8d70f29c3c5dc0f9f11a171560aee956e7b588c9272511ca78aa712923681336

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe
Size

56KB
MD5

ea90986ca1ccc0e9e15c76011923b03d
SHA1

afd26f693018bd7ae7c1d9c84858c5077a868c33
SHA256

8d70f29c3c5dc0f9f11a171560aee956e7b588c9272511ca78aa712923681336
SHA512

2ac1020bffff0cbff7c6d9e2b4a4f2f81101855dc020f532ba767ef53ef52ee2a04694e8bb0f0efbff87afce2fa4407a4c73bca0ed1c7910a72fddab2f508f54
SSDEEP

768:cS1q1Q4RDU7wuFHfhXkoYqbvda7k9rhSV1YDrou9e0emRkc+y4IX9EPvmtK:71q1Q4qLf1nhrrou9e0eS94qtK

Score

10^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe

Disables Task Manager via registry modification
evasion

Deletes itself 1 IoCs

pid	Process
3020	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2236	Systom.exe

Loads dropped DLL 2 IoCs

pid	Process
1792	ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe
1792	ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\crsss = "C:\\Windows\\system32\\Systom.exe"	reg.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\p:	Systom.exe
File opened (read-only)	\??\r:	Systom.exe
File opened (read-only)	\??\s:	Systom.exe
File opened (read-only)	\??\e:	Systom.exe
File opened (read-only)	\??\g:	Systom.exe
File opened (read-only)	\??\j:	Systom.exe
File opened (read-only)	\??\k:	Systom.exe
File opened (read-only)	\??\l:	Systom.exe
File opened (read-only)	\??\t:	Systom.exe
File opened (read-only)	\??\w:	Systom.exe
File opened (read-only)	\??\z:	Systom.exe
File opened (read-only)	\??\m:	Systom.exe
File opened (read-only)	\??\n:	Systom.exe
File opened (read-only)	\??\q:	Systom.exe
File opened (read-only)	\??\x:	Systom.exe
File opened (read-only)	\??\h:	Systom.exe
File opened (read-only)	\??\i:	Systom.exe
File opened (read-only)	\??\o:	Systom.exe
File opened (read-only)	\??\u:	Systom.exe
File opened (read-only)	\??\v:	Systom.exe
File opened (read-only)	\??\y:	Systom.exe

Drops autorun.inf file 1 TTPs 8 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\f:\auToRun.inf	Systom.exe
File opened for modification	C:\Windows\SysWOW64\auToRun.inf	Systom.exe
File created	C:\Windows\SysWOW64\auToRun.inf	Systom.exe
File created	C:\auToRun.inf	Systom.exe
File opened for modification	C:\auToRun.inf	Systom.exe
File created	\??\c:\auToRun.inf	Systom.exe
File opened for modification	\??\c:\auToRun.inf	Systom.exe
File created	\??\f:\auToRun.inf	Systom.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Systom.exe	Systom.exe
File opened for modification	C:\Windows\SysWOW64\Systom.exe	Systom.exe
File opened for modification	C:\Windows\SysWOW64\auToRun.inf	Systom.exe
File created	C:\Windows\SysWOW64\auToRun.inf	Systom.exe
File created	C:\Windows\SysWOW64\Systom.exe	ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Systom.exe	ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe

Drops file in Program Files directory 44 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	Systom.exe
File opened for modification	\??\c:\Program Files\ExportWrite.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Soft Blue.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.HTM	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\OFFISUPP.HTM	Systom.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	Systom.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.HTM	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM	Systom.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	Systom.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	Systom.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	Systom.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	Systom.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Hand Prints.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.htm	Systom.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	Systom.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Orange Circles.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.HTM	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.HTM	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\README.HTM	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\MCABOUT.HTM	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Green Bubbles.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM	Systom.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	Systom.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\OSPP.HTM	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.HTM	Systom.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	Systom.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	Systom.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Shades of Blue.htm	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\DADSHIRT.HTM	Systom.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Stationery\1033\SEAMARBL.HTM	Systom.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-14.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\401-5.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-15.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\500-14.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-9.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Green Bubbles.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\500-18.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\500-13.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-1.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-11.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404-13.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-10.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\500-15.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-sonic-clickme_31bf3856ad364e35_6.1.7600.16385_none_560dd693a7476c8c\ClickMe.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-14.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-12.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-14.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404-1.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\401-2.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-5.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-13.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-16.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\401-4.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-7.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-12.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-15.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-13.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Garden.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\500.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\500-18.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-iis-corewebengine_31bf3856ad364e35_6.1.7601.17514_none_2dd00d963fe4475e\iisstart.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-18.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-1.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-6.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\500.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-18.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-11.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\500-18.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-16.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-14.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-11.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\401-3.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\403-3.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\404-5.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Stars.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404-3.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-9.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\500-19.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Bears.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-7.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\401-1.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-15.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-2.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-10.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\501.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\404-2.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\401-5.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\404-3.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\500-16.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\401-1.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-1.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\403-5.htm	Systom.exe
File opened for modification	\??\c:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403.htm	Systom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Systom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0602e41f021c001	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "1808937010"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000be0f6453c24e3c4085f3be33fbc39a58000000000200000000001066000000010000200000009bc7863dc3d3e85ae6b2afb8b7a42577bbd4ee6a00f5a483295ab728f1d1b632000000000e800000000200002000000091a37dbe16d5ea619b96ab291056f1a51d2be1799377bf7684ba477a0fcf0aac900000000b813cfca44ec9d542981fc7e5787444480f8c7fce3c7221b9ce30b91e6fbfe8aea03385551c9ed1e700b48e375c6217428bffd1c415eefbba16a60af14eff31b76f9a8de10a5fa5556637549f166c746f37e04191226655280470212d01975d374a4206e64c1ce2396f74a3c186ecbff8b74cfac9a923ed05a56b6f399b72c5afba54dd9728dda52905c4039d74543c4000000085cbfd17e7ba0c9169611dd85d6781feaf6a64fc1679b7a452c83daddec98d3aeec1b5c0995cb5b866f97919e438fcad840896313383585977578b60e92df181	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000be0f6453c24e3c4085f3be33fbc39a580000000002000000000010660000000100002000000092fb087d059a6d7003c26d20f9a03278bef00e0469d077a9d6eb61da89ca5e62000000000e80000000020000200000000d6ab8d4e769181f77d073aad6cedb227f5460342243b5e169cf8303f1251dc420000000a452f593f5674803a9a71c9c5fac425fe7da3b6644407ed2d3a06117cdf51e794000000014d10743aad85c38ae27b00185f88014c61d4102315d73a18e212745e2285af77d9f9ac1529ab085c17856b4acd26148f43a516dc4a000c5ce57a7fdff805ef5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6A82A351-8DE3-11D4-9E60-7A7F57CBBBB1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2788	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2236	Systom.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2684	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2684	iexplore.exe
2684	iexplore.exe
1868	IEXPLORE.EXE
1868	IEXPLORE.EXE
1868	IEXPLORE.EXE
1868	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2236	1792	ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe	30
PID 1792 wrote to memory of 2236	1792	ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe	30
PID 1792 wrote to memory of 2236	1792	ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe	30
PID 1792 wrote to memory of 2236	1792	ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe	30
PID 2236 wrote to memory of 2788	2236	Systom.exe	31
PID 2236 wrote to memory of 2788	2236	Systom.exe	31
PID 2236 wrote to memory of 2788	2236	Systom.exe	31
PID 2236 wrote to memory of 2788	2236	Systom.exe	31
PID 2236 wrote to memory of 2700	2236	Systom.exe	33
PID 2236 wrote to memory of 2700	2236	Systom.exe	33
PID 2236 wrote to memory of 2700	2236	Systom.exe	33
PID 2236 wrote to memory of 2700	2236	Systom.exe	33
PID 2236 wrote to memory of 2944	2236	Systom.exe	35
PID 2236 wrote to memory of 2944	2236	Systom.exe	35
PID 2236 wrote to memory of 2944	2236	Systom.exe	35
PID 2236 wrote to memory of 2944	2236	Systom.exe	35
PID 2236 wrote to memory of 2556	2236	Systom.exe	36
PID 2236 wrote to memory of 2556	2236	Systom.exe	36
PID 2236 wrote to memory of 2556	2236	Systom.exe	36
PID 2236 wrote to memory of 2556	2236	Systom.exe	36
PID 2236 wrote to memory of 2940	2236	Systom.exe	38
PID 2236 wrote to memory of 2940	2236	Systom.exe	38
PID 2236 wrote to memory of 2940	2236	Systom.exe	38
PID 2236 wrote to memory of 2940	2236	Systom.exe	38
PID 2236 wrote to memory of 1584	2236	Systom.exe	39
PID 2236 wrote to memory of 1584	2236	Systom.exe	39
PID 2236 wrote to memory of 1584	2236	Systom.exe	39
PID 2236 wrote to memory of 1584	2236	Systom.exe	39
PID 2236 wrote to memory of 2792	2236	Systom.exe	40
PID 2236 wrote to memory of 2792	2236	Systom.exe	40
PID 2236 wrote to memory of 2792	2236	Systom.exe	40
PID 2236 wrote to memory of 2792	2236	Systom.exe	40
PID 2236 wrote to memory of 2896	2236	Systom.exe	43
PID 2236 wrote to memory of 2896	2236	Systom.exe	43
PID 2236 wrote to memory of 2896	2236	Systom.exe	43
PID 2236 wrote to memory of 2896	2236	Systom.exe	43
PID 2236 wrote to memory of 2684	2236	Systom.exe	46
PID 2236 wrote to memory of 2684	2236	Systom.exe	46
PID 2236 wrote to memory of 2684	2236	Systom.exe	46
PID 2236 wrote to memory of 2684	2236	Systom.exe	46
PID 1792 wrote to memory of 2568	1792	ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe	48
PID 1792 wrote to memory of 2568	1792	ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe	48
PID 1792 wrote to memory of 2568	1792	ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe	48
PID 1792 wrote to memory of 2568	1792	ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe	48
PID 1792 wrote to memory of 3020	1792	ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe	49
PID 1792 wrote to memory of 3020	1792	ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe	49
PID 1792 wrote to memory of 3020	1792	ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe	49
PID 1792 wrote to memory of 3020	1792	ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe	49
PID 2684 wrote to memory of 1868	2684	iexplore.exe	52
PID 2684 wrote to memory of 1868	2684	iexplore.exe	52
PID 2684 wrote to memory of 1868	2684	iexplore.exe	52
PID 2684 wrote to memory of 1868	2684	iexplore.exe	52
PID 2236 wrote to memory of 1148	2236	Systom.exe	54
PID 2236 wrote to memory of 1148	2236	Systom.exe	54
PID 2236 wrote to memory of 1148	2236	Systom.exe	54
PID 2236 wrote to memory of 1148	2236	Systom.exe	54
PID 2236 wrote to memory of 768	2236	Systom.exe	55
PID 2236 wrote to memory of 768	2236	Systom.exe	55
PID 2236 wrote to memory of 768	2236	Systom.exe	55
PID 2236 wrote to memory of 768	2236	Systom.exe	55
PID 2236 wrote to memory of 308	2236	Systom.exe	58
PID 2236 wrote to memory of 308	2236	Systom.exe	58
PID 2236 wrote to memory of 308	2236	Systom.exe	58
PID 2236 wrote to memory of 308	2236	Systom.exe	58

C:\Users\Admin\AppData\Local\Temp\ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\SysWOW64\Systom.exe
  C:\Windows\system32\Systom.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V crsss /T REG_SZ /D C:\Windows\system32\Systom.exe /F
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2788
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate /v DisableWindowsUpdateAccess /t REG_dword /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_dword /d 00000001 /f
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\EXPlorer\Advanced" /v Hidden /t reg_dWord /d 00000000 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2556
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t reg_dword /d 00000001 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    - System Location Discovery: System Language Discovery
    PID:2940
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t reg_dword /d 00000000 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - System Location Discovery: System Language Discovery
    PID:1584
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t REG_SZ /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN" /v CheckedValue /t REG_dword /d 00000002 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://xx.522love.cn/tongji/tj.asp
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2684 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1148
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1532
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:740
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2328
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2696
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2740
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2556
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2172
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2376
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2204
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1584
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:3064
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2276
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1048
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2844
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:924
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2908
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:380
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2000
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1636
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2440
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - Modifies Internet Explorer settings
    PID:1672
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1976
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2608
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_EXPAND_SZ /d /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" add "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 00000001 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e132ecbfeb5a9bb26ec986c8acd50dde

SHA1
57a9aa020d6666e14b6e85ae9687ec6aea955d5b

SHA256
79f285eb6728fdadf17aa29cf0425be46f09d8f05a77c5e24bc1deb1eb229d59

SHA512
afd1bdd0f9179e0121b49d3f3973e3750575a06ee7b34cd391addd36a467b59ef32d1be02a15d634b89b01a8da60781cb6c75a3d4a9f671e9916217d87206260

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e74786bbb497a83f72f560c5049f9327

SHA1
72f163c7e70752e8fbb24f9879e3ab15f8bf1c36

SHA256
0d865be9a036d7aa3c141416a785e117699e89919e93c8d0470e5410302d839a

SHA512
3179a2fef4f15826f3c8ec7c43b925e69578aab529cd148de5d01725e5d443dc06b3e89ab836f345ec552e3191371026ce68d26ae28b19c1604f99a09b6a6e99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12741be8d7edea765804a5b2b9329541

SHA1
5aeb578f915d3a80f8406bde8c7fcd5dd9578ba0

SHA256
dde8be4477a91e32f40a4b1e7cb548c7ed7d86c4adefb4793a3a572af0904c63

SHA512
a699cb22647f48ca2cf104411fbadd568b0a2cdbda31109e37c3e9dccf28e1a88034362df9ac09f7ffc8c2b0ed6db77d785e4354febbb877b82c927f14c7f98c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58d3e687753ab31dece74a36cad0246b

SHA1
1f5c76acd84649c8ce0049d085e06fc5df72e3af

SHA256
49dc8804a8641b3583575e18cd1409e8415075e3c3ca6e48ef9b5508ab2212be

SHA512
7659aa8f411568748896932c7c1252a11ca32d69d0bbb3308eb5b88faa4006a5825d11c51cd8cfaf252e0f1da469825102aecc202554234a3b636c067908acf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d39693ed6a997b549c3f67feeb67fe75

SHA1
0a0cde62dd9c04dc7f94fc827fc2ba82a136c74c

SHA256
b1208c35ab9ab51c2449c051fddeadda8ab572673ffd2abd62c168e3644d4ac1

SHA512
aae0e1dee363f641f81fb1f7a8efd22fa81f2ad75507fb53aa63a50040c21526123834ccf33018993c3c7abcb379cbae6a7d0b322e87ae625efb9a3be51158b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03cc231f8e0a075f65c5f593f34478e2

SHA1
a14e7c5a959f755f2675e35d5ddae896b38b3b3c

SHA256
5d5420e3b0e83e933c8493e745aa9eaf807182cc0a89f8d9060af0e78e17e9b9

SHA512
8260920f7a19aa720db615ed70e13f4bfa543a8e0aeaf61ab00c5ff0a1eb688c4345024b190102efee628401ab838b866043fdab327c2aa0fd1afb64d34ae957

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0fb665aee4bc397146f2d65c7cdcd47

SHA1
49faf0f8dfaf81e7a53e202d60407dec126f31e7

SHA256
12a564ae43466771b3644387707f25fe23906b26eba17cf441d4ce57b9afbb81

SHA512
4a2bcc369be3b83d6d87284ad32dce54517aebfa8c091702977c06504db35c9af2e8d4883a8c2f4947c6ae15ec7af39b3a1875ff31b29b046f9ae507fdcc778d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bdb9f0d4ed937df8a8052edbd267352

SHA1
e11cd91990bcd4b724518985a6a8136b03d44bb4

SHA256
16ebdae2583dfeebe60bf0ad018986bcdff90c90b4249a7217c95c6d2a56ccb7

SHA512
34e6fc1c2b37212bcd18ae4c6a1105305d19620984a213e80f289266789962cb839e3d5465e4935e700bbfcdc1bb910e5d43beb488a8518ea52fef65e9954cc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9c53f2276b09a151e3a3e2155a977f4

SHA1
7e9d3e8e441abc52b8f235c32aedd014761e6702

SHA256
0a82860deb58446b9cdd2bec1fda2b08c4ca594aa177f9d36dd937700d07fd35

SHA512
10cb40ffd0b629441d601d8e81fdc0705b0265dde3b6bb85c3aef4c3ec370bf57ff98b8e0947df7516053ca802b3b1d2a0049b5de0634961e5f536ad44ca7ebd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3b12eb91f20320febe34bcc51dcd42d

SHA1
aa4333c1afc5efff37ba3ac9423381085eeeeef7

SHA256
6bc1cc568eb749287cf9703db3d6ece099df34e6894355da0675ed015d75a704

SHA512
efdb58dac6238eaa007d7f3a7536316719e825a9e0b2a70f24b2ac82e2a78a0f696dfe8a7f30aed555ff36a6a47fba68e15d991dd538cee6413590170ae9a6ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a01b75a78e97d38114b214264fd93fcc

SHA1
1974d3931fea621b62c0bb20648ec0eb149be7ef

SHA256
9d0b1c00c208c0fdfac0d1fde9fdec401e7883de95bb8ed8d2e8e2d707254810

SHA512
c70ab49bade92c1bcfe5b26e77a51c8caa2fd83f7bad5172019e9ee678325cb1e6d103686f0cae1c517b5f8456159e1d2147b1b255362fc239f7a1b790ca33d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba8bfee19d78fe9b1517f19d6e9127b6

SHA1
293a6f885ffa75ca31913a028bfdbdf2f7c72f5c

SHA256
754dc0bf65a22cccecfba6ff753fa4299a72166a962c9278e481bc669e60e82c

SHA512
1d00f1a16e6842065dd0a37a2315ebcd2129010f32355fea2eaca4efd71f3f6bb1f40ae21c15223fe047968e82a27d06a83d2ef76b72271780aa89aef241707f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24703265cb9d8b1873bb466e4a40b8c0

SHA1
0d998d9e9e5534d2dc0b0589a22f6b9f783027b9

SHA256
88a00928cbfe7dd9ef0b0acdb41cc6d346586a7d97eca6e0cd9ecbc0762a7ebf

SHA512
0b9bd8611cf1857671e9b6a51b82588786671d8f4706a94ee1970578b9ed45b3e6e0fd2308ad5915f92681e29f02f0add7ae9b3dd10bad8afc4f4c8d851234d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2db893f2c3b7069788436291b80ef26

SHA1
01ca7efcb236616467853acd2d211a8eb4be980a

SHA256
a82ac203c7ff401c2840d680aa5845c2bef23efffe7e48acd2dc022890273ea2

SHA512
5c1615c34c06c030648e7ea184fdef123fdb85deefddace6605be98bd38a334e21ea356706c3e2aeb051342ce69fa11a1cbbdc55de4f6cf8763fc2b9ed5ae2d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97484ae774fd07e54bd8c7f8a911be9b

SHA1
d4dc707b9a34de0531a2ca9fb1c8c9cddf855035

SHA256
b9a2fb917480d83377eda437e17655cb8601f1f61005957b841694a41d02fd37

SHA512
8953c0202514a441d988b81194cf646a72239d8175cfc5768e3946ea2729cbdeac3d8ba8984650a05f2b8ad9f754976021e823bfacbae312685a5a50649d6374

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e808bd7444192dc5e6674d0447567fce

SHA1
952a55ff22efab87c3e3985952e05395dfa32ee4

SHA256
2b6c321268387eab1b725ab4dbf63909c09d0fcfdcae94eb29772181d36408a3

SHA512
6ace767ffd2ff0f82d67ed1938806c34da3248d0b98ddeedc7bec71f9e0ebc8659b93df405c5da292e94501b7b13a36ec950d0c04eb5280532de38ebcec1c764

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a60cade61a61090ec8f5dbce8d2f944

SHA1
0b9f1a2b44a17da30e2a17f45492d2962a0cbe16

SHA256
f77a773a3bebf3c9ff982489beb1d06500bb53c94ca542948070d0e454dd2155

SHA512
daebe6d2489e83e41b6ba2675dce954880ed50716e5260d4032ec28921694c0ad922e7faa5a27cb7698b6a3a3bff7154b75d180d44fc84ac015f4926257abea0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e20f91f86dcc37e9965d9c1005b8e7bf

SHA1
a1a82f732ac4145ac827ce9ac77714043ecdf086

SHA256
d4ff00f20219b42da31795b591519e356bc667d1b45eabb060709b890bfaaaa3

SHA512
d0a3f2c621831dcfc79848d0569a633ad686d7d9f8a6d19a71a816996d891bf7a9421bb92c4b3ee10f93202ca722f3e054bc7690401a7ae6471ee9be06471fee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8360325f340a7aaed7f836e087c4319

SHA1
e5c45bd7210f72df18d6fec0fbcf8990edab91a4

SHA256
643bf5c0d1ae6887ced7fec7d105310b1254dabea2bf40b50805b51da3e40bc1

SHA512
203b0c68e13002aa387a3d3bc58f01e2c0ecbe22e4ab99ef5936ee1588dc9bd425a08daea04648084e77d56912621ab71df14e65ba980ead389a46e1f454312b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c23121715a18d924c91f92e517daca8c

SHA1
e5aa51f246d7281e1d584e0c726939f28a78bd61

SHA256
927bf7dcca3ef26b243c5cc459a41b13d5164c418f4468b9005a20cf31f7c31e

SHA512
5c0fb11d54b1f72697fae9b833f8398f2986cbb1be39278ba737a010ae374395dbb189627de92bc7685bc26511961ab60c5a83015ce7bacd899619951d2919f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef72588701cf4465cc770363de37a8c9

SHA1
8b72fe1faffb856ee3e50479e1d501e7e9d5ab8e

SHA256
ada6e5052b0191f68db8efd47d6146b9b1ea4a745e22c057ac4f575b343a7e39

SHA512
ae3f7996259cfa40759f607bbbbe89c2b2218e92355080e79473507de9c875422ace8d976d959c8e4396206ccbc8bdb629d7ff47412066386693f8badc099c3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28373a3e08fb81d0658c9f9a26e70bb7

SHA1
d016622472199e921fecac4b9846f618f108f9af

SHA256
442af9df8a35dffdbb8a2a3186653aac5822dcdbeb7fa7efd6e9647ee47b0c92

SHA512
373f406206aed974b9308692bc32ad612c82e5ed77fc57d13a8886c536752699327c6c67933753596963c4ccd7ce476b5aae50e1046703ffef542a4f2c0f6ba9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
054e87c90938ee09b34ca02e502a617b

SHA1
1c23fbd68fad931d3a24342f998edd0e36e1b8e9

SHA256
623475e01cc598e061fc258bf9857e020014fd1eebc9a87090bb6eb6df3a88d9

SHA512
3b4ed2e2a47dcfb6667e4fcad7cf89fc6ad486caf3bac9355157fd6804e818416d898217b048a3b52115a358100cd0b25db0180420541f6816273ab1939d7036

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ef807b3f16f48c45f68e15563c1b497

SHA1
fb994644d973e39bea39c60a3228aa43e427d9d9

SHA256
cd01c882c1098b22c57f26887af82afb8288192e8a370fe57e0f7b54700f9277

SHA512
28e908efee944eaa8cf88eba2d99ad3854be5ee9a6b3adeecd071beccd56b0ffcc62477811969accd7c2fdf0a574c9b082e4dede222f1efba4cf90f64eaa24dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ad1a148055e6a9fbe60c29095508076

SHA1
12fbb377ed698968763012e7991c94f42bb05702

SHA256
786c8699db4a97eb012ae35bc82e4a5c21e8a95888799a2acb61d012752f0fdc

SHA512
0dba5ebd00bddee22854cf470146e9eca1cdbdd23363fda600a7fadf91165fc6c68aa06f6f6c5f38af9769a800d49ae52320b5c00979d49363471b7493c33596

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90248c2c3d755493b1840e69e260e903

SHA1
ae65a3d8ae66dd3ac2089d68af77a520071462e6

SHA256
7870f01f3be2bf079d3dbf94bca61ec05a2da2ac383aba5aa36975ed9ac802ab

SHA512
8ebb9590cfccf82d54f0394046e24237633c9a715f97607f46f3692b7c8a256316c4f49ace18cdff3d4a4ffe76349480d9e7dd186fcbdcf8fe4a7fb005faea7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab68B5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6915.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea90986ca1ccc0e9e15c76011923b03d_JaffaCakes118.bat

Filesize
212B

MD5
85ed54dfb35efa31b1f3c482eb2aed9e

SHA1
0fd85799f94dc301cb9171833abe25a14a72e838

SHA256
bfb3f795b142a16f9879c75900682a5c87363e0386623ad691fb216806517a87

SHA512
6e94ae13b5fbf32607f9b7a9d3903d24243122ca0579e1f951ed11d51e8af338a4ee07d0e719aca34dc858e937b62c98a0fa368e50e226a89f3b63d5f5cb184a

Download Submit
C:\Windows\SysWOW64\auToRun.inf

Filesize
159B

MD5
52a91a3dc7dd66febd48249e964bdf68

SHA1
563fc702c1a46cccb33f75e954d7175cfb6b0729

SHA256
accf8344413f2fd07111e6c29969ace60f8b7d06049216f677730e62e68b0b2e

SHA512
0cf51ce1fbf9b234b3d5aac11d024c1954b1de2874bf47026491ad0e4c9d0a0307483a88c833fd20d7fdb23ed620301c55fadd66a0cbaf32f55558eba07d660b

Download Submit
\Windows\SysWOW64\Systom.exe

Filesize
56KB

MD5
ea90986ca1ccc0e9e15c76011923b03d

SHA1
afd26f693018bd7ae7c1d9c84858c5077a868c33

SHA256
8d70f29c3c5dc0f9f11a171560aee956e7b588c9272511ca78aa712923681336

SHA512
2ac1020bffff0cbff7c6d9e2b4a4f2f81101855dc020f532ba767ef53ef52ee2a04694e8bb0f0efbff87afce2fa4407a4c73bca0ed1c7910a72fddab2f508f54

Download Submit
memory/1792-22-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2236-746-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2236-1409-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2236-655-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2236-712-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2236-700-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2236-319-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2236-1375-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2236-769-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2236-1421-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2236-1444-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2236-1478-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2236-1501-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2236-1524-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2236-1547-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads