872c0b1979cc395f2c175b3ce2bbbced14d92d7f4e3862c22476433b7fc61103

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Size

2.2MB
MD5

bcac6a9aabb1aa9be6769c0e96850254
SHA1

c79672cc176aab87c2dd4eff80fc371db5b1a339
SHA256

872c0b1979cc395f2c175b3ce2bbbced14d92d7f4e3862c22476433b7fc61103
SHA512

92ffb5a0ecc960ed59c958d238b8e4b32c59214a62dd7aa2ff7657c75d5c4d425f4352a282575fe5c3850eb8b08ff6af40a5d721eb2762c81f64b69a0175467f
SSDEEP

3072:0RsBiWyDJP1j11BJIcBzeFxFtMuqnBJIF+DbCu/bU+99:QxRJPnJwMu6dXCsQi

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\dnsobjfwc.exe"	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2"	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1"	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup"	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck"	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = 43003a005c00570069006e0064006f00770073005c00730079007300740065006d00330032005c006c007300610063006d0073006c00730061002e006500780065000000	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2"	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS"	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe

Executes dropped EXE 36 IoCs

pid	Process
1748	pooldispfwc.exe
548	smss.exe
4324	smss.exe
3980	smss.exe
3612	smss.exe
3772	smss.exe
2580	smss.exe
1704	smss.exe
4648	smss.exe
2824	smss.exe
3988	smss.exe
2128	smss.exe
1716	smss.exe
2176	smss.exe
3256	smss.exe
2116	smss.exe
2284	smss.exe
3864	smss.exe
4348	smss.exe
3784	smss.exe
3188	smss.exe
1520	smss.exe
5008	smss.exe
376	smss.exe
2056	smss.exe
64	smss.exe
3504	smss.exe
436	smss.exe
3188	smss.exe
3744	smss.exe
5116	smss.exe
2676	smss.exe
3024	smss.exe
2524	smss.exe
3848	smss.exe
4824	smss.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\dnsobjfwc.exe"	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub"	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1"	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\lsacmslsa.exe	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ipnetobj.exe	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dnsobjfwc.exe	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\netdisplsa.ocx	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\objprocobj.exe	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\objprocobj.exe	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmsrassql.exe	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ipnetobj.exe	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dnsobjfwc.exe	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\netdisplsa.ocx	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cmsrassql.exe	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lsacmslsa.exe	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4748	1748	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pooldispfwc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70e7dc0189f5da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 103a4b1489f5da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd0000000002000000000010660000000100002000000026af0c7421c2cbc3ff13a8a0d150de647999ff923e7df6837388613b993e9e1e000000000e80000000020000200000008ce574b23cb1f38e919630da8a4e3fb853ae16e86065776356a4dc03fb04b2ba20000000fc1dd6a8b79c23c3bddc9a0347f560e26444e07035639f2a0691a99d01192e6840000000181a87ad2458ed159fb2ab15af2a8fa0d5e989cfdd08fc3a37a9199f9a87450108b768336d2e49b591b9a5d9e9b6c0b79a135cdd06c8b132092290ab34f61786	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd000000000200000000001066000000010000200000002f4fa2d594fc7331001ba4ea317ba4e9eae15d86f85535a7eb6a418012c6f624000000000e800000000200002000000037e7cdaf6a1b803be89b454bc1cbe47da98860f1929295dbd65da1742a796b6d20000000afe73f00600d0ee48153196523dce05c8f260c4045c0eac646e46f79e215e8a34000000099867a5e9bbb0504312c885bd570d0f8996378ff2dc48a167be807406ade9927fbbacbc1cd0ee2c0f8b8704fc5995abe30303dbc75f1cb7c5e08991edbe82273	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31126920"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4099506763"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4103569124"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0f5ae0f89f5da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1EB2DD6D-617C-11EF-98CC-4E01FFCF908D} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd00000000020000000000106600000001000020000000a7ad7638b823b509de0a2c10946bc94d5fe1626bd52898ad73427c409bcbf38a000000000e8000000002000020000000cf29f265dd0a4335008e8bac9e924485ef95bdbebad5b7d6458015df0dfa392f20000000f25dbf81824be31c614b0aa0d2308e8788a158cf9da13df3343916fa82e0145940000000af8cea93095b5c4ef220ce3ef64ce0e49d4b1f85b5c92da3d7a278a58ccfeb6eeeaad29db2b1fa4088e432fa13618dbe69942e3dbcbb5dfe110084ba76518dfe	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd00000000020000000000106600000001000020000000d831ff9bc0d5bd1d372c7f71906f7e75607b6ac43e1a2d90e80e267e9437790d000000000e80000000020000200000005386381916ddf32a540212b8d14140e82d3a44ebdf49cf2b6ef2899974c4a60f2000000000ad706a98842ec34cf54b5cfca60abb60f97e569163b690c77b33d08d8b90c940000000d26566ca828576d49388ce19f3fcc6c3bcda6563a9290947f9708f72b238a780858d0c5601125a72309fc2bdbe9df12a05fe614c89573708f108c738d59ff56f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4049150b89f5da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431202101"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40f705f488f5da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4103569124"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a014a2f888f5da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0757b0689f5da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd00000000020000000000106600000001000020000000d3bed55fdd85e175dd507da7bbf8af4c369f20836be1d87c694dda3de4c99a83000000000e8000000002000020000000c54fc1c4ae2044d54a85cc95bf22395cd4ee9f158e8ef1fe17901179a2cefb27200000003016ed14de27fa7783676a38f0a19eeab729ad946364c9ebf75dcd23b4f6716240000000aeca5e6f3496bd4fe60391a8befc3aab46ce97c96b1e27b52a21dd62a273d65e4f08699086ec5a308fc93f06dc153db622c12e13eda7cd81ab840487cf98244e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd000000000200000000001066000000010000200000003c48b166aa0e08644faa3c6d92df6bbec20cb9893bf8355a3d278ed1251be45a000000000e8000000002000020000000e431a300a234d23c629ab4af3096194c6a03993ec737bcf66fe0132d282ea18820000000b224323c97efe6f6ab33600d1481f5809fd03e175ada5e8b46475b0c9f87493f400000000a645f8158249a463bcee1faaa36c6d3016cbb51f0575301a24fe5d08a7da75d9f7cc9b2fefe3c5aa6ea98bec6e9444a34f97c8801f35ac65aa455bda7f85060	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00a340fd88f5da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd00000000020000000000106600000001000020000000ea4dc3ccb2365212154434722c54b71bfffbdf8f8adcec06626a865193e38c93000000000e80000000020000200000000524bbd3a54bbeb633618c55bab6e9872b554c5e008134b82cf44ea957465c85200000000b5764349938ff6c122b4d5abecbb7e24d41fad7ba79b42ea4fc7c98ba4d30cb4000000021d1bbe5c22527ed3c064a1460c4480f3578a5a87b92b0cbf507debd1e302a973995f998479f0d5dd511db68415e789eb8f086ad2bc90bd92c120615abe53cad	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4099506763"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31126920"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0d969ef88f5da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7006d0ea88f5da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31126920"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd000000000200000000001066000000010000200000004823a66564f27b5666efa2a8dc34659953cb625fde2e11e5764330c7f4d364a5000000000e800000000200002000000033445ab1e499af28bc0ddc763ee4336d885e9bfa839dcf4ccab503027c8e02d120000000a750198d3bba2d86009b31167136db8583110fae97dbf2b1aefccbbbd26f8ff6400000008620dfdbcb19ec819750df2a455dfc28e0d2d038f0be37cb18f8241660f7de74e39e46b13a606e18ad93c065d9c720ab319a5e5aff70894cc786f2485c67baae	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31126920"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd00000000020000000000106600000001000020000000006a1c13003b9c8eac5027959ab58687ab3533ebc3340d6b2082761e93463a45000000000e8000000002000020000000d21d24fb9c4e64a7418decf3e4366dae3e3ee65e979ca88b09bde8f593d1b2f4200000004901605cef0e121b787f7bcc0779e44221b844855c3004dfccbda32e3d2790c54000000028d3e803ff71e51d0ea1d68935d4d2fe1e9eced6e926c3235e4cbe053868398417e4721728eaae6310496be67752446d35196816147ed34050a4a7e940d98907	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd00000000020000000000106600000001000020000000f06c65eefcbda2d3c5951908a5b9cef7e3a243c1300d3aa060a9b2edff6a119f000000000e80000000020000200000001fa4960b1883661a72b4dcc8d35b0cb400461f97e251060760064120aad9bab920000000078b44bef536dedc615b56e6493b9ac0389e78a1d7759b80c4291da3e7ae7de040000000acac5c4229681a680fad93b002676ec7ec7aeb172f87948f0c932c443da7e9d3759f21f54ea9fe75380ce78a41b72c82899583f0b3e6c10dacfc990043b733c6	iexplore.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1"	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj"	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper"	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment"	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\netdisplsa.ocx"	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe

Runs regedit.exe 1 IoCs

pid	Process
3952	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeBackupPrivilege	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
Token: SeDebugPrivilege	1748	pooldispfwc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2036	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2036	iexplore.exe
2036	iexplore.exe
1464	IEXPLORE.EXE
1464	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1748	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe	90
PID 3044 wrote to memory of 1748	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe	90
PID 3044 wrote to memory of 1748	3044	bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe	90
PID 1748 wrote to memory of 2196	1748	pooldispfwc.exe	91
PID 1748 wrote to memory of 2196	1748	pooldispfwc.exe	91
PID 1748 wrote to memory of 2196	1748	pooldispfwc.exe	91
PID 2196 wrote to memory of 548	2196	cmd.exe	93
PID 2196 wrote to memory of 548	2196	cmd.exe	93
PID 2196 wrote to memory of 548	2196	cmd.exe	93
PID 2196 wrote to memory of 3344	2196	cmd.exe	94
PID 2196 wrote to memory of 3344	2196	cmd.exe	94
PID 2196 wrote to memory of 3344	2196	cmd.exe	94
PID 2196 wrote to memory of 4324	2196	cmd.exe	95
PID 2196 wrote to memory of 4324	2196	cmd.exe	95
PID 2196 wrote to memory of 4324	2196	cmd.exe	95
PID 2196 wrote to memory of 4828	2196	cmd.exe	99
PID 2196 wrote to memory of 4828	2196	cmd.exe	99
PID 2196 wrote to memory of 4828	2196	cmd.exe	99
PID 2196 wrote to memory of 3980	2196	cmd.exe	100
PID 2196 wrote to memory of 3980	2196	cmd.exe	100
PID 2196 wrote to memory of 3980	2196	cmd.exe	100
PID 2196 wrote to memory of 1900	2196	cmd.exe	101
PID 2196 wrote to memory of 1900	2196	cmd.exe	101
PID 2196 wrote to memory of 1900	2196	cmd.exe	101
PID 2196 wrote to memory of 3612	2196	cmd.exe	102
PID 2196 wrote to memory of 3612	2196	cmd.exe	102
PID 2196 wrote to memory of 3612	2196	cmd.exe	102
PID 2196 wrote to memory of 3596	2196	cmd.exe	103
PID 2196 wrote to memory of 3596	2196	cmd.exe	103
PID 2196 wrote to memory of 3596	2196	cmd.exe	103
PID 2196 wrote to memory of 3772	2196	cmd.exe	104
PID 2196 wrote to memory of 3772	2196	cmd.exe	104
PID 2196 wrote to memory of 3772	2196	cmd.exe	104
PID 2196 wrote to memory of 436	2196	cmd.exe	109
PID 2196 wrote to memory of 436	2196	cmd.exe	109
PID 2196 wrote to memory of 436	2196	cmd.exe	109
PID 2196 wrote to memory of 2580	2196	cmd.exe	110
PID 2196 wrote to memory of 2580	2196	cmd.exe	110
PID 2196 wrote to memory of 2580	2196	cmd.exe	110
PID 2196 wrote to memory of 3108	2196	cmd.exe	115
PID 2196 wrote to memory of 3108	2196	cmd.exe	115
PID 2196 wrote to memory of 3108	2196	cmd.exe	115
PID 2196 wrote to memory of 1704	2196	cmd.exe	116
PID 2196 wrote to memory of 1704	2196	cmd.exe	116
PID 2196 wrote to memory of 1704	2196	cmd.exe	116
PID 1748 wrote to memory of 3952	1748	pooldispfwc.exe	117
PID 1748 wrote to memory of 3952	1748	pooldispfwc.exe	117
PID 1748 wrote to memory of 3952	1748	pooldispfwc.exe	117
PID 2036 wrote to memory of 1464	2036	iexplore.exe	120
PID 2036 wrote to memory of 1464	2036	iexplore.exe	120
PID 2036 wrote to memory of 1464	2036	iexplore.exe	120
PID 2196 wrote to memory of 4952	2196	cmd.exe	122
PID 2196 wrote to memory of 4952	2196	cmd.exe	122
PID 2196 wrote to memory of 4952	2196	cmd.exe	122
PID 2196 wrote to memory of 4648	2196	cmd.exe	123
PID 2196 wrote to memory of 4648	2196	cmd.exe	123
PID 2196 wrote to memory of 4648	2196	cmd.exe	123
PID 2196 wrote to memory of 3992	2196	cmd.exe	124
PID 2196 wrote to memory of 3992	2196	cmd.exe	124
PID 2196 wrote to memory of 3992	2196	cmd.exe	124
PID 2196 wrote to memory of 2824	2196	cmd.exe	125
PID 2196 wrote to memory of 2824	2196	cmd.exe	125
PID 2196 wrote to memory of 2824	2196	cmd.exe	125
PID 2196 wrote to memory of 224	2196	cmd.exe	126

Views/modifies file attributes 1 TTPs 34 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
224	attrib.exe
4800	attrib.exe
2056	attrib.exe
3108	attrib.exe
2524	attrib.exe
2892	attrib.exe
4212	attrib.exe
3880	attrib.exe
212	attrib.exe
5116	attrib.exe
2940	attrib.exe
1416	attrib.exe
3108	attrib.exe
4828	attrib.exe
4952	attrib.exe
4036	attrib.exe
844	attrib.exe
4628	attrib.exe
4720	attrib.exe
5008	attrib.exe
3344	attrib.exe
3488	attrib.exe
2612	attrib.exe
3472	attrib.exe
3716	attrib.exe
2700	attrib.exe
1444	attrib.exe
1900	attrib.exe
436	attrib.exe
3992	attrib.exe
2032	attrib.exe
4108	attrib.exe
556	attrib.exe
3596	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bcac6a9aabb1aa9be6769c0e96850254_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\pooldispfwc.exe
  "C:\Users\Admin\AppData\Local\Temp\pooldispfwc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:548
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3344
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4324
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4828
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3980
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3612
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3596
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3772
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:436
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2580
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3108
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1704
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4952
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4648
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3992
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2824
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:224
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3988
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2128
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1716
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4036
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2176
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3108
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3256
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4108
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2116
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2284
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:844
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:4628
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:4348
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3880
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3784
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:212
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3188
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4212
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1520
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:5008
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:376
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2056
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:64
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1416
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3504
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:436
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3188
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3744
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5116
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3716
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2676
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3024
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2524
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:556
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3848
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\POOLDI~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:4824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 588
    3⤵
    - Program crash
    PID:4748
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Runs regedit.exe
    PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1748 -ip 1748
1⤵
PID:2824

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2248

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
51b8a3b656b2e2648697377e4a37451e

SHA1
a4c50b25c438ad48e5a0d0e86dfa44b5fba9157f

SHA256
cf22e82d8e21802d49eb45ec62d1b889277a149289630f3afe77315093830582

SHA512
097a3424ea3faa1833ec36d218bccccb66bb2aecfd813696c29fcb4f929814a1bd3c3434b8875ca4383de701a1634c3041d41c751473e6a01e29038592e0c3ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver8865.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6809OHQ0\dnserror[1]

Filesize
2KB

MD5
2dc61eb461da1436f5d22bce51425660

SHA1
e1b79bcab0f073868079d807faec669596dc46c1

SHA256
acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993

SHA512
a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8M42AOWL\NewErrorPageTemplate[1]

Filesize
1KB

MD5
dfeabde84792228093a5a270352395b6

SHA1
e41258c9576721025926326f76063c2305586f76

SHA256
77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

SHA512
e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8M42AOWL\errorPageStrings[1]

Filesize
4KB

MD5
d65ec06f21c379c87040b83cc1abac6b

SHA1
208d0a0bb775661758394be7e4afb18357e46c8b

SHA256
a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

SHA512
8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8M42AOWL\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKVWVXN7\down[1]

Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKVWVXN7\httpErrorPagesScripts[1]

Filesize
11KB

MD5
9234071287e637f85d721463c488704c

SHA1
cca09b1e0fba38ba29d3972ed8dcecefdef8c152

SHA256
65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

SHA512
87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd

Filesize
168B

MD5
e7efc2c945a798b4dab3fe50f1524592

SHA1
0bb937ccd89e40c91c0e58b376873ef909fe805b

SHA256
624acac79fdcfe30592f5321b4ab73d360f393dbcdbe8daa50fcce63c710f5dc

SHA512
e75840979404587aa15fd4d1e46707c33e32dca086ca72c7666045e14191e29857d06dc8ba737e69925c71b2e2d6a5ee3b63c36ecd2f32ae515f85a985d8f257

Download Submit
C:\Users\Admin\AppData\Local\Temp\bot.log

Filesize
2KB

MD5
d844e9e39609a10f79199730bc4a504d

SHA1
9c6afccdf281340f38b4f087371b390d2f06ef0e

SHA256
d49c44d557ac03de2a6cf96dcf627021eb4a3193922db361bf1a99b6dda71a38

SHA512
a23853a5c0fe4c5614a1fc2f8aa78ea8fc87eb3fadeebbe97287d1986a59b4b611de83bdb2bd37fb0b7958a18f70be288a574812a7492174ff950044590b28ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\bot.log

Filesize
4KB

MD5
3b9bbac759715085ecf82a8ac75f2846

SHA1
1f496b308f742b103eb8f3eeaf88961d9fda8b86

SHA256
1a902bb56ed6756031a2f1da1893947584fd4b4284641bf45632e960050286aa

SHA512
410de51dd669d836bb545d156f5ca3f2971ef204f33fe6810d2567d81fd2213cf8eef9a8cc82c0a79855ada418611b952470063e13e82286e80bc599f5de7623

Download Submit
C:\Users\Admin\AppData\Local\Temp\pooldispfwc.exe

Filesize
104KB

MD5
bf839cb54473c333b2c151ad627eb39f

SHA1
34af1909ec77d2c3878724234b9b1e3141c91409

SHA256
d9cfcd9e64cdd0a4beba9da2b1cfdf7b5af9480bc19d6fdf95ec5b1f07fceb1d

SHA512
23cb63162d3f8acc4db70e1ecb36b80748caaaa9993ee2c48141fd458d75ffb1866e7b6ca6218da2a77bd9fcb8eed3b893a705012960da233b080c55dc3d8c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\smss.exe

Filesize
18KB

MD5
b3624dd758ccecf93a1226cef252ca12

SHA1
fcf4dad8c4ad101504b1bf47cbbddbac36b558a7

SHA256
4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef

SHA512
c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838

Download Submit
C:\Users\Admin\AppData\Local\Temp\win5.tmp

Filesize
240B

MD5
ee926df00618b73a370f2dbcbe19ebeb

SHA1
eb775efca19c657d4cc02d21190db4f522ae750d

SHA256
6aa561c0cd6879efa55a085e9020c4827f4e51e8b44902e72b908d06bb454c32

SHA512
6b4d1f2d897b6876755d1a6370f849d1241bbb9d462a5347b0b157bb4b7efe80c0d171e14e0277bd72dfbcdf31cdc055e500341a6e0c444513cb47cddecaaf54

Download Submit
C:\Windows\SysWOW64\netdisplsa.ocx

Filesize
4KB

MD5
3adea70969f52d365c119b3d25619de9

SHA1
d303a6ddd63ce993a8432f4daab5132732748843

SHA256
c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665

SHA512
c4d836fcbdab4c859a6fc0f849d1e41e98c7e23fc0fe0fe0a09cb68e9a57d60b2ae9ad46762d7a5e05db28d6179bd431ef179ee1f9ff016db74cc3b1d74ed7f8

Download Submit
C:\Windows\SysWOW64\objprocobj.exe

Filesize
2.3MB

MD5
c3d1895c9795a5a6e778bb78ab248f9e

SHA1
22cc5726cb25e1cbb55f2aad39a2c8166d556959

SHA256
2f56045501c2f35474f24160bf1fafe275148263d81d2fbffd46d6648eddad82

SHA512
3d2ad420db519d99eff79fcbe4eab10a2cf8dec6826a63b4f023e031ce4648b48358fc6406b20f23531def201d3b577eb6fa83a0cafb79ec2d39960d5e26797a

Download Submit
memory/3044-260-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3044-241-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3044-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download