Analysis Overview
SHA256
115aa826395b6da44910d052c62907328c8d54f0bce306d5669f42364694a67e
Threat Level: Likely malicious
The file c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Reads WinSCP keys stored on the system
Installs/modifies Browser Helper Object
Checks installed software on the system
Adds Run key to start application
Accesses Microsoft Outlook profiles
Drops file in System32 directory
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
outlook_win_path
Modifies registry class
Runs regedit.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-25 09:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 09:51
Reported
2024-08-25 09:54
Platform
win7-20240704-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\mshostsql.exe" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95} | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = 43003a005c00570069006e0064006f00770073005c00730079007300740065006d00330032005c006d006f006e006e0065007400730071006c002e006500780065000000 | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\rassvcmon.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\mshostsql.exe" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
Drops file in System32 directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rassvcmon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AD630381-62C7-11EF-960D-6A8D92A4B8D0} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000da81151633c6d24639cfc1c969ef10c74224040d1297b03386202b0845e2c1b0000000000e8000000002000020000000820b262f9f4f639fad951ce56d853f8bf66c5cf97671b56bf1e67c724152e31d200000004596df5075d3c3b819abe9be23c9366a2ab0a84c703dd739ec6bae250522bc53400000000c4b1c267c8c43666f15fc976fc30b4fee3ccf4df1dba62882448cfccf07e4d3f99698c6419782dca877bf8e48377bc9f9101bbcc3d32ce95f7566feff0017ff | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c040e89bd4f6da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430741391" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000ba294b7eedf6a267eaf30e79d9ed504bd011a238e2f0a5ec3706ea295f7ee220000000000e800000000200002000000027c7cac0a6342470b3c1c7e195d8817f41397f849f846ecd5679becf195e9d3e90000000931c4f22a60f47cc9c646670778f09095a12cb7c44e30e5c5a0e6de0d127ad2f0c35fe4b9dfcb3ff853d445a52a8b92d9445ca9a2191e5af2349029088ecdace0718fc4c9799ec7b5c768c49645874044514029b833fa75e74902ed7a6adc7d9725cd59627a950d0e77f708bd89ffd90c442c197bbae736fb7785a60e3b7d4ddcc86082cf9171b69cedacbe712b34994400000004fa98ddec04d93cfd73854a7818f381a33618cd62282fbab2de0015cf57850492fbbe1e79be4b352f76044acd985ae78dd418049e72861b6525a836c76574725 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\rassvcmon.ocx" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\rassvcmon.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\rassvcmon.exe
"C:\Users\Admin\AppData\Local\Temp\rassvcmon.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE""
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
Network
| Country | Destination | Domain | Proto |
| N/A | 10.17.0.71:21 | | tcp |
| N/A | 10.17.0.71:21 | | tcp |
| RU | 82.146.51.22:80 | | tcp |
| RU | 82.146.51.22:80 | | tcp |
| N/A | 10.17.0.71:21 | | tcp |
| RU | 82.146.51.22:80 | | tcp |
| RU | 82.146.51.22:80 | | tcp |
| N/A | 10.17.0.71:21 | | tcp |
| RU | 82.146.51.22:80 | | tcp |
| N/A | 10.17.0.71:21 | | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| RU | 82.146.51.22:80 | | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| N/A | 10.17.0.71:21 | | tcp |
| RU | 82.146.51.22:80 | | tcp |
| N/A | 10.17.0.71:21 | | tcp |
| RU | 82.146.51.22:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\bot.log
C:\Windows\SysWOW64\rassvcmon.ocx
C:\Windows\SysWOW64\dispipctf.exe
\Users\Admin\AppData\Local\Temp\rassvcmon.exe
C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd
\Users\Admin\AppData\Local\Temp\smss.exe
C:\Users\Admin\AppData\Local\Temp\win5.tmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 09:51
Reported
2024-08-25 09:54
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\cmsprocsrv.exe" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = 43003a005c00570069006e0064006f00770073005c00730079007300740065006d00330032005c0063006d007300640069007300700063006d0073002e006500780065000000 | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95} | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\cmsprocsrv.exe" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
Drops file in System32 directory
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\monmscms.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\monmscms.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\smss.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8059158cd4f6da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0bca479d4f6da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a075f399d4f6da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 601f3c7ed4f6da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2175529243" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0f2d582d4f6da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31127252" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c00000000020000000000106600000001000020000000390f21ede3f20ec408cc236f6d0a5648e9d4e78f9907223abf3c96430d007d9f000000000e800000000200002000000046678da2b65467b92bfb57a4c04aa8929bc8021f168b2382af4ab8daf696316b20000000746b5836eadac6ce2069035f61ab3d14b4344b3c3e986bab8d1854f6f4ef63ee40000000821833d149ae6c8bc661cc7eff5673461d4b426f391a456b993b1b1593e269bb42f35254bdb03e94425e66b15fbbfb6c5a23dbdf64ea42ffff07d7f9217731fe | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c00000000020000000000106600000001000020000000a4a94d8f5f6e091f690be49c74a7f6717aa8b335b1e38ab61e74a4be8517d1c3000000000e8000000002000020000000e329f759c181de27646f089ed1d91999b59a40bb4a8dbda35d4c13a653984de220000000c947b8cddec96bc4b8bde43253100fb757667a3787b63a52cfef336eb5597a3140000000aa4e04ca840f1b96ab1827cc4dd68e849f2d3bcc0ab4016f7dfbe738a0d6c95bfaa115803c7d72f7dc6d30072134509afa354c35c4df2221e43b6fa0e7f218a0 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c00000000020000000000106600000001000020000000a17065a2c5a07981695e87b07de5f7fc110fe09048d60e7f82e9a506dffa0a08000000000e800000000200002000000028e095db32e3820b923fc5bb1d5d702c558787bb7b771b0ed539ad0b0152641520000000933217f12c1df5efbb5436f651a31a07ef7d05737d604e9e8df4f9b6ecca7ff240000000a5e2c7d1336d8dc9687fa8108a3d591305fab8684e335f412e003560e1987a43b9e7cf5229aec655b85b14b209bc4dea0171dfee936abdbc6f5bec6df3fdb442 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40765295d4f6da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70f526a3d4f6da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2175529243" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0a2b890d4f6da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2175060308" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10498d9ed4f6da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2175060308" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31127252" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c00000000020000000000106600000001000020000000ad7979842d4fbe49c7eccd7367fab6537b9b36b55e82b16ef0cce3ce1f2ea2b1000000000e8000000002000020000000435efb1a01f4333ce8d35adc0060c66b4f609af1bb57137292e715a7b9b92b9e2000000086a8cb99c32ca09defa49702ca5896157a8aabb376064135c6acc303f88cd9f840000000cfdc4b1ed4721d52ead1bbd6a90fe38b701bb9250152e91493262af0c90228921ddad6398273e0e539790634a7632df4426810469c736c550e02007afe03cfb4 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431344496" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c0000000002000000000010660000000100002000000002379699d7f9ad728e2288cc4ed82ca8e68f22bdfaa352ec270e6d69f3bcf8a8000000000e800000000200002000000045b6d6d99ad428034e42a7857e0d51a7e9a70693817e2086ba9c05653907717e20000000ccecae9a499837ccf0501fff4c5d4ab6cafb799a0acbfbffe2fe9969850fd97c40000000de48849399816014bb41b097c535088d87bf9e1b542311a86fbb3850bbf30a7a07190e39861d99198526ac45d1bee6a6018beb54bbb9078272cd5e0511b526c4 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31127252" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c0000000002000000000010660000000100002000000020b32b21489332d90c96e1af1ed828c7d2cbbb7789f41a10c38448c792ebe8ca000000000e800000000200002000000015ff9c6d507830320a2b2520978fecbac0559f3f7ddf534a342224a70de5528620000000d04914c993715af55e9833579e4f271f649b6404698436a617a68ccded13b3e9400000002b9ec58bd6129b94db3652e06662848da2d9565e7607b1da7db8b6bd1d548e49b689c8fb2a9aef5eebf75866cf9902d45721b5f72812c0f61e5adc44ca65c429 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c00000000020000000000106600000001000020000000231ac5af4075f7420d5a80839f8d7e216aaee8d964eb2669d3600324324e2045000000000e8000000002000020000000d70996a4ad3aba98657fd5ca87923cde2b8164bf67f476c102266bb9828527d0200000000f32f24eb72f729db37ab7c7093ba4d396eba3e238b2a021cfbe56f609c6792240000000c5082981104b6d90736d68b1442baa4bbeb7ce5494c42bf028d62275697c4f0efd7afa8ff9f75521b5cda14d7dc7977be49f3e128653fe930a14c69ec39ef942 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c00000000020000000000106600000001000020000000a5c130e9e545be4afaf7662451e6e022e6b9a5f59d1e521aed9752d40649025b000000000e80000000020000200000009c0ce267412e126ed2a6b7a44e68f057f81cd3565b00629065ea130b2477b27b20000000bce64affe55d6665370f943d50b52b96d567c10e102969f947a2aa25c885d4984000000057512f2e46cc7c8c8735c2483cdf5038778eb410e94212a7207aeea9e87305b9984d1cd10fae7759bb91907fa0e101372e0f46d94d4e3b5d15d98d0868500128 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20cb7687d4f6da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31127252" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c0000000002000000000010660000000100002000000058e2116dd20953c56e00ffea371615ba411fba557fdcf62276cb2da910e6422e000000000e8000000002000020000000374b9e3711c686b25dcc6dd38d9bacde98f586183570f3d78bf3f65738100101200000005c8bd66abdbe15da6c7904861069fe5808be64dc4f6b893b81f69d5cc7a4e7f140000000a05287af96d54d5b989f3089ca2732a5d08bd3f66cfb0fc3cb6f8022f906cf759c228477a1d68aacddc95114ba6d9523332ba9358b01a001ca088366df6e460e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c00000000020000000000106600000001000020000000b43fa40a0153b380c925d8b334a85d5a805449f90a1620558c100667a73a68a8000000000e80000000020000200000007432376a01aa3612feaf3ff898939ec30b46246e9b0206432771244237c132dc20000000447e864b81791a751d6ae46d892da8c93677cd29fef0df28547bbe084858a53f40000000004bdf34c6b6b5fd6d6a75cf9938952fcad8cdf5b9fd98a888e454bb59cfbaefe45e61f57a0d9d36cc94ee9934c28ac244cbe18ebbcaa28285fecc7be6d1e2bb | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AD177B3A-62C7-11EF-A2A4-F2CE673D6489} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\monnetproc.ocx" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj" | C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Processes
C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\monmscms.exe
"C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\monmscms.exe""
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1088 -ip 1088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 588
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2144 CREDAT:17410 /prefetch:2
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| N/A | 10.17.0.71:21 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| N/A | 10.17.0.71:21 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| RU | 82.146.51.22:80 | | tcp |
| RU | 82.146.51.22:80 | | tcp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| RU | 82.146.51.22:80 | | tcp |
| N/A | 10.17.0.71:21 | | tcp |
| RU | 82.146.51.22:80 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| RU | 82.146.51.22:80 | | tcp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| RU | 82.146.51.22:80 | | tcp |
| N/A | 10.17.0.71:21 | | tcp |
| RU | 82.146.51.22:80 | | tcp |
| RU | 82.146.51.22:80 | | tcp |
| RU | 82.146.51.22:80 | | tcp |
| N/A | 10.17.0.71:21 | | tcp |
| RU | 82.146.51.22:80 | | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| RU | 82.146.51.22:80 | | tcp |
| N/A | 10.17.0.71:21 | | tcp |
| RU | 82.146.51.22:80 | | tcp |
| RU | 82.146.51.22:80 | | tcp |
| N/A | 10.17.0.71:21 | | tcp |
| RU | 82.146.51.22:80 | | tcp |
Files
memory/3800-0-0x0000000000400000-0x000000000044E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bot.log
| MD5 | 37bed2ced761f9fe445a373604d80412 |
| SHA1 | af6fea06397851774ae7fa67da3c3337979ce890 |
| SHA256 | 3d4bf924bba391393a53cc9338a7aba835cc184101ff8188a9a2bdd5cda3ddf5 |
| SHA512 | 211040b4ee3b5696896ca5c8bfed67db4ddb567a7f3b1278e06e9345679ce6eb919e08f682dd364e660a4d9c4748bba165c67acefe72ba070d354d1cc05e234a |
C:\Users\Admin\AppData\Local\Temp\bot.log
| MD5 | 9a9950905053f01fcffc9f7379945508 |
| SHA1 | f75fff05b979042cef8829328a81765de1928612 |
| SHA256 | 81fdead0fa716e988c8cde1c491a284679975466ab60094043c0985ba5500b7a |
| SHA512 | 686df799e306bb80de7debdfa4502eb031ca445e349ae857d1501658576e77222ab1337e41af976cee6845968d5b1a86cc054381370557df86cd0f4d9b04a907 |
C:\Users\Admin\AppData\Local\Temp\advsec32.dll
| MD5 | 3adea70969f52d365c119b3d25619de9 |
| SHA1 | d303a6ddd63ce993a8432f4daab5132732748843 |
| SHA256 | c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665 |
| SHA512 | c4d836fcbdab4c859a6fc0f849d1e41e98c7e23fc0fe0fe0a09cb68e9a57d60b2ae9ad46762d7a5e05db28d6179bd431ef179ee1f9ff016db74cc3b1d74ed7f8 |
C:\Windows\SysWOW64\hostpoolras.exe
| MD5 | 9240adb5ce18633c3b5dbd6554dd4778 |
| SHA1 | 3c3b3e168a2e06160096ba64ca7e21b8c176629d |
| SHA256 | 214adac31f2d43a59f45105b35e13ea8bcd72896cffb601ad09f0b82c9ca374a |
| SHA512 | 3ec0e426a4fb64877f4af3f54809562293daa660f97ee13f635a73b7d803a15b5e5bb292eb7bad56b90b7ad1dee639fe06aef24834b31b23b6b2599fb1309f6c |
C:\Users\Admin\AppData\Local\Temp\monmscms.exe
| MD5 | bf839cb54473c333b2c151ad627eb39f |
| SHA1 | 34af1909ec77d2c3878724234b9b1e3141c91409 |
| SHA256 | d9cfcd9e64cdd0a4beba9da2b1cfdf7b5af9480bc19d6fdf95ec5b1f07fceb1d |
| SHA512 | 23cb63162d3f8acc4db70e1ecb36b80748caaaa9993ee2c48141fd458d75ffb1866e7b6ca6218da2a77bd9fcb8eed3b893a705012960da233b080c55dc3d8c3d |
C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd
| MD5 | e7efc2c945a798b4dab3fe50f1524592 |
| SHA1 | 0bb937ccd89e40c91c0e58b376873ef909fe805b |
| SHA256 | 624acac79fdcfe30592f5321b4ab73d360f393dbcdbe8daa50fcce63c710f5dc |
| SHA512 | e75840979404587aa15fd4d1e46707c33e32dca086ca72c7666045e14191e29857d06dc8ba737e69925c71b2e2d6a5ee3b63c36ecd2f32ae515f85a985d8f257 |
C:\Users\Admin\AppData\Local\Temp\smss.exe
| MD5 | b3624dd758ccecf93a1226cef252ca12 |
| SHA1 | fcf4dad8c4ad101504b1bf47cbbddbac36b558a7 |
| SHA256 | 4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef |
| SHA512 | c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838 |
memory/3800-239-0x0000000000400000-0x000000000044E000-memory.dmp
memory/3800-258-0x0000000000400000-0x000000000044E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\win5.tmp
| MD5 | ee926df00618b73a370f2dbcbe19ebeb |
| SHA1 | eb775efca19c657d4cc02d21190db4f522ae750d |
| SHA256 | 6aa561c0cd6879efa55a085e9020c4827f4e51e8b44902e72b908d06bb454c32 |
| SHA512 | 6b4d1f2d897b6876755d1a6370f849d1241bbb9d462a5347b0b157bb4b7efe80c0d171e14e0277bd72dfbcdf31cdc055e500341a6e0c444513cb47cddecaaf54 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver4452.tmp
| MD5 | 1a545d0052b581fbb2ab4c52133846bc |
| SHA1 | 62f3266a9b9925cd6d98658b92adec673cbe3dd3 |
| SHA256 | 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1 |
| SHA512 | bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XHVIU6BA\httpErrorPagesScripts[1]
| MD5 | 9234071287e637f85d721463c488704c |
| SHA1 | cca09b1e0fba38ba29d3972ed8dcecefdef8c152 |
| SHA256 | 65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649 |
| SHA512 | 87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BKKBWXOR\errorPageStrings[1]
| MD5 | d65ec06f21c379c87040b83cc1abac6b |
| SHA1 | 208d0a0bb775661758394be7e4afb18357e46c8b |
| SHA256 | a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f |
| SHA512 | 8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0KP8BKDN\dnserror[1]
| MD5 | 2dc61eb461da1436f5d22bce51425660 |
| SHA1 | e1b79bcab0f073868079d807faec669596dc46c1 |
| SHA256 | acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993 |
| SHA512 | a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BKKBWXOR\NewErrorPageTemplate[1]
| MD5 | dfeabde84792228093a5a270352395b6 |
| SHA1 | e41258c9576721025926326f76063c2305586f76 |
| SHA256 | 77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075 |
| SHA512 | e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XHVIU6BA\down[1]
| MD5 | c4f558c4c8b56858f15c09037cd6625a |
| SHA1 | ee497cc061d6a7a59bb66defea65f9a8145ba240 |
| SHA256 | 39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781 |
| SHA512 | d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BKKBWXOR\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |