Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 25/08/2024, 09:51
Static task: static1
Behavioral task: behavioral1
Sample: c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Size: 1.5MB
MD5: c07a58218ce9fe1f80bc6da7940d520d
SHA1: 279407aebe4756b53cb166d0e2ff9ad2d7745e1f
SHA256: 115aa826395b6da44910d052c62907328c8d54f0bce306d5669f42364694a67e
SHA512: 2da6e69b801da12998574dee313e2c7101fe4c2da4fb1c96c8f0c43e0b6740f3ecb211d99f9cf4112333479c2ba65a42dfe8e9c1ee78d804d055e06443e06e7c
SSDEEP: 3072:0RsBiWyDJP1j11BJIcBzeFxFtMuqnBJIF+DbCu/bU+99:QxRJPnJwMu6dXCsQi
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\cmsprocsrv.exe" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = 43003a005c00570069006e0064006f00770073005c00730079007300740065006d00330032005c0063006d007300640069007300700063006d0073002e006500780065000000 | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95} | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
The IconsBinary value above is a UTF-16LE string that decodes to C:\Windows\system32\cmsdispcms.exe, one of the executables the sample drops into SysWOW64 (see "Drops file in System32 directory" below).
Executes dropped EXE (36 IoCs)
pid | Process
1088 | monmscms.exe
1040 | smss.exe
4332 | smss.exe
800 | smss.exe
2056 | smss.exe
2256 | smss.exe
224 | smss.exe
4356 | smss.exe
2644 | smss.exe
868 | smss.exe
832 | smss.exe
4876 | smss.exe
4996 | smss.exe
544 | smss.exe
1196 | smss.exe
4792 | smss.exe
2196 | smss.exe
4856 | smss.exe
4340 | smss.exe
3652 | smss.exe
1556 | smss.exe
4132 | smss.exe
2012 | smss.exe
2836 | smss.exe
4288 | smss.exe
3392 | smss.exe
4496 | smss.exe
1376 | smss.exe
1228 | smss.exe
2624 | smss.exe
4288 | smss.exe
1004 | smss.exe
856 | smss.exe
2288 | smss.exe
3428 | smss.exe
3044 | smss.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\cmsprocsrv.exe" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\cmsprocsrv.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\cmsdispcms.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\cmsdispcms.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\pdbprocsvc.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\pptpsvcdns.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\pptpsvcdns.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\cmsprocsrv.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\monnetproc.ocx | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\monnetproc.ocx | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\hostpoolras.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\hostpoolras.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\pdbprocsvc.exe | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
2152 | 1088 | WerFault.exe | 97
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ielowutil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | monmscms.exe
Modifies registry class (9 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32 | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\monnetproc.ocx" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj" | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Runs regedit.exe (1 IoC)
pid | Process
2196 | regedit.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3800 | c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 49 IoCs
description pid Process
Token: SeDebugPrivilege 3800 c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
Token: SeBackupPrivilege 3800 c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe (47 identical entries)
Token: SeDebugPrivilege 1088 monmscms.exe
(SeDebugPrivilege allows opening other processes regardless of their ACLs; SeBackupPrivilege allows reading files and registry hives regardless of their ACLs. The signature records the AdjustTokenPrivileges call, not whether it succeeded.)
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2144 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2144 iexplore.exe 2144 iexplore.exe 2460 IEXPLORE.EXE 2460 IEXPLORE.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
(Each parent/child pair appears three times in the raw list, one entry per write event; collapsed here to one line per pair with the event count. procid_target is the sandbox's own process index, not a PID.)
PID 3800 c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe wrote to memory of 1088 (procid_target 97): 3 events
PID 1088 monmscms.exe wrote to memory of 4424 (procid_target 101): 3 events
PID 4424 cmd.exe wrote to memory of 1040 (procid_target 103): 3 events
PID 4424 cmd.exe wrote to memory of 1100 (procid_target 105): 3 events
PID 4424 cmd.exe wrote to memory of 4332 (procid_target 106): 3 events
PID 4424 cmd.exe wrote to memory of 3076 (procid_target 112): 3 events
PID 4424 cmd.exe wrote to memory of 800 (procid_target 113): 3 events
PID 4424 cmd.exe wrote to memory of 2972 (procid_target 114): 3 events
PID 4424 cmd.exe wrote to memory of 2056 (procid_target 115): 3 events
PID 4424 cmd.exe wrote to memory of 512 (procid_target 116): 3 events
PID 4424 cmd.exe wrote to memory of 2256 (procid_target 117): 3 events
PID 4424 cmd.exe wrote to memory of 3436 (procid_target 118): 3 events
PID 4424 cmd.exe wrote to memory of 224 (procid_target 119): 3 events
PID 4424 cmd.exe wrote to memory of 3328 (procid_target 121): 3 events
PID 4424 cmd.exe wrote to memory of 4356 (procid_target 122): 3 events
PID 1088 monmscms.exe wrote to memory of 2196 (procid_target 123): 3 events
PID 2144 iexplore.exe wrote to memory of 2460 (procid_target 126): 3 events
PID 4424 cmd.exe wrote to memory of 2096 (procid_target 129): 3 events
PID 4424 cmd.exe wrote to memory of 2644 (procid_target 130): 3 events
PID 4424 cmd.exe wrote to memory of 636 (procid_target 131): 3 events
PID 4424 cmd.exe wrote to memory of 868 (procid_target 132): 3 events
PID 4424 cmd.exe wrote to memory of 2676 (procid_target 133): 1 event (the list is capped at 64 IoCs)
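The "wrote to memory of" records are easier to reason about as a parent/child graph than as a flat list. The helper below is an added example for this page, not part of the sandbox output: it parses records in that layout into unique parent/child edges with their event counts and prints the resulting tree. SAMPLE is a constructed excerpt that copies six of the pairs from the list above; the regex, the field names and the function names are assumptions about the layout, not anything the sandbox documents. Note that the three identical events per child occur for every pair here, including cmd.exe launching attrib.exe, which is the normal write pattern of a parent creating a child process; on its own this signature is not evidence of injection. What it does expose is the chain: the sample writes to monmscms.exe, which writes to cmd.exe, which drives the smss/attrib loop, while the iexplore.exe pair is a separate branch.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the report's "wrote to memory of" records, in the same
# flattened layout as the sandbox output (the page's full list has 64 entries).
SAMPLE = (
    "PID 3800 wrote to memory of 1088 3800 c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe 97 " * 3
    + "PID 1088 wrote to memory of 4424 1088 monmscms.exe 101 " * 3
    + "PID 4424 wrote to memory of 1040 4424 cmd.exe 103 " * 3
    + "PID 4424 wrote to memory of 1100 4424 cmd.exe 105 " * 3
    + "PID 1088 wrote to memory of 2196 1088 monmscms.exe 123 " * 3
    + "PID 2144 wrote to memory of 2460 2144 iexplore.exe 126 " * 3
)

# One record: "PID <parent> wrote to memory of <child> <parent> <image> <procid_target>".
# The backreference enforces that the parent pid is repeated before the image name.
RECORD = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<target>\d+)"
)


def parse_records(text):
    """Count events per (parent_pid, parent_image, child_pid, procid_target)."""
    edges = Counter()
    for m in RECORD.finditer(text):
        edges[(int(m["parent"]), m["image"], int(m["child"]), int(m["target"]))] += 1
    return edges


def build_tree(edges):
    """Map parent_pid -> [(child_pid, procid_target, event_count, parent_image)]."""
    children = defaultdict(list)
    for (parent, image, child, target), n in edges.items():
        children[parent].append((child, target, n, image))
    for lst in children.values():
        lst.sort(key=lambda t: t[1])  # procid_target reflects creation order
    return children


def roots(edges):
    """Pids that write to others but are never written to themselves."""
    parents = {e[0] for e in edges}
    kids = {e[2] for e in edges}
    return sorted(parents - kids)


def render(children, pid, depth=0, out=None):
    """Depth-first text rendering of the tree under pid; returns a list of lines."""
    out = [] if out is None else out
    for child, target, n, image in children.get(pid, []):
        out.append(f"{'  ' * depth}{pid} ({image}) -> {child} [target #{target}, {n} write events]")
        render(children, child, depth + 1, out)
    return out


if __name__ == "__main__":
    edges = parse_records(SAMPLE)
    tree = build_tree(edges)
    for r in roots(edges):
        print("\n".join(render(tree, r)))
```

Running it on the full list from the page (paste the raw text into SAMPLE) yields 22 edges for the 64 events, with 4424 (cmd.exe) as the parent of every smss.exe/attrib.exe child.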
Views/modifies file attributes 1 TTPs 34 IoCs
pid Process 3156 attrib.exe 3436 attrib.exe 1112 attrib.exe 4432 attrib.exe 2676 attrib.exe 1172 attrib.exe 1540 attrib.exe 2972 attrib.exe 3840 attrib.exe 536 attrib.exe 4976 attrib.exe 3660 attrib.exe 876 attrib.exe 3148 attrib.exe 2476 attrib.exe 2756 attrib.exe 4524 attrib.exe 512 attrib.exe 1112 attrib.exe 856 attrib.exe 5032 attrib.exe 2056 attrib.exe 2096 attrib.exe 2676 attrib.exe 1588 attrib.exe 2472 attrib.exe 3076 attrib.exe 4336 attrib.exe 1100 attrib.exe 3328 attrib.exe 636 attrib.exe 3944 attrib.exe 440 attrib.exe 2976 attrib.exe
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe"
   PID:3800
   - Adds policy Run key to start application
   - Boot or Logon Autostart Execution: Active Setup
   - Adds Run key to start application
   - Installs/modifies Browser Helper Object
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Users\Admin\AppData\Local\Temp\monmscms.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
      PID:1088
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3⤵ C:\Windows\SysWOW64\cmd.exe
         cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\monmscms.exe""
         PID:4424
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4⤵ 69 children of PID 4424, alternating between two command lines (35 of A, 34 of B):
            A: C:\Users\Admin\AppData\Local\Temp\smss.exe, cmdline: "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5 (every A entry is tagged "Executes dropped EXE")
            B: C:\Windows\SysWOW64\attrib.exe, cmdline: attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe" (every B entry is tagged "Views/modifies file attributes")
            Entries marked +SLD are additionally tagged "System Location Discovery: System Language Discovery".
            A PID:1040 +SLD; B PID:1100 +SLD
            A PID:4332 +SLD; B PID:3076 +SLD
            A PID:800; B PID:2972 +SLD
            A PID:2056 +SLD; B PID:512
            A PID:2256 +SLD; B PID:3436 +SLD
            A PID:224 +SLD; B PID:3328
            A PID:4356 +SLD; B PID:2096 +SLD
            A PID:2644 +SLD; B PID:636 +SLD
            A PID:868 +SLD; B PID:2676 +SLD
            A PID:832 +SLD; B PID:3840 +SLD
            A PID:4876; B PID:536 +SLD
            A PID:4996 +SLD; B PID:1112 +SLD
            A PID:544 +SLD; B PID:2476 +SLD
            A PID:1196 +SLD; B PID:4336 +SLD
            A PID:4792 +SLD; B PID:4976 +SLD
            A PID:2196 +SLD; B PID:4432 +SLD
            A PID:4856 +SLD; B PID:2676 +SLD
            A PID:4340 +SLD; B PID:3944 +SLD
            A PID:3652 +SLD; B PID:1588
            A PID:1556 +SLD; B PID:1112 +SLD
            A PID:4132 +SLD; B PID:856 +SLD
            A PID:2012 +SLD; B PID:440 +SLD
            A PID:2836 +SLD; B PID:5032
            A PID:4288 +SLD; B PID:1172 +SLD
            A PID:3392; B PID:876 +SLD
            A PID:4496; B PID:2976 +SLD
            A PID:1376 +SLD; B PID:1540 +SLD
            A PID:1228 +SLD; B PID:3156 +SLD
            A PID:2624 +SLD; B PID:3660 +SLD
            A PID:4288 +SLD; B PID:2756
            A PID:1004 +SLD; B PID:4524 +SLD
            A PID:856 +SLD; B PID:2056 +SLD
            A PID:2288; B PID:3148 +SLD
            A PID:3428; B PID:2472 +SLD
            A PID:3044 +SLD
      3⤵ C:\Windows\SysWOW64\WerFault.exe
         cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 588
         PID:2152
         - Program crash
      3⤵ C:\Windows\SysWOW64\regedit.exe
         cmdline: regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp
         PID:2196
         - System Location Discovery: System Language Discovery
         - Modifies Internet Explorer settings
         - Runs regedit.exe
1⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
   PID:1440
1⤵ C:\Windows\SysWOW64\WerFault.exe
   cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1088 -ip 1088
   PID:1900
1⤵ C:\Program Files (x86)\Internet Explorer\ielowutil.exe
   cmdline: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
   PID:4588
   - System Location Discovery: System Language Discovery
1⤵ C:\Program Files\Internet Explorer\iexplore.exe
   cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
   PID:2144
   - Modifies Internet Explorer settings
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2144 CREDAT:17410 /prefetch:2
      PID:2460
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
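The level-4 children above show the dropped batch 1.tmp.cmd alternating two commands, 35 and 34 times respectively: a dropped binary named smss.exe run from the user's Temp directory with the arguments 127.1 -n 5, and attrib -s -h on the dropped monmscms.exe. Those arguments are ping.exe's, which suggests smss.exe is a renamed copy of ping used as a sleep; that is an inference, the report does not identify the file. A batch that sleeps, strips the system/hidden bits and retries is the usual shape of a wait-until-unlocked loop against a file the parent still holds open; the batch body itself is not shown. The real smss.exe only ever runs from System32, so the name alone is a strong signal. The detector below is an added example for this page, not sandbox or project code: it runs a handful of rules over constructed process-creation events modelled on this tree (parent image, image path, command line) plus two benign controls (the genuine smss.exe and a genuine ping). The EVENTS list, the rule names and the regexes are constructed for the example.

```python
import ntpath
import re

# Constructed process-creation events modelled on the report's process tree:
# (parent image name, image path, command line). Not sandbox output.
EVENTS = [
    ("explorer.exe",
     r"C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe"'),
    ("c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe",
     r"C:\Users\Admin\AppData\Local\Temp\monmscms.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\monmscms.exe"'),
    ("monmscms.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\monmscms.exe""'),
    ("cmd.exe", r"C:\Users\Admin\AppData\Local\Temp\smss.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5'),
    ("cmd.exe", r"C:\Windows\SysWOW64\attrib.exe",
     r'attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"'),
    ("monmscms.exe", r"C:\Windows\SysWOW64\regedit.exe",
     r"regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp"),
    # benign controls: the real Session Manager and a genuine ping sleep
    ("System", r"C:\Windows\System32\smss.exe", r"\SystemRoot\System32\smss.exe"),
    ("cmd.exe", r"C:\Windows\System32\PING.EXE", "ping 127.1 -n 5"),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Core Windows process names that never legitimately run from a user profile.
CORE_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
              "services.exe", "lsass.exe", "svchost.exe"}
USER_WRITABLE = re.compile(r"\\(?:appdata\\(?:local|roaming)|users\\public|programdata)\\", re.I)
PING_STYLE = re.compile(r"\b127(?:\.0\.0)?\.1\b.*\s-n\s+\d+", re.I)
ATTRIB = re.compile(r"^attrib(?:\.exe)?(?:\s+[+-][shra])+\s", re.I)
REG_IMPORT = re.compile(r"\s/s\s+\S+", re.I)
BATCH = re.compile(r"\.(?:cmd|bat)\b", re.I)


def classify(parent, image, cmdline):
    """Return the names of the rules that fire for one process-creation event."""
    hits = []
    name = ntpath.basename(image).lower()
    in_system_dir = image.lower().startswith(SYSTEM_DIRS)
    # T1036.005: a core Windows process name running outside System32/SysWOW64.
    if name in CORE_NAMES and not in_system_dir:
        hits.append("core-process-name-outside-system-dir")
    # ping-style "127.1 -n N" arguments given to something that is not ping.exe:
    # a renamed ping used as a sleep inside a batch loop.
    if name != "ping.exe" and PING_STYLE.search(cmdline):
        hits.append("ping-style-sleep-from-non-ping-binary")
    # attrib toggling system/hidden bits on a file in a user-writable directory.
    if name == "attrib.exe" and ATTRIB.match(cmdline) and USER_WRITABLE.search(cmdline):
        hits.append("attrib-sh-on-user-writable-file")
    # silent registry import (regedit /s) from a user-writable directory.
    if name == "regedit.exe" and REG_IMPORT.search(cmdline) and USER_WRITABLE.search(cmdline):
        hits.append("silent-reg-import-from-user-writable-dir")
    # cmd.exe running a batch file that lives in a user-writable directory.
    if name == "cmd.exe" and BATCH.search(cmdline) and USER_WRITABLE.search(cmdline):
        hits.append("batch-from-user-writable-dir")
    return hits


def scan(events):
    """Return [(image basename, parent, [rule names])] for events with at least one hit."""
    findings = []
    for parent, image, cmdline in events:
        hits = classify(parent, image, cmdline)
        if hits:
            findings.append((ntpath.basename(image).lower(), parent, hits))
    return findings


if __name__ == "__main__":
    for name, parent, hits in scan(EVENTS):
        print(f"{parent} -> {name}: {', '.join(hits)}")
```

The rules are deliberately narrow: the masquerading rule keys on the path, not the parent, so the genuine smss.exe under System32 stays quiet, and the sleep rule ignores ping.exe itself, which batch scripts use for delays all the time. On the events above the four hits are cmd.exe (batch from Temp), smss.exe (two rules), attrib.exe and regedit.exe; the sample and monmscms.exe themselves trigger nothing, which is a reminder that the dropped loop and the silent registry import are the more distinctive telemetry here.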
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
  Browser Extensions (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (5)
Credential Access
  Unsecured Credentials (2)
    Credentials In Files (1)
    Credentials in Registry (1)
Downloads
- Filesize 15KB
  MD5 1a545d0052b581fbb2ab4c52133846bc
  SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
  SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
  SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
- Filesize 2KB
  MD5 2dc61eb461da1436f5d22bce51425660
  SHA1 e1b79bcab0f073868079d807faec669596dc46c1
  SHA256 acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993
  SHA512 a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d
- Filesize 1KB
  MD5 dfeabde84792228093a5a270352395b6
  SHA1 e41258c9576721025926326f76063c2305586f76
  SHA256 77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075
  SHA512 e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd
- Filesize 4KB
  MD5 d65ec06f21c379c87040b83cc1abac6b
  SHA1 208d0a0bb775661758394be7e4afb18357e46c8b
  SHA256 a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f
  SHA512 8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e
- Filesize 17KB
  MD5 5a34cb996293fde2cb7a4ac89587393a
  SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
- Filesize 748B
  MD5 c4f558c4c8b56858f15c09037cd6625a
  SHA1 ee497cc061d6a7a59bb66defea65f9a8145ba240
  SHA256 39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781
  SHA512 d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44
- Filesize 11KB
  MD5 9234071287e637f85d721463c488704c
  SHA1 cca09b1e0fba38ba29d3972ed8dcecefdef8c152
  SHA256 65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649
  SHA512 87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384
- Filesize 168B
  MD5 e7efc2c945a798b4dab3fe50f1524592
  SHA1 0bb937ccd89e40c91c0e58b376873ef909fe805b
  SHA256 624acac79fdcfe30592f5321b4ab73d360f393dbcdbe8daa50fcce63c710f5dc
  SHA512 e75840979404587aa15fd4d1e46707c33e32dca086ca72c7666045e14191e29857d06dc8ba737e69925c71b2e2d6a5ee3b63c36ecd2f32ae515f85a985d8f257
- Filesize 4KB
  MD5 3adea70969f52d365c119b3d25619de9
  SHA1 d303a6ddd63ce993a8432f4daab5132732748843
  SHA256 c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665
  SHA512 c4d836fcbdab4c859a6fc0f849d1e41e98c7e23fc0fe0fe0a09cb68e9a57d60b2ae9ad46762d7a5e05db28d6179bd431ef179ee1f9ff016db74cc3b1d74ed7f8
- Filesize 2KB
  MD5 37bed2ced761f9fe445a373604d80412
  SHA1 af6fea06397851774ae7fa67da3c3337979ce890
  SHA256 3d4bf924bba391393a53cc9338a7aba835cc184101ff8188a9a2bdd5cda3ddf5
  SHA512 211040b4ee3b5696896ca5c8bfed67db4ddb567a7f3b1278e06e9345679ce6eb919e08f682dd364e660a4d9c4748bba165c67acefe72ba070d354d1cc05e234a
- Filesize 6KB
  MD5 9a9950905053f01fcffc9f7379945508
  SHA1 f75fff05b979042cef8829328a81765de1928612
  SHA256 81fdead0fa716e988c8cde1c491a284679975466ab60094043c0985ba5500b7a
  SHA512 686df799e306bb80de7debdfa4502eb031ca445e349ae857d1501658576e77222ab1337e41af976cee6845968d5b1a86cc054381370557df86cd0f4d9b04a907
- Filesize 104KB
  MD5 bf839cb54473c333b2c151ad627eb39f
  SHA1 34af1909ec77d2c3878724234b9b1e3141c91409
  SHA256 d9cfcd9e64cdd0a4beba9da2b1cfdf7b5af9480bc19d6fdf95ec5b1f07fceb1d
  SHA512 23cb63162d3f8acc4db70e1ecb36b80748caaaa9993ee2c48141fd458d75ffb1866e7b6ca6218da2a77bd9fcb8eed3b893a705012960da233b080c55dc3d8c3d
- Filesize 18KB
  MD5 b3624dd758ccecf93a1226cef252ca12
  SHA1 fcf4dad8c4ad101504b1bf47cbbddbac36b558a7
  SHA256 4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef
  SHA512 c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838
- Filesize 240B
  MD5 ee926df00618b73a370f2dbcbe19ebeb
  SHA1 eb775efca19c657d4cc02d21190db4f522ae750d
  SHA256 6aa561c0cd6879efa55a085e9020c4827f4e51e8b44902e72b908d06bb454c32
  SHA512 6b4d1f2d897b6876755d1a6370f849d1241bbb9d462a5347b0b157bb4b7efe80c0d171e14e0277bd72dfbcdf31cdc055e500341a6e0c444513cb47cddecaaf54
- Filesize 1.7MB
  MD5 9240adb5ce18633c3b5dbd6554dd4778
  SHA1 3c3b3e168a2e06160096ba64ca7e21b8c176629d
  SHA256 214adac31f2d43a59f45105b35e13ea8bcd72896cffb601ad09f0b82c9ca374a
  SHA512 3ec0e426a4fb64877f4af3f54809562293daa660f97ee13f635a73b7d803a15b5e5bb292eb7bad56b90b7ad1dee639fe06aef24834b31b23b6b2599fb1309f6c