a584e4a5826b492a01e11f63f0f9b88bd0dad58c2e3d9070329996d6286b5309

Analysis

max time kernel
131s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
Size

413KB
MD5

8ba453f79ebd16a8905484681918c2f0
SHA1

9de5f96e61156db2bf6c6379fafe70443a4dcc81
SHA256

a584e4a5826b492a01e11f63f0f9b88bd0dad58c2e3d9070329996d6286b5309
SHA512

1db779bd65bd73dd74e66d5bb618dddf36da4505f63a0d599972557ebe2393041941c764a47345824bcf962e22909a7a5f6d33310b203135441504f0ca1e5168
SSDEEP

6144:Q7/7Wn2iBqScSkltGne4D64jdMcmR5HYfEsq4DKxZtmCmUbLZOTvoU:Q7TykFILjdbmR54csq4DK/tOTwU

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\ProgramData\\jF33411EhEdM33411\\jF33411EhEdM33411.exe"	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	jF33411EhEdM33411.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
4824	jF33411EhEdM33411.exe

Executes dropped EXE 1 IoCs

pid	Process
4824	jF33411EhEdM33411.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3188-1-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/3188-10-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/3188-19-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4824-22-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4824-28-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4824-35-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4824-36-0x0000000000400000-0x00000000004D2000-memory.dmp	upx
behavioral2/memory/4824-37-0x0000000000400000-0x00000000004D2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jF33411EhEdM33411 = "C:\\ProgramData\\jF33411EhEdM33411\\jF33411EhEdM33411.exe"	jF33411EhEdM33411.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3276	3188	WerFault.exe	83
2036	4824	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jF33411EhEdM33411.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{18D745D7-538A-4C3A-BD66-048F60D3E008}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{1E10F1D4-4C76-4643-B475-50F54A813BE4}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{E0102B76-64AF-418F-97C2-E3E461EE8ACE}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{B2DB6CF2-A8DF-4CE6-800A-6B5610304CF5}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{C594FBC5-BDC8-464A-81E0-A86F15CDF877}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{581D13E4-3FD5-4BEB-9899-2224F384EAE8}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{F755A192-93C4-4617-A20F-1F95BB6C552F}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{505A9774-5F1A-481B-A52A-60D50B2919A9}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{082353DA-CDF1-406F-BE8E-FBFD0BADBCDC}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{C9F50094-43FD-455A-A185-F88EEDC96298}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{46CCB851-C413-4E75-BF26-87F3BEA6D1D9}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{6054F140-36C0-48D6-AB97-B2956AF70476}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{2FF68704-A3AE-45F8-AE31-50A567CA1FFB}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
Token: SeDebugPrivilege	4824	jF33411EhEdM33411.exe
Token: SeShutdownPrivilege	2972	explorer.exe
Token: SeCreatePagefilePrivilege	2972	explorer.exe
Token: SeShutdownPrivilege	2972	explorer.exe
Token: SeCreatePagefilePrivilege	2972	explorer.exe
Token: SeShutdownPrivilege	2972	explorer.exe
Token: SeCreatePagefilePrivilege	2972	explorer.exe
Token: SeShutdownPrivilege	2972	explorer.exe
Token: SeCreatePagefilePrivilege	2972	explorer.exe
Token: SeShutdownPrivilege	1360	explorer.exe
Token: SeCreatePagefilePrivilege	1360	explorer.exe
Token: SeShutdownPrivilege	1360	explorer.exe
Token: SeCreatePagefilePrivilege	1360	explorer.exe
Token: SeShutdownPrivilege	1360	explorer.exe
Token: SeCreatePagefilePrivilege	1360	explorer.exe
Token: SeShutdownPrivilege	1360	explorer.exe
Token: SeCreatePagefilePrivilege	1360	explorer.exe
Token: SeShutdownPrivilege	3540	explorer.exe
Token: SeCreatePagefilePrivilege	3540	explorer.exe
Token: SeShutdownPrivilege	3540	explorer.exe
Token: SeCreatePagefilePrivilege	3540	explorer.exe
Token: SeShutdownPrivilege	3540	explorer.exe
Token: SeCreatePagefilePrivilege	3540	explorer.exe
Token: SeShutdownPrivilege	3540	explorer.exe
Token: SeCreatePagefilePrivilege	3540	explorer.exe
Token: SeShutdownPrivilege	2632	explorer.exe
Token: SeCreatePagefilePrivilege	2632	explorer.exe
Token: SeShutdownPrivilege	2632	explorer.exe
Token: SeCreatePagefilePrivilege	2632	explorer.exe
Token: SeShutdownPrivilege	2632	explorer.exe
Token: SeCreatePagefilePrivilege	2632	explorer.exe
Token: SeShutdownPrivilege	2632	explorer.exe
Token: SeCreatePagefilePrivilege	2632	explorer.exe
Token: SeShutdownPrivilege	2328	explorer.exe
Token: SeCreatePagefilePrivilege	2328	explorer.exe
Token: SeShutdownPrivilege	2328	explorer.exe
Token: SeCreatePagefilePrivilege	2328	explorer.exe
Token: SeShutdownPrivilege	2328	explorer.exe
Token: SeCreatePagefilePrivilege	2328	explorer.exe
Token: SeShutdownPrivilege	2328	explorer.exe
Token: SeCreatePagefilePrivilege	2328	explorer.exe
Token: SeShutdownPrivilege	832	explorer.exe
Token: SeCreatePagefilePrivilege	832	explorer.exe
Token: SeShutdownPrivilege	832	explorer.exe
Token: SeCreatePagefilePrivilege	832	explorer.exe
Token: SeShutdownPrivilege	832	explorer.exe
Token: SeCreatePagefilePrivilege	832	explorer.exe
Token: SeShutdownPrivilege	832	explorer.exe
Token: SeCreatePagefilePrivilege	832	explorer.exe
Token: SeShutdownPrivilege	2928	explorer.exe
Token: SeCreatePagefilePrivilege	2928	explorer.exe
Token: SeShutdownPrivilege	2928	explorer.exe
Token: SeCreatePagefilePrivilege	2928	explorer.exe
Token: SeShutdownPrivilege	2928	explorer.exe
Token: SeCreatePagefilePrivilege	2928	explorer.exe
Token: SeShutdownPrivilege	2928	explorer.exe
Token: SeCreatePagefilePrivilege	2928	explorer.exe
Token: SeShutdownPrivilege	3404	explorer.exe
Token: SeCreatePagefilePrivilege	3404	explorer.exe
Token: SeShutdownPrivilege	3404	explorer.exe
Token: SeCreatePagefilePrivilege	3404	explorer.exe
Token: SeShutdownPrivilege	3404	explorer.exe
Token: SeCreatePagefilePrivilege	3404	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1624	sihost.exe
4580	sihost.exe
1944	sihost.exe
2972	explorer.exe
2972	explorer.exe
2972	explorer.exe
2972	explorer.exe
2972	explorer.exe
2972	explorer.exe
1476	sihost.exe
2972	explorer.exe
1360	explorer.exe
1360	explorer.exe
4824	jF33411EhEdM33411.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
4824	jF33411EhEdM33411.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
3404	explorer.exe
3404	explorer.exe
3404	explorer.exe
3404	explorer.exe
3404	explorer.exe
3404	explorer.exe
3404	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2972	explorer.exe
2972	explorer.exe
2972	explorer.exe
2972	explorer.exe
2972	explorer.exe
2972	explorer.exe
2972	explorer.exe
2972	explorer.exe
2972	explorer.exe
1360	explorer.exe
1360	explorer.exe
4824	jF33411EhEdM33411.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
4824	jF33411EhEdM33411.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
3540	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2632	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
2328	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
832	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3620	OfficeClickToRun.exe
4824	jF33411EhEdM33411.exe
4824	jF33411EhEdM33411.exe
456	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 4824	3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe	102
PID 3188 wrote to memory of 4824	3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe	102
PID 3188 wrote to memory of 4824	3188	8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe	102
PID 2932 wrote to memory of 2972	2932	sihost.exe	118
PID 2932 wrote to memory of 2972	2932	sihost.exe	118

C:\Users\Admin\AppData\Local\Temp\8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 860
  2⤵
  - Program crash
  PID:3276
- C:\ProgramData\jF33411EhEdM33411\jF33411EhEdM33411.exe
  "C:\ProgramData\jF33411EhEdM33411\jF33411EhEdM33411.exe" "C:\Users\Admin\AppData\Local\Temp\8ba453f79ebd16a8905484681918c2f0_JaffaCakes118.exe"
  2⤵
  - Modifies security service
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 852
    3⤵
    - Program crash
    PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3188 -ip 3188
1⤵
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4824 -ip 4824
1⤵
PID:4724

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3620

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:1624

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:4580

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:456

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:1944

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2972

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4492

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:1476

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1360

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3540

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2632

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2328

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:832

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2928

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3404

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:1516

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:3128

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:4784

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:4924

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:3264

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:2464

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:4700

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:3028

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:448

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:1692

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3592

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:4116

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:4292

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:4020

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:732

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:4648

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5088

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3892

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3216

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3324

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2440

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1356

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3644

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1560

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2168

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:448

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5004

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3260

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3040

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4024

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4600

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3172

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:984

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4388

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2368

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2088

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3620

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jF33411EhEdM33411\jF33411EhEdM33411.exe

Filesize
413KB

MD5
a72ad51a649917a08258fbd8e040a7e2

SHA1
cea8be317705a4d72b7770ae43a47b79648a5ca6

SHA256
dbf666e32ed31cac458654b51e3d288ab1c5c03651f1bb2943692e2e2e2a4162

SHA512
52296a13197c7ab4bdbc97722509bb75826ce99de92a20264ecf71a23728d5efcb19dd94e51bfdf62061558810d0a9d5693ecf40e0292c84f1bed9d745aa417a

Download Submit
memory/3188-0-0x0000000002230000-0x0000000002233000-memory.dmp

Filesize
12KB

Download
memory/3188-1-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3188-10-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/3188-19-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4824-21-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4824-22-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4824-28-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4824-35-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4824-36-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4824-37-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download