4k51k4.exe
File opened (read-only)	\??\E:	SMSS.EXE
File opened (read-only)	\??\G:	Shell.exe
File opened (read-only)	\??\J:	4k51k4.exe
File opened (read-only)	\??\N:	IExplorer.exe
File opened (read-only)	\??\S:	IExplorer.exe
File opened (read-only)	\??\J:	CSRSS.EXE
File opened (read-only)	\??\H:	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened (read-only)	\??\Y:	SMSS.EXE
File opened (read-only)	\??\J:	Shell.exe
File opened (read-only)	\??\P:	Shell.exe
File opened (read-only)	\??\U:	Shell.exe
File opened (read-only)	\??\K:	SERVICES.EXE
File opened (read-only)	\??\P:	WINLOGON.EXE
File opened (read-only)	\??\X:	Shell.exe
File opened (read-only)	\??\Q:	CSRSS.EXE
File opened (read-only)	\??\E:	SERVICES.EXE
File opened (read-only)	\??\B:	SMSS.EXE
File opened (read-only)	\??\N:	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened (read-only)	\??\O:	WINLOGON.EXE
File opened (read-only)	\??\X:	4k51k4.exe
File opened (read-only)	\??\G:	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened (read-only)	\??\V:	SERVICES.EXE
File opened (read-only)	\??\V:	WINLOGON.EXE
File opened (read-only)	\??\R:	4k51k4.exe
File opened (read-only)	\??\O:	4k51k4.exe
File opened (read-only)	\??\P:	SERVICES.EXE
File opened (read-only)	\??\B:	SERVICES.EXE
File opened (read-only)	\??\N:	SMSS.EXE
File opened (read-only)	\??\M:	WINLOGON.EXE
File opened (read-only)	\??\P:	IExplorer.exe
File opened (read-only)	\??\Z:	SERVICES.EXE
File opened (read-only)	\??\Q:	LSASS.EXE
File opened (read-only)	\??\K:	Shell.exe
File opened (read-only)	\??\L:	Shell.exe
File opened (read-only)	\??\G:	IExplorer.exe
File opened (read-only)	\??\Y:	4k51k4.exe
File opened (read-only)	\??\X:	4k51k4.exe
File opened (read-only)	\??\X:	LSASS.EXE
File opened (read-only)	\??\T:	SMSS.EXE
File opened (read-only)	\??\P:	SMSS.EXE
File opened (read-only)	\??\S:	SMSS.EXE
File opened (read-only)	\??\Y:	WINLOGON.EXE
File opened (read-only)	\??\I:	4k51k4.exe
File opened (read-only)	\??\T:	4k51k4.exe
File opened (read-only)	\??\O:	IExplorer.exe
File opened (read-only)	\??\Z:	4k51k4.exe
File opened (read-only)	\??\W:	Shell.exe
File opened (read-only)	\??\Q:	IExplorer.exe
File opened (read-only)	\??\O:	SERVICES.EXE
File opened (read-only)	\??\K:	SMSS.EXE
File opened (read-only)	\??\T:	Shell.exe
File opened (read-only)	\??\S:	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe

Drops file in System32 directory 59 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	4k51k4.exe
File created	C:\Windows\SysWOW64\shell.exe	LSASS.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	CSRSS.EXE
File created	C:\Windows\SysWOW64\shell.exe	4k51k4.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	4k51k4.exe
File created	C:\Windows\SysWOW64\MrHelloween.scr	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	4k51k4.exe
File created	C:\Windows\SysWOW64\shell.exe	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\shell.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\shell.exe	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	SMSS.EXE
File created	C:\Windows\SysWOW64\shell.exe	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	4k51k4.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	LSASS.EXE
File created	C:\Windows\SysWOW64\shell.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	SMSS.EXE
File created	C:\Windows\SysWOW64\shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	CSRSS.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	4k51k4.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	LSASS.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	SMSS.EXE

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\4k51k4.exe	CSRSS.EXE
File opened for modification	C:\Windows\4k51k4.exe	4k51k4.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	IExplorer.exe
File created	C:\Windows\4k51k4.exe	LSASS.EXE
File opened for modification	C:\Windows\4k51k4.exe	LSASS.EXE
File opened for modification	C:\Windows\4k51k4.exe	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\4k51k4.exe	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	SERVICES.EXE
File created	C:\Windows\4k51k4.exe	4k51k4.exe
File created	C:\Windows\4k51k4.exe	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\4k51k4.exe	4k51k4.exe
File created	C:\Windows\4k51k4.exe	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\4k51k4.exe	SMSS.EXE
File opened for modification	C:\Windows\4k51k4.exe	Shell.exe
File opened for modification	C:\Windows\4k51k4.exe	WINLOGON.EXE
File created	C:\Windows\4k51k4.exe	WINLOGON.EXE
File created	C:\Windows\4k51k4.exe	CSRSS.EXE
File created	C:\Windows\4k51k4.exe	4k51k4.exe
File opened for modification	C:\Windows\4k51k4.exe	SMSS.EXE

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4568	1508	WerFault.exe	86
2556	4244	WerFault.exe	91
3896	2444	WerFault.exe	99
1960	2192	WerFault.exe	105
3948	1532	WerFault.exe	85
932	880	WerFault.exe	126
3116	2872	WerFault.exe	84

Modifies Control Panel 36 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	4k51k4.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4k51k4.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	LSASS.EXE
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SERVICES.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	LSASS.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 7 IoCs

pid	Process
4300	4k51k4.exe
3784	CSRSS.EXE
3488	Shell.exe
4356	WINLOGON.EXE
4944	SERVICES.EXE
4932	LSASS.EXE
4612	SMSS.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
2872	4k51k4.exe
1532	IExplorer.exe
1508	WINLOGON.EXE
4244	Shell.exe
2036	Shell.exe
3564	Shell.exe
432	4k51k4.exe
2444	Shell.exe
3468	IExplorer.exe
4376	WINLOGON.EXE
1700	4k51k4.exe
2340	Shell.exe
2192	CSRSS.EXE
808	IExplorer.exe
912	WINLOGON.EXE
5016	Shell.exe
5032	CSRSS.EXE
1816	Shell.exe
4944	SERVICES.EXE
4400	Shell.exe
4932	LSASS.EXE
4612	SMSS.EXE
2468	4k51k4.exe
4156	IExplorer.exe
3196	SERVICES.EXE
4356	WINLOGON.EXE
3488	Shell.exe
1516	LSASS.EXE
880	CSRSS.EXE
4428	SMSS.EXE
4352	Shell.exe
1052	Shell.exe
2464	Shell.exe
3776	Shell.exe
3956	SERVICES.EXE
4768	LSASS.EXE
2264	SMSS.EXE
3784	CSRSS.EXE
4808	SERVICES.EXE
4300	4k51k4.exe
1992	LSASS.EXE
2568	SMSS.EXE
1336	IExplorer.exe
1852	WINLOGON.EXE
1816	4k51k4.exe
2076	CSRSS.EXE
4712	IExplorer.exe
3200	SERVICES.EXE
2524	WINLOGON.EXE
3204	LSASS.EXE
336	CSRSS.EXE
4500	SERVICES.EXE
3096	SMSS.EXE
2160	LSASS.EXE
2468	4k51k4.exe
4156	SMSS.EXE
2852	IExplorer.exe
1516	WINLOGON.EXE
2216	CSRSS.EXE
4536	SERVICES.EXE
3544	LSASS.EXE
1420	4k51k4.exe
4196	4k51k4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 2872	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	84
PID 3688 wrote to memory of 2872	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	84
PID 3688 wrote to memory of 2872	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	84
PID 3688 wrote to memory of 1532	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	85
PID 3688 wrote to memory of 1532	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	85
PID 3688 wrote to memory of 1532	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	85
PID 3688 wrote to memory of 1508	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	86
PID 3688 wrote to memory of 1508	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	86
PID 3688 wrote to memory of 1508	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	86
PID 2872 wrote to memory of 432	2872	4k51k4.exe	98
PID 2872 wrote to memory of 432	2872	4k51k4.exe	98
PID 2872 wrote to memory of 432	2872	4k51k4.exe	98
PID 2872 wrote to memory of 3468	2872	4k51k4.exe	100
PID 2872 wrote to memory of 3468	2872	4k51k4.exe	100
PID 2872 wrote to memory of 3468	2872	4k51k4.exe	100
PID 1532 wrote to memory of 1700	1532	IExplorer.exe	101
PID 1532 wrote to memory of 1700	1532	IExplorer.exe	101
PID 1532 wrote to memory of 1700	1532	IExplorer.exe	101
PID 2872 wrote to memory of 4376	2872	4k51k4.exe	103
PID 2872 wrote to memory of 4376	2872	4k51k4.exe	103
PID 2872 wrote to memory of 4376	2872	4k51k4.exe	103
PID 2872 wrote to memory of 2192	2872	4k51k4.exe	105
PID 2872 wrote to memory of 2192	2872	4k51k4.exe	105
PID 2872 wrote to memory of 2192	2872	4k51k4.exe	105
PID 1532 wrote to memory of 808	1532	IExplorer.exe	107
PID 1532 wrote to memory of 808	1532	IExplorer.exe	107
PID 1532 wrote to memory of 808	1532	IExplorer.exe	107
PID 1532 wrote to memory of 912	1532	IExplorer.exe	109
PID 1532 wrote to memory of 912	1532	IExplorer.exe	109
PID 1532 wrote to memory of 912	1532	IExplorer.exe	109
PID 1532 wrote to memory of 5032	1532	IExplorer.exe	112
PID 1532 wrote to memory of 5032	1532	IExplorer.exe	112
PID 1532 wrote to memory of 5032	1532	IExplorer.exe	112
PID 1532 wrote to memory of 4944	1532	IExplorer.exe	114
PID 1532 wrote to memory of 4944	1532	IExplorer.exe	114
PID 1532 wrote to memory of 4944	1532	IExplorer.exe	114
PID 1532 wrote to memory of 4932	1532	IExplorer.exe	116
PID 1532 wrote to memory of 4932	1532	IExplorer.exe	116
PID 1532 wrote to memory of 4932	1532	IExplorer.exe	116
PID 1532 wrote to memory of 4612	1532	IExplorer.exe	117
PID 1532 wrote to memory of 4612	1532	IExplorer.exe	117
PID 1532 wrote to memory of 4612	1532	IExplorer.exe	117
PID 3688 wrote to memory of 2468	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	156
PID 3688 wrote to memory of 2468	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	156
PID 3688 wrote to memory of 2468	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	156
PID 3688 wrote to memory of 4156	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	157
PID 3688 wrote to memory of 4156	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	157
PID 3688 wrote to memory of 4156	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	157
PID 2872 wrote to memory of 3196	2872	4k51k4.exe	122
PID 2872 wrote to memory of 3196	2872	4k51k4.exe	122
PID 2872 wrote to memory of 3196	2872	4k51k4.exe	122
PID 3688 wrote to memory of 4356	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	124
PID 3688 wrote to memory of 4356	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	124
PID 3688 wrote to memory of 4356	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	124
PID 2872 wrote to memory of 1516	2872	4k51k4.exe	159
PID 2872 wrote to memory of 1516	2872	4k51k4.exe	159
PID 2872 wrote to memory of 1516	2872	4k51k4.exe	159
PID 3688 wrote to memory of 880	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	126
PID 3688 wrote to memory of 880	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	126
PID 3688 wrote to memory of 880	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	126
PID 2872 wrote to memory of 4428	2872	4k51k4.exe	127
PID 2872 wrote to memory of 4428	2872	4k51k4.exe	127
PID 2872 wrote to memory of 4428	2872	4k51k4.exe	127
PID 3688 wrote to memory of 3956	3688	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	136

System policy modification 1 TTPs 50 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	Shell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE

C:\Users\Admin\AppData\Local\Temp\05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3688
- C:\Windows\4k51k4.exe
  C:\Windows\4k51k4.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2872
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:432
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3468
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4376
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 516
      4⤵
      Program crash
      PID:1960
    - - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1816
    - - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4400
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3196
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1516
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 816
    3⤵
    - Program crash
    PID:3116
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1052
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3776
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1532
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1700
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:808
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:912
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:5032
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:4944
  - - C:\Windows\4k51k4.exe
      C:\Windows\4k51k4.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      Adds Run key to start application
      Enumerates connected drives
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Control Panel
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:4300
    - - C:\Windows\4k51k4.exe
        
        C:\Windows\4k51k4.exe
        5⤵
        
        PID:1240
    - - C:\Windows\SysWOW64\IExplorer.exe
        
        C:\Windows\system32\IExplorer.exe
        5⤵
        
        PID:1760
    - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        5⤵
        
        PID:4948
    - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        5⤵
        
        PID:4040
    - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        5⤵
        
        PID:4400
    - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        5⤵
        
        PID:3972
    - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        5⤵
        
        PID:348
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1336
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1852
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2076
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3200
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3204
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3096
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:4932
  - - C:\Windows\4k51k4.exe
      C:\Windows\4k51k4.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1816
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:4712
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2524
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:336
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:4500
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2160
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:4156
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:4612
  - - C:\Windows\4k51k4.exe
      C:\Windows\4k51k4.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2468
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2852
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1516
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2216
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:4536
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3544
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      4⤵
      Loads dropped DLL
      PID:3492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 812
    3⤵
    - Program crash
    PID:3948
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Disables RegEdit via registry modification
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:3488
    - - C:\Windows\4k51k4.exe
        
        C:\Windows\4k51k4.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4196
    - - C:\Windows\SysWOW64\IExplorer.exe
        
        C:\Windows\system32\IExplorer.exe
        5⤵
        Loads dropped DLL
        
        PID:4520
    - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        5⤵
        Loads dropped DLL
        
        PID:4896
    - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        5⤵
        Loads dropped DLL
        
        PID:2012
    - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        5⤵
        
        PID:4424
    - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        5⤵
        
        PID:3164
    - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        5⤵
        
        PID:464
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 492
    3⤵
    - Program crash
    PID:4568
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:4244
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 544
        5⤵
        Program crash
        
        PID:2556
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2036
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3564
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2444
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 508
        5⤵
        Program crash
        
        PID:3896
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2340
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5016
- C:\Windows\4k51k4.exe
  C:\Windows\4k51k4.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2468
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4156
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4356
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1420
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2448
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Loads dropped DLL
    PID:1216
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Loads dropped DLL
    PID:2944
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    PID:3696
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    PID:1932
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    PID:1528
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 488
    3⤵
    - Program crash
    PID:932
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:4352
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2464
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3956
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4768
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2264
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3784
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    PID:3968
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    PID:408
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    PID:4716
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    PID:2052
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    PID:2300
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    PID:3020
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4808
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1992
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1508 -ip 1508
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4244 -ip 4244
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2444 -ip 2444
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2192 -ip 2192
1⤵
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1532 -ip 1532
1⤵
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 880 -ip 880
1⤵
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2872 -ip 2872
1⤵
PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4K51K4\Folder.htt

Filesize
640B

MD5
5d142e7978321fde49abd9a068b64d97

SHA1
70020fcf7f3d6dafb6c8cd7a55395196a487bef4

SHA256
fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

SHA512
2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

Download Submit
C:\4k51k4.exe

Filesize
150KB

MD5
c431da878f8a030562171e2f0c7d518e

SHA1
51fd67c1e45f6000eb825c032f351612ae79040a

SHA256
9d9df69598b7c7f93e17e89cec91757c6a12a0e59db3bedaf2c1acc8e5c58ee2

SHA512
8ea99565e22fc38fd0a49e21af6f497281ee2c339c4ccba261a99ae83c482bb53b963e6f187d584efc8991a4f365018fc417c9e0ffafc66719bd136a1d7e5fcd

Download Submit
C:\Puisi.txt

Filesize
442B

MD5
001424d7974b9a3995af292f6fcfe171

SHA1
f8201d49d594d712c8450679c856c2e8307d2337

SHA256
660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d

SHA512
66ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
150KB

MD5
327347ac64e31243cda533902f6bd7e4

SHA1
e46c4f19428bd2ae8aa59caa21abcd856cf003a1

SHA256
fb8b691366668c0c7d9a8571c792b5b1b22c25e8174c1862e0c2d2bbc7ff130a

SHA512
ea755fe03f5156bdb9ba28e7aa132366ea486f47728f9dcff9b6d6477f209832a85dd64e942e2160592e9fc46dac5fecef259d1b21c705610b5dcbbcac1628fc

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
150KB

MD5
05da866cdc40e2426903e2c3ba8bbcb6

SHA1
c8df5f665324305d51851c1f6decbf612b4be8ab

SHA256
c56db4bb0499c957719c72f76f4b3541a10bfa0c567afbed37597669ebeb7c31

SHA512
a47c949be8c5ecc6ef583587efc9939b1738fc25de2ba11d5d77c7294fcaa09271d54965fe58fb50f05f7cccaa282641c68c4819e6ad59be255221b3e1bb8818

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
150KB

MD5
eccd59c38223ef292862dbaca9e93422

SHA1
9ec9db5e90b09f860301dc068776c7d5677527b9

SHA256
e36948874aa16155e1a35343d399bc5b6775202eb3ebf5fd8fb0296c5c14518f

SHA512
b363865f48dd10d2d4530fc659e1c2d26263d3ad5352873b3645abd11493995e1f4d6d381bf882ff992e2bcf493d9c87c65c8b27c601191c772331ca96cacd9c

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
150KB

MD5
9abdb8399027065900c21c236d15bdad

SHA1
675476ae1487724cb7039b1094a5c9ffa9fad348

SHA256
58469b29b2ea259592453c0b66f41811b6a923c8ec0bfd897d50fc757a012f07

SHA512
4bc43dda682ebb692ae80c808a9c623e2943c7efd01097d5b1534b0c941123833a4e797c651133177dd454f590bebfe8932525c2484e08c9293df5957f235b32

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

Filesize
150KB

MD5
77a6262727cc55fef5a785be6bc27564

SHA1
894d15cc4a7f84de35dbde3ef705c31b9e5dbe20

SHA256
3dbce3db9554a8ad688e4933121e090b6dfaaa06ea8000cadd9c13bc6e32ebc9

SHA512
963707bf0e0610ca6cca84e343cc1220a90dc6f0f4274813b2d90d399041a1f5de6d16a50bfdb6896f01f2b219c7e786facd1963c44e8dba0f92c456d83d7e18

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.exe

Filesize
150KB

MD5
e6fa4d1db7b3a3ce6334b96e00caa9b2

SHA1
7d944a0cdeebe24284692395eaec94a91f08efb5

SHA256
ba00174336a8b8091f639f72eb3c720f4ff465104bb4681f19db581cdfc1c5a4

SHA512
59f938708443ec1ca99cb55b854022dec66b69d375473a29e17c39132a3b271de546177d0fc73781ca8e52cd670b942b008ff4a58e42c7a4cc70c0e22640f2b4

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
150KB

MD5
4cfbec9715e13f238531acc80226122b

SHA1
75190645d2e0c936db0480bf68f0fe63c8028b3a

SHA256
129d7c58440e2995ca46efe0c7ddb1df8393c15325c7a00750912874d5eb4df8

SHA512
d4e74299bef2d27c6fa491d17712eb718953a66616de987ebab1ab097c39bbdcb01fdeea3318f70852bd8c00f3b8c205724dc10da4a40e3b90292d73cc1dc68b

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
150KB

MD5
3bb71bf87ece3e28116668c4480b77d5

SHA1
217efb6a49ce73d78f6edef390596115ebcc3190

SHA256
5c227a4bc8d1fca1bfe6f1d53f037cf2b9e3ed2d6fb0269bb0f333b134b3a6f5

SHA512
17b8914f4ebb0ea2897f554b5f0651f974f94ca3da7d1811501b785969c88020264b7ba3f33e97154dae8378ae7129adc474e2cd8f3b7c8f68b3ca83e4981a0d

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
150KB

MD5
0499124797741649efa812ea3082c6c5

SHA1
a883dd7ff75f5391191cd65da31ac723c3435164

SHA256
b90df6e2328f53832081d603c79c0317ceca6fbeb4fa65839eef53fabefaa40d

SHA512
79502e48e00df7205fe61ef43db25ad00f7988de4b522f14743b788b45bacb3e073ec994ef4b61976c27670707ed3f9e3035e1812061ae4f08abe4756bf6b9f2

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
150KB

MD5
447c4a6ac48e3059287c3eb20652a267

SHA1
6f0953e216511ad17865b29c492b14c899a32c1a

SHA256
0a2f720603eafb79637d6ae256e9962a74e6f1096db8fd379bb6d9b2fdbc2736

SHA512
068e5eae4007e8a99cf86c8ef708d722f4161776d49b96f97adcda2419337ee70bafff72ccfd4e01262582f08a816ac97963c2147cc712bfb397decaa36de761

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
150KB

MD5
c943827e218b1f2db27034de19421556

SHA1
ecd41c2985478a7823e75fff221bb9f1188b9276

SHA256
5239ea320158477c2ff5c5d7da81cfaf7fa71486f8f3509d4bbe639e1a5c12ab

SHA512
13de3af99e92e45f0ffaa91b95eb08f8fd631445b37e8f84e5a97939a0d5aff7f32f653a4f2b2e6c75f65d26781abd7ce3ad91b05e3f7a7487c38218fa79350f

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
150KB

MD5
992ab03f8540d3e148abd07b3c061541

SHA1
939b71045fdb06fc257fd1d2bbc188504191a0ec

SHA256
98b09ab2b12ae0ef4fe86dd968b33354c1a2f908aed02c20a214bff1445bf7a8

SHA512
dec39e1edec75596ba31f745b4c96e51f05140c18f77384667f87d52e446ca0d7d63ad53c536da033706a0a9e35054e6d63edeaa9dcb4155d571f93b9cc30553

Download Submit
C:\Windows\4k51k4.exe

Filesize
150KB

MD5
b403de77c4836c8db8820d1b7336f218

SHA1
6c80d64bac8fb625e0c3b85dc28b5d47ff4cce27

SHA256
a6ef19da774cc4e16599e1bc216f43c51ecddf2c1161f904e1fa244927837271

SHA512
1ffc9e84b17c0b566ce275907bac1886b98f71ba5018327e35817a34d8666710623ca7768000df3cffc20284fb1f5bd2d69015d9cc06eaf25969689b42c39caf

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
150KB

MD5
a77dc0abec804001724921c89d51e0a7

SHA1
c8f8a8e151d43f56a74379dfb43769f98dc348cf

SHA256
31a511b391feda090c46d56c334205b3306d61edf2dab2fdd50b3ca1af1da7f4

SHA512
e50e307c4381e723907227157a4e846445c21989a90bb78de974caf44536f9eb6872ca0447fbdb8e4f6ec65829bde6234efa122b25e6e0417690d214872f2038

Download Submit
C:\Windows\SysWOW64\MrHelloween.scr

Filesize
150KB

MD5
0196d35fbe8371bdb83a9391014bdb9d

SHA1
4130f3271069d47ed7c439d2bbbec2a7fc279423

SHA256
c69772413f543cc588721fbef81c6439b77885a04d7feaa7c00eaec92a17b5cb

SHA512
b07b24ed6507e7b3aceaa3e7157220d176b0ccac63541dc7a8e23fddaa4d98eea9f9256b603e646df831b24622dbb5f7b18116d471a8dc5d03e67e07e2498b42

Download Submit
C:\Windows\SysWOW64\MrHelloween.scr

Filesize
150KB

MD5
e85127bf2669754b71f8c64cdec07adf

SHA1
e565d40bafcf214231328adfe437c9abede35242

SHA256
4385a3345cadcb792ef1ffa610dc4180e51f69c6164d6c403a9f61990367d65b

SHA512
8eaedfa09749c6f9241a249394e657bebab5d8ff7ea38785a1d377cfac4a889643def7aefc93e7f0aab0957dc430da05319fe70320e7b621e8e378b2be13b9ef

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
150KB

MD5
b87452482ebc0484029eb9bd375aa0f1

SHA1
e60cc3a2327df1fdad1c3aecac39724e89bf1413

SHA256
3547ca6a15760574bb8b622d400a25148e7e6eb992bcd71ae94067d49fd5bd10

SHA512
c087f5e5178d9504ad438993a72bf436bdb1f39b26dab0c8b9dd1d2124d305cb614d80fa8c59e67a999bf24c7cb12595895fe611a68fa929f85bba7c75a8fea6

Download Submit
C:\Windows\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
memory/432-191-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1508-126-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1532-118-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1700-222-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2192-233-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2468-302-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2872-112-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3488-313-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3688-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4244-131-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4300-402-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4356-312-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4612-276-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4932-273-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4944-267-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download