c4ddc309d779a97ee858a7a2d51b00d1b4e6520936ba286ce5d9df95568788ea

Analysis

max time kernel
101s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
Size

407KB
MD5

0e678cc7200d5237b10aed249321fde1
SHA1

3652ab54bd034fdc49bcfd5f5ecdc65ec0c4c127
SHA256

c4ddc309d779a97ee858a7a2d51b00d1b4e6520936ba286ce5d9df95568788ea
SHA512

fa448066c5cf2f153c23b2ac955d69d673b64a94c90cbc2f4433b0b47cacbde70d3d8ba9d9214f016cb13e5ebd0b91ef6c7faa49b2ba30b4f5aad7c7c446a78b
SSDEEP

12288:ug0Cq6x4aIhpJIew5rzWZfb6YkOVYGXKmRjVNW:uyfsJezoxkOVim

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \\lC20302GbLnC20302\\lC20302GbLnC20302.exe"	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 26 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
3992	lC20302GbLnC20302.exe

Executes dropped EXE 1 IoCs

pid	Process
3992	lC20302GbLnC20302.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/636-1-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral2/memory/636-80-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral2/memory/636-90-0x0000000000400000-0x00000000004CC000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lC20302GbLnC20302 = "C:\\lC20302GbLnC20302\\lC20302GbLnC20302.exe"	lC20302GbLnC20302.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2256	636	WerFault.exe	80
4620	3992	WerFault.exe	91

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{BCE6D514-DAEC-42B1-A17B-D0A6189A1DCF}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{10E42180-B642-4E78-8104-98D5723354C0}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{53FB398D-1CE6-4F78-8BB3-4ECF1F11EEAE}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{3A117A8F-620D-48D7-91CB-DC7F1314BCD1}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{491A892C-C791-4092-A453-3720EE7D6F03}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{05D891D2-AC5A-433B-B80E-9D12E8F70BA4}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{11E077B7-6EB3-48F0-BB75-95E549A831CA}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{6D45014E-A741-4C9D-BB2E-282DCF9EB57F}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{D28B6919-7F04-4573-8E4D-4ED82E669BC3}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{B47B1A0C-05FA-486B-A110-7039C0207135}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
Token: SeDebugPrivilege	3992	lC20302GbLnC20302.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	4888	explorer.exe
Token: SeCreatePagefilePrivilege	4888	explorer.exe
Token: SeShutdownPrivilege	404	explorer.exe
Token: SeCreatePagefilePrivilege	404	explorer.exe
Token: SeShutdownPrivilege	404	explorer.exe
Token: SeCreatePagefilePrivilege	404	explorer.exe
Token: SeShutdownPrivilege	404	explorer.exe
Token: SeCreatePagefilePrivilege	404	explorer.exe
Token: SeShutdownPrivilege	404	explorer.exe
Token: SeCreatePagefilePrivilege	404	explorer.exe
Token: SeShutdownPrivilege	4268	explorer.exe
Token: SeCreatePagefilePrivilege	4268	explorer.exe
Token: SeShutdownPrivilege	4268	explorer.exe
Token: SeCreatePagefilePrivilege	4268	explorer.exe
Token: SeShutdownPrivilege	4268	explorer.exe
Token: SeCreatePagefilePrivilege	4268	explorer.exe
Token: SeShutdownPrivilege	4268	explorer.exe
Token: SeCreatePagefilePrivilege	4268	explorer.exe
Token: SeShutdownPrivilege	3156	explorer.exe
Token: SeCreatePagefilePrivilege	3156	explorer.exe
Token: SeShutdownPrivilege	3156	explorer.exe
Token: SeCreatePagefilePrivilege	3156	explorer.exe
Token: SeShutdownPrivilege	3156	explorer.exe
Token: SeCreatePagefilePrivilege	3156	explorer.exe
Token: SeShutdownPrivilege	3156	explorer.exe
Token: SeCreatePagefilePrivilege	3156	explorer.exe
Token: SeShutdownPrivilege	4692	explorer.exe
Token: SeCreatePagefilePrivilege	4692	explorer.exe
Token: SeShutdownPrivilege	4692	explorer.exe
Token: SeCreatePagefilePrivilege	4692	explorer.exe
Token: SeShutdownPrivilege	4692	explorer.exe
Token: SeCreatePagefilePrivilege	4692	explorer.exe
Token: SeShutdownPrivilege	4692	explorer.exe
Token: SeCreatePagefilePrivilege	4692	explorer.exe
Token: SeShutdownPrivilege	1548	explorer.exe
Token: SeCreatePagefilePrivilege	1548	explorer.exe
Token: SeShutdownPrivilege	1548	explorer.exe
Token: SeCreatePagefilePrivilege	1548	explorer.exe
Token: SeShutdownPrivilege	1548	explorer.exe
Token: SeCreatePagefilePrivilege	1548	explorer.exe
Token: SeShutdownPrivilege	1548	explorer.exe
Token: SeCreatePagefilePrivilege	1548	explorer.exe
Token: SeShutdownPrivilege	1548	explorer.exe
Token: SeCreatePagefilePrivilege	1548	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeCreatePagefilePrivilege	840	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeCreatePagefilePrivilege	840	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeCreatePagefilePrivilege	840	explorer.exe
Token: SeShutdownPrivilege	840	explorer.exe
Token: SeCreatePagefilePrivilege	840	explorer.exe
Token: SeShutdownPrivilege	2964	explorer.exe
Token: SeCreatePagefilePrivilege	2964	explorer.exe
Token: SeShutdownPrivilege	2964	explorer.exe
Token: SeCreatePagefilePrivilege	2964	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4088	sihost.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4316	sihost.exe
4888	explorer.exe
4452	sihost.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
3992	lC20302GbLnC20302.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
3156	explorer.exe
3156	explorer.exe
3156	explorer.exe
3156	explorer.exe
3156	explorer.exe
3156	explorer.exe
3156	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
2964	explorer.exe
2964	explorer.exe
2964	explorer.exe
2964	explorer.exe
2964	explorer.exe
2964	explorer.exe
2964	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe
1104	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
4888	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
404	explorer.exe
3992	lC20302GbLnC20302.exe
404	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
4268	explorer.exe
3156	explorer.exe
3156	explorer.exe
3156	explorer.exe
3156	explorer.exe
3156	explorer.exe
3156	explorer.exe
3156	explorer.exe
3156	explorer.exe
3156	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
4692	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe
840	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3240	OfficeClickToRun.exe
444	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 3992	636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe	91
PID 636 wrote to memory of 3992	636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe	91
PID 636 wrote to memory of 3992	636	0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe	91
PID 4524 wrote to memory of 4888	4524	sihost.exe	98
PID 4524 wrote to memory of 4888	4524	sihost.exe	98
PID 1536 wrote to memory of 5084	1536	sihost.exe	106
PID 1536 wrote to memory of 5084	1536	sihost.exe	106

C:\Users\Admin\AppData\Local\Temp\0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 840
  2⤵
  - Program crash
  PID:2256
- C:\lC20302GbLnC20302\lC20302GbLnC20302.exe
  "\lC20302GbLnC20302\lC20302GbLnC20302.exe" "C:\Users\Admin\AppData\Local\Temp\0e678cc7200d5237b10aed249321fde1_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 840
    3⤵
    - Program crash
    PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 636 -ip 636
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3992 -ip 3992
1⤵
PID:4340

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:4088

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3240

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4888

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:444

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1028

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:4316

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:4452

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:5084

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:404

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:1308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:2188

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3156

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4692

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1548

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:840

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2964

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1104

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3900

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:3292

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:5108

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:2604

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:3456

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:836

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3176

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:516

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:4260

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:3948

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:4428

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:4080

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:2404

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:2620

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:4296

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:4724

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:3876

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2356

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3520

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1416

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3112

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2320

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:392

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3880

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4996

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3400

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4704

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:772

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4080

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3180

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2904

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4940

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4412

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3900

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3660

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3624

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2584

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2948

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:836

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2096

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1752

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2088

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1976

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5056

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:812

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3312

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4132

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4600

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4700

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4488

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2672

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1108

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1032

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:460

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4968

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4316

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4408

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:708

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4680

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3164

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1632

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3480

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:64

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2848

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4124

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3872

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3616

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4892

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4448

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1108

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2928

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4396

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:820

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3452

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\lC20302GbLnC20302\lC20302GbLnC20302.exe

Filesize
407KB

MD5
405f8613ba7488d715a99bd39fcdea53

SHA1
5a6856ae8d5738c3ee365e7e5dfdbc3ad6dd34ae

SHA256
322d2bbeabaad02d03f65177449436b62e17f57610d880aa34f9a62b197791cf

SHA512
b4ed8edc440b8ba21d133a71139e78dc131d3b1e81ef1a5c3d480a27a1bce83513069e3c68e2a4f89ad4b16e9dcd0026bb6bc88c807e43d5b74608263d20affd

Download Submit
memory/636-0-0x00000000020F0000-0x00000000020F3000-memory.dmp

Filesize
12KB

Download
memory/636-1-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/636-7-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/636-80-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/636-90-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download