Analysis
max time kernel: 58s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/06/2024, 08:03
Static task: static1
Behavioral task: behavioral1
  Sample: 04387be6016177db38c7bd299062daf3_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 04387be6016177db38c7bd299062daf3_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 04387be6016177db38c7bd299062daf3_JaffaCakes118.exe
Size: 42KB
MD5: 04387be6016177db38c7bd299062daf3
SHA1: 9e37d33488b9707fe2851d12d948d7078891b1a5
SHA256: 9680821cebe002991818795ae225a748772e9479272e9935ca97da41b30d6d73
SHA512: 7ea4816e4005fdb44e433a486b544692cce1265c50b5f1e33317724af7cddea1264c5d823326376cdd9a2ddaff6387d361772fa67f2fbe98d09ce678a4be5a8c
SSDEEP: 768:miGwwsx1McqaAr240zsMs8jDfU3AzeXCDuERXgcOwKhsAB3M1PmUvOA/eHw:ZYsXpAi4NMtceXtlK2g3oP7mA/eHw
Malware Config
Signatures
Blocklisted process makes network request 6 IoCs
flow  pid   Process
27    4212  Process not Found
38    324   Process not Found
41    324   Process not Found
45    324   Process not Found
48    324   Process not Found
51    324   Process not Found
Disables Task Manager via registry modification
Drops file in Drivers directory 64 IoCs
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
Executes dropped EXE 64 IoCs
Adds Run key to start application 2 TTPs 64 IoCs
Drops file in System32 directory 64 IoCs
Suspicious use of SetThreadContext 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\04387be6016177db38c7bd299062daf3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\04387be6016177db38c7bd299062daf3_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Users\Admin\AppData\Local\Temp\04387be6016177db38c7bd299062daf3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\04387be6016177db38c7bd299062daf3_JaffaCakes118.exe"2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"6⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1296 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"8⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:972 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1124 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"10⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3444 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3760 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"12⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4336 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4688 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4340 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2668 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3400 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4812 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3856 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3280 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"20⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3916 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3108 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2384 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2052 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4116 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1668 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"26⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3044 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2200 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"28⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3644 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3688 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"30⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2468 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4596 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2088 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:632 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"34⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1712 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4528 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"36⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2200 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1908 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4884 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4596 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"40⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4560 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5104 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"42⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1248 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2196 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"44⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4264 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"45⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1376 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"46⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2688 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"47⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4020 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"48⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4288 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"49⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:456 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"50⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4804 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"51⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:968 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"52⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2248 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"53⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1572 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"54⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1760 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"55⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4672 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2668 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"57⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4060 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"58⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3484 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"59⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4628 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"60⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2556 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"61⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1112 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"62⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4712 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"63⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2276 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"64⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2076 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"65⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1484 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"66⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1540 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"67⤵
- Suspicious use of SetThreadContext
PID:1376 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"68⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3524 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"69⤵
- Suspicious use of SetThreadContext
PID:4980 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"70⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4644 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"71⤵
- Suspicious use of SetThreadContext
PID:3028 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"72⤵
- Drops file in Drivers directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3112 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"73⤵
- Suspicious use of SetThreadContext
PID:4044 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"74⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1812 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"75⤵
- Suspicious use of SetThreadContext
PID:4672 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"76⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4752 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"77⤵
- Suspicious use of SetThreadContext
PID:660 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\SysWOW64\clipmg.exe"78⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1908 -
C:\Windows\SysWOW64\clipmg.exe"C:\Windows\system32\clipmg.exe"79⤵
- Suspicious use of SetThreadContext
PID:60 -
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (80)
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:828
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (81)
- Suspicious use of SetThreadContext
PID:2364
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (82)
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3340
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (83)
- Suspicious use of SetThreadContext
PID:1148
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (84)
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4660
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (85)
- Suspicious use of SetThreadContext
PID:1280
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (86)
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4344
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (87)
- Suspicious use of SetThreadContext
PID:4936
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (88)
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:924
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (89)
- Suspicious use of SetThreadContext
PID:2416
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (90)
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4104
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (91)
- Suspicious use of SetThreadContext
PID:3904
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (92)
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3076
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (93)
- Suspicious use of SetThreadContext
PID:3792
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (94)
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1072
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (95)
- Suspicious use of SetThreadContext
PID:4068
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (96)
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4240
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (97)
- Suspicious use of SetThreadContext
PID:3764
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (98)
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5004
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (99)
- Suspicious use of SetThreadContext
PID:4044
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (100)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4092
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (101)
- Suspicious use of SetThreadContext
PID:1444
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (102)
- Drops file in Drivers directory
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2716
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (103)
- Suspicious use of SetThreadContext
PID:3904
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (104)
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2228
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (105)
- Suspicious use of SetThreadContext
PID:4776
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (106)
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4184
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (107)
- Suspicious use of SetThreadContext
PID:1668
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (108)
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4932
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (109)
- Suspicious use of SetThreadContext
PID:3768
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (110)
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4912
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (111)
- Suspicious use of SetThreadContext
PID:4296
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (112)
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3428
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (113)
- Suspicious use of SetThreadContext
PID:5000
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (114)
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5064
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (115)
- Suspicious use of SetThreadContext
PID:1940
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (116)
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4840
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (117)
- Suspicious use of SetThreadContext
PID:5056
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (118)
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4872
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (119)
- Suspicious use of SetThreadContext
PID:3496
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (120)
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1976
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\system32\clipmg.exe" (121)
- Suspicious use of SetThreadContext
PID:3116
C:\Windows\SysWOW64\clipmg.exe "C:\Windows\SysWOW64\clipmg.exe" (122)
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2236