13a080c9caacae77e705d5d7cd24cdeb0d45f3e74e26475e0a0898161eccca74

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Size

1.6MB
MD5

fe079c4129d51477df121333b64bbcd7
SHA1

0f5806f04a5376b372ad55a8ef5050dc8f815aed
SHA256

13a080c9caacae77e705d5d7cd24cdeb0d45f3e74e26475e0a0898161eccca74
SHA512

31787f83322a4f0fb919b630d5b05c28398ca4cbbac3965af6852417e7b2ef1362083a7edff5b984131e5de97e9ff707047ca4955bf1ea21ac92f2a51a5bffbf
SSDEEP

3072:0RsBiWyDJP1j11BJIcBzeFxFtMuqnBJIF+DbCu/bU+99:QxRJPnJwMu6dXCsQi

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\dhcpctfnet.exe"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = 43003a005c00570069006e0064006f00770073005c00730079007300740065006d00330032005c00640068006300700073007600630064006e0073002e006500780065000000	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe

Executes dropped EXE 37 IoCs

pid	Process
3028	fwcprocfwc.exe
4060	smss.exe
2368	smss.exe
3612	smss.exe
432	smss.exe
3356	smss.exe
3120	smss.exe
216	smss.exe
3316	smss.exe
2524	smss.exe
672	smss.exe
1276	smss.exe
2488	smss.exe
1984	smss.exe
4020	smss.exe
768	smss.exe
4940	smss.exe
1780	smss.exe
1160	smss.exe
1568	smss.exe
512	smss.exe
5100	smss.exe
4912	smss.exe
1424	smss.exe
3012	smss.exe
1984	smss.exe
2104	smss.exe
2760	smss.exe
5008	smss.exe
4864	smss.exe
2988	smss.exe
2688	smss.exe
1668	smss.exe
3452	smss.exe
700	smss.exe
2220	smss.exe
4632	smss.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\dhcpctfnet.exe"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\objdnsip.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dhcpsvcdns.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dhcpsvcdns.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mspoolms.ocx	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dnssvcpptp.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dnssvcpptp.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hostpdbmon.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\hostpdbmon.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dhcpctfnet.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dhcpctfnet.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mspoolms.ocx	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\objdnsip.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4368	3028	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb5100000000020000000000106600000001000020000000f01183bdd08cd0c85e3683d59ab64e97a2d52202006908a05d894cac816dd8ea000000000e80000000020000200000008dc4c6569c4d56b9bcbba6130d162b413318cfd78b92c4d09d097bcd9270797320000000adb567ebb2ab430a7915647978c0f5eed078dec84a90e785070be0b917d198bf40000000276fd064750acbeaceed99a5da7c303cb33af271d4916e6cb883eb5edbf5e0a5d1e6284ddaf683dbadaf0d6969756ea151b0d215b8b3dd7b42648b0b3ee32191	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90399b173f12db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134271"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb510000000002000000000010660000000100002000000000ad19a449cc704e6b9013ab0b0fb3ab090d4545b2500a1bd406de25eec8112e000000000e80000000020000200000000f29dd82facd8b8a405fbe51f77fc8c33a933fb85c2fa2d7a907cb3f518adadb200000008c5c7b16fb90afd485f1cf990c11ffc47faf5876a37778bac1174d06f54e991440000000fa7e4ad0a1397e81db4e5f4975afada7fb6148b592f56661d5a37b9e02f27c69a3fb02702503e612a7b1d43a53c9a24c49209d5233b7bb11671960f4331357b0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb5100000000020000000000106600000001000020000000a6e01702d19ff51a1d964370683f336bb36732d2b11a8da30e92732bbfb8f33c000000000e80000000020000200000009989719b4be29356e602ab2f7d57b13d9af6ac98fbaf1d747bb9a7e61594df392000000086e11bd991f51aa6328b1c05a459c43dde9799bf4788ba78d59ec1ca79eb6521400000000838edc571200d55d086ec21dc3723d64e83dd321849fdada4286573898f0041140c80b38da3b96ab40dea41affa941be0f992455464d22459d78749cbf8a3a6	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb5100000000020000000000106600000001000020000000c383e482902bc1780d834b0a08fe6e5bed121534c529fb2bb41a623ee8da1db7000000000e800000000200002000000010d9140d1fd3a8425038c08cf13d6bd05de94f8ba5918df18fcea11818f715342000000084e96bddcda651b622dc294d3c59ae615fd7d1c26f0ad809c58c8bfcb109d80340000000d2b832b0930b1c86081455f33fe9143ae2b089791a04d843e7da549cb3638d3262113b5e34904a855bdb71e7a4121a8aaedef94987772b89a720c03c5ce2c9ab	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31134271"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb510000000002000000000010660000000100002000000061d5ee5bb1b0b675e5972b9b39e60d97109d49d451e0bf5da0444344b9c7b712000000000e80000000020000200000008b6b4e35997bd1a023480f65e1e44a24c5e89488bdf69469f63159d47e008f2820000000b08b58dacb2220d7ee6c8c0e4e745b6fe39513e5afedf7451631a7b88fc2652b40000000aac86c12d898c0f9d106a40b71b247198c2b4cd7d4d39b6f1d01b966b6be271f1488e8d5e13401ab3937189c5cc88e5fdfaf6193b956c17e03ca247a2752452e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb51000000000200000000001066000000010000200000009cb19aa5017daf827ab492583d168a7b7addedb24bd39c49a2a6ad4983a4ae63000000000e8000000002000020000000522d9e6ca72b0fc28da59526130b7898dafa81301dfd23e703638afbe34495d620000000340227b413423450785ad6fb26223f414517be4536c5f2240b31041a8215e7cf400000000b932eda6c62152b69e3bb5e9eb876162cba129cd421526102d71627f7fb8532f4281bec6b774d4069f5835dda772953cd77842255b9256b69c4fa4e4dc92066	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31134271"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0e5341c3f12db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2065092a3f12db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "304955844"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 602ad1203f12db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434358946"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb510000000002000000000010660000000100002000000057c27cf8b6f7a3c1a636ef4e74f8a48037c8c084ff71c27b25217f53298908c7000000000e8000000002000020000000abd9bd81faa1ece4ad55448dd0c253f1bd1fc9ef178d2228f1a51ac7d8f1ef4c20000000cb36caaf52f6fc516203e025188addf5c1927f7b5c5e38342a8c0f3a6db654764000000097fcb2e42c3b7b4313d4f0a7399b38227086958ebeb581f3dad73db2a8a8b7994c8575428970831470adadfd88f4e0adb659a21991cd62e900567c28537ed954	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c066600e3f12db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "304955844"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0b86f253f12db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8064aa2e3f12db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f03744333f12db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3DB56844-7E32-11EF-B1C5-F2CBF1DCE4A5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb51000000000200000000001066000000010000200000009ffa8d91f4ccae65a1192d147bb4d25bb883e91cb38d8127571a8619cd8f2335000000000e80000000020000200000008c393a8f788f69274770d4a950bb6102df81a987c4ecdc888f024ab85b058f36200000008da6c62b47e68e7c231874634bc26ff0b7236202e663eb63716fbb0a063ffb3a40000000c9aac7adba736418a0afa07c01e83d01684dc193146c9c61215a42d6efb86a28007a5aa30fd8bef8cc7bcca7e96933e368f21ff2bef9336ec2ac6a7b32f3cfee	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "305425106"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 206601133f12db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31134271"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb5100000000020000000000106600000001000020000000d1b80f91d0c69cc1c5db497f5888a04ebb63aa2c7c635f583c61685699770d04000000000e8000000002000020000000224cd14629b0b5d45feaeb797503ae00aba726fc9e2a349cd6434e9ca81739a820000000d61fab0d3f5bf2fc5442510f53f1b59a28f57825fe00000422d859a563cea50140000000966dddac10742f38ed6b93a5780723bde479343ecd2196bf42bae7a82ef6841d4656a1887f2dc1778c7fb696789c84bfff9758e6852929683e897a1a840b9f7c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000068fd66d6220e584abe447a4e1268eb51000000000200000000001066000000010000200000006195e5c16dc637d822c4f41c04dbf4be50425ae69ad56958dbbfe3c35a21296b000000000e8000000002000020000000b1e24f235e41a9a61c8335452ba134b2f626012766cf0e0cfb8221a1d3300d6520000000dba404396b53c6a455991e982aba6f1e4f710a1bd872086b02e2348a619d764240000000db6024049619d4860f2db6745d0eefceddb2ee23e06c994acf6fdcf082ee27d45f6861e09f847d45f096c8cd2461073343e9584a3ed9dd96b3b598a3f8561795	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5004c9093f12db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "305425106"	IEXPLORE.EXE

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\mspoolms.ocx"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe

Runs regedit.exe 1 IoCs

pid	Process
2576	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeDebugPrivilege	3028	fwcprocfwc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4788	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4788	iexplore.exe
4788	iexplore.exe
1864	IEXPLORE.EXE
1864	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 3028	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe	82
PID 3944 wrote to memory of 3028	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe	82
PID 3944 wrote to memory of 3028	3944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe	82
PID 3028 wrote to memory of 1852	3028	fwcprocfwc.exe	83
PID 3028 wrote to memory of 1852	3028	fwcprocfwc.exe	83
PID 3028 wrote to memory of 1852	3028	fwcprocfwc.exe	83
PID 1852 wrote to memory of 4060	1852	cmd.exe	85
PID 1852 wrote to memory of 4060	1852	cmd.exe	85
PID 1852 wrote to memory of 4060	1852	cmd.exe	85
PID 1852 wrote to memory of 4396	1852	cmd.exe	90
PID 1852 wrote to memory of 4396	1852	cmd.exe	90
PID 1852 wrote to memory of 4396	1852	cmd.exe	90
PID 1852 wrote to memory of 2368	1852	cmd.exe	91
PID 1852 wrote to memory of 2368	1852	cmd.exe	91
PID 1852 wrote to memory of 2368	1852	cmd.exe	91
PID 1852 wrote to memory of 4224	1852	cmd.exe	96
PID 1852 wrote to memory of 4224	1852	cmd.exe	96
PID 1852 wrote to memory of 4224	1852	cmd.exe	96
PID 1852 wrote to memory of 3612	1852	cmd.exe	97
PID 1852 wrote to memory of 3612	1852	cmd.exe	97
PID 1852 wrote to memory of 3612	1852	cmd.exe	97
PID 1852 wrote to memory of 2104	1852	cmd.exe	100
PID 1852 wrote to memory of 2104	1852	cmd.exe	100
PID 1852 wrote to memory of 2104	1852	cmd.exe	100
PID 1852 wrote to memory of 432	1852	cmd.exe	101
PID 1852 wrote to memory of 432	1852	cmd.exe	101
PID 1852 wrote to memory of 432	1852	cmd.exe	101
PID 1852 wrote to memory of 3464	1852	cmd.exe	102
PID 1852 wrote to memory of 3464	1852	cmd.exe	102
PID 1852 wrote to memory of 3464	1852	cmd.exe	102
PID 1852 wrote to memory of 3356	1852	cmd.exe	103
PID 1852 wrote to memory of 3356	1852	cmd.exe	103
PID 1852 wrote to memory of 3356	1852	cmd.exe	103
PID 1852 wrote to memory of 4072	1852	cmd.exe	104
PID 1852 wrote to memory of 4072	1852	cmd.exe	104
PID 1852 wrote to memory of 4072	1852	cmd.exe	104
PID 1852 wrote to memory of 3120	1852	cmd.exe	105
PID 1852 wrote to memory of 3120	1852	cmd.exe	105
PID 1852 wrote to memory of 3120	1852	cmd.exe	105
PID 1852 wrote to memory of 3448	1852	cmd.exe	107
PID 1852 wrote to memory of 3448	1852	cmd.exe	107
PID 1852 wrote to memory of 3448	1852	cmd.exe	107
PID 1852 wrote to memory of 216	1852	cmd.exe	108
PID 1852 wrote to memory of 216	1852	cmd.exe	108
PID 1852 wrote to memory of 216	1852	cmd.exe	108
PID 3028 wrote to memory of 2576	3028	fwcprocfwc.exe	109
PID 3028 wrote to memory of 2576	3028	fwcprocfwc.exe	109
PID 3028 wrote to memory of 2576	3028	fwcprocfwc.exe	109
PID 4788 wrote to memory of 1864	4788	iexplore.exe	112
PID 4788 wrote to memory of 1864	4788	iexplore.exe	112
PID 4788 wrote to memory of 1864	4788	iexplore.exe	112
PID 1852 wrote to memory of 4728	1852	cmd.exe	114
PID 1852 wrote to memory of 4728	1852	cmd.exe	114
PID 1852 wrote to memory of 4728	1852	cmd.exe	114
PID 1852 wrote to memory of 3316	1852	cmd.exe	115
PID 1852 wrote to memory of 3316	1852	cmd.exe	115
PID 1852 wrote to memory of 3316	1852	cmd.exe	115
PID 1852 wrote to memory of 1764	1852	cmd.exe	116
PID 1852 wrote to memory of 1764	1852	cmd.exe	116
PID 1852 wrote to memory of 1764	1852	cmd.exe	116
PID 1852 wrote to memory of 2524	1852	cmd.exe	117
PID 1852 wrote to memory of 2524	1852	cmd.exe	117
PID 1852 wrote to memory of 2524	1852	cmd.exe	117
PID 1852 wrote to memory of 1172	1852	cmd.exe	118

Views/modifies file attributes 1 TTPs 35 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1172	attrib.exe
4224	attrib.exe
1808	attrib.exe
1292	attrib.exe
4300	attrib.exe
2176	attrib.exe
1360	attrib.exe
760	attrib.exe
4800	attrib.exe
748	attrib.exe
4224	attrib.exe
2104	attrib.exe
3464	attrib.exe
1764	attrib.exe
3748	attrib.exe
4072	attrib.exe
4728	attrib.exe
4528	attrib.exe
4360	attrib.exe
1636	attrib.exe
4048	attrib.exe
4504	attrib.exe
2056	attrib.exe
4296	attrib.exe
3544	attrib.exe
2188	attrib.exe
3236	attrib.exe
4396	attrib.exe
3448	attrib.exe
2608	attrib.exe
3464	attrib.exe
4772	attrib.exe
3800	attrib.exe
4596	attrib.exe
4920	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Users\Admin\AppData\Local\Temp\fwcprocfwc.exe
  "C:\Users\Admin\AppData\Local\Temp\fwcprocfwc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4060
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4396
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2368
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4224
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3612
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2104
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:432
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3464
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3356
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4072
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3120
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3448
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:216
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4728
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3316
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2524
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1172
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:672
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4772
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1276
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2488
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:4224
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1984
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1360
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:768
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4940
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1780
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4504
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1160
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:760
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1568
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:512
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5100
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4912
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:1424
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3012
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:1984
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1292
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2104
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3464
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2760
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3800
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5008
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:3748
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2988
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2688
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:748
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:1668
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3452
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:700
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2220
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\FWCPRO~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3236
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 588
    3⤵
    - Program crash
    PID:4368
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Runs regedit.exe
    PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3028 -ip 3028
1⤵
PID:4652

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3048

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4788 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
e81809e35464c6a8ccffb00fa7424f8a

SHA1
aca926d8ab54a834b33db7c5fb4355287d2cd2a7

SHA256
01c74bfb667bcffad25fd994026261a336a8e8dcf85ad629a75c87e838fcf744

SHA512
d807413cf4356a8861ae6bbfe5fd2792bdb5b81ec9fe64f6d567e505d001c847d8eeb4bc730599a5428afcf561d35ddf022d1d3079036d65a0e382d4737d5c28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
17b44899530ec721094b8b00427e4432

SHA1
7c3096cf8a53424a3070ca9d72b50b7f0ef6bade

SHA256
d9663b68f3f5c550c3975986dbff09737703dd730297b84db90c79eac1bf20be

SHA512
fa98f4cb5f76b6b56bfcd24b40a8f0fff49a90d2e8048687f08c096be8eea1a6eec807613f03907127c961464a64be31a59e44cf4c4cda0ec4ce1c36728298b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver9A95.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3HDB1LPD\NewErrorPageTemplate[1]

Filesize
1KB

MD5
dfeabde84792228093a5a270352395b6

SHA1
e41258c9576721025926326f76063c2305586f76

SHA256
77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

SHA512
e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3HDB1LPD\errorPageStrings[1]

Filesize
4KB

MD5
d65ec06f21c379c87040b83cc1abac6b

SHA1
208d0a0bb775661758394be7e4afb18357e46c8b

SHA256
a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

SHA512
8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3HDB1LPD\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5JGBC19U\dnserror[1]

Filesize
2KB

MD5
2dc61eb461da1436f5d22bce51425660

SHA1
e1b79bcab0f073868079d807faec669596dc46c1

SHA256
acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993

SHA512
a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LNHEOAK4\down[1]

Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LNHEOAK4\httpErrorPagesScripts[1]

Filesize
11KB

MD5
9234071287e637f85d721463c488704c

SHA1
cca09b1e0fba38ba29d3972ed8dcecefdef8c152

SHA256
65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

SHA512
87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd

Filesize
168B

MD5
e7efc2c945a798b4dab3fe50f1524592

SHA1
0bb937ccd89e40c91c0e58b376873ef909fe805b

SHA256
624acac79fdcfe30592f5321b4ab73d360f393dbcdbe8daa50fcce63c710f5dc

SHA512
e75840979404587aa15fd4d1e46707c33e32dca086ca72c7666045e14191e29857d06dc8ba737e69925c71b2e2d6a5ee3b63c36ecd2f32ae515f85a985d8f257

Download Submit
C:\Users\Admin\AppData\Local\Temp\advsec32.dll

Filesize
4KB

MD5
3adea70969f52d365c119b3d25619de9

SHA1
d303a6ddd63ce993a8432f4daab5132732748843

SHA256
c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665

SHA512
c4d836fcbdab4c859a6fc0f849d1e41e98c7e23fc0fe0fe0a09cb68e9a57d60b2ae9ad46762d7a5e05db28d6179bd431ef179ee1f9ff016db74cc3b1d74ed7f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bot.log

Filesize
2KB

MD5
8e212694348776ed5863f6ca7668ef75

SHA1
9be15852ea8def700c788dd9d7eaf877431879cd

SHA256
6aa01ca893cbba618ef84a6bc038119bd53b5f14bfa502d78e1b8275d89d1117

SHA512
6da0334c8d1dde4b9603f1fd9e751b64bcb19e24d0d690b64ed80632f455a34f3eae0695b4a87f3d78be8077b5aa48356973eb9e795869240795c145427a5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\bot.log

Filesize
5KB

MD5
243eb2b5da3cc18aadbe659500973d57

SHA1
c0ffe5e82cdbe3a7f0682510a02916836c7de6d8

SHA256
b3085e476db7fd21441e0454dc106483871479a003df4dd2a272e6c553241853

SHA512
c126cc3e3fbde0321fdf4e95536c7a0fe351436f3efe2ca2d61877f02ac6886ea0e329d1243d2f09830d66c606de86dca6a36cae2fee709e86c46644363b2731

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwcprocfwc.exe

Filesize
104KB

MD5
bf839cb54473c333b2c151ad627eb39f

SHA1
34af1909ec77d2c3878724234b9b1e3141c91409

SHA256
d9cfcd9e64cdd0a4beba9da2b1cfdf7b5af9480bc19d6fdf95ec5b1f07fceb1d

SHA512
23cb63162d3f8acc4db70e1ecb36b80748caaaa9993ee2c48141fd458d75ffb1866e7b6ca6218da2a77bd9fcb8eed3b893a705012960da233b080c55dc3d8c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\smss.exe

Filesize
18KB

MD5
b3624dd758ccecf93a1226cef252ca12

SHA1
fcf4dad8c4ad101504b1bf47cbbddbac36b558a7

SHA256
4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef

SHA512
c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838

Download Submit
C:\Users\Admin\AppData\Local\Temp\win5.tmp

Filesize
240B

MD5
ee926df00618b73a370f2dbcbe19ebeb

SHA1
eb775efca19c657d4cc02d21190db4f522ae750d

SHA256
6aa561c0cd6879efa55a085e9020c4827f4e51e8b44902e72b908d06bb454c32

SHA512
6b4d1f2d897b6876755d1a6370f849d1241bbb9d462a5347b0b157bb4b7efe80c0d171e14e0277bd72dfbcdf31cdc055e500341a6e0c444513cb47cddecaaf54

Download Submit
C:\Windows\SysWOW64\dnssvcpptp.exe

Filesize
1.6MB

MD5
fe079c4129d51477df121333b64bbcd7

SHA1
0f5806f04a5376b372ad55a8ef5050dc8f815aed

SHA256
13a080c9caacae77e705d5d7cd24cdeb0d45f3e74e26475e0a0898161eccca74

SHA512
31787f83322a4f0fb919b630d5b05c28398ca4cbbac3965af6852417e7b2ef1362083a7edff5b984131e5de97e9ff707047ca4955bf1ea21ac92f2a51a5bffbf

Download Submit
memory/3944-261-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3944-242-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3944-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download