b4eea543d3c7a0d19f62b2f0dec0cb544f8d65cd3c8447298632110abbbcdabb

Analysis

max time kernel
135s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 11:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
Size

414KB
MD5

05c792f7ca289a5e53d390b9f32ffcfd
SHA1

6b97cc98029771ff5a7765360bf12561201b432e
SHA256

b4eea543d3c7a0d19f62b2f0dec0cb544f8d65cd3c8447298632110abbbcdabb
SHA512

6955f493830ba2591d3a961830e4ebb32d0e269cbe624f0e6e8a6288db049f072729e62f82c48d680eae83d33f1b888f6c5cb44ed39a15e25602343dc7b35dad
SSDEEP

12288:cEU3npqLuOCtLpq7vnGjp2Vofyr3t/Fwh0uZatfGRxSI:cEU3pqLXEUQ2VofyxFwh0N

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\ProgramData\\bB13201LcKlP13201\\bB13201LcKlP13201.exe"	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	bB13201LcKlP13201.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 19 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
4596	bB13201LcKlP13201.exe

Executes dropped EXE 1 IoCs

pid	Process
4596	bB13201LcKlP13201.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4756-1-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4756-10-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4756-18-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4596-22-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4596-28-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4596-35-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4596-36-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4596-37-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4596-38-0x0000000000400000-0x00000000004D2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bB13201LcKlP13201 = "C:\\ProgramData\\bB13201LcKlP13201\\bB13201LcKlP13201.exe"	bB13201LcKlP13201.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
744	4756	WerFault.exe	82
672	4596	WerFault.exe	102

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{B528F55E-7080-438A-A282-FBDA2C4083D0}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{AB4E194C-0AD4-4C3F-B116-15863D6EAD51}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{3766C201-DDD9-4563-AF45-C1DA9FC2B227}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{3A691E3F-14D2-4CB8-8784-530838071758}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{6078CA53-4FD7-4C2F-A632-787C442AD464}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{A4F338BB-67AA-4B9E-8C1A-6712D361ACF8}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{D381F2D9-F949-4DBD-88AB-78B1D47B0B39}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3169499791-3545231813-3156325206-1000\{909C7BB8-BFAC-472F-B1BB-A6C6D8E43607}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
Token: SeDebugPrivilege	4596	bB13201LcKlP13201.exe
Token: SeShutdownPrivilege	3000	explorer.exe
Token: SeCreatePagefilePrivilege	3000	explorer.exe
Token: SeShutdownPrivilege	3000	explorer.exe
Token: SeCreatePagefilePrivilege	3000	explorer.exe
Token: SeShutdownPrivilege	3000	explorer.exe
Token: SeCreatePagefilePrivilege	3000	explorer.exe
Token: SeShutdownPrivilege	3000	explorer.exe
Token: SeCreatePagefilePrivilege	3000	explorer.exe
Token: SeShutdownPrivilege	1248	explorer.exe
Token: SeCreatePagefilePrivilege	1248	explorer.exe
Token: SeShutdownPrivilege	1248	explorer.exe
Token: SeCreatePagefilePrivilege	1248	explorer.exe
Token: SeShutdownPrivilege	1248	explorer.exe
Token: SeCreatePagefilePrivilege	1248	explorer.exe
Token: SeShutdownPrivilege	1248	explorer.exe
Token: SeCreatePagefilePrivilege	1248	explorer.exe
Token: SeShutdownPrivilege	4268	explorer.exe
Token: SeCreatePagefilePrivilege	4268	explorer.exe
Token: SeShutdownPrivilege	4268	explorer.exe
Token: SeCreatePagefilePrivilege	4268	explorer.exe
Token: SeShutdownPrivilege	4268	explorer.exe
Token: SeCreatePagefilePrivilege	4268	explorer.exe
Token: SeShutdownPrivilege	4268	explorer.exe
Token: SeCreatePagefilePrivilege	4268	explorer.exe
Token: SeShutdownPrivilege	4176	explorer.exe
Token: SeCreatePagefilePrivilege	4176	explorer.exe
Token: SeShutdownPrivilege	4176	explorer.exe
Token: SeCreatePagefilePrivilege	4176	explorer.exe
Token: SeShutdownPrivilege	4176	explorer.exe
Token: SeCreatePagefilePrivilege	4176	explorer.exe
Token: SeShutdownPrivilege	4176	explorer.exe
Token: SeCreatePagefilePrivilege	4176	explorer.exe
Token: SeShutdownPrivilege	4176	explorer.exe
Token: SeCreatePagefilePrivilege	4176	explorer.exe
Token: SeShutdownPrivilege	3432	explorer.exe
Token: SeCreatePagefilePrivilege	3432	explorer.exe
Token: SeShutdownPrivilege	3432	explorer.exe
Token: SeCreatePagefilePrivilege	3432	explorer.exe
Token: SeShutdownPrivilege	3432	explorer.exe
Token: SeCreatePagefilePrivilege	3432	explorer.exe
Token: SeShutdownPrivilege	3432	explorer.exe
Token: SeCreatePagefilePrivilege	3432	explorer.exe
Token: SeShutdownPrivilege	3432	explorer.exe
Token: SeCreatePagefilePrivilege	3432	explorer.exe
Token: SeShutdownPrivilege	748	explorer.exe
Token: SeCreatePagefilePrivilege	748	explorer.exe
Token: SeShutdownPrivilege	748	explorer.exe
Token: SeCreatePagefilePrivilege	748	explorer.exe
Token: SeShutdownPrivilege	748	explorer.exe
Token: SeCreatePagefilePrivilege	748	explorer.exe
Token: SeShutdownPrivilege	748	explorer.exe
Token: SeCreatePagefilePrivilege	748	explorer.exe
Token: SeShutdownPrivilege	748	explorer.exe
Token: SeCreatePagefilePrivilege	748	explorer.exe
Token: SeShutdownPrivilege	2888	explorer.exe
Token: SeCreatePagefilePrivilege	2888	explorer.exe
Token: SeShutdownPrivilege	2888	explorer.exe
Token: SeCreatePagefilePrivilege	2888	explorer.exe
Token: SeShutdownPrivilege	2888	explorer.exe
Token: SeCreatePagefilePrivilege	2888	explorer.exe
Token: SeShutdownPrivilege	2888	explorer.exe
Token: SeCreatePagefilePrivilege	2888	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4108	sihost.exe
3908	sihost.exe
3668	sihost.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
4596	bB13201LcKlP13201.exe
1248	explorer.exe
1248	explorer.exe
1248	explorer.exe
1248	explorer.exe
1248	explorer.exe
1248	explorer.exe
1248	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4176	explorer.exe
4176	explorer.exe
4176	explorer.exe
4176	explorer.exe
4176	explorer.exe
4176	explorer.exe
4176	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe
4596	bB13201LcKlP13201.exe
2272	explorer.exe
2272	explorer.exe
2272	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
3000	explorer.exe
4596	bB13201LcKlP13201.exe
1248	explorer.exe
1248	explorer.exe
1248	explorer.exe
1248	explorer.exe
1248	explorer.exe
1248	explorer.exe
1248	explorer.exe
1248	explorer.exe
1248	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4176	explorer.exe
4176	explorer.exe
4176	explorer.exe
4176	explorer.exe
4176	explorer.exe
4176	explorer.exe
4176	explorer.exe
4176	explorer.exe
4176	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
3432	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
748	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe
2888	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4380	OfficeClickToRun.exe
2204	OfficeClickToRun.exe
4596	bB13201LcKlP13201.exe
4596	bB13201LcKlP13201.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 4596	4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe	102
PID 4756 wrote to memory of 4596	4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe	102
PID 4756 wrote to memory of 4596	4756	05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe	102
PID 1496 wrote to memory of 3000	1496	sihost.exe	118
PID 1496 wrote to memory of 3000	1496	sihost.exe	118

C:\Users\Admin\AppData\Local\Temp\05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 888
  2⤵
  - Program crash
  PID:744
- C:\ProgramData\bB13201LcKlP13201\bB13201LcKlP13201.exe
  "C:\ProgramData\bB13201LcKlP13201\bB13201LcKlP13201.exe" "C:\Users\Admin\AppData\Local\Temp\05c792f7ca289a5e53d390b9f32ffcfd_JaffaCakes118.exe"
  2⤵
  - Modifies security service
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 896
    3⤵
    - Program crash
    PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4756 -ip 4756
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4596 -ip 4596
1⤵
PID:3396

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:4108

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4380

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:3908

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2204

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:3668

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:724

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3000

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1840

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1248

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4268

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4176

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3432

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:748

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2888

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2212

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2272

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:3004

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:3652

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:3300

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:1260

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:3448

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:4852

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:3484

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:744

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:2900

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:2148

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2156

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3704

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4816

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1768

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:340

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2528

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2272

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2128

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bB13201LcKlP13201\bB13201LcKlP13201.exe

Filesize
414KB

MD5
5d10211207fbc7eead6128096d57bc87

SHA1
75096af8305aafcf1c10a1a0446c330bc77cebd0

SHA256
73f12b25f2b27c07b9722f897c3a7ed4b4bc4a7b6c8fe320c89a736000f349aa

SHA512
c102d129ef683d683c67be0f6c79796a5784d073d64b1ca122568c6a66a1cf97251f74747c216e2ac163effe432805e5ae705b940b15fc29f4c8bada41891290

Download Submit
memory/4596-21-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4596-22-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4596-28-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4596-35-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4596-36-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4596-37-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4596-38-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4756-0-0x0000000000660000-0x0000000000663000-memory.dmp

Filesize
12KB

Download
memory/4756-1-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4756-10-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4756-18-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download