eb2231d811d3f155d8f842b0cfc2d40cac2ec1b8028fd921a33982892035e049

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe
Size

61KB
MD5

33714f9911a0e53e7c88fed03d76bd24
SHA1

5914171a6baf02486159c851019d991e2d0ba279
SHA256

eb2231d811d3f155d8f842b0cfc2d40cac2ec1b8028fd921a33982892035e049
SHA512

53f91bb056a84de007cb3ef161eb95b68ac99b13a59474454c6f7f1b99c1be90e5da4b4594c83da7fc6a0045d0fa7927aff7ab76fe75ae94bd1b0db41665c39d
SSDEEP

1536:vzxqFQa86qEGpeuomUHPKcgdEKmAEco6tQx:rgD7qzUWUHPKrdEKmAEco6tQx

Score

8^/10

evasion persistence spyware stealer

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krepair.COM\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe

Deletes itself 1 IoCs

pid	Process
2152	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2696	crsss.exe

Loads dropped DLL 2 IoCs

pid	Process
1960	33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe
1960	33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\crsss = "C:\\Windows\\system32\\crsss.exe"	reg.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\s:	crsss.exe
File opened (read-only)	\??\x:	crsss.exe
File opened (read-only)	\??\e:	crsss.exe
File opened (read-only)	\??\g:	crsss.exe
File opened (read-only)	\??\j:	crsss.exe
File opened (read-only)	\??\p:	crsss.exe
File opened (read-only)	\??\h:	crsss.exe
File opened (read-only)	\??\w:	crsss.exe
File opened (read-only)	\??\z:	crsss.exe
File opened (read-only)	\??\i:	crsss.exe
File opened (read-only)	\??\m:	crsss.exe
File opened (read-only)	\??\q:	crsss.exe
File opened (read-only)	\??\u:	crsss.exe
File opened (read-only)	\??\r:	crsss.exe
File opened (read-only)	\??\t:	crsss.exe
File opened (read-only)	\??\v:	crsss.exe
File opened (read-only)	\??\y:	crsss.exe
File opened (read-only)	\??\k:	crsss.exe
File opened (read-only)	\??\l:	crsss.exe
File opened (read-only)	\??\n:	crsss.exe
File opened (read-only)	\??\o:	crsss.exe

Drops autorun.inf file 1 TTPs 9 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\autorun.inf	crsss.exe
File created	C:\Windows\SysWOW64\Autorun.inf	crsss.exe
File opened for modification	\??\f:\autorun.inf	crsss.exe
File created	C:\autorun.inf	crsss.exe
File opened for modification	C:\autorun.inf	crsss.exe
File created	\??\c:\autorun.inf	crsss.exe
File opened for modification	\??\c:\autorun.inf	crsss.exe
File created	\??\f:\autorun.inf	crsss.exe
File opened for modification	C:\Windows\SysWOW64\Autorun.inf	crsss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\test1.txt	crsss.exe
File opened for modification	C:\Windows\SysWOW64\d.txt	crsss.exe
File created	C:\Windows\SysWOW64\c.txt	crsss.exe
File created	C:\Windows\SysWOW64\d.txt	crsss.exe
File opened for modification	C:\Windows\SysWOW64\Autorun.inf	crsss.exe
File created	C:\Windows\SysWOW64\crsss.exe	crsss.exe
File opened for modification	C:\Windows\SysWOW64\crsss.exe	crsss.exe
File opened for modification	C:\Windows\SysWOW64\autorun.inf	crsss.exe
File created	C:\Windows\SysWOW64\Autorun.inf	crsss.exe
File created	C:\Windows\SysWOW64\test1.txt	crsss.exe
File created	C:\Windows\SysWOW64\crsss.exe	33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\crsss.exe	33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe

Drops file in Program Files directory 43 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.HTM	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM	crsss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Hand Prints.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.HTM	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\SEAMARBL.HTM	crsss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\README.HTM	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Orange Circles.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.HTM	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Green Bubbles.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Shades of Blue.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.HTM	crsss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Soft Blue.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\OSPP.HTM	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\DADSHIRT.HTM	crsss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\MCABOUT.HTM	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.HTM	crsss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.htm	crsss.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\OFFISUPP.HTM	crsss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-15.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-3.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-15.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Green Bubbles.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-4.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\401-1.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404-9.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\401-3.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\502.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-13.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-14.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\412.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\412.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-2.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\501.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Shades of Blue.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\401-3.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-10.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-10.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Peacock.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-5.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-17.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-12.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\401-5.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\401.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-13.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-3.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-5.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-7.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\401.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-1.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-1.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-14.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-2.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\500-17.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-2.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-7.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-11.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-3.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-3.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-14.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\500.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-sonic-clickme_31bf3856ad364e35_6.1.7600.16385_none_560dd693a7476c8c\ClickMe.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-19.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404-6.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\406.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Soft Blue.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Garden.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-13.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\500-13.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\401-5.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-2.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\405.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-14.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-14.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\502.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\401-3.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-17.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\401-5.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404-1.htm	crsss.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-4.htm	crsss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 7 IoCs

Modify Registry

T1112

pid	Process
2764	reg.exe
3008	reg.exe
2888	reg.exe
692	reg.exe
1860	reg.exe
2720	reg.exe
2744	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2696	crsss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2696	crsss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2696	1960	33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2696	1960	33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2696	1960	33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2696	1960	33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe	30
PID 2696 wrote to memory of 1860	2696	crsss.exe	31
PID 2696 wrote to memory of 1860	2696	crsss.exe	31
PID 2696 wrote to memory of 1860	2696	crsss.exe	31
PID 2696 wrote to memory of 1860	2696	crsss.exe	31
PID 2696 wrote to memory of 1108	2696	crsss.exe	148
PID 2696 wrote to memory of 1108	2696	crsss.exe	148
PID 2696 wrote to memory of 1108	2696	crsss.exe	148
PID 2696 wrote to memory of 1108	2696	crsss.exe	148
PID 2696 wrote to memory of 2720	2696	crsss.exe	35
PID 2696 wrote to memory of 2720	2696	crsss.exe	35
PID 2696 wrote to memory of 2720	2696	crsss.exe	35
PID 2696 wrote to memory of 2720	2696	crsss.exe	35
PID 2696 wrote to memory of 2744	2696	crsss.exe	154
PID 2696 wrote to memory of 2744	2696	crsss.exe	154
PID 2696 wrote to memory of 2744	2696	crsss.exe	154
PID 2696 wrote to memory of 2744	2696	crsss.exe	154
PID 2696 wrote to memory of 2888	2696	crsss.exe	39
PID 2696 wrote to memory of 2888	2696	crsss.exe	39
PID 2696 wrote to memory of 2888	2696	crsss.exe	39
PID 2696 wrote to memory of 2888	2696	crsss.exe	39
PID 2696 wrote to memory of 3008	2696	crsss.exe	159
PID 2696 wrote to memory of 3008	2696	crsss.exe	159
PID 2696 wrote to memory of 3008	2696	crsss.exe	159
PID 2696 wrote to memory of 3008	2696	crsss.exe	159
PID 2696 wrote to memory of 2764	2696	crsss.exe	157
PID 2696 wrote to memory of 2764	2696	crsss.exe	157
PID 2696 wrote to memory of 2764	2696	crsss.exe	157
PID 2696 wrote to memory of 2764	2696	crsss.exe	157
PID 2696 wrote to memory of 2624	2696	crsss.exe	43
PID 2696 wrote to memory of 2624	2696	crsss.exe	43
PID 2696 wrote to memory of 2624	2696	crsss.exe	43
PID 2696 wrote to memory of 2624	2696	crsss.exe	43
PID 2696 wrote to memory of 2332	2696	crsss.exe	44
PID 2696 wrote to memory of 2332	2696	crsss.exe	44
PID 2696 wrote to memory of 2332	2696	crsss.exe	44
PID 2696 wrote to memory of 2332	2696	crsss.exe	44
PID 2696 wrote to memory of 2652	2696	crsss.exe	48
PID 2696 wrote to memory of 2652	2696	crsss.exe	48
PID 2696 wrote to memory of 2652	2696	crsss.exe	48
PID 2696 wrote to memory of 2652	2696	crsss.exe	48
PID 2696 wrote to memory of 2792	2696	crsss.exe	171
PID 2696 wrote to memory of 2792	2696	crsss.exe	171
PID 2696 wrote to memory of 2792	2696	crsss.exe	171
PID 2696 wrote to memory of 2792	2696	crsss.exe	171
PID 2696 wrote to memory of 2780	2696	crsss.exe	52
PID 2696 wrote to memory of 2780	2696	crsss.exe	52
PID 2696 wrote to memory of 2780	2696	crsss.exe	52
PID 2696 wrote to memory of 2780	2696	crsss.exe	52
PID 2696 wrote to memory of 2728	2696	crsss.exe	53
PID 2696 wrote to memory of 2728	2696	crsss.exe	53
PID 2696 wrote to memory of 2728	2696	crsss.exe	53
PID 2696 wrote to memory of 2728	2696	crsss.exe	53
PID 2696 wrote to memory of 2868	2696	crsss.exe	54
PID 2696 wrote to memory of 2868	2696	crsss.exe	54
PID 2696 wrote to memory of 2868	2696	crsss.exe	54
PID 2696 wrote to memory of 2868	2696	crsss.exe	54
PID 2696 wrote to memory of 2620	2696	crsss.exe	56
PID 2696 wrote to memory of 2620	2696	crsss.exe	56
PID 2696 wrote to memory of 2620	2696	crsss.exe	56
PID 2696 wrote to memory of 2620	2696	crsss.exe	56

C:\Users\Admin\AppData\Local\Temp\33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\crsss.exe
  C:\Windows\system32\crsss.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V crsss /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1860
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate /v DisableWindowsUpdateAccess /t REG_dword /d 00000001 /f
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_SZ /d 3 /f
    3⤵
    - Modifies registry key
    PID:2720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
    3⤵
    - Modifies registry key
    PID:2744
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
    3⤵
    - Modifies registry key
    PID:2888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
    3⤵
    - Modifies registry key
    PID:3008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
    3⤵
    - Modifies registry key
    PID:2764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2692
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:784
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1120
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2712
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3024
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2476
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:840
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2496
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2576
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krepair.COM" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1788
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1972
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1932
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:828
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1108
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2176
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2844
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2248
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2128
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2836
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1216
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2372
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2692
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2800
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2680
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2596
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2668
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:840
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1640
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:976
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1516
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_dword /d 00000001 /f
    3⤵
    - Disables RegEdit via registry modification
    - Modifies registry key
    PID:692
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.bat
  2⤵
  PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.bat""
  2⤵
  - Deletes itself
  PID:2152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1529316494-1688007516355692987-1907876863416410421-17567482051818733128369713533"
1⤵
PID:2744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1537583894838960204-18493169311718714728-57471040-869387180-779614606-659552097"
1⤵
PID:3008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-978991773-2142122892166986382513354511031215477126-20764875187535002421941929574"
1⤵
PID:2792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12051030381807413673-1661630935882111457-210860260-761798017-461870858-241931489"
1⤵
PID:1392

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "655602729-113992364-745637068-2099786882-97625763918058028962049650210520577409"
1⤵
PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19024739156241808231468760287-4286774791444347229-640967169102532370-151106048"
1⤵
PID:1964

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2040955335-1701640193-310057651-95189409-1550469385-13838529695917205201160679424"
1⤵
PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.bat

Filesize
108B

MD5
ad09abf56ad2dbbf8653396c5a08037b

SHA1
3307a0659288ddab5ad236e80daab47f01f5ef72

SHA256
d01f4715fe587ff5fa4e0ca071f76b25723d3925f0a473a4641ca1c40d2d72e0

SHA512
37e92693eaefae3cd10ca6d4e9f488e24c7ce5e513d0463bc86c389883a701c7a943e673a52900ebf830fa28a11b6a119013a599629d792a8c52db4906befc68

Download Submit
C:\Windows\SysWOW64\Autorun.inf

Filesize
159B

MD5
1936d4487e994cdcdfd75538ad6b26b1

SHA1
7ea7c2cb2fa0efcd476bc67024782e3d6a11f1f1

SHA256
e1306be2c236374e9c5a732ab39b6f3bc633644a6a6645460aa2f3c6f9782c5d

SHA512
4d6eca70e4f00e9a8483373ed946c6d3e4fc1f258699c8b17b0520fc04aa29ba16df7a4f101402a49fdf7a7399ce1066afdd4866a4754db76829c35169ea4508

Download Submit
C:\Windows\SysWOW64\crsss.exe

Filesize
61KB

MD5
33714f9911a0e53e7c88fed03d76bd24

SHA1
5914171a6baf02486159c851019d991e2d0ba279

SHA256
eb2231d811d3f155d8f842b0cfc2d40cac2ec1b8028fd921a33982892035e049

SHA512
53f91bb056a84de007cb3ef161eb95b68ac99b13a59474454c6f7f1b99c1be90e5da4b4594c83da7fc6a0045d0fa7927aff7ab76fe75ae94bd1b0db41665c39d

Download Submit
C:\Windows\SysWOW64\test1.txt

Filesize
4KB

MD5
e62d6095b5a305426b044b3355fde8a4

SHA1
5c921870fd109db5fbe37c947f6748be3332c02c

SHA256
c28037aa61ffb4f6cd9991a59b81519407ca489ebbd0959420521f814c92f7f5

SHA512
e5c94fe5d2b062396b6fdf2e6f2269d7616529cd7d9059582bd33ada3c0493d1f915dfb2435371810b12aed9e513bc3775b3ea68c9a3903d76b2fb108eeea8d3

Download Submit
memory/1960-22-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2696-374-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2696-176-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2696-234-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2696-38-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2696-486-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2696-576-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2696-677-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2696-778-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2696-879-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2696-980-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2696-992-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2696-1026-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2696-1134-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads