9a46f2110fc37139aab92099d370c95f7e15238735b5fe19dd538c200a0152e4

Analysis

max time kernel
73s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
Size

399KB
MD5

dd064d8db1e9d7171d0d5343e41ea976
SHA1

bac6dbdfe093f00209f9ec11491924083c92932d
SHA256

9a46f2110fc37139aab92099d370c95f7e15238735b5fe19dd538c200a0152e4
SHA512

c2ebc89f54d4d7fefac473e344794fb9f90223d25e24790637f44d02ff6fcfd84bcb4b973e75037b45f23f9a9d08efe20b4d22d48c84eebb37e3247b1f4cca6b
SSDEEP

6144:7HArePp1FfINYC/hsjsrAY6Ic/8jrKEFDcmvKQbERvdestcWjl7:7grePdHQhs71IS8jrKEnxS1Zt7jl7

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1920-1-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/1920-2-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/1920-80-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/1920-82-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/1920-96-0x0000000000400000-0x00000000004D0000-memory.dmp	upx

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4856	1920	WerFault.exe	82
2700	5108	WerFault.exe	366

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{9F54E3D8-38AF-4AD1-8212-2B984DD1211C}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{C6083CA1-D6C1-4C45-A39C-F9D8FF178F73}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{893F3F06-CF9C-40F3-BF62-6D9ED23CEE04}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{5E277F10-9310-46FD-AF1F-0CBE1FF56864}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{AFA7A8AD-56E6-4052-847F-353D16AB0A8E}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{84F53866-0693-4B56-8D56-E29366AA94AD}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{7DB4CA4A-4DCB-4AE3-A444-C0370F5DC221}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{883CAB79-79D9-455C-82B2-36D208C36726}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{E5008518-C237-4AC6-9D68-300F42F9BDF0}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1920	dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
Token: SeShutdownPrivilege	4320	explorer.exe
Token: SeCreatePagefilePrivilege	4320	explorer.exe
Token: SeShutdownPrivilege	4320	explorer.exe
Token: SeCreatePagefilePrivilege	4320	explorer.exe
Token: SeShutdownPrivilege	4320	explorer.exe
Token: SeCreatePagefilePrivilege	4320	explorer.exe
Token: SeShutdownPrivilege	4320	explorer.exe
Token: SeCreatePagefilePrivilege	4320	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	3244	explorer.exe
Token: SeCreatePagefilePrivilege	3244	explorer.exe
Token: SeShutdownPrivilege	3244	explorer.exe
Token: SeCreatePagefilePrivilege	3244	explorer.exe
Token: SeShutdownPrivilege	3244	explorer.exe
Token: SeCreatePagefilePrivilege	3244	explorer.exe
Token: SeShutdownPrivilege	3244	explorer.exe
Token: SeCreatePagefilePrivilege	3244	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeCreatePagefilePrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeCreatePagefilePrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeCreatePagefilePrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeCreatePagefilePrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1148	explorer.exe
Token: SeCreatePagefilePrivilege	1148	explorer.exe
Token: SeShutdownPrivilege	1148	explorer.exe
Token: SeCreatePagefilePrivilege	1148	explorer.exe
Token: SeShutdownPrivilege	1148	explorer.exe
Token: SeCreatePagefilePrivilege	1148	explorer.exe
Token: SeShutdownPrivilege	1148	explorer.exe
Token: SeCreatePagefilePrivilege	1148	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeCreatePagefilePrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeCreatePagefilePrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeCreatePagefilePrivilege	836	explorer.exe
Token: SeShutdownPrivilege	836	explorer.exe
Token: SeCreatePagefilePrivilege	836	explorer.exe
Token: SeShutdownPrivilege	2884	explorer.exe
Token: SeCreatePagefilePrivilege	2884	explorer.exe
Token: SeShutdownPrivilege	2884	explorer.exe
Token: SeCreatePagefilePrivilege	2884	explorer.exe
Token: SeShutdownPrivilege	2884	explorer.exe
Token: SeCreatePagefilePrivilege	2884	explorer.exe
Token: SeShutdownPrivilege	2884	explorer.exe
Token: SeCreatePagefilePrivilege	2884	explorer.exe
Token: SeShutdownPrivilege	3100	explorer.exe
Token: SeCreatePagefilePrivilege	3100	explorer.exe
Token: SeShutdownPrivilege	3100	explorer.exe
Token: SeCreatePagefilePrivilege	3100	explorer.exe
Token: SeShutdownPrivilege	3100	explorer.exe
Token: SeCreatePagefilePrivilege	3100	explorer.exe
Token: SeShutdownPrivilege	3100	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1428	sihost.exe
1104	sihost.exe
4320	explorer.exe
4320	explorer.exe
4320	explorer.exe
4320	explorer.exe
4320	explorer.exe
4320	explorer.exe
4320	explorer.exe
624	sihost.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
3100	explorer.exe
3100	explorer.exe
3100	explorer.exe
3100	explorer.exe
3100	explorer.exe
3100	explorer.exe
3100	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe
452	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4320	explorer.exe
4320	explorer.exe
4320	explorer.exe
4320	explorer.exe
4320	explorer.exe
4320	explorer.exe
4320	explorer.exe
4320	explorer.exe
4320	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
836	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
2884	explorer.exe
3100	explorer.exe
3100	explorer.exe
3100	explorer.exe
3100	explorer.exe
3100	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
812	OfficeClickToRun.exe
3432	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 4320	3104	sihost.exe	101
PID 3104 wrote to memory of 4320	3104	sihost.exe	101

C:\Users\Admin\AppData\Local\Temp\dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 896
  2⤵
  - Program crash
  PID:4856
- C:\iM01800AkKfD01800\iM01800AkKfD01800.exe
  "\iM01800AkKfD01800\iM01800AkKfD01800.exe" "C:\Users\Admin\AppData\Local\Temp\dd064d8db1e9d7171d0d5343e41ea976_JaffaCakes118.exe"
  2⤵
  PID:5108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 888
    3⤵
    - Program crash
    PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1920 -ip 1920
1⤵
PID:4044

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:1428

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:812

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:1104

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3432

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4320

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4676

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of FindShellTrayWindow
PID:624

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3296

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4396

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4804

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3244

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1692

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1148

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:836

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2884

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3100

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:452

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:4984

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:1520

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
PID:4352

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3308

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1104

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
PID:3112

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3396

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
PID:1888

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3184

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:1280

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:4484

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:2408

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4052

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:4596

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:4456

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:1916

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:1612

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:2460

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:4324

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:2132

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3864

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1344

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:4136

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:2260

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:2084

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3392

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:2228

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
PID:2436

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:824

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:3924

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3964

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:4036

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:4456

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
PID:4312

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:4788

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:2460

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:4324

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:1976

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
PID:2252

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
PID:4560

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:4640

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:3160

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2932

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:4072

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:2296

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:2036

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:1216

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3336

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:4672

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
PID:2656

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:1580

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:1132

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:2824

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
PID:4012

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:3204

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3728

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:5060

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:2560

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:456

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:1904

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:1300

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1704

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3360

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:3632

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
PID:1216

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4052

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
PID:3064

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:2360

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:3664

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:2180

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3456

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:2132

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:2468

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:1344

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:428

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies registry class
PID:2560

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
PID:2076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4364

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4752

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:4816

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5108 -ip 5108
1⤵
PID:1512

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:872

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4028

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:740

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2336

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4084

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3748

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1344

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4480

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3124

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2292

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3828

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4060

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4484

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3292

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4020

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5116

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:832

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3756

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1216

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4036

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1528

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3968

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1284

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1900

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3800

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4444

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1220

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4464

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3108

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4108

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2512

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4000

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3136

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1360

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3096

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3776

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2632

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4140

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4328

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3716

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2732

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4296

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3956

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3344

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:216

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3512

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2224

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1540

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3912

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3224

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4908

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2388

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3028

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3100

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3796

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1688

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1944

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2068

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1412

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:968

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1300

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4344

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3248

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4348

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:820

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4844

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4620

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4080

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2772

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4268

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5068

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3676

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2516

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:400

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4668

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:644

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4520

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:792

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2768

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2528

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4064

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4008

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1608

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2756

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2824

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4276

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:8

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3660

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2152

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:852

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3492

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2044

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:824

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3608

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:452

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1132

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2792

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3168

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2140

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1980

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\iM01800AkKfD01800\iM01800AkKfD01800.exe

Filesize
399KB

MD5
fbe8d62d5aefbab93d9ce74ba1f53a3c

SHA1
c597a2abd58367c9def4f0b022e967156b18c613

SHA256
a1d4051a3191dd7b6200bf782b3bca39749db20a646382cd515a13dfc08d422c

SHA512
613071f0e7b90d061ca72aeb040cedfb9a4f30614274ed30fa1191d9c3a627f784e8849147981d36c28df7c7f5035f6b877eba4e023fafbd2fa4221484821dae

Download Submit
memory/1920-0-0x0000000002260000-0x0000000002263000-memory.dmp

Filesize
12KB

Download
memory/1920-1-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1920-2-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1920-8-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/1920-80-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1920-82-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1920-96-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download