7015fbbe40d9041e72fe13f794cdcfc3555f54edbe209bd6fcd6b71a30d22129

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Size

2.3MB
MD5

c847b7a2cf4a720d70aeef5b253b1f36
SHA1

c8485fb5223eb30d867348f9480e2121f57f9f1c
SHA256

7015fbbe40d9041e72fe13f794cdcfc3555f54edbe209bd6fcd6b71a30d22129
SHA512

3d028a371848406f8d1d4b8ce9939c93ec5ceeb2dce9830b54e20e7ca8492cb83148c679b465292b0307d8cf6a57681709d657d90338a68cd68f6beba273158c
SSDEEP

3072:0RsBiWyDJP1j11BJIcBzeFxFtMuqnBJIF+DbCu/bU+99:QxRJPnJwMu6dXCsQi

Score

8^/10

adware collection discovery persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\procdnssql.exe"	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup"	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck"	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = 43003a005c00570069006e0064006f00770073005c00730079007300740065006d00330032005c00660077006300700072006f0063006600770063002e006500780065000000	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2"	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS"	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2"	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1"	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe

Executes dropped EXE 37 IoCs

pid	Process
1568	infopoolproc.exe
1724	smss.exe
568	smss.exe
1480	smss.exe
1936	smss.exe
2156	smss.exe
2560	smss.exe
2256	smss.exe
3064	smss.exe
2032	smss.exe
1868	smss.exe
2808	smss.exe
2548	smss.exe
1524	smss.exe
1336	smss.exe
1856	smss.exe
2240	smss.exe
872	smss.exe
3068	smss.exe
2532	smss.exe
344	smss.exe
1212	smss.exe
1716	smss.exe
1384	smss.exe
1760	smss.exe
1672	smss.exe
2020	smss.exe
836	smss.exe
2088	smss.exe
408	smss.exe
1864	smss.exe
2448	smss.exe
2100	smss.exe
2188	smss.exe
784	smss.exe
1476	smss.exe
880	smss.exe

Loads dropped DLL 38 IoCs

pid	Process
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe
1912	cmd.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	infopoolproc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\procdnssql.exe"	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub"	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1"	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ctfmonsvc.exe	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fwcnetpool.exe	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ctfdnspool.exe	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ctfdnspool.exe	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\procdnssql.exe	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\procdnssql.exe	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ctfmonsvc.exe	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\svcsqldhcp.ocx	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svcsqldhcp.ocx	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fwcnetpool.exe	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fwcprocfwc.exe	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fwcprocfwc.exe	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb7800000000020000000000106600000001000020000000f383645516b358afb08ac2a35e7086d4db6a6c0e0ce0097f7a36a3641b45845f000000000e8000000002000020000000204bb30f5d970d96baac17fb27303769c25e6c372f54e81971f49d8d0ac8bcde200000002180071e739b3212157f545707fc6ee62f6118436644a06101ac69c7ec7febc34000000072eaae0dd3e5b46e10da993fb4e2e8c9504ffcbb08bb2739ecbb2452cffb44ad09369c457c52099757c9c348117276b6a89b6721c54ee778132a185661bad7a3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0313501d3f9da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb7800000000020000000000106600000001000020000000544859026a96a11ded65f306355bbf5dd141c28eda4b7f774f8434981c5f4a2f000000000e800000000200002000000080f0ff7b0a124946a9513c645f4c06130cad2109f1d419ed48c5377c5b579558900000007ff42da0686f626b96d85fd3b5d8a393a8d8c249e0d43731037c68154b85b8e37c0e20e51edeb5b6734d47b3fda21aa6b17c57d39e45af7ad96cb94448eb31f275ffcf8abadb9c1ddda91011301b53de6f9b8ce66c108f5372061eff3f67cdd4a0589c5b5026d67b70f8b235a344a3c3624c141222cf7c187d133d2d877d2570d59bf116e60fd3221e241eeebf88dc71400000001e3e9e412a743888eda9a832cdc43d9e6481f96f830fba730b77ffc9138e57bbc20eb7b55311870e9329650ed505dbe03ae5a7b8609da8c3317e1333ae6eb15c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{11FD65A1-65C6-11EF-B9AB-7EBFE1D0DDB4} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431070552"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj"	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper"	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\svcsqldhcp.ocx"	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment"	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1"	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe

Runs regedit.exe 1 IoCs

pid	Process
2884	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeBackupPrivilege	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
Token: SeDebugPrivilege	1568	infopoolproc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2916	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2916	iexplore.exe
2916	iexplore.exe
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 1568	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe	30
PID 2680 wrote to memory of 1568	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe	30
PID 2680 wrote to memory of 1568	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe	30
PID 2680 wrote to memory of 1568	2680	c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe	30
PID 1568 wrote to memory of 1912	1568	infopoolproc.exe	32
PID 1568 wrote to memory of 1912	1568	infopoolproc.exe	32
PID 1568 wrote to memory of 1912	1568	infopoolproc.exe	32
PID 1568 wrote to memory of 1912	1568	infopoolproc.exe	32
PID 1912 wrote to memory of 1724	1912	cmd.exe	34
PID 1912 wrote to memory of 1724	1912	cmd.exe	34
PID 1912 wrote to memory of 1724	1912	cmd.exe	34
PID 1912 wrote to memory of 1724	1912	cmd.exe	34
PID 1912 wrote to memory of 2296	1912	cmd.exe	35
PID 1912 wrote to memory of 2296	1912	cmd.exe	35
PID 1912 wrote to memory of 2296	1912	cmd.exe	35
PID 1912 wrote to memory of 2296	1912	cmd.exe	35
PID 1912 wrote to memory of 568	1912	cmd.exe	36
PID 1912 wrote to memory of 568	1912	cmd.exe	36
PID 1912 wrote to memory of 568	1912	cmd.exe	36
PID 1912 wrote to memory of 568	1912	cmd.exe	36
PID 1912 wrote to memory of 1492	1912	cmd.exe	37
PID 1912 wrote to memory of 1492	1912	cmd.exe	37
PID 1912 wrote to memory of 1492	1912	cmd.exe	37
PID 1912 wrote to memory of 1492	1912	cmd.exe	37
PID 1912 wrote to memory of 1480	1912	cmd.exe	38
PID 1912 wrote to memory of 1480	1912	cmd.exe	38
PID 1912 wrote to memory of 1480	1912	cmd.exe	38
PID 1912 wrote to memory of 1480	1912	cmd.exe	38
PID 1912 wrote to memory of 1708	1912	cmd.exe	39
PID 1912 wrote to memory of 1708	1912	cmd.exe	39
PID 1912 wrote to memory of 1708	1912	cmd.exe	39
PID 1912 wrote to memory of 1708	1912	cmd.exe	39
PID 1912 wrote to memory of 1936	1912	cmd.exe	40
PID 1912 wrote to memory of 1936	1912	cmd.exe	40
PID 1912 wrote to memory of 1936	1912	cmd.exe	40
PID 1912 wrote to memory of 1936	1912	cmd.exe	40
PID 1912 wrote to memory of 2072	1912	cmd.exe	41
PID 1912 wrote to memory of 2072	1912	cmd.exe	41
PID 1912 wrote to memory of 2072	1912	cmd.exe	41
PID 1912 wrote to memory of 2072	1912	cmd.exe	41
PID 1912 wrote to memory of 2156	1912	cmd.exe	42
PID 1912 wrote to memory of 2156	1912	cmd.exe	42
PID 1912 wrote to memory of 2156	1912	cmd.exe	42
PID 1912 wrote to memory of 2156	1912	cmd.exe	42
PID 1912 wrote to memory of 1596	1912	cmd.exe	43
PID 1912 wrote to memory of 1596	1912	cmd.exe	43
PID 1912 wrote to memory of 1596	1912	cmd.exe	43
PID 1912 wrote to memory of 1596	1912	cmd.exe	43
PID 1912 wrote to memory of 2560	1912	cmd.exe	44
PID 1912 wrote to memory of 2560	1912	cmd.exe	44
PID 1912 wrote to memory of 2560	1912	cmd.exe	44
PID 1912 wrote to memory of 2560	1912	cmd.exe	44
PID 1912 wrote to memory of 2688	1912	cmd.exe	45
PID 1912 wrote to memory of 2688	1912	cmd.exe	45
PID 1912 wrote to memory of 2688	1912	cmd.exe	45
PID 1912 wrote to memory of 2688	1912	cmd.exe	45
PID 1912 wrote to memory of 2256	1912	cmd.exe	46
PID 1912 wrote to memory of 2256	1912	cmd.exe	46
PID 1912 wrote to memory of 2256	1912	cmd.exe	46
PID 1912 wrote to memory of 2256	1912	cmd.exe	46
PID 1568 wrote to memory of 2884	1568	infopoolproc.exe	47
PID 1568 wrote to memory of 2884	1568	infopoolproc.exe	47
PID 1568 wrote to memory of 2884	1568	infopoolproc.exe	47
PID 1568 wrote to memory of 2884	1568	infopoolproc.exe	47

Views/modifies file attributes 1 TTPs 35 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1924	attrib.exe
2496	attrib.exe
2420	attrib.exe
1492	attrib.exe
836	attrib.exe
2004	attrib.exe
1868	attrib.exe
1608	attrib.exe
1184	attrib.exe
1596	attrib.exe
2688	attrib.exe
1648	attrib.exe
1028	attrib.exe
1580	attrib.exe
2188	attrib.exe
2476	attrib.exe
2012	attrib.exe
2296	attrib.exe
2060	attrib.exe
1940	attrib.exe
1980	attrib.exe
1620	attrib.exe
1956	attrib.exe
668	attrib.exe
1388	attrib.exe
1708	attrib.exe
1324	attrib.exe
1268	attrib.exe
2296	attrib.exe
2660	attrib.exe
2792	attrib.exe
1684	attrib.exe
2476	attrib.exe
2072	attrib.exe
2268	attrib.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	infopoolproc.exe

C:\Users\Admin\AppData\Local\Temp\c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\infopoolproc.exe
  "C:\Users\Admin\AppData\Local\Temp\infopoolproc.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_win_path
  PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1724
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:568
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1480
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1936
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2156
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2560
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2256
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3064
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1324
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2032
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1868
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:836
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2808
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2548
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:1524
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1028
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1336
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1856
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2240
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2476
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:872
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3068
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2532
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1268
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:344
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:668
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:1212
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1184
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1716
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1384
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:1760
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1672
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:836
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2088
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:408
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2448
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2100
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2188
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2476
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:784
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1476
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:880
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Runs regedit.exe
    PID:2884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2916
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2916 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc178fcec2562d502b5b990881952e6a

SHA1
deff82d6854d68c072163e0d2e4e36e2b2163f5e

SHA256
0d8bf25a7ab9af09d37d2be72aaa4d25f15df93e70131f355832f1702dc4e49d

SHA512
4a7cefaedb8948864da2144fedb386389de15ab3deeb3bc44a1aaeaa279b080c5009dbce6d2f7912ba5de0faaaebed723814cd82f097fef9598dce09ac1d5128

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8d232aafad9db2931be0adfd4baef87

SHA1
f0d7e4662c9b2c7c41163843f580bc3165c627e4

SHA256
f123657f9cb55f5190e47134a4c35e426ce9c365fbe320911cb1e2f0db7481ed

SHA512
ba9bd28d0b4b7d65014ada8d441608b6e9b8cc45bff107c715848ba463cf77aa324637fe30059d10a4c91e25ecdcd51edc59239b72554b527d020058c0935b2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d8e87baf19d82fee4368980b5148bc2

SHA1
3254478a069d045688057e4b45c0b1ed77bd8d49

SHA256
fd56a98dffb69ff2eabc24adf06ee665655b234dcf6e810bdc3698ee12f238eb

SHA512
0a7975f6d0ca99547287de80cd2ca8adbe981eb322e4160b5b93851540380f7c4c128f12a1df5a2cabef8155bd94fbd4d3acb5a97edfad4c921ecb1ece2f358b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0416efb71324db781b5113bbbbbcc54

SHA1
9d420253fd6b17df3321c3f1470f5e88bfabc8f5

SHA256
95072f529f151e92f9e1b589f4347804d477af8a78e5e1637c2c4ea548770387

SHA512
3d6de1a2e3165139b4771b47c64ccb9e0abb29a55516c367ed6b9b9514c7cdc47cda58ea60d3dc40d715ae27f95223eb6f90357699ea551041f3cb3c3418f637

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42644a95b5156d5cfe0ceb6af454ebe3

SHA1
dd53b19c02a09b3aedd3cdf2ba0e270cf45fa3d3

SHA256
f9b52fb7fc3294ba731bce3b5bb23b2e6d52f252bc4bc4cc44b4b427b6dbc5d3

SHA512
358f42ff6f653236f288872b30a02bd4404ead7c3d9583f2de8e5b93452e7120e1847c6a2479725f23fc1c3ce316e3c19c69510dfc519237ac5955afe2fc6c05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
325a45d162469e594fdf60b1e452cfc8

SHA1
c4fef184dc3d2d264b9050470cc7cf30899e3bb1

SHA256
6c8f2ef91a38bfa822eef733e6451337f2a47c3abc79ba65d0ce9f1c096d18b8

SHA512
df61fb03f18c66fb8d49ce2f0051bd4e830dafef21bcad967e346a074cb27cad0a85b887199d94cc068cbc299c0b92b6841c65c7b9011ae2a96ca4f30d097acf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e26b93dcf78703384b5d26ca93a6b97

SHA1
2237d369e87bc28a6b3a8e63636f79f8588415d0

SHA256
b7d61861c95985f6e38e052d661e374522a162f393443cede45a119c5f262374

SHA512
caa66081926766c548f64a91d0fbde3ae8ac51b2677224e3c4f1198e3fd1240ad2b017c5b7f13644708739594e9ce5076c0d5372a925f970fc9245ef4544b069

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6601081995cf85bbcacbc55c67a7df42

SHA1
c46b983d6f799b3324fee925762bad2d0cadbb0a

SHA256
734cd2a0f2e300ccee9ae8ef8893e3bcb21ff7fe9fca45ffb168ba7d4582167a

SHA512
8795805f9544285a8b903ca13c852b66fb5c116e3a9d7a58b87ffac087b374aaf1864547cd3f59772fada1c15068a6a37dd43d3db120451e00c128988a5e7969

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d6189705983c52477be85924d41ce6d

SHA1
81693bad02f44c0f8c7bfbb199f244133aea89ee

SHA256
a6c95bb90a6f4ccac49f5219ec99028f79e8c9acf506b363c81890a0a1682171

SHA512
d8497c91c6b610cf98a6fad621cc86e02ea395f9ce8c77582f12d929d70441bac0f1b1e1562d3111607439c98c3389997389ba7f4dd662c1943a1f6982a2682a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
896d57da0c89fc49d214344df8a3f0e4

SHA1
c26a1107233ee3f1741fd54ad6040ac48e665314

SHA256
397347cee64e0f3991d7541c0b7478057d5bc125286361bd86a445bf54e4b515

SHA512
e87ba8cc70c103c8c73cf75559456d7021fff9b6ad3b6f85fd34e9682badace7e0ac8df6f08909ad5fdea0119d72c741f72e1de1d0b37bbdbe5d731d11b097bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d06e7aab4bd8b278a4ad2303300d4b92

SHA1
73bd81dffacbd667095f7ce77ba5396aea389a02

SHA256
f0b3e45a636214655b6501f2e42ed5d16cb9eaa213517c69322dd1921b1b15d6

SHA512
0cf9145219f05fd9f40e39490c2c0d6a8bebc0a05e0a90541ddd9bf9c8454aaf9bf6cf40b63e08157ec978f294ac8ea6fb055a2ea8ce4c0c040cf83175478a23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69106580deeb278e4dc724a5afd25a44

SHA1
e221289a44a70a2877d52905df832bab3cfb0909

SHA256
6642fd76a7cad7dc0bcc6dc99bcb2343eb17470faf2a5d43d1214cf18020243f

SHA512
0e9c0058c350dcf7b7bab0fc6dc180c71cec6ec12b1a6f00f8cd84782338287010928c1f76808fa73171c1ecc1a7506e4a5a460ed0600de0ce532b079274b983

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7002feeb272cb8e5accda07cad1e553a

SHA1
5a6941fb265e84f70ef54d2c5efc6a3954c88dd5

SHA256
7e71ed8358152d47e5bacdce01de226170ce647124d1de8018c1016eda3f9605

SHA512
b5ffcd4bc6ab968cd249474d79d17471564980530fb2e73172eb84401e784e8f05a80e48304ed92d53c0060632704be29b67d0734cdcc9344344dcf794eb077e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9735db742beea52608512fd3a9258019

SHA1
1fc306e171480146d8a0a3d067c368f25bd230c6

SHA256
cf65059d209bbc1374cd6e0bf821eaba3b06f7fbe6b36df498adb36e6253a55a

SHA512
f3f0e4f9d03af199e6f8780af6631ab962a81f23a1d249056397731495ca1e9a20374b3a89acfeee735ffe967761f9a261f3d9c8fa6b9abeeecb6af7cd4e89c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6891ed11b569902d92eb72d2ffaa50b1

SHA1
f4060702e93c17ba633ef5a514af9aff1f266b43

SHA256
e123d349dc355940004af9e9bf7ba8f7e724ce780a98da8e19d281082c630e96

SHA512
9624530101c9fe3019285e96d93b22efa6cc5799fcdc3923ab05e19a4e387c5727d84b1cf7eadfae6dbdbe9081281d74dd2226e44a210dca844d1f64b6cb439c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f439e2f47f9c810070d05d82e525d23e

SHA1
99e0543eb7d56fb9056d2bec6bb33242862ed505

SHA256
338ad4c7e6e7dde0edc887b5a87aefcde8a2df22fbdaecb4a4893e1417a494c6

SHA512
987b1d6a04757fca84c8d9dae15da472715bba5c751b72bea6102c6a204156d39ebab63db79a1d77eee4a2389bb47f431fc1c7f7e241fb023ef90830e5a15381

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c788d13be41edcba7242b76d63790e68

SHA1
9c4bbf1056944947f2d8057df0b2683e155cac15

SHA256
b23c9541902e12c692aa3c68447a4c6b0ecbe93569e1c2ea84657c83fc66a9b6

SHA512
d9f25a4307c466a5810c929e482fce375ded00448f609be2f8ba851a560ade959cbbc752b0d5faeef902e248767e456718df8a6a26231dd328e23f52217809e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81629d93b039abdd27d0e0a06a10ff23

SHA1
f5b3ecce0cb26d3a7ab2e39f1adec1aab836af7a

SHA256
cc4d912bc9d37265f87c139cc2d77727a855a6d543fcf9fa114fc9ec47b85170

SHA512
ed7e8304b079ba5de6d400eb7a39d6ea008b9cd90f426ed03710dff322338d32f07d8c40bf2e647a40d01933cc4da5c4abff8cff87ea110eb4197037760dc431

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f2354b219eb82a26464bb9dc70b261e

SHA1
fee26f4b9dc155495cea0ed644cd9c5e5ef08e9a

SHA256
9eb130abb452428d80ce9e2ca5d315eb855dd96866b903905459f641a02b04c7

SHA512
edebadd1d5be750191a7a1f90dcf6bc0323c9eede0cd09c155f3568d989d25fcb906d9caa3bc92596ca7bcc5231539121b6828a947b70f3be40479eafd791057

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b0aa2d293d7fef373175c7980b3eb42

SHA1
eb1197d2c8aa364d82ebd2c8a86597242117c1ad

SHA256
2c1175a9db3665dd5670089eb218f387f5875efeff43dfe00ebe4eca4411c5a3

SHA512
7b2c43cdced9bf6b9e72746ac5152bac94cc70d5cc1a2c70d47ca677a3726944a674510227028b303bdf359d1f48b902b9b410f3e36540ce5dd1f890b0c365da

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd

Filesize
168B

MD5
e7efc2c945a798b4dab3fe50f1524592

SHA1
0bb937ccd89e40c91c0e58b376873ef909fe805b

SHA256
624acac79fdcfe30592f5321b4ab73d360f393dbcdbe8daa50fcce63c710f5dc

SHA512
e75840979404587aa15fd4d1e46707c33e32dca086ca72c7666045e14191e29857d06dc8ba737e69925c71b2e2d6a5ee3b63c36ecd2f32ae515f85a985d8f257

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF569.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF5DA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bot.log

Filesize
3KB

MD5
dcc1a81a57e1fbb8bf78f9c433dcbdea

SHA1
295a7b0cff84469ae1fccce701b0d4d4baa9b7a5

SHA256
800a580bc2c70ee9bd3d88c5c2f533b5274ba932a3d47abc8d0c07e3534e1903

SHA512
606b5a655b46f26766a06977cbd6c1be63b7e500a616c253ab5576b76a410addd82307f2c28393e877838f0861c968ae8c50e40bfe588bb8fd242fe6e67af95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bot.log

Filesize
4KB

MD5
2827c127b204b9ddb028d7243f37f712

SHA1
16815194abc6c3e06e4675294d0a19576fee17e7

SHA256
b7344988ab734e48c7e106fce25eb3172c537b4852e71d99a7c23a85cbfb09b5

SHA512
8e3a833a4f6770a70b68735f25197a6c4ed0f51952c9c143f3f13ba3786ac4d62956153a017f975d5fe20cad3140ead03985b1bc1564c967876278527271ba63

Download Submit
C:\Users\Admin\AppData\Local\Temp\win5.tmp

Filesize
240B

MD5
ee926df00618b73a370f2dbcbe19ebeb

SHA1
eb775efca19c657d4cc02d21190db4f522ae750d

SHA256
6aa561c0cd6879efa55a085e9020c4827f4e51e8b44902e72b908d06bb454c32

SHA512
6b4d1f2d897b6876755d1a6370f849d1241bbb9d462a5347b0b157bb4b7efe80c0d171e14e0277bd72dfbcdf31cdc055e500341a6e0c444513cb47cddecaaf54

Download Submit
C:\Windows\SysWOW64\ctfmonsvc.exe

Filesize
2.3MB

MD5
c847b7a2cf4a720d70aeef5b253b1f36

SHA1
c8485fb5223eb30d867348f9480e2121f57f9f1c

SHA256
7015fbbe40d9041e72fe13f794cdcfc3555f54edbe209bd6fcd6b71a30d22129

SHA512
3d028a371848406f8d1d4b8ce9939c93ec5ceeb2dce9830b54e20e7ca8492cb83148c679b465292b0307d8cf6a57681709d657d90338a68cd68f6beba273158c

Download Submit
C:\Windows\SysWOW64\svcsqldhcp.ocx

Filesize
4KB

MD5
3adea70969f52d365c119b3d25619de9

SHA1
d303a6ddd63ce993a8432f4daab5132732748843

SHA256
c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665

SHA512
c4d836fcbdab4c859a6fc0f849d1e41e98c7e23fc0fe0fe0a09cb68e9a57d60b2ae9ad46762d7a5e05db28d6179bd431ef179ee1f9ff016db74cc3b1d74ed7f8

Download Submit
\Users\Admin\AppData\Local\Temp\infopoolproc.exe

Filesize
104KB

MD5
bf839cb54473c333b2c151ad627eb39f

SHA1
34af1909ec77d2c3878724234b9b1e3141c91409

SHA256
d9cfcd9e64cdd0a4beba9da2b1cfdf7b5af9480bc19d6fdf95ec5b1f07fceb1d

SHA512
23cb63162d3f8acc4db70e1ecb36b80748caaaa9993ee2c48141fd458d75ffb1866e7b6ca6218da2a77bd9fcb8eed3b893a705012960da233b080c55dc3d8c3d

Download Submit
\Users\Admin\AppData\Local\Temp\smss.exe

Filesize
15KB

MD5
6242e3d67787ccbf4e06ad2982853144

SHA1
6ac7947207d999a65890ab25fe344955da35028e

SHA256
4ca10dba7ff487fdb3f1362a3681d7d929f5aa1262cdfd31b04c30826983fb1d

SHA512
7d0d457e1537d624119a8023bcc086575696a5739c0460ef11554afac13af5e5d1edc7629a10e62834aba9f1b3ab1442011b15b4c3930399d91dca34b3b1cbaf

Download Submit
memory/1568-305-0x0000000000270000-0x0000000000272000-memory.dmp

Filesize
8KB

Download
memory/2680-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2680-255-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2680-276-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download