235df3bcb60644fcd517284a2edcb591c8721613f138d600a4b5eaa2e715779a

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Size

1.1MB
MD5

7450d7de36430db233380e1782b12c52
SHA1

78ae9080b1e7341d5934dbb5f991523c77a9e029
SHA256

235df3bcb60644fcd517284a2edcb591c8721613f138d600a4b5eaa2e715779a
SHA512

c6a0e5ddd0f58ed6a7a26915e384ebbf8e4a3e8e42fc29a043b7d5d3b37e2677ed1739c008ec7d1353944779c7311cccaeb314e06b6897602b3c048a4bb861a5
SSDEEP

3072:0RsBiWyDJP1j11BJIcBzeFxFtMuqnBJIF+DbCu/bU+99:QxRJPnJwMu6dXCsQi

Score

8^/10

adware collection discovery persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\procdnsobj.exe"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = 43003a005c00570069006e0064006f00770073005c00730079007300740065006d00330032005c006600770063006300740066006c00730061002e006500780065000000	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

Executes dropped EXE 37 IoCs

Processes:

sqldispobj.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

pid	process
3016	sqldispobj.exe
3044	smss.exe
2620	smss.exe
2044	smss.exe
2364	smss.exe
2168	smss.exe
2272	smss.exe
2852	smss.exe
884	smss.exe
3036	smss.exe
1724	smss.exe
932	smss.exe
2632	smss.exe
2244	smss.exe
892	smss.exe
1760	smss.exe
1672	smss.exe
2620	smss.exe
1756	smss.exe
868	smss.exe
2360	smss.exe
2584	smss.exe
2476	smss.exe
2088	smss.exe
2264	smss.exe
2656	smss.exe
2456	smss.exe
576	smss.exe
2916	smss.exe
3008	smss.exe
1412	smss.exe
2296	smss.exe
2084	smss.exe
2784	smss.exe
2516	smss.exe
988	smss.exe
1336	smss.exe

Loads dropped DLL 38 IoCs

Processes:

7450d7de36430db233380e1782b12c52_JaffaCakes118.execmd.exe

pid	process
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe
708	cmd.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

sqldispobj.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	sqldispobj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\procdnsobj.exe"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

Drops file in System32 directory 12 IoCs

Processes:

7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\dhcppdbdisp.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fwcctflsa.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msobjmon.ocx	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\hostpptpcms.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\procdnsobj.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\procdnsobj.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msobjmon.ocx	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dhcppdbdisp.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dispsvcpdb.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dispsvcpdb.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hostpptpcms.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fwcctflsa.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

attrib.exesmss.exesmss.exeattrib.exeattrib.exesmss.exesmss.exesmss.exesmss.exeattrib.exesmss.exesmss.exeattrib.exeIEXPLORE.EXEsmss.exeattrib.exesmss.exesmss.exeattrib.exesmss.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exesmss.exeattrib.exesmss.exeattrib.exesmss.execmd.exesmss.exeattrib.exeattrib.exesmss.exesmss.exeattrib.exeattrib.exeattrib.exeattrib.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exeattrib.exesmss.exeattrib.exesmss.exesmss.exesmss.exeattrib.exesmss.exesmss.exeregedit.exesmss.exeattrib.exeattrib.exeattrib.exeattrib.exesmss.exeattrib.exesqldispobj.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sqldispobj.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEregedit.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428169366"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a06e9a2570dfda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003125cc29be9a0e41b44a3d73dc8faf7100000000020000000000106600000001000020000000b6d6e30d375734248929b95776ed4d07200721f750dcabc2c5b6e5a590b37397000000000e80000000020000200000008f253ae75ca6ddecebf4432920324e563bf45a1857b0b06bdc1324c18a63c07c20000000e1eca2692a6d64ccba659c20e9bcef3d1cb2b586167b4e884f18fb5ceb6db0634000000090ebb597ccb715b7859f864a73f99fec71b01e4ab16ef45ab40834ee25d3e88437e02b975dec65411cba330dd97a47cbc4e0ed89c692aecbc7b0beb2caafca44	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003125cc29be9a0e41b44a3d73dc8faf7100000000020000000000106600000001000020000000444e11e5342939ba1f26f2c59ebc1a92a71a13cf207c3924d4262061521956f2000000000e8000000002000020000000681a3e18b01153a5a74d11d5fd2cb2bb2e00c57764deaf69e9d07eba0ceeb9369000000053e5370e3b932f881a4ab24887fd5e8ac4c2f523e4c7ff3bcc8006de5745966bae11fa81900216a9e5f7ed79aefe2c10c9f7c00009df9a4c779eb8a505131df42e1c61f6bf3fb716ed097f4ac34ff24036b43f605df1243c62f1b0b52813bd051cccbc5da66e22a410a685514bf706d7339f1b3cf845606f50b81d8bd6c4a6eaa7ac3aa3d9dee1ad801d648dda1da3ec40000000ece0686226b0565dbdbcf9c9ae290a8ff038b4debdcf0764b9153d7d05413671fe4b249ed38ab9cd74bb4f6568020add95f36131aa92715fee7bf328ff057d99	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{37EB6D21-4B63-11EF-A850-F62146527E3B} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Modifies registry class 9 IoCs

Processes:

7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\msobjmon.ocx"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

2464 regedit.exe

pid	process
2464	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

pid	process
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

7450d7de36430db233380e1782b12c52_JaffaCakes118.exesqldispobj.exe

description	pid	process
Token: SeDebugPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeDebugPrivilege	3016	sqldispobj.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2764 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2764 iexplore.exe
2764 iexplore.exe
3012 IEXPLORE.EXE
3012 IEXPLORE.EXE

pid	process
2764	iexplore.exe

pid	process
2764	iexplore.exe
2764	iexplore.exe
3012	IEXPLORE.EXE
3012	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7450d7de36430db233380e1782b12c52_JaffaCakes118.exesqldispobj.execmd.exe

description	pid	process	target process
PID 2080 wrote to memory of 3016	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe	sqldispobj.exe
PID 2080 wrote to memory of 3016	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe	sqldispobj.exe
PID 2080 wrote to memory of 3016	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe	sqldispobj.exe
PID 2080 wrote to memory of 3016	2080	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe	sqldispobj.exe
PID 3016 wrote to memory of 708	3016	sqldispobj.exe	cmd.exe
PID 3016 wrote to memory of 708	3016	sqldispobj.exe	cmd.exe
PID 3016 wrote to memory of 708	3016	sqldispobj.exe	cmd.exe
PID 3016 wrote to memory of 708	3016	sqldispobj.exe	cmd.exe
PID 708 wrote to memory of 3044	708	cmd.exe	smss.exe
PID 708 wrote to memory of 3044	708	cmd.exe	smss.exe
PID 708 wrote to memory of 3044	708	cmd.exe	smss.exe
PID 708 wrote to memory of 3044	708	cmd.exe	smss.exe
PID 708 wrote to memory of 1672	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 1672	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 1672	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 1672	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 2620	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2620	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2620	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2620	708	cmd.exe	smss.exe
PID 708 wrote to memory of 356	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 356	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 356	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 356	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 2044	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2044	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2044	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2044	708	cmd.exe	smss.exe
PID 708 wrote to memory of 1092	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 1092	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 1092	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 1092	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 2364	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2364	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2364	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2364	708	cmd.exe	smss.exe
PID 708 wrote to memory of 876	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 876	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 876	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 876	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 2168	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2168	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2168	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2168	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2092	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 2092	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 2092	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 2092	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 2272	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2272	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2272	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2272	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2868	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 2868	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 2868	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 2868	708	cmd.exe	attrib.exe
PID 708 wrote to memory of 2852	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2852	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2852	708	cmd.exe	smss.exe
PID 708 wrote to memory of 2852	708	cmd.exe	smss.exe
PID 3016 wrote to memory of 2464	3016	sqldispobj.exe	regedit.exe
PID 3016 wrote to memory of 2464	3016	sqldispobj.exe	regedit.exe
PID 3016 wrote to memory of 2464	3016	sqldispobj.exe	regedit.exe
PID 3016 wrote to memory of 2464	3016	sqldispobj.exe	regedit.exe

Views/modifies file attributes 1 TTPs 35 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
2104	attrib.exe
2776	attrib.exe
1720	attrib.exe
1756	attrib.exe
1092	attrib.exe
2904	attrib.exe
1372	attrib.exe
2084	attrib.exe
1672	attrib.exe
876	attrib.exe
988	attrib.exe
2792	attrib.exe
1800	attrib.exe
2092	attrib.exe
2868	attrib.exe
2144	attrib.exe
2452	attrib.exe
1000	attrib.exe
1040	attrib.exe
2556	attrib.exe
2540	attrib.exe
2408	attrib.exe
2372	attrib.exe
356	attrib.exe
2628	attrib.exe
1740	attrib.exe
2908	attrib.exe
1632	attrib.exe
2612	attrib.exe
1980	attrib.exe
2820	attrib.exe
1692	attrib.exe
1100	attrib.exe
592	attrib.exe
1496	attrib.exe

outlook_win_path 1 IoCs

Processes:

sqldispobj.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	sqldispobj.exe

C:\Users\Admin\AppData\Local\Temp\7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7450d7de36430db233380e1782b12c52_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080

C:\Users\Admin\AppData\Local\Temp\sqldispobj.exe
"C:\Users\Admin\AppData\Local\Temp\sqldispobj.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE""
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:708

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3044

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1672

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2620

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:356

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
PID:2044

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1092

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2364

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- Views/modifies file attributes
PID:876

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2168

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2092

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2272

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- Views/modifies file attributes
PID:2868

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2852

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2904

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
PID:884

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2408

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3036

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2144

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1724

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1372

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:932

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2628

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2452

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2244

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2540

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:892

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- Views/modifies file attributes
PID:2612

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1760

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- Views/modifies file attributes
PID:1000

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1672

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1740

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2620

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1980

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1756

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:988

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:868

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1040

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2360

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- Views/modifies file attributes
PID:2104

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2584

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2084

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2476

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2820

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2088

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2792

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2264

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2776

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2656

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- Views/modifies file attributes
PID:1692

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2456

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- Views/modifies file attributes
PID:2372

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:576

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2908

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2916

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1720

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3008

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1100

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1412

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1632

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2296

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2556

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2084

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1800

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
PID:2784

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1756

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2516

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:592

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:988

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SQLDIS~1.EXE"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1496

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
PID:1336

C:\Windows\SysWOW64\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp
3⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Runs regedit.exe
PID:2464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2764

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2764 CREDAT:275457 /prefetch:2
2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
778323d0efbef4e93931180511cbde67

SHA1
a9efe755bd508152f8eafdee35e2ce6f3f7c41d3

SHA256
bd7fe8cb3b2b1069a1c29a7bf2b0d58d70d3c54670f761b0b3e0bc7a843349ae

SHA512
873db5704b64acd41e74aefc0770286b402cd2dab1690879dae963a0513dd4876ec3c334ad7f086ea378d82d2082e0854d67f188dd493f0c56f49f6377f5e8c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3e47f7358b7ea013cd9cea025f386c3

SHA1
4ffd6d3c997df1b447318d631388d52386d7b4cd

SHA256
eaa00c5f1593449526ee424225336d21c69fb27bff48ffee452c85136cee0080

SHA512
95cbe9849074172290361d84a0c0940027f615b5775388670c6bf92b8f4aa20d3b3f937d3ea2569cb372f1e4ca551c5e6d290972c3e11a765710b101cd4c3d31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8e72d022f75cb3284cd4fea68c88d84

SHA1
0c6f716297765b1b34f0bf440b1cd7246f22e930

SHA256
0a97efa6eda778e72a78020ffd230dee04c8f1509085551ebea2ad5cb53fcdd2

SHA512
46b92adf247e15c6fd40c84376f766b9f9c3b67ccd710f328d83ed50d2a4b923a406cc3edd9c355873bac99296658fc080e38cfee9f83b78e1ef0e7290184352

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f961b88fa9cb540d79d172e686973ac

SHA1
06cba95bec4c0dea322fcc493f7a519e325fd8b3

SHA256
06528aef1aa6f8cf4652ae414d3dc1ae43f0d82d98be6320b4185fc54ad74145

SHA512
737bd5a3c3db59267d333e0948986c02291d63018f5f0151e1aa2cee4ee6382a01b2be34da6c47a88b98e8f7dca4369b92e61e069d00be5c53819b5cd5a27af9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad9a8e162c17744ec905b38643f96ce6

SHA1
8f696ce18aa3ae55c3b93debdbc3c122db8420da

SHA256
654b56852e9475ec833c1094048c49a34c579ef9c0f94bdbe8c52ff95317e746

SHA512
a5de53aeebd1dc5dd2577c5d948cca7dc38ba9f33edad6ad40656f3c9aa816c350663b9a8ba5ea2ca8ab5d09b0bc6025960f34619f714d126b169d396f1daae8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e15f02122172e67bdc833e33013805b9

SHA1
8e63d6062ad172a1236ae512b39bd8b6ad2f1615

SHA256
0138e7148d2a3a634c9ba97b1dfd1b0463ba53b364230df80cae2999b918c06d

SHA512
60a9caed88ab6c80e7e9874f2c39c4adb29c16585c8c473ca0c5bbfec4f2c1c80ce027ee9a9a01454f9eee87676a84681755b934dbfd0824b3cf7e917a4ea0f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36f3b3edf63e23b632e97a25dbdbc37a

SHA1
b143491fb4ccc075fe08e5a9aef2cae030288dd9

SHA256
c84ded613a054e0dc4847f7956cae0be98c7000b1e3e38c4352fb2b27da30002

SHA512
103fcfae25ab31246e6d8f42da7f57992ec6e3db6d96a054ee4531f88397e7ed063079de50be201a28347f235109ca48d9cd4e4f109245c6292461d54c56a5f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f7f3fc3a6f2ddcc29e7378432b0bec4

SHA1
509b797f5937cbd1fde3767133078d945cef5e12

SHA256
a5ececfaf971f259f1aa9c2f92e6a4fec3b7f182bcd5c17c4cc61cbf6592464d

SHA512
1d9c0bb19f56eebfab0beb63d8153118697174146772b19b021b759f6cda913764e99c68791a4423cf05925c1c2ea706df99e30771e209b4e7f1b2f5e5d2b04c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5f337ec9d9651d329a6d9569589c4ba

SHA1
1f8844025cb031b6c527bcb1408fcd1099de091d

SHA256
a85b891516d8cefcd8e52c919b1c60c2efbc462a93a92b266ef84ad42d3b5bc4

SHA512
6e7a098f721569484370ddedfd5c7206acb509db35cf057e6ac97b0cee578834d3676c13ac4d339ff8f29b5eb6ac3a59a72b36d31da08049a0a3f1faf8faaf57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f796a4b6c47203fd3aeaba5ce674e4c5

SHA1
443f553ed88130b0d8d9b6abf513123d165d4202

SHA256
660a89aa9b562d7ceeafb85aa3d1f1047dc15b6e8bf3098375ce301c272d0f87

SHA512
0f6486780bd1a07cb72c40a3034acdb175c76d541167536c267a1d8bff24524fa352a6d69042262f72ff8e323581ab362bfcbf62f93c8709fa06802e9c7a04f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60cabac0c2cbe1a55c61c9c8aa1bb343

SHA1
35fd2bd2b9258232af8bbabef169e4c023f63578

SHA256
d9f8dac752215a4efe4f5c626ddbf057f4535a24fb5f23036f335d08ac4bcfe2

SHA512
0bda2ea61a14b3b8eb135b5487d94e3ab60eb2c69a23cf7656b841b2abe37bfe5e64803b8150b0e7caf01e12a28e80bdcbaca83d4fad8ba45c32f734a1512371

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c0ea3c6445ecbf63220ba80b266f168

SHA1
1eceaaad8d0c10939752ac8e2706fa3dcca6692e

SHA256
77897de15b53e602c658bb65d390efcc71ca8119666a39f6ddca187a4fc5ad16

SHA512
4bb919f0a0804f916dc26183cbdd17f969585203302dbb8edd584bba6dae3a7774a4028b8f9ff6fd4c7c6189e808d62f0605e2b02ca8273b0aaf93535585986f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e442055a324a333fa574a424c2defbf

SHA1
1be26e57e9dc636d4aa1dd3a3f7513c034d26a7a

SHA256
bbfdbc7377febba08087aef76bb39303073563118a970f335f1f10adb174d4d9

SHA512
69ed8f9af718dfbefc2647298620d869b4e085ef92082bb2c52a7e030036fb9eb129f323601d75841b9531f88b9d5ffa3b3cd9d712a915a5854b0918d29a48f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24e9e10379bc6a1ff00607c5a208f807

SHA1
59be847b9b305d0c4725503c6ab796ba01ec9992

SHA256
5f3edaf5e37dae1d2b4d585abb505ba0fdcb434105e889560905197516b31561

SHA512
58d177aab0f7a8df2b1009236f53951290e3a6b6b66c84055724c53c7c2bdba2855ee48cf8c9f0f49e6f9f0643b8e485c3f815f6f6bb9da09b2df997b52ec328

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f52bcec56d8153d4ec38f594ed2c00e0

SHA1
9ba9ed65666aa293cd2d81daee697462ecf3def8

SHA256
5fc4fa250308e9675daa712207df7812344418bbf08a8dcb907e855d02ca1db4

SHA512
24ddb6992d06e78755661d5b8c83c3d844f1c1b404cc271a7940670ec0ce1c56cb035d87305c3c96265a0d1dff668c87892fdd1e7976c9f4d1af22f67c737bc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94d8060924d9eccac2fd9dcb97015fa8

SHA1
ed541dba925fcfdafc72a34609ea716a6573b1bb

SHA256
d8c41ba1071082982f7a7fb9c6c80ec98051740cd32621b23c719f9adfe512df

SHA512
1f662b3cc8d59c914e803bf38259cf07c55e41a7c4f6330daf2ebc23b742d35752ef475a99d3dacd1badf7591d0bc2b4e2a90a6c0154455fda465cac9192e020

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0148bc43fe86c47558a3b645f8e7ac33

SHA1
2bdb3cd93670990182d36a3e870ce0d0c4f93f99

SHA256
5f87df9cee0d36d293a72279c13c9a2dd3be607258c2caeb83cae0d15b1aaf17

SHA512
28c5094c7317816d7860ec70f5d1a6c26261fbc4732408eb54bb73e960cabe0d17f4b7c22c6d7b2399912dcd368e67d5d36992928a300804bd4df1d4e648707e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4001da08765403cee4cf74f26cc6dd13

SHA1
c143918c9f381e27531bdf9fcc701e8a87abf1ef

SHA256
31bd06db3f6a306d4780dd1680dc4a9a4856b437fce3739642091040dd2d4ab2

SHA512
a56f229d3e1b631a323f1d8075bf5bc15998cde47741c005d309b844419edaae5489abccb4cb782b49c82b6ee3bf60246dba8dd8c143139675cedcbf9bd9e9ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5877a6aed8f67e4a5c728511e901a2a2

SHA1
4bf8db96fb0f6dd5b2b7d1bebc8a3c7cc3abed75

SHA256
2145d9c723afc34e9434aaa6cf7792526508078a36bbe432b9ca9988e6f560ad

SHA512
d2438d10e810ec927387c0823119a4f3f1205168ca70584ff256a04899b2ce26e9265754052dc0c3ece024fc2bc37eabf7afb5f9a869932c8d5456f891df48a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd

Filesize
168B

MD5
e7efc2c945a798b4dab3fe50f1524592

SHA1
0bb937ccd89e40c91c0e58b376873ef909fe805b

SHA256
624acac79fdcfe30592f5321b4ab73d360f393dbcdbe8daa50fcce63c710f5dc

SHA512
e75840979404587aa15fd4d1e46707c33e32dca086ca72c7666045e14191e29857d06dc8ba737e69925c71b2e2d6a5ee3b63c36ecd2f32ae515f85a985d8f257

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab47CD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar487B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bot.log

Filesize
4KB

MD5
0bdae0bbd35ddef00d4f08c8d7bb5ca1

SHA1
b345049d7ed69e7638c012a513fd0a0fd555b5ff

SHA256
112632fafeeeecf30d7d6ba00f96e6ba889a6e13db22dc8e8922c953dcd79976

SHA512
3d21f2117a6a320011bfcda6ad6f469cf40ed172e78d8d168a08964189aea8bf2c5ae4e0497b7bed13a0e705ffd74cdb981b4ad3c63311fed853b9a059a88a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\win5.tmp

Filesize
240B

MD5
ee926df00618b73a370f2dbcbe19ebeb

SHA1
eb775efca19c657d4cc02d21190db4f522ae750d

SHA256
6aa561c0cd6879efa55a085e9020c4827f4e51e8b44902e72b908d06bb454c32

SHA512
6b4d1f2d897b6876755d1a6370f849d1241bbb9d462a5347b0b157bb4b7efe80c0d171e14e0277bd72dfbcdf31cdc055e500341a6e0c444513cb47cddecaaf54

Download Submit
C:\Windows\SysWOW64\dhcppdbdisp.exe

Filesize
1.1MB

MD5
7450d7de36430db233380e1782b12c52

SHA1
78ae9080b1e7341d5934dbb5f991523c77a9e029

SHA256
235df3bcb60644fcd517284a2edcb591c8721613f138d600a4b5eaa2e715779a

SHA512
c6a0e5ddd0f58ed6a7a26915e384ebbf8e4a3e8e42fc29a043b7d5d3b37e2677ed1739c008ec7d1353944779c7311cccaeb314e06b6897602b3c048a4bb861a5

Download Submit
C:\Windows\SysWOW64\msobjmon.ocx

Filesize
4KB

MD5
3adea70969f52d365c119b3d25619de9

SHA1
d303a6ddd63ce993a8432f4daab5132732748843

SHA256
c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665

SHA512
c4d836fcbdab4c859a6fc0f849d1e41e98c7e23fc0fe0fe0a09cb68e9a57d60b2ae9ad46762d7a5e05db28d6179bd431ef179ee1f9ff016db74cc3b1d74ed7f8

Download Submit
\Users\Admin\AppData\Local\Temp\smss.exe

Filesize
15KB

MD5
6242e3d67787ccbf4e06ad2982853144

SHA1
6ac7947207d999a65890ab25fe344955da35028e

SHA256
4ca10dba7ff487fdb3f1362a3681d7d929f5aa1262cdfd31b04c30826983fb1d

SHA512
7d0d457e1537d624119a8023bcc086575696a5739c0460ef11554afac13af5e5d1edc7629a10e62834aba9f1b3ab1442011b15b4c3930399d91dca34b3b1cbaf

Download Submit
\Users\Admin\AppData\Local\Temp\sqldispobj.exe

Filesize
104KB

MD5
bf839cb54473c333b2c151ad627eb39f

SHA1
34af1909ec77d2c3878724234b9b1e3141c91409

SHA256
d9cfcd9e64cdd0a4beba9da2b1cfdf7b5af9480bc19d6fdf95ec5b1f07fceb1d

SHA512
23cb63162d3f8acc4db70e1ecb36b80748caaaa9993ee2c48141fd458d75ffb1866e7b6ca6218da2a77bd9fcb8eed3b893a705012960da233b080c55dc3d8c3d

Download Submit
memory/2080-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2080-257-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2080-277-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3016-305-0x0000000000320000-0x0000000000322000-memory.dmp

Filesize
8KB

Download