eb2231d811d3f155d8f842b0cfc2d40cac2ec1b8028fd921a33982892035e049

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe
Size

61KB
MD5

33714f9911a0e53e7c88fed03d76bd24
SHA1

5914171a6baf02486159c851019d991e2d0ba279
SHA256

eb2231d811d3f155d8f842b0cfc2d40cac2ec1b8028fd921a33982892035e049
SHA512

53f91bb056a84de007cb3ef161eb95b68ac99b13a59474454c6f7f1b99c1be90e5da4b4594c83da7fc6a0045d0fa7927aff7ab76fe75ae94bd1b0db41665c39d
SSDEEP

1536:vzxqFQa86qEGpeuomUHPKcgdEKmAEco6tQx:rgD7qzUWUHPKrdEKmAEco6tQx

Score

8^/10

evasion persistence spyware stealer

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krepair.COM	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe\Debugger = "C:\\Windows\\system32\\crsss.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	crsss.exe

Executes dropped EXE 1 IoCs

pid	Process
4848	crsss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\crsss = "C:\\Windows\\system32\\crsss.exe"	reg.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\t:	crsss.exe
File opened (read-only)	\??\u:	crsss.exe
File opened (read-only)	\??\l:	crsss.exe
File opened (read-only)	\??\o:	crsss.exe
File opened (read-only)	\??\r:	crsss.exe
File opened (read-only)	\??\h:	crsss.exe
File opened (read-only)	\??\p:	crsss.exe
File opened (read-only)	\??\q:	crsss.exe
File opened (read-only)	\??\v:	crsss.exe
File opened (read-only)	\??\w:	crsss.exe
File opened (read-only)	\??\y:	crsss.exe
File opened (read-only)	\??\i:	crsss.exe
File opened (read-only)	\??\j:	crsss.exe
File opened (read-only)	\??\m:	crsss.exe
File opened (read-only)	\??\n:	crsss.exe
File opened (read-only)	\??\s:	crsss.exe
File opened (read-only)	\??\x:	crsss.exe
File opened (read-only)	\??\z:	crsss.exe
File opened (read-only)	\??\e:	crsss.exe
File opened (read-only)	\??\g:	crsss.exe
File opened (read-only)	\??\k:	crsss.exe

Drops autorun.inf file 1 TTPs 9 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	crsss.exe
File created	\??\f:\autorun.inf	crsss.exe
File opened for modification	\??\f:\autorun.inf	crsss.exe
File opened for modification	C:\Windows\SysWOW64\autorun.inf	crsss.exe
File created	C:\Windows\SysWOW64\Autorun.inf	crsss.exe
File opened for modification	\??\c:\autorun.inf	crsss.exe
File opened for modification	C:\Windows\SysWOW64\Autorun.inf	crsss.exe
File opened for modification	C:\autorun.inf	crsss.exe
File created	\??\c:\autorun.inf	crsss.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\d.txt	crsss.exe
File opened for modification	C:\Windows\SysWOW64\Autorun.inf	crsss.exe
File created	C:\Windows\SysWOW64\c.txt	crsss.exe
File created	C:\Windows\SysWOW64\crsss.exe	33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\crsss.exe	33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\crsss.exe	crsss.exe
File opened for modification	C:\Windows\SysWOW64\autorun.inf	crsss.exe
File opened for modification	C:\Windows\SysWOW64\d.txt	crsss.exe
File created	C:\Windows\SysWOW64\crsss.exe	crsss.exe
File created	C:\Windows\SysWOW64\Autorun.inf	crsss.exe
File created	C:\Windows\SysWOW64\test1.txt	crsss.exe
File opened for modification	C:\Windows\SysWOW64\test1.txt	crsss.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm	crsss.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\Office16\OSPP.HTM	crsss.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM	crsss.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM	crsss.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\pages\wefgalleryonenoteinsertwinrt.htm	crsss.exe
File opened for modification	\??\c:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\pages\winrthost.htm	crsss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\forbidframingedge.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\401-5.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\404-9.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\500-15.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\500.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\http_501.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\defaultbrowser.htm	crsss.exe
File opened for modification	\??\c:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\BlockSite.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\servbusy.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\404-8.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\403-17.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\403-15.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\403-3.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\403-7.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\http_403.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\repost.htm	crsss.exe
File opened for modification	\??\c:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\http_406.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\403-17.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\500-17.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\404-5.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-iis-startclient_31bf3856ad364e35_10.0.19041.906_none_90cded0a0d05b2be\iisstart.htm	crsss.exe
File opened for modification	\??\c:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\tlserror.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\401-3.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\WpcBlockFrame.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\BlockSite.htm	crsss.exe
File opened for modification	\??\c:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\repost.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\405.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\defaultbrowser.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_cd2d1cde69f392b4\http_410.htm	crsss.exe
File opened for modification	\??\c:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\http_403.htm	crsss.exe
File opened for modification	\??\c:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\sslnavcancel.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\404-14.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\http_404.htm	crsss.exe
File opened for modification	\??\c:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\PhishSiteEdge.htm	crsss.exe
File opened for modification	\??\c:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\servbusy.htm	crsss.exe
File opened for modification	\??\c:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\proxyerror.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\403-3.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\500-19.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_45a6c0aa2ed16c7c\acr_error.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\hstscerterror.htm	crsss.exe
File opened for modification	\??\c:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\http_500.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\repost.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_en-us_a323edc73bd86475\hstscerterror.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\http_500.htm	crsss.exe
File opened for modification	\??\c:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\WpcBlockFrame.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\404-4.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\403-8.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_45a6c0aa2ed16c7c\http_400.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_45a6c0aa2ed16c7c\navcancl.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\http_400.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.423_en-us_f07e1f9c89d64ec4\OOBE_HELP_Opt_in_Details.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\403-5.htm	crsss.exe
File opened for modification	\??\c:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\defaultbrowser.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\500-13.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\500-17.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\repost.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\http_400.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-o..documents.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_f26c7822f88d3a15\OOBE_HELP_Opt_in_Details.htm	crsss.exe
File opened for modification	\??\c:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Error.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\500-19.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_414a0942eadc3634\404-9.htm	crsss.exe
File opened for modification	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_es-es_a2ef4aab3bff561a\invalidcert.htm	crsss.exe
File opened for modification	\??\c:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\repost.htm	crsss.exe
File opened for modification	\??\c:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\invalidcert.htm	crsss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 7 IoCs

Modify Registry

T1112

pid	Process
452	reg.exe
4616	reg.exe
4352	reg.exe
2200	reg.exe
3628	reg.exe
3992	reg.exe
3864	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4848	crsss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	4848	crsss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 4848	4540	33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe	82
PID 4540 wrote to memory of 4848	4540	33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe	82
PID 4540 wrote to memory of 4848	4540	33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe	82
PID 4540 wrote to memory of 4664	4540	33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe	83
PID 4540 wrote to memory of 4664	4540	33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe	83
PID 4540 wrote to memory of 4664	4540	33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe	83
PID 4540 wrote to memory of 2040	4540	33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe	84
PID 4540 wrote to memory of 2040	4540	33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe	84
PID 4540 wrote to memory of 2040	4540	33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe	84
PID 4848 wrote to memory of 2200	4848	crsss.exe	87
PID 4848 wrote to memory of 2200	4848	crsss.exe	87
PID 4848 wrote to memory of 2200	4848	crsss.exe	87
PID 4848 wrote to memory of 388	4848	crsss.exe	89
PID 4848 wrote to memory of 388	4848	crsss.exe	89
PID 4848 wrote to memory of 388	4848	crsss.exe	89
PID 4848 wrote to memory of 3628	4848	crsss.exe	91
PID 4848 wrote to memory of 3628	4848	crsss.exe	91
PID 4848 wrote to memory of 3628	4848	crsss.exe	91
PID 4848 wrote to memory of 3992	4848	crsss.exe	92
PID 4848 wrote to memory of 3992	4848	crsss.exe	92
PID 4848 wrote to memory of 3992	4848	crsss.exe	92
PID 4848 wrote to memory of 3864	4848	crsss.exe	94
PID 4848 wrote to memory of 3864	4848	crsss.exe	94
PID 4848 wrote to memory of 3864	4848	crsss.exe	94
PID 4848 wrote to memory of 452	4848	crsss.exe	197
PID 4848 wrote to memory of 452	4848	crsss.exe	197
PID 4848 wrote to memory of 452	4848	crsss.exe	197
PID 4848 wrote to memory of 4616	4848	crsss.exe	97
PID 4848 wrote to memory of 4616	4848	crsss.exe	97
PID 4848 wrote to memory of 4616	4848	crsss.exe	97
PID 4848 wrote to memory of 4452	4848	crsss.exe	99
PID 4848 wrote to memory of 4452	4848	crsss.exe	99
PID 4848 wrote to memory of 4452	4848	crsss.exe	99
PID 4848 wrote to memory of 2948	4848	crsss.exe	103
PID 4848 wrote to memory of 2948	4848	crsss.exe	103
PID 4848 wrote to memory of 2948	4848	crsss.exe	103
PID 4848 wrote to memory of 3076	4848	crsss.exe	104
PID 4848 wrote to memory of 3076	4848	crsss.exe	104
PID 4848 wrote to memory of 3076	4848	crsss.exe	104
PID 4848 wrote to memory of 3600	4848	crsss.exe	206
PID 4848 wrote to memory of 3600	4848	crsss.exe	206
PID 4848 wrote to memory of 3600	4848	crsss.exe	206
PID 4848 wrote to memory of 4556	4848	crsss.exe	108
PID 4848 wrote to memory of 4556	4848	crsss.exe	108
PID 4848 wrote to memory of 4556	4848	crsss.exe	108
PID 4848 wrote to memory of 4744	4848	crsss.exe	110
PID 4848 wrote to memory of 4744	4848	crsss.exe	110
PID 4848 wrote to memory of 4744	4848	crsss.exe	110
PID 4848 wrote to memory of 1160	4848	crsss.exe	111
PID 4848 wrote to memory of 1160	4848	crsss.exe	111
PID 4848 wrote to memory of 1160	4848	crsss.exe	111
PID 4848 wrote to memory of 2672	4848	crsss.exe	218
PID 4848 wrote to memory of 2672	4848	crsss.exe	218
PID 4848 wrote to memory of 2672	4848	crsss.exe	218
PID 4848 wrote to memory of 5060	4848	crsss.exe	117
PID 4848 wrote to memory of 5060	4848	crsss.exe	117
PID 4848 wrote to memory of 5060	4848	crsss.exe	117
PID 4848 wrote to memory of 2444	4848	crsss.exe	118
PID 4848 wrote to memory of 2444	4848	crsss.exe	118
PID 4848 wrote to memory of 2444	4848	crsss.exe	118
PID 4848 wrote to memory of 3792	4848	crsss.exe	119
PID 4848 wrote to memory of 3792	4848	crsss.exe	119
PID 4848 wrote to memory of 3792	4848	crsss.exe	119
PID 4848 wrote to memory of 1404	4848	crsss.exe	123

C:\Users\Admin\AppData\Local\Temp\33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\SysWOW64\crsss.exe
  C:\Windows\system32\crsss.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V crsss /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2200
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate /v DisableWindowsUpdateAccess /t REG_dword /d 00000001 /f
    3⤵
    PID:388
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_SZ /d 3 /f
    3⤵
    - Modifies registry key
    PID:3628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
    3⤵
    - Modifies registry key
    PID:3992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
    3⤵
    - Modifies registry key
    PID:3864
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
    3⤵
    - Modifies registry key
    PID:452
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} /f
    3⤵
    - Modifies registry key
    PID:4616
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2948
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:3076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:3600
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4744
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:5060
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1404
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:5100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1556
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4276
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2300
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:4872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2736
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1396
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3196
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4416
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:8
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:732
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krepair.COM" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3668
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4244
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1452
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3284
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2384
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:988
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:452
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:408
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4152
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:376
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3600
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3632
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3612
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2672
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1428
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2532
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5100
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1420
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4780
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1776
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2212
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3476
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1676
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:4520
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3196
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1792
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4416
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2528
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2104
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:8
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:4148
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    PID:2868
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe" /V Debugger /T REG_SZ /D C:\Windows\system32\crsss.exe /F
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3696
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_dword /d 00000001 /f
    3⤵
    - Disables RegEdit via registry modification
    - Modifies registry key
    PID:4352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:4124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:408
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:908
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:452
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:908
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d <html><html dir="ltr"> /f
    3⤵
    PID:4536
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.bat
  2⤵
  PID:4664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.bat""
  2⤵
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\33714f9911a0e53e7c88fed03d76bd24_JaffaCakes118.bat

Filesize
108B

MD5
ad09abf56ad2dbbf8653396c5a08037b

SHA1
3307a0659288ddab5ad236e80daab47f01f5ef72

SHA256
d01f4715fe587ff5fa4e0ca071f76b25723d3925f0a473a4641ca1c40d2d72e0

SHA512
37e92693eaefae3cd10ca6d4e9f488e24c7ce5e513d0463bc86c389883a701c7a943e673a52900ebf830fa28a11b6a119013a599629d792a8c52db4906befc68

Download Submit
C:\Windows\SysWOW64\crsss.exe

Filesize
61KB

MD5
33714f9911a0e53e7c88fed03d76bd24

SHA1
5914171a6baf02486159c851019d991e2d0ba279

SHA256
eb2231d811d3f155d8f842b0cfc2d40cac2ec1b8028fd921a33982892035e049

SHA512
53f91bb056a84de007cb3ef161eb95b68ac99b13a59474454c6f7f1b99c1be90e5da4b4594c83da7fc6a0045d0fa7927aff7ab76fe75ae94bd1b0db41665c39d

Download Submit
C:\Windows\SysWOW64\test1.txt

Filesize
4KB

MD5
e62d6095b5a305426b044b3355fde8a4

SHA1
5c921870fd109db5fbe37c947f6748be3332c02c

SHA256
c28037aa61ffb4f6cd9991a59b81519407ca489ebbd0959420521f814c92f7f5

SHA512
e5c94fe5d2b062396b6fdf2e6f2269d7616529cd7d9059582bd33ada3c0493d1f915dfb2435371810b12aed9e513bc3775b3ea68c9a3903d76b2fb108eeea8d3

Download Submit
C:\autorun.inf

Filesize
159B

MD5
1936d4487e994cdcdfd75538ad6b26b1

SHA1
7ea7c2cb2fa0efcd476bc67024782e3d6a11f1f1

SHA256
e1306be2c236374e9c5a732ab39b6f3bc633644a6a6645460aa2f3c6f9782c5d

SHA512
4d6eca70e4f00e9a8483373ed946c6d3e4fc1f258699c8b17b0520fc04aa29ba16df7a4f101402a49fdf7a7399ce1066afdd4866a4754db76829c35169ea4508

Download Submit
memory/4540-7-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4848-171-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4848-544-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4848-170-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4848-56-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4848-289-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4848-374-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4848-459-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4848-141-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4848-629-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4848-714-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4848-799-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4848-884-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4848-969-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4848-1054-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads