f241fd1ee6bd07095071753c2dc677b4fa8a54726a7561b8c16dc3ac6f514f67

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Size

26KB
MD5

3499e0675859f7fe86dcb380666819a9
SHA1

6ff726cbe56d985de3cbdc3e5b30b8f0e5dce995
SHA256

f241fd1ee6bd07095071753c2dc677b4fa8a54726a7561b8c16dc3ac6f514f67
SHA512

e3cdbc487b6f8d969e565b3f3435ec4fb34be95af2feb70efe910fcb71bd9ae70701b5ce29c137c607ef53cbc19b20f129214c756f281f7930afd802312362b9
SSDEEP

768:b6s7/2e4Lxcmw0cViKdk7FWoMlHE0Xd/BKOmNXw:b602e4LxcN0R4k7FdMxp5mC

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	0.pif

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 60 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wuauclt.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wuauclt.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.kxp\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAS.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAS.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.kxp	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE\Debugger = "C:\\Windows\\system32\\wauc11.exe"	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2424	0.pif

Loads dropped DLL 2 IoCs

pid	Process
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\T:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\V:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\E:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\H:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\K:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\P:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\U:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\G:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\L:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\M:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\S:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\W:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\Y:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\Z:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\I:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\J:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\Q:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\N:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\O:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened (read-only)	\??\X:	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File created	C:\AUTORUN.INF	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File created	F:\AUTORUN.INF	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\iexplorer.exe	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\0.pif	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MSVCIR.DLL	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSVCIR.DLL	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wauc11.exe	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iexplorer.exe	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wauc11.exe	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D3AD9091-93FB-11D6-8D35-5A77BF4D32F0} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A5404F91-93FB-11D6-8D35-5A77BF4D32F0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "1865902120"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Token: SeBackupPrivilege	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Token: SeRestorePrivilege	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Token: SeRestorePrivilege	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Token: SeRestorePrivilege	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Token: SeRestorePrivilege	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Token: SeRestorePrivilege	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Token: SeBackupPrivilege	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Token: SeRestorePrivilege	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Token: SeRestorePrivilege	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Token: SeRestorePrivilege	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Token: SeRestorePrivilege	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
Token: SeRestorePrivilege	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2392	iexplore.exe
1008	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2392	iexplore.exe
2392	iexplore.exe
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
1008	IEXPLORE.EXE
1008	IEXPLORE.EXE
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2864	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2864	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2864	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2864	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	30
PID 2864 wrote to memory of 2688	2864	cmd.exe	32
PID 2864 wrote to memory of 2688	2864	cmd.exe	32
PID 2864 wrote to memory of 2688	2864	cmd.exe	32
PID 2864 wrote to memory of 2688	2864	cmd.exe	32
PID 2688 wrote to memory of 2708	2688	net.exe	33
PID 2688 wrote to memory of 2708	2688	net.exe	33
PID 2688 wrote to memory of 2708	2688	net.exe	33
PID 2688 wrote to memory of 2708	2688	net.exe	33
PID 2732 wrote to memory of 2800	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	34
PID 2732 wrote to memory of 2800	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	34
PID 2732 wrote to memory of 2800	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	34
PID 2732 wrote to memory of 2800	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	34
PID 2800 wrote to memory of 2428	2800	cmd.exe	36
PID 2800 wrote to memory of 2428	2800	cmd.exe	36
PID 2800 wrote to memory of 2428	2800	cmd.exe	36
PID 2800 wrote to memory of 2428	2800	cmd.exe	36
PID 2428 wrote to memory of 2760	2428	net.exe	37
PID 2428 wrote to memory of 2760	2428	net.exe	37
PID 2428 wrote to memory of 2760	2428	net.exe	37
PID 2428 wrote to memory of 2760	2428	net.exe	37
PID 2732 wrote to memory of 2700	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	38
PID 2732 wrote to memory of 2700	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	38
PID 2732 wrote to memory of 2700	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	38
PID 2732 wrote to memory of 2700	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	38
PID 2700 wrote to memory of 2904	2700	cmd.exe	40
PID 2700 wrote to memory of 2904	2700	cmd.exe	40
PID 2700 wrote to memory of 2904	2700	cmd.exe	40
PID 2700 wrote to memory of 2904	2700	cmd.exe	40
PID 2904 wrote to memory of 2848	2904	net.exe	41
PID 2904 wrote to memory of 2848	2904	net.exe	41
PID 2904 wrote to memory of 2848	2904	net.exe	41
PID 2904 wrote to memory of 2848	2904	net.exe	41
PID 2732 wrote to memory of 2608	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	42
PID 2732 wrote to memory of 2608	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	42
PID 2732 wrote to memory of 2608	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	42
PID 2732 wrote to memory of 2608	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	42
PID 2608 wrote to memory of 1908	2608	cmd.exe	44
PID 2608 wrote to memory of 1908	2608	cmd.exe	44
PID 2608 wrote to memory of 1908	2608	cmd.exe	44
PID 2608 wrote to memory of 1908	2608	cmd.exe	44
PID 1908 wrote to memory of 2756	1908	net.exe	45
PID 1908 wrote to memory of 2756	1908	net.exe	45
PID 1908 wrote to memory of 2756	1908	net.exe	45
PID 1908 wrote to memory of 2756	1908	net.exe	45
PID 2732 wrote to memory of 2628	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	46
PID 2732 wrote to memory of 2628	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	46
PID 2732 wrote to memory of 2628	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	46
PID 2732 wrote to memory of 2628	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	46
PID 2628 wrote to memory of 2588	2628	cmd.exe	48
PID 2628 wrote to memory of 2588	2628	cmd.exe	48
PID 2628 wrote to memory of 2588	2628	cmd.exe	48
PID 2628 wrote to memory of 2588	2628	cmd.exe	48
PID 2588 wrote to memory of 2596	2588	net.exe	49
PID 2588 wrote to memory of 2596	2588	net.exe	49
PID 2588 wrote to memory of 2596	2588	net.exe	49
PID 2588 wrote to memory of 2596	2588	net.exe	49
PID 2732 wrote to memory of 1060	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	50
PID 2732 wrote to memory of 1060	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	50
PID 2732 wrote to memory of 1060	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	50
PID 2732 wrote to memory of 1060	2732	3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe	50

C:\Users\Admin\AppData\Local\Temp\3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3499e0675859f7fe86dcb380666819a9_JaffaCakes118.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop McShield
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\net.exe
    net stop McShield
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McShield
      4⤵
      PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop KWhatchsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\net.exe
    net stop KWhatchsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop KWhatchsvc
      4⤵
      PID:2760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop KPfwSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\net.exe
    net stop KPfwSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop KPfwSvc
      4⤵
      PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Symantec AntiVirus"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\net.exe
    net stop "Symantec AntiVirus"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Symantec AntiVirus"
      4⤵
      PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Symantec AntiVirus Drivers Services"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\net.exe
    net stop "Symantec AntiVirus Drivers Services"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Symantec AntiVirus Drivers Services"
      4⤵
      PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Symantec AntiVirus Definition Watcher"
  2⤵
  PID:1060
- - C:\Windows\SysWOW64\net.exe
    net stop "Symantec AntiVirus Definition Watcher"
    3⤵
    PID:2892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Symantec AntiVirus Definition Watcher"
      4⤵
      PID:572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "McAfee Framework ·þÎñ"
  2⤵
  PID:2124
- - C:\Windows\SysWOW64\net.exe
    net stop "McAfee Framework ·þÎñ"
    3⤵
    PID:1964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "McAfee Framework ·þÎñ"
      4⤵
      PID:1440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Norton AntiVirus Server"
  2⤵
  PID:1372
- - C:\Windows\SysWOW64\net.exe
    net stop "Norton AntiVirus Server"
    3⤵
    PID:1660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Norton AntiVirus Server"
      4⤵
      PID:2976
- C:\Windows\SysWOW64\0.pif
  C:\Windows\system32\0.pif
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:2424
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2392
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2392 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2836
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\packet.dll /e /p everyone:f
  2⤵
  PID:520
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\pthreadVC.dll /e /p everyone:f
  2⤵
  PID:2184
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\wpcap.dll /e /p everyone:f
  2⤵
  PID:2236
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\npf.sys /e /p everyone:f
  2⤵
  PID:2260
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\npptools.dll /e /p everyone:f
  2⤵
  PID:2036
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\acpidisk.sys /e /p everyone:f
  2⤵
  PID:2228
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\wanpacket.dll /e /p everyone:f
  2⤵
  PID:1164
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Documents and Settings\All Users\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯ /e /p everyone:f
  2⤵
  PID:1044
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1008
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1008 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AUTORUN.INF

Filesize
143B

MD5
33b7da2b6a260b7ddbfa9307930d6cd8

SHA1
91859a5fac5043489c0bda9d6537393679e78789

SHA256
6e7372539697726220bdfa0c2cd02c490ea07f1076abd8e06282db7be95229df

SHA512
3a2eb8462dc03f192e9022245dc642856f5456b958af526201b77eedee427c4eadfb05966919fb1020b1143d5e9a7a35445e1fc352f97950084f4bb5d518c60f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fa47d350022596a482b51e66c08fc28

SHA1
8993b4107d9c2f3add0cb198f63606834ad221ff

SHA256
351633bfc0206a4cf8b7eee8dee7fe737879d2ac6899299ab8f7b4304b611eec

SHA512
7bcb15081b81dc3d0bacb2a55f2cd27beb55915f7de8703907c6f10b7f81a9d5776e24cab63cb5da99f62811af9711a2ec8f7ead472bf7e10140c8bb0e1a740f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c32ec0f6adaf6401f945af7aaa34074

SHA1
0c9ae48af6d435fd8c71ab83a6e8063b3859f1e4

SHA256
bef860de579ac409aad40815c9b78b2fc54f5dab8433528f96b1ed741dc40fb0

SHA512
3142bce738ddd5b0e8b676a14a607e52d0632b8db407ea7decdf8a045a2c1fb14f9ef9d10174ac991cafc2edf53b07c4a169ac3dceedc7b14c97f28d844e48db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0379b5e76e291a66c604b8996672178

SHA1
47573b035ddd94e8cffa9c9026b243cf3ed9b5b1

SHA256
6e15edfb2180342fc412bc87e10b755531ce00d86af163968e90ae8c0522f1e4

SHA512
ef212c8f47a4e54dc4576390ab8204a7292faeb1cde92b2412de169a4dcd02d749f9dbc9059031182169e19665279b0282c2aef8c02ce9ca52d8d22f1ad38b7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90a7d25d3d906b6e493e0d694987ff54

SHA1
408510e43dc864547ce16877ec342255c8fcab36

SHA256
ce1dab3aede294e1889cf4ec31c8c17c713739e9db9553467fca2b976c99f7f5

SHA512
2282dd4950fd5decdc28cb0f32a1853630894fce92788f6bea8489e7c76524fc2966446e91b143137e3ca65046c260ff347067d29d75a487aea5399e0863b8f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37bfec8e34c97e10c3b9e1911a14dfa5

SHA1
373b1a34509b7830dac28538f21ce064a1ea834d

SHA256
a30fecacd47f546720577eace138cd547c88b5c3c22906017061a48f0c9458ae

SHA512
d6929510ccb32310cccf5eef4f7d55796ed9f5103b3a0e863a6d1164e0a7ba1eab024fc2dd6eda6833850980f7711c8a40f8af6b2eec695adaf5de64cb6d6394

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
260bcf599ec7fe2f7752fdd6815bb0d2

SHA1
585b44f6896db0e797d85c9c0f0dd693ed9965e0

SHA256
cc5ba8bc9b0da22550e58aab78e599cd55c758059884b0f6a869f6336dfe8ad6

SHA512
edd6d1763fc5083907482207340628e6f02f731b7ce87d60af079b08e60f209e37c3d0285e67135d9395a0f25dce6ed4b74882bd5243e55f4afcbd5764200326

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
228659e4407050ba79c568e34fd60d97

SHA1
17fc8d660ffacac4eebf367860d6455266b6647d

SHA256
50bfffcf6d6edb0ceab750b08084a0aa8c515450f7dcd9a1c17cc226ae58c162

SHA512
d347f5585b590f83d12909c72f55a91720046055e78bdf879dfe703f8d007cb60ce66fed95887d54de6ea31d5b586679e8f79b29006a912fb68b38f96a839862

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad92de7ebe9aefdc98400ac614d605b7

SHA1
4b83aa624604131324196d153584549b73f8c1d8

SHA256
d64df9ec6c19750dbaf9459e727f471f2e56fc8c5a95559c16faf631511e32d4

SHA512
07cffc8dadfc9bbe0b7f4b15a007fcf1274b4213d3e9209b8ffc4dd1abf4472ab53310c6a45616181b9d0967a356c097e165f949416d3414332db291af9eea75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78d6769c7762f4ed5f472595c62f5858

SHA1
214a3ed7f74d3064bce15634ec4c309503d6096b

SHA256
b880cdc51df116c6224d826a8afd96cd9a1697ae4269c2a87e83b4b891a65874

SHA512
02059691b2ef0287caceed8ff396a01a5885220e9cfa3a40f2f8e51937fad9e3dfe113a7372e080f2102496455afabdbf2a374717a981f620d46832bed49e773

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ac6c029d549d62358382dd8f942ae5e

SHA1
798ac8208a5f6dfd1674dc2ef7e6eb2d145c30bf

SHA256
d71909c697381fd3d4cc2daae395adb8ea0bd15dcd320f76791aa2a5dda8e72f

SHA512
4b1ee260952198b0737ea80f075be8cf311a5058804c0ed9ef0c4e6f4cfd7148cfd17ac5563ee1d9526ad1d86d69b10c169f678755d5a794453fb3fd7636bc8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c8e03f6a10b6862845bcaad81e15e69

SHA1
bb3f9b7a538c30db0b21786d6542f872d88aed83

SHA256
33032c923a94a25843d8377a855cb6666f107d0f68be6e2c28900dd68d0ae87f

SHA512
c871424a4fdfb967e5237b5716ef05a4806e746442ae2876818db1aea3ba2fee8aa51a6c6deedd787d788e461fa18ef6b620be90aa7e5ec15e7e98b6c6abdbdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4a187b08bf8ddb7ddd6d736f8a50818

SHA1
11e03dcc5a38abd3073662700c23656e12a01ff6

SHA256
dc15704017d4987f0988a526d1eb996fde3b073ef97437f99cf775a64efdcc7e

SHA512
81405ef52c5822db728a4c6d0516ec328bf6683c9ae3b5667bc7acc9917ce451863ec0e5643c3558c4526f64904f19af241af94be775f347329031979b2b4de5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d8359c2b89b8a0a9dbb10a458ad441a

SHA1
223dde880bf1d3f06a930c377b115abf83706a78

SHA256
6e6fc00a2d2613b998006ec7af937a2c2412e37a6a3c090ee25dce49b29b37ec

SHA512
386fa70d58dbc6fcdb247dd99f740e25d79c25dd029e8403c2ff2db8c08ba2e58fe6bdecae61b708cb61986bd0e603682c4970837f16837b088a530ad2aeac01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf0fd8a01184f834a613034c76281e00

SHA1
8ac7c77b8d69092032bdf8b606f77ee957b42eaa

SHA256
12b8e96bbe7f699e1c2e770c46eed4c1b58f1635e57886f6a34f3ce44422ad23

SHA512
d1d0af3c5bb7eed95cf1355fd2a9d6121ed17ea26d023715170efa9cadf732a16d9eb2a0f38b268bc9a9a9be5d71dcd412a6b520e6f82cf9d6d829adafb1cbeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ab2c1b1970dfc20ab68c4702ffbb42b

SHA1
6584792fa965c2ce71fddf68c8c34134c8eec256

SHA256
2eeb0a4918a0ef55c3ccc18758cd2c834a56d6b9870a22b434a93e3a98bdfe7f

SHA512
2e2a86a75bf600d5282200833e78c41dcbcf3f8e6800c6df8e0155dfdf4fb2ca715b612efa536cd34c76942ffecad6cfebb7c2e32c66e140bb2aa90ffdb9ce98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75680435c6fd11cde80a504eaf4d302f

SHA1
cfaa4a26b170cf6afee4bfdc481fff5f5944f930

SHA256
8d7f459e9171a8dfdee5f95f09d2b68cc8f53f3e3102bc26a3a8adeaebbf88ce

SHA512
94f69fcce70a257da16be11f7510cb7300a6c1638a5ffe47cb03509ca6dd59664c565287fcf519b744fc812486f08d9776da00657327da9f5c2353bcda232e8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c176cb631b14cf253993658d9d428f37

SHA1
8027722efb251b204fc72ac94674826844eadf73

SHA256
5dae29b6d7173f227911a24147c0541890279bd6b37a92a431273c33f0510f97

SHA512
31e76f8222906e0652bd48a873a770554f706cf2529066ca380b23637875f51cd2519f7a90360c34f4bb44859087831cf6ea8581f95913fd342927b6090a6fa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ab26c33ee56429e8eac1dd083dab1ec

SHA1
30dc607f513948b2e1baed6a2ebfafc4f141514b

SHA256
9ad3f7d285cc18ed35f586013f9bdb5b499daef75a3071560471e93538b78bc7

SHA512
46aee102b7afa512e2545606074701ea9e3e929e6f558a3a97600a4941fa52557e6d0b18256a4787f7ffc47ff775b6a1d175abe1e910df3650a57b01d9d91646

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7f95ff1c0d815d1505ed3c8a47af8e4

SHA1
e875f1f8d1b6ac644c6ce93bf19a5771c9a9fc37

SHA256
c771730c9e3f8ceba151faffe9be624db87624e8e913eb80b1cc0063484b9de2

SHA512
5ad954a864cfceebb56bce776c22ef4d3edf3937d21df94c46b5a99a90526744ff70aa39fd707f80d71bd5001d5dd65be4bc0e9d895ccd7469bed0103e8e64ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebde32d64e47e70c372891080753b45d

SHA1
0f72c943f3ff86013b636c442bb2068bfff70011

SHA256
20e42abd1965c040d8e8f1a11f0b0703b24c22595ff9cafcbd207a8f79aa9a58

SHA512
560b076772613bab496148b4be2911fe7b2bd56bebd6af81c16c48904af1f3b2cf543ec15b580f844fa1830fdac9804c3f5bf7c49c35e4c680449dcdc8aa4936

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d577515387741882fd2370ce1823b61c

SHA1
d021c4e04e8ba5dc20a367f92ccba3000e174dcb

SHA256
86322ace34657769595a859fe1fda12cebfa0891cd2fbd24dfeb9c3e6f2cdad3

SHA512
870e220b1b84e962a6035dc9221a205015aff85bb98c8160d7c8acb1e0734fa5f826dd1aeee72dfcf9dbc9d09b8215676faead922a51f246669bd82ba91c8a29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcae87bcc50e2f3fa872b3fdb2b291ce

SHA1
6f77402402e1619f0d41ca9b1bce2e0162451f76

SHA256
b4151c2158c38a71a391351d5caaa209faf061ccacc8e683091de309cdebce1b

SHA512
057b34ee47dac4a9ba46f50aebb9dd392b62966fbd03384b7b085efea570de3af94e15cdaa01b14707ef7c0c006350206b30f803433a00a5ec1c30eae93d3492

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c25c19fa6731849212b1a5f77a877a1d

SHA1
e4164c11d41bfa0ceaa48f9cc7b7836a9c1d9b6c

SHA256
3039fab0b9ed81979962e2312e6f5bb542f29c35ee2f9467ac4c936a2fd499c9

SHA512
bba6e120519aafc65967a703c316ff2bfd9bb3655b25c71624b4afbccccf4b178dfcb135d051c5abcaab9b26a34cbfffe903ccde1cd5edf6a4a60ef7adb918b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7448.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar74F6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\wauc11.exe

Filesize
26KB

MD5
3499e0675859f7fe86dcb380666819a9

SHA1
6ff726cbe56d985de3cbdc3e5b30b8f0e5dce995

SHA256
f241fd1ee6bd07095071753c2dc677b4fa8a54726a7561b8c16dc3ac6f514f67

SHA512
e3cdbc487b6f8d969e565b3f3435ec4fb34be95af2feb70efe910fcb71bd9ae70701b5ce29c137c607ef53cbc19b20f129214c756f281f7930afd802312362b9

Download Submit
\Windows\SysWOW64\0.pif

Filesize
7KB

MD5
2fff260137e1813efab8de2945d50bdf

SHA1
9d4ac3a49a49adc97743c48475a3f9ac8e979e8d

SHA256
05e368d605ab687ae4765b395aeda64d355eb167898496cd9c82d7867eb8a01f

SHA512
ebdbe8d790e90cc47f773b27d397ed2b36e9e13277b61dc9f768a8706637573628c579157c914fd127110db98218b0441f87ebcd1b8d026fb2d17bc96b8c925a

Download Submit
memory/2424-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2424-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2732-14-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2732-1-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2732-5-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/2732-13-0x0000000013140000-0x000000001315B000-memory.dmp

Filesize
108KB

Download
memory/2732-15-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/2732-0-0x0000000013140000-0x000000001315B000-memory.dmp

Filesize
108KB

Download