Analysis
-
max time kernel
60s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
20/08/2024, 02:42
Static task
static1
Behavioral task
behavioral1
Sample
ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe
Resource
win7-20240705-en
General
-
Target
ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe
-
Size
171KB
-
MD5
ad95d1d7aa0dd86d915cb3bfe13aff69
-
SHA1
da87234fb0a568f3c4cb956fcad614a4db3dda0f
-
SHA256
432cc2ae26082f2fc2d96c1a981ac5c2402191432124e0fe12a9d89cf75881f4
-
SHA512
ef93a4b89b756dc89b7f5cc3f12e5eda4a32625851d93822eef5e355ea7199cdce6aaf043e16e48dc8e4cbe96eda04f4ce6c01862bd239a8310d4978b14cbf33
-
SSDEEP
3072:kQ47gL3eTh4KvJ9Lbcra1BJPDgWrIH3E1SQYDeLHb/an3RzzanSyVmnkmc/GeI:kQ47g7eio1bcra1B5rxSFDQU3RzzfcY
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Detect XtremeRAT payload 7 IoCs
resource yara_rule behavioral1/memory/2316-10-0x0000000000C80000-0x0000000000CA8000-memory.dmp family_xtremerat behavioral1/memory/2316-48-0x0000000000C80000-0x0000000000CA8000-memory.dmp family_xtremerat behavioral1/memory/2316-69-0x0000000000C80000-0x0000000000CA8000-memory.dmp family_xtremerat behavioral1/memory/1644-86-0x0000000000C80000-0x0000000000CA8000-memory.dmp family_xtremerat behavioral1/memory/1644-90-0x0000000000C80000-0x0000000000CA8000-memory.dmp family_xtremerat behavioral1/memory/1644-135-0x0000000000C80000-0x0000000000CA8000-memory.dmp family_xtremerat behavioral1/memory/1644-133-0x0000000000C80000-0x0000000000CA8000-memory.dmp family_xtremerat -
Modifies firewall policy service 3 TTPs 33 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" win23.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" win23.exe -
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\win23.exe restart" win23.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} win23.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} win23.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\win23.exe restart" win23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\win23.exe restart" win23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\win23.exe restart" win23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\win23.exe restart" win23.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} win23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\win23.exe restart" win23.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} win23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\win23.exe restart" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} win23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\win23.exe restart" win23.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} win23.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} win23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\win23.exe restart" win23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\win23.exe restart" win23.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} win23.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} win23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\win23.exe restart" win23.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} win23.exe -
Disables RegEdit via registry modification 11 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" win23.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" win23.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" win23.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" win23.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" win23.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" win23.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" win23.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" win23.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" win23.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" win23.exe -
Disables Task Manager via registry modification
-
Deletes itself 1 IoCs
pid Process 1644 win23.exe -
Executes dropped EXE 20 IoCs
pid Process 1888 win23.exe 1644 win23.exe 2224 win23.exe 2244 win23.exe 1680 win23.exe 2332 win23.exe 1156 win23.exe 2712 win23.exe 2484 win23.exe 868 win23.exe 3044 win23.exe 2704 win23.exe 592 win23.exe 2604 win23.exe 1620 win23.exe 3012 win23.exe 1756 win23.exe 904 win23.exe 2924 win23.exe 1896 win23.exe -
Loads dropped DLL 3 IoCs
pid Process 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 1888 win23.exe -
resource yara_rule behavioral1/memory/2316-6-0x0000000000C80000-0x0000000000CA8000-memory.dmp upx behavioral1/memory/2316-8-0x0000000000C80000-0x0000000000CA8000-memory.dmp upx behavioral1/memory/2316-5-0x0000000000C80000-0x0000000000CA8000-memory.dmp upx behavioral1/memory/2316-3-0x0000000000C80000-0x0000000000CA8000-memory.dmp upx behavioral1/memory/2316-10-0x0000000000C80000-0x0000000000CA8000-memory.dmp upx behavioral1/memory/2316-9-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/2316-12-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/2316-34-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/2316-16-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/2316-15-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/2316-32-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/2316-13-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/2316-33-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/2316-14-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/2316-41-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/2316-40-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/2316-42-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/2316-43-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/2316-44-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/2316-48-0x0000000000C80000-0x0000000000CA8000-memory.dmp upx behavioral1/memory/2316-69-0x0000000000C80000-0x0000000000CA8000-memory.dmp upx behavioral1/memory/1644-86-0x0000000000C80000-0x0000000000CA8000-memory.dmp upx behavioral1/memory/1644-90-0x0000000000C80000-0x0000000000CA8000-memory.dmp upx behavioral1/memory/1644-92-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/1644-85-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/1644-91-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/1644-88-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/1644-84-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/1644-135-0x0000000000C80000-0x0000000000CA8000-memory.dmp upx behavioral1/memory/1644-134-0x00000000020B0000-0x000000000313E000-memory.dmp upx behavioral1/memory/1644-133-0x0000000000C80000-0x0000000000CA8000-memory.dmp upx -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" win23.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" win23.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" win23.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" win23.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" win23.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" win23.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" win23.exe -
Adds Run key to start application 2 TTPs 22 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\win23.exe" win23.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\win23.exe" win23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\win23.exe" win23.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\win23.exe" win23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\win23.exe" win23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\win23.exe" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\win23.exe" win23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\win23.exe" win23.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\win23.exe" win23.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\win23.exe" win23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\win23.exe" win23.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\win23.exe" win23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\win23.exe" win23.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\win23.exe" win23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\win23.exe" win23.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\win23.exe" win23.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\win23.exe" win23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\win23.exe" win23.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\win23.exe" win23.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\win23.exe" win23.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\win23.exe" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\win23.exe" win23.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe -
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: win23.exe File opened (read-only) \??\E: win23.exe File opened (read-only) \??\E: win23.exe File opened (read-only) \??\E: win23.exe File opened (read-only) \??\E: win23.exe File opened (read-only) \??\E: win23.exe File opened (read-only) \??\E: win23.exe File opened (read-only) \??\E: win23.exe File opened (read-only) \??\E: win23.exe File opened (read-only) \??\E: win23.exe -
Suspicious use of SetThreadContext 22 IoCs
description pid Process procid_target PID 2632 set thread context of 2316 2632 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 30 PID 2632 set thread context of 0 2632 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe PID 1888 set thread context of 1644 1888 win23.exe 40 PID 1888 set thread context of 0 1888 win23.exe PID 2224 set thread context of 2244 2224 win23.exe 50 PID 2224 set thread context of 0 2224 win23.exe PID 1680 set thread context of 2332 1680 win23.exe 60 PID 1680 set thread context of 0 1680 win23.exe PID 1156 set thread context of 2712 1156 win23.exe 71 PID 1156 set thread context of 0 1156 win23.exe PID 2484 set thread context of 868 2484 win23.exe 81 PID 2484 set thread context of 0 2484 win23.exe PID 3044 set thread context of 2704 3044 win23.exe 91 PID 3044 set thread context of 0 3044 win23.exe PID 592 set thread context of 2604 592 win23.exe 184 PID 592 set thread context of 0 592 win23.exe PID 1620 set thread context of 3012 1620 win23.exe 111 PID 1620 set thread context of 0 1620 win23.exe PID 1756 set thread context of 904 1756 win23.exe 237 PID 1756 set thread context of 0 1756 win23.exe PID 2924 set thread context of 1896 2924 win23.exe 156 PID 2924 set thread context of 0 2924 win23.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\InstallDir\win23.exe ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe File opened for modification C:\Windows\SYSTEM.INI ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe File opened for modification C:\Windows\InstallDir\win23.exe ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language win23.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 1644 win23.exe 2244 win23.exe 2332 win23.exe 2712 win23.exe 868 win23.exe 2704 win23.exe 2604 win23.exe 3012 win23.exe 904 win23.exe 1896 win23.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 1644 win23.exe Token: SeDebugPrivilege 2244 win23.exe Token: SeDebugPrivilege 2244 win23.exe Token: SeDebugPrivilege 2244 win23.exe Token: SeDebugPrivilege 2244 win23.exe Token: SeDebugPrivilege 2244 win23.exe Token: SeDebugPrivilege 2244 win23.exe Token: SeDebugPrivilege 2244 win23.exe Token: SeDebugPrivilege 2244 win23.exe Token: SeDebugPrivilege 2244 win23.exe Token: SeDebugPrivilege 2244 win23.exe Token: SeDebugPrivilege 2244 win23.exe Token: SeDebugPrivilege 2244 win23.exe Token: SeDebugPrivilege 2244 win23.exe Token: SeDebugPrivilege 2244 win23.exe Token: SeDebugPrivilege 2244 win23.exe Token: SeDebugPrivilege 2244 win23.exe Token: SeDebugPrivilege 2244 win23.exe Token: SeDebugPrivilege 2244 win23.exe Token: SeDebugPrivilege 2244 win23.exe Token: SeDebugPrivilege 2244 win23.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process 2632 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 1888 win23.exe 2224 win23.exe 1680 win23.exe 1156 win23.exe 2484 win23.exe 3044 win23.exe 592 win23.exe 1620 win23.exe 1756 win23.exe 2924 win23.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2632 wrote to memory of 2316 2632 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 30 PID 2632 wrote to memory of 2316 2632 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 30 PID 2632 wrote to memory of 2316 2632 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 30 PID 2632 wrote to memory of 2316 2632 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 30 PID 2632 wrote to memory of 2316 2632 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 30 PID 2632 wrote to memory of 2316 2632 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 30 PID 2632 wrote to memory of 2316 2632 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 30 PID 2632 wrote to memory of 2316 2632 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 30 PID 2632 wrote to memory of 2316 2632 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 30 PID 2632 wrote to memory of 0 2632 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe PID 2632 wrote to memory of 0 2632 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe PID 2632 wrote to memory of 0 2632 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe PID 2632 wrote to memory of 0 2632 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe PID 2632 wrote to memory of 0 2632 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe PID 2316 wrote to memory of 1124 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 19 PID 2316 wrote to memory of 1180 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 20 PID 2316 wrote to memory of 1232 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 21 PID 2316 wrote to memory of 1668 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 25 PID 2316 wrote to memory of 2632 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 29 PID 2316 wrote to memory of 604 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 31 PID 2316 wrote to memory of 604 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 31 PID 2316 wrote to memory of 604 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 31 PID 2316 wrote to memory of 604 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 31 PID 2316 wrote to memory of 604 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 31 PID 2316 wrote to memory of 600 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 32 PID 2316 wrote to memory of 600 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 32 PID 2316 wrote to memory of 600 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 32 PID 2316 wrote to memory of 600 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 32 PID 2316 wrote to memory of 600 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 32 PID 2316 wrote to memory of 784 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 33 PID 2316 wrote to memory of 784 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 33 PID 2316 wrote to memory of 784 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 33 PID 2316 wrote to memory of 784 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 33 PID 2316 wrote to memory of 784 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 33 PID 2316 wrote to memory of 828 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 34 PID 2316 wrote to memory of 828 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 34 PID 2316 wrote to memory of 828 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 34 PID 2316 wrote to memory of 828 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 34 PID 2316 wrote to memory of 828 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 34 PID 2316 wrote to memory of 928 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 35 PID 2316 wrote to memory of 928 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 35 PID 2316 wrote to memory of 928 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 35 PID 2316 wrote to memory of 928 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 35 PID 2316 wrote to memory of 928 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 35 PID 2316 wrote to memory of 1516 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 36 PID 2316 wrote to memory of 1516 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 36 PID 2316 wrote to memory of 1516 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 36 PID 2316 wrote to memory of 1516 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 36 PID 2316 wrote to memory of 1516 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 36 PID 2316 wrote to memory of 1532 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 37 PID 2316 wrote to memory of 1532 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 37 PID 2316 wrote to memory of 1532 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 37 PID 2316 wrote to memory of 1532 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 37 PID 2316 wrote to memory of 1532 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 37 PID 2316 wrote to memory of 2612 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 38 PID 2316 wrote to memory of 2612 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 38 PID 2316 wrote to memory of 2612 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 38 PID 2316 wrote to memory of 2612 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 38 PID 2316 wrote to memory of 1888 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 39 PID 2316 wrote to memory of 1888 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 39 PID 2316 wrote to memory of 1888 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 39 PID 2316 wrote to memory of 1888 2316 ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe 39 PID 1888 wrote to memory of 1644 1888 win23.exe 40 PID 1888 wrote to memory of 1644 1888 win23.exe 40 -
System policy modification 1 TTPs 11 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" win23.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1124
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1180
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1232
-
C:\Users\Admin\AppData\Local\Temp\ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Users\Admin\AppData\Local\Temp\ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ad95d1d7aa0dd86d915cb3bfe13aff69_JaffaCakes118.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Boot or Logon Autostart Execution: Active Setup
- Disables RegEdit via registry modification
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2316 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:604
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:600
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:784
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:828
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:928
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:1516
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:1532
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:2612
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"5⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Boot or Logon Autostart Execution: Active Setup
- Disables RegEdit via registry modification
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1644 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1892
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1956
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1212
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1244
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1252
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2252
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2384
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2500
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2224 -
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"7⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Boot or Logon Autostart Execution: Active Setup
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2244 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:340
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2128
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1788
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1564
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1776
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2312
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:916
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:648
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1680 -
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"9⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Boot or Logon Autostart Execution: Active Setup
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:2332 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2956
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:1744
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2336
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2992
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2624
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2696
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2648
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2516
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1156 -
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"11⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Boot or Logon Autostart Execution: Active Setup
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:2712 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:2936
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:2148
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:1276
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:2380
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:2468
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:2392
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:2220
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:2828
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2484 -
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"13⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Boot or Logon Autostart Execution: Active Setup
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:868 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:3048
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:964
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:1172
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:1248
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:1416
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:1904
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:2088
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"14⤵PID:848
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"14⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3044 -
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"15⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Boot or Logon Autostart Execution: Active Setup
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:2704 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:2544
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:2868
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:2876
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:2620
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:2668
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:2788
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:2796
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"16⤵PID:1676
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"16⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:592 -
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"17⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Boot or Logon Autostart Execution: Active Setup
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:2604 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:684
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:2916
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:2136
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:2132
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:672
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:1852
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:2492
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"18⤵PID:3056
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1620 -
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"19⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Boot or Logon Autostart Execution: Active Setup
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:3012 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:1604
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:2708
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:1412
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:704
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:1808
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:2352
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:2888
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"20⤵PID:1072
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"20⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1756 -
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"21⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Boot or Logon Autostart Execution: Active Setup
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:904 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:468
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:2144
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:2676
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:2760
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:2064
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:2212
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:2720
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"22⤵PID:2960
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"22⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2924 -
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"23⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Boot or Logon Autostart Execution: Active Setup
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1896 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:2420
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:1648
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:1164
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:1732
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:1988
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:1840
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:1964
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"24⤵PID:1544
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"24⤵PID:1704
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"25⤵PID:1740
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"26⤵PID:2464
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"26⤵PID:3028
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"26⤵PID:2724
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"26⤵PID:1832
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"26⤵PID:1468
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"26⤵PID:576
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"26⤵PID:2652
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"26⤵PID:1932
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"26⤵PID:1636
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"27⤵PID:2800
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"28⤵PID:1728
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"28⤵PID:2924
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"28⤵PID:2520
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"28⤵PID:1200
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"28⤵PID:1896
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"28⤵PID:892
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"28⤵PID:1540
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"28⤵PID:2644
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"28⤵PID:3004
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"29⤵PID:700
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"30⤵PID:2256
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"30⤵PID:2264
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"30⤵PID:1888
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"30⤵PID:1620
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"30⤵PID:1424
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"30⤵PID:2276
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"30⤵PID:2772
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"30⤵PID:2524
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"30⤵PID:1120
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"31⤵PID:1036
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"32⤵PID:1716
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"32⤵PID:2740
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"32⤵PID:2584
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"32⤵PID:2984
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"32⤵PID:1156
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"32⤵PID:2864
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"32⤵PID:2552
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"32⤵PID:2292
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"32⤵PID:560
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"33⤵PID:2904
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"34⤵PID:1900
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"34⤵PID:3000
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"34⤵PID:2604
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"34⤵PID:280
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"34⤵PID:2116
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"34⤵PID:2572
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"34⤵PID:1140
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"34⤵PID:1012
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"34⤵PID:2940
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"35⤵PID:2892
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"36⤵PID:2216
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"36⤵PID:2304
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"36⤵PID:2040
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"36⤵PID:3032
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"36⤵PID:492
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"36⤵PID:2412
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"36⤵PID:536
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"36⤵PID:2660
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"36⤵PID:1756
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"37⤵PID:2904
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"38⤵PID:2920
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"38⤵PID:936
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"38⤵PID:1152
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"38⤵PID:2248
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"38⤵PID:560
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"38⤵PID:1816
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"38⤵PID:2900
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"38⤵PID:2104
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"38⤵PID:2656
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"39⤵PID:1480
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"40⤵PID:1048
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"40⤵PID:2472
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"40⤵PID:328
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"40⤵PID:2548
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"40⤵PID:2488
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"40⤵PID:2800
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"40⤵PID:1756
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"40⤵PID:2768
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"40⤵PID:2188
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"41⤵PID:1616
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"42⤵PID:2852
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"42⤵PID:3060
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"42⤵PID:2180
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"42⤵PID:2656
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"42⤵PID:2016
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"42⤵PID:1804
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"42⤵PID:2932
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"42⤵PID:2904
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"42⤵PID:1336
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"43⤵PID:868
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"44⤵PID:2072
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"44⤵PID:2000
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"44⤵PID:1336
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"44⤵PID:2260
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"44⤵PID:2732
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"44⤵PID:904
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"44⤵PID:1980
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"44⤵PID:2188
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"44⤵PID:1688
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"45⤵PID:2284
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"46⤵PID:1480
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"46⤵PID:3024
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"46⤵PID:1556
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"46⤵PID:2816
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"46⤵PID:1772
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"46⤵PID:2280
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"46⤵PID:2736
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"46⤵PID:1020
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"46⤵PID:960
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"47⤵PID:3096
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"48⤵PID:3296
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"48⤵PID:3312
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"48⤵PID:3340
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"48⤵PID:3348
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"48⤵PID:3368
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"48⤵PID:3388
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"48⤵PID:3400
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"48⤵PID:3416
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"48⤵PID:3424
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"49⤵PID:3508
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"50⤵PID:3744
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"50⤵PID:3764
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"50⤵PID:3788
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"50⤵PID:3808
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"50⤵PID:3820
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"50⤵PID:3844
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"50⤵PID:3852
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"50⤵PID:3876
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"50⤵PID:3884
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"51⤵PID:3968
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"52⤵PID:1168
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"52⤵PID:2596
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"52⤵PID:3120
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"52⤵PID:884
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"52⤵PID:1100
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"52⤵PID:1740
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"52⤵PID:3084
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"52⤵PID:3036
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"52⤵PID:2556
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"53⤵PID:3248
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"54⤵PID:3452
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"54⤵PID:3468
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"54⤵PID:3560
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"54⤵PID:3548
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"54⤵PID:3596
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"54⤵PID:3620
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"54⤵PID:3628
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"54⤵PID:3660
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"54⤵PID:3672
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"55⤵PID:3864
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"56⤵PID:1036
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"56⤵PID:2892
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"56⤵PID:4052
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"56⤵PID:4068
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"56⤵PID:4080
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"56⤵PID:3872
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"56⤵PID:628
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"56⤵PID:1428
-
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"56⤵PID:3132
-
C:\Windows\InstallDir\win23.exe"C:\Windows\InstallDir\win23.exe"57⤵PID:3088
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"58⤵PID:3500
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"58⤵PID:3244
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"58⤵PID:3456
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"58⤵PID:3428
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"58⤵PID:3712
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"58⤵PID:3476
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"58⤵PID:3124
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1668
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b43e8c8fd8e3648a290097f4bca6a58b
SHA19c919be562a14a6bf66c934172040563dc1d8ac8
SHA256ed30ef88c6c97969557f4e0a88e12c6087365635e117380b75893c7513de9acb
SHA512a86c680eefd61b9fdcbf38d07d02901268957853910700280cb03eb6c107dc3a0fa1fcb6d7031e6e2a79ac331c70943fe7e8135b6d39d2be4cc0849374a3a2a3
-
Filesize
257B
MD5fa9336fd2989f8fc50f3506af67b7ba3
SHA1509728c36d354ad8391583e4c625febac4c8fa63
SHA256832e28e064d2d1cdde9fcd2a071d03110f02169ba81a93bfc9f09dfa954c7e2b
SHA51223843562a9ec35e68798683de282177a68611fd7263360694826550f84bfd385e536d338b7f33c37a70745256f1d61a3343fdca576fae3691a7c6e2bc186f032
-
Filesize
171KB
MD5ad95d1d7aa0dd86d915cb3bfe13aff69
SHA1da87234fb0a568f3c4cb956fcad614a4db3dda0f
SHA256432cc2ae26082f2fc2d96c1a981ac5c2402191432124e0fe12a9d89cf75881f4
SHA512ef93a4b89b756dc89b7f5cc3f12e5eda4a32625851d93822eef5e355ea7199cdce6aaf043e16e48dc8e4cbe96eda04f4ce6c01862bd239a8310d4978b14cbf33