00bb16549aa91cd7afb78e053f7a55a4e7807297c13ebdb9f02e6abfa809f2cf

Analysis

max time kernel
142s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
Size

68KB
MD5

189feaa3c9590a71cf9eff00274787e4
SHA1

f902318c15115b28a6cb5a241985790829a6c108
SHA256

00bb16549aa91cd7afb78e053f7a55a4e7807297c13ebdb9f02e6abfa809f2cf
SHA512

17a283414a15d9372f7ed420072c795d90bf1bca9cfbbcfd53b6bb3c807fd11301a9d3089a0cba0bfc37960b45fb8a93befb99f54e003b25aaab2abfdfcc9939
SSDEEP

1536:mCEGV2Nza32KGFR7Hldqs71dH8q7cD8YBtp9muKgl5K+3:Kza7sqp9mullh

Score

8^/10

evasion execution persistence trojan

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1068	770P80JPC.exe
4748	770P80JPC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\770P80JPC.exe	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
File created	C:\Program Files\W3L6AUBC6NN.bat	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
File created	C:\Program Files\4AP1WI\UF90IQ9.exe	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\4AP1WI\UF90IQ9.exe	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\DLECOQ.bat	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
File created	C:\Windows\PM43ZV3.exe	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1012	sc.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.3\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID\ = "{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT AUTHOR\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.3\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\ = "JScript Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript Author"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.ENCODE\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT AUTHOR\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\ = "JScript Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LIVESCRIPT AUTHOR\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\ECMASCRIPT\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT AUTHOR\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\ECMASCRIPT AUTHOR\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSFILE\SCRIPTHOSTENCODE	regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4300	reg.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3080	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
3080	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
3080	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
3080	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
1068	770P80JPC.exe
1068	770P80JPC.exe
1068	770P80JPC.exe
4748	770P80JPC.exe
3080	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 1068	3080	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	90
PID 3080 wrote to memory of 1068	3080	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	90
PID 3080 wrote to memory of 1068	3080	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	90
PID 3080 wrote to memory of 4748	3080	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	91
PID 3080 wrote to memory of 4748	3080	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	91
PID 3080 wrote to memory of 4748	3080	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	91
PID 3080 wrote to memory of 4548	3080	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	92
PID 3080 wrote to memory of 4548	3080	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	92
PID 3080 wrote to memory of 4548	3080	189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe	92
PID 4548 wrote to memory of 1012	4548	cmd.exe	94
PID 4548 wrote to memory of 1012	4548	cmd.exe	94
PID 4548 wrote to memory of 1012	4548	cmd.exe	94
PID 4548 wrote to memory of 2432	4548	cmd.exe	95
PID 4548 wrote to memory of 2432	4548	cmd.exe	95
PID 4548 wrote to memory of 2432	4548	cmd.exe	95
PID 4548 wrote to memory of 1728	4548	cmd.exe	96
PID 4548 wrote to memory of 1728	4548	cmd.exe	96
PID 4548 wrote to memory of 1728	4548	cmd.exe	96
PID 4548 wrote to memory of 1948	4548	cmd.exe	97
PID 4548 wrote to memory of 1948	4548	cmd.exe	97
PID 4548 wrote to memory of 1948	4548	cmd.exe	97
PID 4548 wrote to memory of 1748	4548	cmd.exe	98
PID 4548 wrote to memory of 1748	4548	cmd.exe	98
PID 4548 wrote to memory of 1748	4548	cmd.exe	98
PID 4548 wrote to memory of 1604	4548	cmd.exe	99
PID 4548 wrote to memory of 1604	4548	cmd.exe	99
PID 4548 wrote to memory of 1604	4548	cmd.exe	99
PID 4548 wrote to memory of 3028	4548	cmd.exe	100
PID 4548 wrote to memory of 3028	4548	cmd.exe	100
PID 4548 wrote to memory of 3028	4548	cmd.exe	100
PID 4548 wrote to memory of 3284	4548	cmd.exe	101
PID 4548 wrote to memory of 3284	4548	cmd.exe	101
PID 4548 wrote to memory of 3284	4548	cmd.exe	101
PID 4548 wrote to memory of 1796	4548	cmd.exe	102
PID 4548 wrote to memory of 1796	4548	cmd.exe	102
PID 4548 wrote to memory of 1796	4548	cmd.exe	102
PID 4548 wrote to memory of 3868	4548	cmd.exe	103
PID 4548 wrote to memory of 3868	4548	cmd.exe	103
PID 4548 wrote to memory of 3868	4548	cmd.exe	103
PID 4548 wrote to memory of 764	4548	cmd.exe	104
PID 4548 wrote to memory of 764	4548	cmd.exe	104
PID 4548 wrote to memory of 764	4548	cmd.exe	104
PID 4548 wrote to memory of 4268	4548	cmd.exe	105
PID 4548 wrote to memory of 4268	4548	cmd.exe	105
PID 4548 wrote to memory of 4268	4548	cmd.exe	105
PID 4548 wrote to memory of 4300	4548	cmd.exe	106
PID 4548 wrote to memory of 4300	4548	cmd.exe	106
PID 4548 wrote to memory of 4300	4548	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Program Files\770P80JPC.exe
  "C:\Program Files\770P80JPC.exe" C:\Users\Admin\AppData\Local\Temp\189feaa3c9590a71cf9eff00274787e4_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1068
- C:\Program Files\770P80JPC.exe
  "C:\Program Files\770P80JPC.exe" rb
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\W3L6AUBC6NN.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\SysWOW64\sc.exe
    sc.exe create 9YM7H8HJ1Z7BinPath= "C:\Program Files\4AP1WI\UF90IQ9.exe -start" type= own type= interact start= auto DisplayName= 29BOD
    3⤵
    - Launches sc.exe
    PID:1012
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s shimgvw.dll
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:1948
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - Modifies registry class
    PID:1604
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:3028
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:3284
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1796
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:3868
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:764
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:4268
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:4300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3612 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\770P80JPC.exe

Filesize
32KB

MD5
5efcd9bd040df3f1a91ccca5e2996f1a

SHA1
cf3b753ccb21a215a716873f0121235611933ba2

SHA256
969e0c9b3947de3e494da83c2ee120ce9dc3b751a74b8f8629b26dc09a736a1d

SHA512
e707bca1dd4760f422d7b98226e95e7fe4482bb5f4fadd9d770322680816e4105c06f16a8af3a00b375df73b9e97086b14c4e2aa03ad4c0558ad36c1e94f0ee7

Download Submit
C:\Program Files\W3L6AUBC6NN.bat

Filesize
1KB

MD5
2325684177199a2461d2b04ef53c03be

SHA1
28f704f1ab77f5be267041b53fb1624d1a354d66

SHA256
db53925b4be942a14a8c8e331514c534e63f217a3d2005974a311a87ea5336f4

SHA512
2363ccd682fe973ff820b90703e70263b6d6e7df17ebb2571a96dec3af4e51a74634debe4c772c0d63aec3b619a1b8bad343ccba552bc6c4441d3d5de28cba4d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads