235df3bcb60644fcd517284a2edcb591c8721613f138d600a4b5eaa2e715779a

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Size

1.1MB
MD5

7450d7de36430db233380e1782b12c52
SHA1

78ae9080b1e7341d5934dbb5f991523c77a9e029
SHA256

235df3bcb60644fcd517284a2edcb591c8721613f138d600a4b5eaa2e715779a
SHA512

c6a0e5ddd0f58ed6a7a26915e384ebbf8e4a3e8e42fc29a043b7d5d3b37e2677ed1739c008ec7d1353944779c7311cccaeb314e06b6897602b3c048a4bb861a5
SSDEEP

3072:0RsBiWyDJP1j11BJIcBzeFxFtMuqnBJIF+DbCu/bU+99:QxRJPnJwMu6dXCsQi

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\infoipobj.exe"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = 43003a005c00570069006e0064006f00770073005c00730079007300740065006d00330032005c0069006e0066006f0063006d0073006f0062006a002e006500780065000000	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

Executes dropped EXE 36 IoCs

Processes:

msmonsql.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

pid	process
3704	msmonsql.exe
2084	smss.exe
1060	smss.exe
1216	smss.exe
2260	smss.exe
3944	smss.exe
4332	smss.exe
4156	smss.exe
2752	smss.exe
3428	smss.exe
3544	smss.exe
3604	smss.exe
2776	smss.exe
3748	smss.exe
4648	smss.exe
3796	smss.exe
3296	smss.exe
3428	smss.exe
4272	smss.exe
1488	smss.exe
3604	smss.exe
3196	smss.exe
1668	smss.exe
2216	smss.exe
2104	smss.exe
3500	smss.exe
1664	smss.exe
3880	smss.exe
3444	smss.exe
2196	smss.exe
1812	smss.exe
2632	smss.exe
1480	smss.exe
184	smss.exe
3644	smss.exe
1556	smss.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\infoipobj.exe"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

Drops file in System32 directory 12 IoCs

Processes:

7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ctfpoolctf.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\srvdhcphost.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\srvdhcphost.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ipdispras.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ipdispras.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\infocmsobj.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ctfpoolctf.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\infoipobj.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\infoipobj.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rasdhcpproc.ocx	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rasdhcpproc.ocx	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\infocmsobj.exe	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1924 3704 WerFault.exe msmonsql.exe

pid	pid_target	process	target process
1924	3704	WerFault.exe	msmonsql.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

attrib.exeIEXPLORE.EXEsmss.exesmss.exesmss.exesmss.exeattrib.exesmss.exeattrib.exeattrib.exesmss.exemsmonsql.exesmss.exeattrib.exeattrib.exesmss.exeattrib.exesmss.exeattrib.exesmss.exeattrib.exeattrib.exesmss.exeattrib.exeattrib.exesmss.exeattrib.exesmss.exesmss.exeattrib.exesmss.exesmss.exesmss.exeattrib.exeattrib.exeattrib.exeattrib.execmd.exesmss.exeattrib.exesmss.exesmss.exesmss.exe7450d7de36430db233380e1782b12c52_JaffaCakes118.exesmss.exesmss.exeielowutil.exeattrib.exeattrib.exesmss.exeattrib.exeattrib.exesmss.exesmss.exeattrib.exesmss.exesmss.exeattrib.exesmss.exeattrib.exeattrib.exeattrib.exesmss.exesmss.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msmonsql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEregedit.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cdc5e48483fa34f869ba9241b95153800000000020000000000106600000001000020000000877bedc867ac68d6ed2af34c26d93a7a7687c8175fcfa859e854e4fea9397266000000000e8000000002000020000000b524dff3ccba2b625ad9ce28901cf17c92aa99b88aea03ca03147f3d6062107420000000ad36a26979b8aa02a60d3ccca1edbe0946734fde80384f613cc3e8daeb6beaee400000000131dcd3dffbebc80abd31f93c5a20d2d31cb3d6668f0a0231ba28ef87e117dc61a00c7395ee1de49368c29b4bd94ed5d917af9a3360b917411699a63d141ed5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cdc5e48483fa34f869ba9241b95153800000000020000000000106600000001000020000000142623f4d9f65961ca08911347c5f55f23a4d8b42d5c436547474f0a2564f955000000000e80000000020000200000007fa105d3de1e50e30748f06d023fe53d164453ec757e4c72ebabc48d2b68599e2000000056d66307de833330a5791626e08a654d035362166b21aecd6cefebd974557ed140000000a4a7238c50af527fbd579c387fbfee3e7bb2a775d1f0f727b66f63896a8de1ed76adba4c81502f78b78a11867a952523914af4ec780d5c4ea6e066e85448a5cf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cdc5e48483fa34f869ba9241b95153800000000020000000000106600000001000020000000e71293b277a7073b498ff8920f18b15c0fb307a15b200178530a6ea951bda822000000000e8000000002000020000000854c46f8e61a0cc740c1e8c0355378ad4f5f888e16203e7dbceaf05ce2539cd220000000c91fc58be91b699cfdf798b0746fbc2b46f988a7ec7e2553a45f496361a5649c40000000f7c6a6cf2d3311a9659aa4b8a69f38bd6f2a91ee43af9b315ae027aca72ab738c3ebcce73397307b371580cc9cee45ac454531caaf3a3f9dfdd088cb3a493bd8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cdc5e48483fa34f869ba9241b95153800000000020000000000106600000001000020000000f919aad2cf09d58e022b5e294185ef0561fe68d6ef082fcbd057c6c5fb47ece0000000000e80000000020000200000006e80df4d38d1e0b5123ec8017d35ac379c952009997298cfece6e0aea48001ed200000000907ade90b325cf8daf8a618202582ec8c74e49fafaac8622a1c6c7a8cd59333400000001d8c7131c00ef43f2d471a4d6c65c74829160f55113db481f96aa985c1aec75ae68559dbd3b3d3f85f9c8453a8e9d0184387cac6556b56383529a69de4337131	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cdc5e48483fa34f869ba9241b95153800000000020000000000106600000001000020000000067be63ba1c84bc2fa8e7eb31c57248b8e6cb3ef1e8f1ff8724e967a19925979000000000e80000000020000200000002cebba9548d079e2fd22c9aed4b83f18f010ec6f56de6b609cdd6dca00c739f620000000b8300443b38d27d1cef2cdbda683ed96f322a24895653902d03e7fe4848ff0434000000020b6258ef3fb922eeb772f0f8cf056fdd608b94fc76e4876098c8076b38ed2696c404ef67e0103c94e040d138fcd4c35329885057817277c151ba9fef8bb0c44	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0de7c1470dfda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cdc5e48483fa34f869ba9241b95153800000000020000000000106600000001000020000000b412c5279196126fafc3fb4f0500df715e65f3cf1ebeb7d2f270bbf5f8d75e6f000000000e8000000002000020000000b4a05f7650dd77492eb52b545ba62e1db071e3721917bb4ffd439aa578a548922000000036180dcedc85241ed5ebff7a7a15ee6842158173ce14477923493a63e3b84df9400000006789c1c87b0bea3503e785d58ced5060021aadab766069f2bb9200d848b7e9b0ca45bae16423c4862ca55f171c0fa5281d71ed1674d30c23e1c3f2021d762183	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cdc5e48483fa34f869ba9241b95153800000000020000000000106600000001000020000000b5b0986bd1682575cb51c76a51237f0dfbd78c16a5ca2348b69058217c0006a9000000000e8000000002000020000000c33e5b595ee1fc7564df98f8fa9eaa01bb5e786299c90eec73ba70d3650e073b200000008fce74c781f63315408cc78cee95ab92ed77b06680e408b41c575a3dce46303c40000000f15728d94d5821406bb39d45021ad6322bfb9fbc28d9ac8a3340e722a01b582fbcf6dced6ccd7b78b3fee45e6159d1ed087e7a315a6a2539bf8f25d3abc49a50	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4078698605"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428772431"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4078698605"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4081669638"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cdc5e48483fa34f869ba9241b95153800000000020000000000106600000001000020000000f0ce81041e094417d45a6e7e6fef3c6668e3d6c26c29fa5642b91e0581ed3813000000000e800000000200002000000030440b3e1c9b800d96d611de15976056b2bf4ef235bfc217042e52fd366873aa2000000083f284f0d4ce2f05a73434cf366f8a284892fca7908aec8fb8160b5b66ce001a40000000fab9957d04bd633973740ff7adb83d14c65938ba0e8a0a324d29092952deece0ec07201819642a32e8e9b9a10c8929cf6d63f2e5f33b8a42443fe5ffa5b51806	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d033a10670dfda01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a096d1f86fdfda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1038490b70dfda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 809ae00f70dfda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cdc5e48483fa34f869ba9241b95153800000000020000000000106600000001000020000000faee49a5a0c8fe42fd5506e3a00045f54b04b75d973cfc96bc89926eb7aa9a2a000000000e8000000002000020000000496d5f18e726fb07a16a42be323618018e50cd0c3b67ab2fc89b150ce783da25200000005c80b4d34b778b7aa54251b4ce5aef685ff7330900b39bfdf2b1f315a964de1f40000000ad9ff40dd13d9516a862100b71871f316aed847b01cda5a267eedcd541b01355a631daed62aa01fe4c12077b8a088aa090fd5a0ce94023580f7a3a2e9a64093c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30920deb6fdfda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c07e9bef6fdfda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31121263"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1EB4D874-4B63-11EF-9A70-423954E40A58} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31121263"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00436bfd6fdfda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31121263"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 008343f46fdfda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6060070270dfda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cdc5e48483fa34f869ba9241b95153800000000020000000000106600000001000020000000869c60198ab528af86cc84c3dfd25a9a55d64a6cf5a1ce92c9ab225723fbda81000000000e80000000020000200000000bc85e8954cdd1c8b7e1ca251e2be722b3b6e9c4d659a428d601deb18405eb742000000010a97d81e304e178fe5ff1211261fc49c60c41fc64f11ef579536be16c5f8c18400000000b56ec9ef530693ec40747d50be18cd3b69448e303b206945ed7f961a1bd872207bf14eb7efd05698bf71c3678662a03513ee19d97a6d677ea22fc57fc8ea4f3	iexplore.exe

Modifies registry class 9 IoCs

Processes:

7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\rasdhcpproc.ocx"	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

4944 regedit.exe

pid	process
4944	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

pid	process
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

7450d7de36430db233380e1782b12c52_JaffaCakes118.exemsmonsql.exe

description	pid	process
Token: SeDebugPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeBackupPrivilege	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
Token: SeDebugPrivilege	3704	msmonsql.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4740 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4740 iexplore.exe
4740 iexplore.exe
4132 IEXPLORE.EXE
4132 IEXPLORE.EXE

pid	process
4740	iexplore.exe

pid	process
4740	iexplore.exe
4740	iexplore.exe
4132	IEXPLORE.EXE
4132	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7450d7de36430db233380e1782b12c52_JaffaCakes118.exemsmonsql.execmd.exeiexplore.exe

description	pid	process	target process
PID 1748 wrote to memory of 3704	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe	msmonsql.exe
PID 1748 wrote to memory of 3704	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe	msmonsql.exe
PID 1748 wrote to memory of 3704	1748	7450d7de36430db233380e1782b12c52_JaffaCakes118.exe	msmonsql.exe
PID 3704 wrote to memory of 2024	3704	msmonsql.exe	cmd.exe
PID 3704 wrote to memory of 2024	3704	msmonsql.exe	cmd.exe
PID 3704 wrote to memory of 2024	3704	msmonsql.exe	cmd.exe
PID 2024 wrote to memory of 2084	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 2084	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 2084	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 3068	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 3068	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 3068	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 1060	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 1060	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 1060	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 2312	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 2312	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 2312	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 1216	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 1216	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 1216	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 2780	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 2780	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 2780	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 2260	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 2260	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 2260	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 3040	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 3040	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 3040	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 3944	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 3944	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 3944	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 4336	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 4336	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 4336	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 4332	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 4332	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 4332	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 4916	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 4916	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 4916	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 4156	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 4156	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 4156	2024	cmd.exe	smss.exe
PID 3704 wrote to memory of 4944	3704	msmonsql.exe	regedit.exe
PID 3704 wrote to memory of 4944	3704	msmonsql.exe	regedit.exe
PID 3704 wrote to memory of 4944	3704	msmonsql.exe	regedit.exe
PID 4740 wrote to memory of 4132	4740	iexplore.exe	IEXPLORE.EXE
PID 4740 wrote to memory of 4132	4740	iexplore.exe	IEXPLORE.EXE
PID 4740 wrote to memory of 4132	4740	iexplore.exe	IEXPLORE.EXE
PID 2024 wrote to memory of 4128	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 4128	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 4128	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 2752	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 2752	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 2752	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 1132	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 1132	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 1132	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 3428	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 3428	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 3428	2024	cmd.exe	smss.exe
PID 2024 wrote to memory of 5036	2024	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 34 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
1532	attrib.exe
3944	attrib.exe
3068	attrib.exe
2312	attrib.exe
3412	attrib.exe
1444	attrib.exe
4548	attrib.exe
1132	attrib.exe
5036	attrib.exe
3652	attrib.exe
2040	attrib.exe
4144	attrib.exe
2012	attrib.exe
3120	attrib.exe
2780	attrib.exe
816	attrib.exe
3956	attrib.exe
1244	attrib.exe
436	attrib.exe
3040	attrib.exe
4128	attrib.exe
2936	attrib.exe
4336	attrib.exe
772	attrib.exe
4916	attrib.exe
2856	attrib.exe
4764	attrib.exe
4336	attrib.exe
2056	attrib.exe
2528	attrib.exe
1180	attrib.exe
1328	attrib.exe
4424	attrib.exe
1148	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7450d7de36430db233380e1782b12c52_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7450d7de36430db233380e1782b12c52_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\msmonsql.exe
"C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe""
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2084

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3068

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1060

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- Views/modifies file attributes
PID:2312

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1216

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2780

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2260

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- Views/modifies file attributes
PID:3040

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3944

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4336

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4332

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4916

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4156

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4128

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2752

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1132

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3428

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5036

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3544

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3412

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3604

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1444

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
PID:2776

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2936

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3748

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1328

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
PID:4648

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:816

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3796

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4548

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3296

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- Views/modifies file attributes
PID:3956

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3428

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- Views/modifies file attributes
PID:2056

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4272

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1244

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1488

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2856

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3604

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4336

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3196

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3652

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
PID:1668

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4424

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2216

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2528

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2104

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1532

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3500

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3944

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1664

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4764

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3880

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- Views/modifies file attributes
PID:1148

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
PID:3444

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4144

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2196

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2012

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1812

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1180

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2040

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1480

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:772

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:184

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- Views/modifies file attributes
PID:3120

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3644

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\msmonsql.exe"
4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:436

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 592
3⤵
- Program crash
PID:1924

C:\Windows\SysWOW64\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp
3⤵
- Modifies Internet Explorer settings
- Runs regedit.exe
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3704 -ip 3704
1⤵
PID:3296

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3380

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4740 CREDAT:17410 /prefetch:2
2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4132

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Active Setup

T1547.014

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
3657335e6a16bf2e31605028126baadb

SHA1
e5d5a1fb18511ebcb49494570a94b92527540114

SHA256
433b51bbdd8a72ef859d9e4bc11030dd61b20e78db25fda3780d5ae8fe706548

SHA512
29b6d77cb3850711312b6578dc8f647018c1e7ea7ff1a375f55563dd69395d03a960d11e6a83d77c0a93695440fb1c3522cfbd4c957e6e06c82c9e8650785848

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
29ed3453a687ada63a5ea0a3c04b5d9e

SHA1
5d7929dca414225c8dc78c06f36fff2f50783627

SHA256
fafbecf35e4f6c9dc3295a1a55a2925ff076a403936298867399b23892168250

SHA512
2e7f3b3f2e5358a4295579e8833880b25872b4e01cfe20170e33c0136acb9c8dfa7deb1495a0f199270cb761802439ed00a00351068f05e9d43294a9ffe22af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0HGGBLFL\dnserror[1]
Filesize
2KB

MD5
2dc61eb461da1436f5d22bce51425660

SHA1
e1b79bcab0f073868079d807faec669596dc46c1

SHA256
acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993

SHA512
a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\D1AP1AEC\NewErrorPageTemplate[1]
Filesize
1KB

MD5
dfeabde84792228093a5a270352395b6

SHA1
e41258c9576721025926326f76063c2305586f76

SHA256
77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

SHA512
e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\D1AP1AEC\errorPageStrings[1]
Filesize
4KB

MD5
d65ec06f21c379c87040b83cc1abac6b

SHA1
208d0a0bb775661758394be7e4afb18357e46c8b

SHA256
a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

SHA512
8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\D1AP1AEC\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OZDMMIJY\down[1]
Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OZDMMIJY\httpErrorPagesScripts[1]
Filesize
11KB

MD5
9234071287e637f85d721463c488704c

SHA1
cca09b1e0fba38ba29d3972ed8dcecefdef8c152

SHA256
65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

SHA512
87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd
Filesize
168B

MD5
e7efc2c945a798b4dab3fe50f1524592

SHA1
0bb937ccd89e40c91c0e58b376873ef909fe805b

SHA256
624acac79fdcfe30592f5321b4ab73d360f393dbcdbe8daa50fcce63c710f5dc

SHA512
e75840979404587aa15fd4d1e46707c33e32dca086ca72c7666045e14191e29857d06dc8ba737e69925c71b2e2d6a5ee3b63c36ecd2f32ae515f85a985d8f257

Download Submit
C:\Users\Admin\AppData\Local\Temp\advsec32.dll
Filesize
4KB

MD5
3adea70969f52d365c119b3d25619de9

SHA1
d303a6ddd63ce993a8432f4daab5132732748843

SHA256
c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665

SHA512
c4d836fcbdab4c859a6fc0f849d1e41e98c7e23fc0fe0fe0a09cb68e9a57d60b2ae9ad46762d7a5e05db28d6179bd431ef179ee1f9ff016db74cc3b1d74ed7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bot.log
Filesize
2KB

MD5
7ffc218f8d87c772952574006cae89c4

SHA1
d365be57cd8ccb854f89c7b233f523471da80ec6

SHA256
38e258865a9fbdd2f9cee95d31636e5df6d802a268c5e4120935de914c14c301

SHA512
86a9b08470314c91cb8fa4ebb2db761891963bc447d27c8e7a36d7b8e246b85bfc6ff97d8120405f4337b071247c8a7cfa5c36c61185f4eb561ffae329bb356b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bot.log
Filesize
4KB

MD5
583999dcd468229c832c668703e730ef

SHA1
7b467e38ed41dd273a60de36cce85839c970b24c

SHA256
d2a1e9662df21a483a9706dfbfc2c6b1bac04219196bcaacb4a7f1b3cab85cba

SHA512
d6a4555fa27fd745e5ce4037475e76436373071888f31bd0907336a6254d5487eb59771396290bd0766b51cb6caa27cb910bfcb0b6d071dd2a2e90a87c73a095

Download Submit
C:\Users\Admin\AppData\Local\Temp\msmonsql.exe
Filesize
104KB

MD5
bf839cb54473c333b2c151ad627eb39f

SHA1
34af1909ec77d2c3878724234b9b1e3141c91409

SHA256
d9cfcd9e64cdd0a4beba9da2b1cfdf7b5af9480bc19d6fdf95ec5b1f07fceb1d

SHA512
23cb63162d3f8acc4db70e1ecb36b80748caaaa9993ee2c48141fd458d75ffb1866e7b6ca6218da2a77bd9fcb8eed3b893a705012960da233b080c55dc3d8c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\smss.exe
Filesize
18KB

MD5
b3624dd758ccecf93a1226cef252ca12

SHA1
fcf4dad8c4ad101504b1bf47cbbddbac36b558a7

SHA256
4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef

SHA512
c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838

Download Submit
C:\Users\Admin\AppData\Local\Temp\win5.tmp
Filesize
240B

MD5
ee926df00618b73a370f2dbcbe19ebeb

SHA1
eb775efca19c657d4cc02d21190db4f522ae750d

SHA256
6aa561c0cd6879efa55a085e9020c4827f4e51e8b44902e72b908d06bb454c32

SHA512
6b4d1f2d897b6876755d1a6370f849d1241bbb9d462a5347b0b157bb4b7efe80c0d171e14e0277bd72dfbcdf31cdc055e500341a6e0c444513cb47cddecaaf54

Download Submit
C:\Windows\SysWOW64\ipdispras.exe
Filesize
1.1MB

MD5
7450d7de36430db233380e1782b12c52

SHA1
78ae9080b1e7341d5934dbb5f991523c77a9e029

SHA256
235df3bcb60644fcd517284a2edcb591c8721613f138d600a4b5eaa2e715779a

SHA512
c6a0e5ddd0f58ed6a7a26915e384ebbf8e4a3e8e42fc29a043b7d5d3b37e2677ed1739c008ec7d1353944779c7311cccaeb314e06b6897602b3c048a4bb861a5

Download Submit
memory/1748-261-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1748-245-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1748-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download