963480a52d930ff04c6921ebcc1cee7d766463a3a38f7f385eb85e42e340dfca

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 22:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

07a5643e72fc220e3e2419850af461a1_JaffaCakes118.exe
Size

2.9MB
MD5

07a5643e72fc220e3e2419850af461a1
SHA1

c50837178bd7d4807d522df816a2d801636b0d35
SHA256

963480a52d930ff04c6921ebcc1cee7d766463a3a38f7f385eb85e42e340dfca
SHA512

9a5c5e256c702f6ed0a4d8323fefb138e335a2c8fb822727bf7fc0e68151d9ff58a2a2801ec5b84a85c434392b3550dda0d883fe5032415b2b6a54958d71b85c
SSDEEP

49152:R9T5L5Hrr0f7uziwZ5E1uHW8gRHSTdA54rTUm/sP7g9zMbjfFOe5fskzCq4ebA5n:7T5lrtiwTYuHW8gh625YxGM9ktV5fR+P

Score

7^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 4 IoCs

pid	Process
2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
2396	Crawler.exe
340	Crawler.exe
2216	Crawler.exe

Loads dropped DLL 12 IoCs

pid	Process
2908	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.exe
2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
340	Crawler.exe
340	Crawler.exe
340	Crawler.exe
340	Crawler.exe
1348	regsvr32.exe
1740	regsvr32.exe
2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CrawlerToolbar = "\"C:\\Program Files (x86)\\Crawler Toolbar\\Crawler.exe\" /STARTUP"	Crawler.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9234F5E0-56CC-4F0B-AAE4-0D4BD5032180}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9234F5E0-56CC-4F0B-AAE4-0D4BD5032180}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9234F5E0-56CC-4F0B-AAE4-0D4BD5032180}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9234F5E0-56CC-4F0B-AAE4-0D4BD5032180}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9234F5E0-56CC-4F0B-AAE4-0D4BD5032180}\	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9234F5E0-56CC-4F0B-AAE4-0D4BD5032180}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Crawler Toolbar\Buttons\is-SVIGD.tmp	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Crawler Toolbar\Buttons\is-I1MVV.tmp	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Crawler Toolbar\Buttons\is-LDVLB.tmp	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Crawler Toolbar\unins000.dat	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Crawler Toolbar\Buttons\mail_crawler_plugin.xml	Crawler.exe
File created	C:\Program Files (x86)\Crawler Toolbar\is-ADH4E.tmp	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Crawler Toolbar\Buttons\is-99RDV.tmp	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Crawler Toolbar\setupcfg.ini	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Crawler Toolbar\Buttons\WSG.xml	Crawler.exe
File opened for modification	C:\Program Files (x86)\Crawler Toolbar\Crawler.ini	Crawler.exe
File created	C:\Program Files (x86)\Crawler Toolbar\is-UA7J2.tmp	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Crawler Toolbar\is-MECNK.tmp	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Crawler Toolbar\Buttons\is-CL30F.tmp	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Crawler Toolbar\Buttons\capricot_green.xml	Crawler.exe
File opened for modification	C:\Program Files (x86)\Crawler Toolbar\Buttons\maps_crawler_weather_plugin.xml	Crawler.exe
File created	C:\Program Files (x86)\Crawler Toolbar\Plugins\libeay32.dll	Crawler.exe
File created	C:\Program Files (x86)\Crawler Toolbar\is-2VNF8.tmp	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Crawler Toolbar\Plugins\is-QC905.tmp	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Crawler Toolbar\Plugins\plugins.ini	Crawler.exe
File created	C:\Program Files (x86)\Crawler Toolbar\is-DF75R.tmp	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Crawler Toolbar\is-9O5K6.tmp	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Crawler Toolbar\setupcfg.ini	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Crawler Toolbar\Plugins\ssleay32.dll	Crawler.exe
File opened for modification	C:\Program Files (x86)\Crawler Toolbar\uninstall.ini	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Crawler Toolbar\unins000.msg	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\Crawler Toolbar\Buttons\maps_crawler_search.xml	Crawler.exe
File created	C:\Program Files (x86)\Crawler Toolbar\unins000.dat	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
File created	C:\Program Files (x86)\Crawler Toolbar\Plugins\is-H1PH5.tmp	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crawler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crawler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crawler.exe

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAA73D86-AFBD-4F73-8243-E7D193FA6C8B}	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAA73D86-AFBD-4F73-8243-E7D193FA6C8B}\AppPath = "C:\\Program Files (x86)\\Crawler Toolbar"	Crawler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C4D78C72-08DB-4A3F-9175-B265157283F3}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d907000000000200000000001066000000010000200000005d494e53fb33df1c6921d3ea570cdd8d924c8dec724657fac6dfe3f169ec4a1e000000000e8000000002000020000000ab076232873b48f5ac8b9aa5fa027ec17aede9028f0a9a4d64780bc92d16eba0100000004957271f9f62a5db732fee38e27b4e674000000031a29514f44b3ff95f71d2fa7b35041b549082f43d4dbcbefc321633beb59061526187ba62538f3757f435fc98232a60661bbbff41cbe95dc6fa752a29bafd69	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAA73D86-AFBD-4F73-8243-E7D193FA6C8B}\AppName = "Crawler.exe"	Crawler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C4D78C72-08DB-4A3F-9175-B265157283F3}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C4D78C72-08DB-4A3F-9175-B265157283F3}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A26C36F3-9D6C-4551-86A4-B3E9C4B7B3CD}\SuggestionsURL_JSON = "http://www.crawler.com/s.aspx?q={searchTerms}"	Crawler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000bfc48749319115f705555f7dee9783c535f67f78d9ad217d31e7ad08a7499106000000000e80000000020000200000007ef2ad482c79c91e4de7d74797035491456e1c67868d6f123865767ab2ae1ed8100000002f148b3c575b41f468af7e182b20ced24000000032b02bbf33b529dc807ac83bf1536a4ccea6a2ede574c6eb32a4b9115b5462f85e72f7209bcd16bcef903929dfdc735d3fe6e941084a386474988eecce60d48f	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C4D78C72-08DB-4A3F-9175-B265157283F3}\AppName = "Crawler64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A26C36F3-9D6C-4551-86A4-B3E9C4B7B3CD}\URL = "http://www.crawler.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=10001&iwk=844&lng=en"	Crawler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d9070000000002000000000010660000000100002000000085e21b66ced83a5cdf93dc378554c04374bf6020bf3595c86415024852679fb1000000000e8000000002000020000000ba593c24ce3bb014a7b26d93c5c9c9528a32395965625a6f51befff37c259cec10000000f9f60c03bc338369c3eeffb61e598d9f400000001521775a66514b4e88484c4c34fc12deef3bbe6ced544d621850a2276f80f3a4f7e849472d7ee8b15c7ddde3d9f2aece8616ccbab0e17f63296a5c80c06b0e3c	Crawler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000f34a7c02fab3e10160d879fc2cc647943c7642a990da82818c3b17b5da000ce2000000000e800000000200002000000062b5cc252777b817726b39873fc71602e86f6da2e9e377026381ec8dbfcc421d10000000d472f7140eb26ebd59a1df566f369ac440000000b8dd16cf610f2dccd22a25c8c41390d11199e4e3f29606effc3c8d431beab6b6e64cb18764ef6779bfa6cafbf9fbb7579f50d3c93615473b10a02583ed45a89d	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C4D78C72-08DB-4A3F-9175-B265157283F3}\AppName = "Crawler.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C4D78C72-08DB-4A3F-9175-B265157283F3}\AppPath = "C:\\Program Files (x86)\\Crawler Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAA73D86-AFBD-4F73-8243-E7D193FA6C8B}\AppPath = "C:\\Program Files (x86)\\Crawler Toolbar"	Crawler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAA73D86-AFBD-4F73-8243-E7D193FA6C8B}\Policy = "3"	Crawler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C4D78C72-08DB-4A3F-9175-B265157283F3}\Policy = "3"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000e213e16d418da032770ef3c5da6fa844a4f52e04eb670e99ca7994375192e400000000000e80000000020000200000008483306e1a7fb565f6665a3fa736d2d04adaa9669e3655f48507e2d4712c5659100000006b12a626d0fbadbda9d7a3672b91905f400000003af800a9173514c4334f985f619e708061b6efd945817d1a19dfeb9c17e61b379bdd89d302974bb40af913db3132fff28e5d007a1dd053204656c4a51fd150d4	Crawler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d907000000000200000000001066000000010000200000002c350474ad880bee463cd314129d7ab20d2b4fcaad36bc59e1e10afa4d576167000000000e8000000002000020000000ba61763f67cfc8751321df5138c79ee056cf10936f384462125f44ee33d9e67f100000005b109cfee41b8e3c2a0a22053c71bb5e4000000074577aeee7c27d07e83559a61c6d9316c17ad1683dc901b6d071e57af7434ea6e58082b2cd7424ae5eee97804a20d94ad87a201f862a06368e65c5289d6ec10c	Crawler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\IEWatsonEnabled = "0"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000b6c11e2606e51cd25970b7ec8343677d6b5df301cf95832363b399a9ab25beff000000000e800000000200002000000036e37ad78eb459a6e5f095f38e0cec0ca918d617618c8b00932315901a05c35a100000002acd79fa3fe97e9aaf48367020e8307e40000000984cab98f414622e612b1d95c1fb43bf72511ab87068ec56975f65519193c38d89a5f41bb8db1cb58adab3787141ec1a5e14cb52f3ff45a70374058aa534cbc5	Crawler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAA73D86-AFBD-4F73-8243-E7D193FA6C8B}	Crawler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C4D78C72-08DB-4A3F-9175-B265157283F3}\Policy = "3"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{C4D78C72-08DB-4A3F-9175-B265157283F3} = 00	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A26C36F3-9D6C-4551-86A4-B3E9C4B7B3CD}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{A26C36F3-9D6C-4551-86A4-B3E9C4B7B3CD}.ico"	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAA73D86-AFBD-4F73-8243-E7D193FA6C8B}\AppName = "Crawler.exe"	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C4D78C72-08DB-4A3F-9175-B265157283F3}\AppName = "Crawler64.dll"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d907000000000200000000001066000000010000200000004ccdfad66e246fee1cfa62075ff874c49ed2e16ac6d70429d4469bfbd312b3eb000000000e8000000002000020000000ddf270cda554dfba4bb43fc190b2a3314ff518791aa67cb42a4cfc64e2edb6be10000000defc36b104f85c0df297dcadc4e2f6c840000000fd4f90f6fc8f47604a849fa7a2d75811e9248ccbb6398f766419f1331da9b92213590f2265feb094389cc4d8aa29f8991410d9b0771de8f1e108067180bcd8c7	Crawler.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d9070000000002000000000010660000000100002000000079d358e9d11f63c5e9a2969353f4cab558d34ac5f2365ed48ca0ea3ee062165e000000000e8000000002000020000000ccc67233772ac7f4de0c1320ce000615d34179adbe076b771c5278556147ed29100000008f78a60a23e4fb470b39942ab1f2c22f40000000b9e7a73da1eec13e446ba9fc91dc1d28ff9b4633374a5a670e6442e062886619e4b3cc00736d24f03ac667530a8be3d5642d6d2c850faaa1c8a13cbf10baaef4	Crawler.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences	Crawler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000196e104c65128f13bef0f609df6354913bf08071d145c9f5d24dd72dddd76598000000000e80000000020000200000005f394c00731bb8cbd9acc49058307f1b1df348f25a2ecf3632d890fe1681cae410000000eacdf57cfdc81135a644f541a1855eb440000000b7e888dabf776bec173405b11bbd609dc97c0b146288431d15a5f65f10ff37ac30858bb7bf6da28f51fb3c270897c83c541638b78c72f10b8a21a229d94d04db	Crawler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAA73D86-AFBD-4F73-8243-E7D193FA6C8B}\Policy = "3"	Crawler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C4D78C72-08DB-4A3F-9175-B265157283F3}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{C4D78C72-08DB-4A3F-9175-B265157283F3} = 00	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000ec2fabdaaabe1c00c96b8f9cbd8788937e32846a78d3d540d975ad585675062e000000000e8000000002000020000000cd5ff91f42c25ed5195b0035ed78defb1f0d9c714de8fb9c3b9f503e3aa3172510000000b198d105fe0a5532500e8db745dae66c40000000b5922cddea2f59d6c432a64d87c15a3269cc56ef1df8fda3143d7ab6746fe277502b1236be1416ecdf03c528eae1a17f18473a12faaec50e33b264f770c4094f	Crawler.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A26C36F3-9D6C-4551-86A4-B3E9C4B7B3CD}\FaviconURLFallback = "http://www2.crawler.com/favicon3.ico"	Crawler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000a8eb865adc4b8171959bae0d72d062526d26bcc3161b326b8991f7cacb91d6d2000000000e800000000200002000000063e4076486ff1e8ff797e44e9abbf8b56f131a09287134b5f03d62f689d6bf9d10000000995365891664c92c0231683c4a96d912400000005e5bf65dbc07b0be831cd528461f1a7d2e683b40b8c72096e51a5dfccc7ad270e53207484268f797453f9af33c21685b4c26478b72ac04e927814c2b2c9d388a	Crawler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d907000000000200000000001066000000010000200000000a88b17cb31464de66be59c59e20732169bee532c0fdb941f56c89d2196f7c74000000000e80000000020000200000004623a029e0c1e92f426d5a6a7fdf03dab3a44ccd39df1420d798bffcf41636651000000048a9414ceee8b09d6f298a7b3d141d4d400000006d49edf1a730a254b7a928933f878fb3ad158e50e6d2c4fa383829815026a82bc64a3d8cf7275b0f413d7ad1818e6a0b43844cbbd7196ac064589f9582beb166	Crawler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000768cc4e2179043770ffee9401dd62d56729d31c6406b7192a81f536d519ba157000000000e80000000020000200000009f1fc09f9028e551c1530c317a67825bb897aa50c703f9379d4f27c6b8017f7d10000000acb7c64736c0b802298ec69b4a17ebcc400000003e0e10c825331b8d7db3ef1132db066c63dbac22edb0457fdbe7cd4f1f693f295c8d3d63b8105ba03bc3caf71a3264492482fa32f3c0dc7311efad2a17557c96	Crawler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C4D78C72-08DB-4A3F-9175-B265157283F3}\Policy = "3"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A26C36F3-9D6C-4551-86A4-B3E9C4B7B3CD}\DisplayName = "Crawler Search"	Crawler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d9070000000002000000000010660000000100002000000010544c1a8ec890c5d9ec57df1092a9f0640db0015b1a3806da0ca48e32eff82a000000000e8000000002000020000000c7a9c8a8002f6da5a5ab6a461db309a88939f9675ea0ba42c2f38d80aec3675610000000f89b584f1dd32d85c5b63590b67e423740000000ee8b9f187f88f2888a281d85fd7b689d06043e3b747c0a976214c7345efac0e272eca76009cd0c843c974d8d104558cd9965dbeffc8a4a65bbeac8bdf78d95da	Crawler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d9070000000002000000000010660000000100002000000070bd027b296252fc0ed9fd09c16b334cad9d8d7a5a56a72e1f298d7653262ad3000000000e80000000020000200000008b8e79c885e080544201dd4b444bc8253a164d197b1721edd08933a4af617e4f10000000b7d4ff581558e1dda8943b65aecb58ef400000002f3f17118d77080af7726de70422e9cc11503dc37055f6fef1e18199dee290d60ad7d1b447123405144c84bac0f6c9a81abdbb9c34bf1ca12452f4bcca469b62	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C4D78C72-08DB-4A3F-9175-B265157283F3}\AppPath = "C:\\Program Files (x86)\\Crawler Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C4D78C72-08DB-4A3F-9175-B265157283F3}	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A26C36F3-9D6C-4551-86A4-B3E9C4B7B3CD}\ShowSearchSuggestions = "1"	Crawler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000fe530bfccec38997238fb01a96ba7a8566bd6ed7b01797732a1ba029173e22d0000000000e8000000002000020000000065471ef97abbe926da2ef25f913043ead58d04a1d112783c28a23d7b407e0a8100000008efd32ebf67a80d922bcb4b365d4430d4000000004657b6bb64adab06b445ef8e4a0d461f49006ce2f11fd777222202520e925e0df320cbc7140d5576ce9e00c1c040cfbd3f66b6eb3780693a40b7911bb2df437	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C4D78C72-08DB-4A3F-9175-B265157283F3}\AppName = "Crawler.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{A26C36F3-9D6C-4551-86A4-B3E9C4B7B3CD}	Crawler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000bda44b43596b8a345b047a5eb2dd72ab90c04b6c35a92fb65bf6a1160d0d421e000000000e800000000200002000000066b8a60e9d9c9b3bfbf4f989c1e54b54b7da0c5fef194fb332ec59f0e16bda4410000000762b9da220f080c961df774b882b44db40000000dca52e9d454489e78519254136e5608a49991e8796ad880b90002549026c67afd6e02ef483bb6e17466232e4de136b413a8a14476228e4a83f3fab054eb1c850	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C4D78C72-08DB-4A3F-9175-B265157283F3}\AppPath = "C:\\Program Files (x86)\\Crawler Toolbar"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IEWatsonEnabled = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C4D78C72-08DB-4A3F-9175-B265157283F3}\AppPath = "C:\\Program Files (x86)\\Crawler Toolbar"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000c55b1f8d5eb5de45a7da636e24d5e0a7ab01e089851b8f88483338cc0398e29c000000000e8000000002000020000000791b36ea1d024d88024347ad1ae6e40e6b3c8aebf75fe31d62f6ab54a783a39f100000008d6157c7d3eb6a9bc4abba3ca3564bb840000000e616a8dca71c44f81cdf13a0e62b410a47da93f82e462837d18e785b093e9bbd18582fe0c838f2586d8c2b7f98a076140289ed1629ee196d5890c18ff5617354	Crawler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000657ce6ce26c8b1078c2b577c278868e324960600e72db4391c7feddd1ff09529000000000e8000000002000020000000bc029537c780c0168969d24e2270d371476da3add0850b2ceac35166eeb78308100000009690c818f291e9e772719b0150436627400000009eda95e9be488591edc9ce2791d98cd8e44b2494d048a6841c3f477a9f715f9a0ea4eda1d6f29bbac591d32e2e8d444e4c2e46cefdbffd4eb1c4550d58bb8d2a	Crawler.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crawler.JSServer\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9234F5E0-56CC-4F0B-AAE4-0D4BD5032180}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{38CF96AD-0ACC-49DF-91B7-5D7F640BF1B7}\TypeLib\ = "{694AB2B2-6141-4567-9B66-B60FD06AD30F}"	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2DC4F899-9C79-4462-863D-4EC61F3EFA52}\ = "IJSServer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4D78C72-08DB-4A3F-9175-B265157283F3}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDDAFD4A-10D1-406A-8796-D13B54DB5E04}\TypeLib\Version = "1.0"	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22C1406C-6350-4D3B-9F62-2A3F370AD9A7}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9234F5E0-56CC-4F0B-AAE4-0D4BD5032180}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{38CF96AD-0ACC-49DF-91B7-5D7F640BF1B7}\TypeLib	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{38CF96AD-0ACC-49DF-91B7-5D7F640BF1B7}\TypeLib\Version = "1.0"	Crawler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22C1406C-6350-4D3B-9F62-2A3F370AD9A7}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4D78C72-08DB-4A3F-9175-B265157283F3}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crawler.Toolbar\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EDDAFD4A-10D1-406A-8796-D13B54DB5E04}	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22C1406C-6350-4D3B-9F62-2A3F370AD9A7}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22C1406C-6350-4D3B-9F62-2A3F370AD9A7}\InprocServer32\ = "C:\\PROGRA~2\\CRAWLE~1\\Crawler.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22C1406C-6350-4D3B-9F62-2A3F370AD9A7}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Crawler.JSServer\Clsid\ = "{22C1406C-6350-4D3B-9F62-2A3F370AD9A7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4545C96B-15D0-4E22-8DDE-6F2CAF531281}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\crawler\ = "crawler"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4545C96B-15D0-4E22-8DDE-6F2CAF531281}\InprocServer32\ = "C:\\PROGRA~2\\CRAWLE~1\\CRAWLE~1.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22C1406C-6350-4D3B-9F62-2A3F370AD9A7}\InprocServer32\ = "C:\\Program Files (x86)\\Crawler Toolbar\\Crawler.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{38CF96AD-0ACC-49DF-91B7-5D7F640BF1B7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4D78C72-08DB-4A3F-9175-B265157283F3}\InprocServer32\ = "C:\\Program Files (x86)\\Crawler Toolbar\\Crawler.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crawler.JSServer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Crawler.CRT404\Clsid\ = "{4545C96B-15D0-4E22-8DDE-6F2CAF531281}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4545C96B-15D0-4E22-8DDE-6F2CAF531281}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FA66632B-E294-4249-B007-64C07C7E0147}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22C1406C-6350-4D3B-9F62-2A3F370AD9A7}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\crawler\ = "crawler"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crawler.AppServer	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2DC4F899-9C79-4462-863D-4EC61F3EFA52}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22C1406C-6350-4D3B-9F62-2A3F370AD9A7}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{694AB2B2-6141-4567-9B66-B60FD06AD30F}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Crawler Toolbar\\"	Crawler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22C1406C-6350-4D3B-9F62-2A3F370AD9A7}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDDAFD4A-10D1-406A-8796-D13B54DB5E04}\ProxyStubClsid32	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Crawler.AppServer\Clsid\ = "{BAA73D86-AFBD-4F73-8243-E7D193FA6C8B}"	Crawler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FA66632B-E294-4249-B007-64C07C7E0147}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22C1406C-6350-4D3B-9F62-2A3F370AD9A7}\ProgID\ = "Crawler.JSServer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4545C96B-15D0-4E22-8DDE-6F2CAF531281}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22C1406C-6350-4D3B-9F62-2A3F370AD9A7}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{694AB2B2-6141-4567-9B66-B60FD06AD30F}\1.0	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C4D78C72-08DB-4A3F-9175-B265157283F3}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4545C96B-15D0-4E22-8DDE-6F2CAF531281}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4D78C72-08DB-4A3F-9175-B265157283F3}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4545C96B-15D0-4E22-8DDE-6F2CAF531281}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Crawler.AppServer\	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BAA73D86-AFBD-4F73-8243-E7D193FA6C8B}\ProgID\ = "Crawler.AppServer"	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BAA73D86-AFBD-4F73-8243-E7D193FA6C8B}\Version\ = "1.0"	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22C1406C-6350-4D3B-9F62-2A3F370AD9A7}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BAA73D86-AFBD-4F73-8243-E7D193FA6C8B}\TypeLib\ = "{694AB2B2-6141-4567-9B66-B60FD06AD30F}"	Crawler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FA66632B-E294-4249-B007-64C07C7E0147}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22C1406C-6350-4D3B-9F62-2A3F370AD9A7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4545C96B-15D0-4E22-8DDE-6F2CAF531281}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9234F5E0-56CC-4F0B-AAE4-0D4BD5032180}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9234F5E0-56CC-4F0B-AAE4-0D4BD5032180}\Implemented Categories\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4D78C72-08DB-4A3F-9175-B265157283F3}\Implemented Categories\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{694AB2B2-6141-4567-9B66-B60FD06AD30F}\1.0\HELPDIR	Crawler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FA66632B-E294-4249-B007-64C07C7E0147}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2DC4F899-9C79-4462-863D-4EC61F3EFA52}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crawler.JSServer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22C1406C-6350-4D3B-9F62-2A3F370AD9A7}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Crawler.Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{694AB2B2-6141-4567-9B66-B60FD06AD30F}\1.0\FLAGS\ = "0"	Crawler.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	Crawler.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\SystemCertificates\CA\Certificates\495847A93187CFB8C71F840CB7B41497AD95C64F	Crawler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\SystemCertificates\CA\Certificates\495847A93187CFB8C71F840CB7B41497AD95C64F\Blob = 030000000100000014000000495847a93187cfb8c71f840cb7b41497ad95c64f140000000100000014000000cf99a9ea7b26f44bc98e8fd7f00526efe3d2a79d0400000001000000100000004df6e0fc400cae9c052fae98c66d379f0f00000001000000140000004843a82ed3b1f2bfbee9671960e1940c942f688d1900000001000000100000003c31c095e651fa664cbfb198e9c0c008180000000100000010000000d8b5fb368468620275d142ffd2aade374b0000000100000044000000370044003200360036004400390045003100450036003900460041003100450045004600420039003600390039004200300030003900420033003400430038005f00000020000000010000000e0600003082060a308204f2a00302010202105200e5aa2556fc1a86ed96c9d44b33c7300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3130303230383030303030305a170d3230303230373233353935395a3081b4310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313b3039060355040b13325465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f727061202863293130312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e67203230313020434130820122300d06092a864886f70d01010105000382010f003082010a0282010100f5234b5ea5d78abb32e9d457f7efe4c7267ead1998fea89d7d94f6366b10d77581307f04687fcb2b751ecd1d088cdf6994a737a39c7b80e099e1ee374d5fce3b14ee86d4d0f52735bc250b38a78c639d17a308a5abb0fbcd6a62824cd521da1bd9f1e3843b8a2a4f855b90014fc9a776107f27037cbeae7e7dc1ddf905bc1b489c69e7c0a43c3c41003edf96e5c5e49471d65501c700264a403cb5a126a90ca76d808e90257bcfbf3f1ceb2f96fae58777c6b556b27a3b5430531bdf6234ff1ed1f45a932885e54c174e7e5bfda493997fdfcdefa475efef15f647e7f81972d82e341aa6b4a74c7ebdbb4f0c3d57f130d6a6368ed68076d7192ea5cd7e342d890203010001a38201fe308201fa30120603551d130101ff040830060101ff02010030700603551d20046930673065060b6086480186f845010717033056302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f637073302a06082b06010505070202301e1a1c68747470733a2f2f7777772e766572697369676e2e636f6d2f727061300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e67696630340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e766572697369676e2e636f6d2f706361332d67352e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e766572697369676e2e636f6d301d0603551d250416301406082b0601050507030206082b0601050507030330280603551d110421301fa41d301b3119301706035504031310566572695369676e4d504b492d322d38301d0603551d0e04160414cf99a9ea7b26f44bc98e8fd7f00526efe3d2a79d301f0603551d230418301680147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d010105050003820101005622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3	Crawler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	Crawler.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	Crawler.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	Crawler.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2336	2908	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2336	2908	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2336	2908	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2336	2908	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2336	2908	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2336	2908	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.exe	28
PID 2908 wrote to memory of 2336	2908	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.exe	28
PID 2336 wrote to memory of 2396	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	30
PID 2336 wrote to memory of 2396	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	30
PID 2336 wrote to memory of 2396	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	30
PID 2336 wrote to memory of 2396	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	30
PID 2336 wrote to memory of 340	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	31
PID 2336 wrote to memory of 340	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	31
PID 2336 wrote to memory of 340	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	31
PID 2336 wrote to memory of 340	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	31
PID 2336 wrote to memory of 1348	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	33
PID 2336 wrote to memory of 1348	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	33
PID 2336 wrote to memory of 1348	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	33
PID 2336 wrote to memory of 1348	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	33
PID 2336 wrote to memory of 1348	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	33
PID 2336 wrote to memory of 1348	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	33
PID 2336 wrote to memory of 1348	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	33
PID 2336 wrote to memory of 1740	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	34
PID 2336 wrote to memory of 1740	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	34
PID 2336 wrote to memory of 1740	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	34
PID 2336 wrote to memory of 1740	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	34
PID 2336 wrote to memory of 1740	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	34
PID 2336 wrote to memory of 1740	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	34
PID 2336 wrote to memory of 1740	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	34
PID 2336 wrote to memory of 2216	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	35
PID 2336 wrote to memory of 2216	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	35
PID 2336 wrote to memory of 2216	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	35
PID 2336 wrote to memory of 2216	2336	07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp	35

C:\Users\Admin\AppData\Local\Temp\07a5643e72fc220e3e2419850af461a1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07a5643e72fc220e3e2419850af461a1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\is-19EVB.tmp\07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-19EVB.tmp\07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp" /SL5="$40152,2428727,70144,C:\Users\Admin\AppData\Local\Temp\07a5643e72fc220e3e2419850af461a1_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Program Files (x86)\Crawler Toolbar\Crawler.exe
    "C:\Program Files (x86)\Crawler Toolbar\Crawler.exe" /regserver
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2396
- - C:\Program Files (x86)\Crawler Toolbar\Crawler.exe
    "C:\Program Files (x86)\Crawler Toolbar\Crawler.exe" /install
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:340
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Crawler Toolbar\Crawler.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1348
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Crawler Toolbar\Crawler64.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1740
- - C:\Program Files (x86)\Crawler Toolbar\Crawler.exe
    "C:\Program Files (x86)\Crawler Toolbar\Crawler.exe" /afterinstall
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Crawler Toolbar\Buttons\WSG.xml

Filesize
3KB

MD5
c3c4014bc922100408e25799cb298f5a

SHA1
9c74fbb24f189bf40d01fc4f6acd206663e24a8b

SHA256
f0fd5504e1966fc31371ee6289819bfb3b0561220e5d3e106274ed40e4611a9b

SHA512
4d93d258654f7cfe12702f486580b50bc8aace75a63a465e3166c8d51e6af40b0021954c68ea8bda63c16ea8f7244837f0e8cf4d3425f0edd1083f995bb8bd22

Download Submit
C:\Program Files (x86)\Crawler Toolbar\Buttons\capricot_green.xml

Filesize
53KB

MD5
99936e1644e6df80d80da53cc1bf37ff

SHA1
5b7269aa31366ec9345e8334afa5db45c397271e

SHA256
feeaf83ee9ed52d3119a893ec409b958264bef64e2e78791e342afbf8699e212

SHA512
19b17baa2deb974da1cd86090099e80c3a7e197f2131dbd750b41f5d476af0d24a066697ab9e4dd497af734c28d603832c1ac01e8d4f8a5c56ee035ba71d4fe5

Download Submit
C:\Program Files (x86)\Crawler Toolbar\Buttons\mail_crawler_plugin.xml

Filesize
7KB

MD5
dc7693a39d6164894818d1875927caf3

SHA1
07c6b3e47c3c6fd0c81e296bed4788d151d6ad49

SHA256
3ec384cf1270946fbf07efbf52d7ee51bc4d9e6c6242e0425419a142343bd09f

SHA512
1e79337fb7429b0c4c0e7d8ce31e0079d6c3b2b881d8d22ac2713af5cfd283d9c7a156961621113a08a53e4f64cfae00e9bc0b7a771ebb79d3e8780fc84e822c

Download Submit
C:\Program Files (x86)\Crawler Toolbar\Buttons\maps_crawler_search.xml

Filesize
5KB

MD5
01044ddde125c0d592877fedc13dd21e

SHA1
cbab569393c78735711ad3cce8995eb83a12ac52

SHA256
7afc82e3ee115a5cb809d20dab5ec3117fcaa8a59bed254776264895bafb23a1

SHA512
f5308e140ed4c62a46d31a2c7b577666ab8897857830eb93cdd93f970afc2e2585f587f4a9553accc65b9119ddd1176ec26624c82ba1916d7fbf6ceb64dd5b16

Download Submit
C:\Program Files (x86)\Crawler Toolbar\Buttons\maps_crawler_weather_plugin.xml

Filesize
5KB

MD5
5b541fa1a499f55c674f54684ab259f1

SHA1
7f88e7cd18b0071eeef261dd6de365055236d7ac

SHA256
d1c96cabb3d31a6ce470f42d618f00c8c365ab5c5e6ee5c2fdfce6f6d4d56c3f

SHA512
3fba0483cb9050abf10189789dcd8955eaf80cce331b58a298fad48cd8e2a71edeb63944af37909ca3884a295e0c5f57c1b0fcc7ea590891f4c8ff7826386312

Download Submit
C:\Program Files (x86)\Crawler Toolbar\Crawler.dll

Filesize
1.1MB

MD5
895a94d52cefa40d0870ecbe426e5584

SHA1
91bd4203bdfbe0c05ef001b66e8b025789398306

SHA256
5b049ecc3fe7e9929a3727050dc702da2b2933a87d3718701fdd71e2968ee4c9

SHA512
ae7ca6be41678406fd17e3d938a5e46cedbab89b45c557cb31b0e82636b28990d758543abfa5e015511e3af81120bceff2d62b3bbb09de101c8b9fe6b9bab764

Download Submit
C:\Program Files (x86)\Crawler Toolbar\Crawler.ini

Filesize
2KB

MD5
c9fee062c46e928824c3c65e23bff1cb

SHA1
8a6220ae814f9342aed001018c0bc4ee2be99c63

SHA256
35d3a3183ce4536d03e6d199f59f2dd16c8abbffef63fd86bd95612f5da0c016

SHA512
85dac6ce4e1ebb1a232e1543025fc5af95a00b9c5c0964c3906e146fff6751934fb1540506d43400c06f37857a7bee231ed5eeec5681ecd1b70ab9d61276c0a7

Download Submit
C:\Program Files (x86)\Crawler Toolbar\Crawler.ini

Filesize
2KB

MD5
f6b1c9b2d68f761e6e7a9e1d39317bd8

SHA1
ffbe1d705b3e098d6b6fa58a8f0ebec004644d6f

SHA256
06c3fecae872739ca0ce76499303aef4466373ecc831def1475ab75f3ab51cc5

SHA512
af558cfc27d71b6c29284304739d17cf9b93fc51bd0766882603e9f8b3c6fd34a1553a3d225eabe48c6f36bf41cc4dfcd02733bb0d816040c4ff8b7fc8f66105

Download Submit
C:\Program Files (x86)\Crawler Toolbar\Crawler64.dll

Filesize
1.7MB

MD5
14eaae8ef6f7140ea22b97eedbc75c8c

SHA1
6e579b66c8ad6f7601dc90daf4043b5161cd9359

SHA256
fcb2ab323da45f37b87a079ae157b28ab81d9337486adeeb82e95d2cac9f467e

SHA512
192a851caaf664954f81977c5c50a8abf6f68715bf2bc43cab601614fdf04f08958b5bcb28652640809e971053c42bede66e296e07e8e76ad34a650b868f6c37

Download Submit
C:\Program Files (x86)\Crawler Toolbar\Plugins\cmail.dll

Filesize
1.2MB

MD5
73bc873f4160a171707d3234137ba41e

SHA1
0a9fb37052371d254417057a7c529165a35480c8

SHA256
6a5d5d0bbec9017999abc418aac8b1c598349211ef68cc437fb543ae315d997d

SHA512
c75f4886083f1aabaa406e7db6fa810205276abf9628b261e04bd2c8869411c97194b9584634b5fadbd592b7c1fdaf472356593f8a1448d23dea5b08f083aae9

Download Submit
C:\Program Files (x86)\Crawler Toolbar\Plugins\cwsg.dll

Filesize
1.1MB

MD5
f9a279fe16cdb8589920c7d656492eb5

SHA1
92f0aba125f64fd8c6c806589de370cfa4ee99ca

SHA256
66d1466598680c040ab77c2b0b4f6103c5312bac9bfafe36cc06e50cca5e15e6

SHA512
7a9cb7fab33deb6788cfb8a0ff0981de0bda84669e6b68e94f76dbdca5741e3298636e486fd53425209e149755b6388b4360d59eaca61795970de2b4fd6fce72

Download Submit
C:\Users\Admin\AppData\LocalLow\Crawler Toolbar\config.ini

Filesize
33B

MD5
94df3a23fe8cf65900e1c39b026e622d

SHA1
f104a6ed5342baca7edc04430fae8f73c67812f2

SHA256
9ff2cbe505b42f3aab2868d68daf3d988bbdc1679e317bb9ddbe83e038c32b54

SHA512
9fc59ed1b70bbabef770b52cd86795138b53f26178b42e9a707fd645047c9db3f545a06656b68a7f1accef5ccf3d798f96e6d7ea2e7fd61fa6d452a452724816

Download Submit
C:\Users\Admin\AppData\LocalLow\Crawler Toolbar\translate.ini

Filesize
88KB

MD5
e8f04e949fb2a72e460e516099ff8557

SHA1
16379d4ec586ff6b2cfff0b26702acd58bd84e55

SHA256
9fecf907284921e59b52a61ec87427935be03124fcef6659230368eb085fde9f

SHA512
6a3dff5f661524e5e044a2ac5f213301af893d78240796649f3a7fbcd26674afbd8d48959e199573b097b11e75d670782ced7df08f50ab0fcab36436f0851d6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{A26C36F3-9D6C-4551-86A4-B3E9C4B7B3CD}.ico

Filesize
3KB

MD5
cf8d44b5052a584c5957d737c0d1ff0e

SHA1
457490e9904a57560c6d443a69ca3cfe7b6df82e

SHA256
f1038cc916ffdcdc48122269805595e9a838c4421c134ee2dc9fd9f44f3e6779

SHA512
5a321f79c27b5d82133fe5577020a5b2679fdc4568802afb7b642c3fca64c8f968e819926171f99c6d130e279bf48d099398386cba3b4fce71b28145c946b97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE275.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE297.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UH974.tmp\RI_AfterDot.bmp

Filesize
84B

MD5
7ccd5a0af4da51cf4962f184fcf9456a

SHA1
de37f4521fa7fee49b37898f4136728e8971ee0f

SHA256
8f2374b30622dfae1fd0b9706520de34c5e1597c1531fddbff65bc0201132ac7

SHA512
d7c4fbc6a4413dc457400fa2e026dea5d639a5b413164cc6939284c46bb46b6ae8ff10184ba2da4f32ace89646b026400db2a49dd9894d71e88d003a91c8267a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UH974.tmp\setupcfg.ini

Filesize
44B

MD5
e7a597bce7865e79e4ac4260a8f71444

SHA1
b503a8c6a5dc0f17820a1519369c0f501d670882

SHA256
2643df6fe5ce9676be43604926ecbbe15e19162cdb3815fd1228036e87bfcade

SHA512
67b98d967aee9eec3396ecb5388a3bdcfc5adcaa01be354d5d7c6568b9df189b4893acd2e854d9be9cbe3b48029173e0dca984e07e681af48244dac859f77f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UH974.tmp\tbr_dots.bmp

Filesize
164B

MD5
adc799ec79eeaef366ea4dddf099c3ae

SHA1
556c915615a34a2499604b7b732ab304b20fdd4e

SHA256
7e7f18c73560f9c020abe1ab1f22705083281e2ea16ab0030fc927901b5b5d1e

SHA512
76962a17cc26d3f9886828be4e43373ac530165e1c627272ed7c0bc731133e97608e55d2e31f44592aad0d0974352155f41a0718aa0666ec128406b1050c1d6c

Download Submit
\Program Files (x86)\Crawler Toolbar\Crawler.exe

Filesize
1.3MB

MD5
9d5457c2c663f41e72be62909a6c5f65

SHA1
c0c439fd86b1823a2f9f63d54fb1e2e555170114

SHA256
d73fe164b1abd3106da1eaf23983053abac8f199ef0dc29206043d2c4764c7c0

SHA512
fee8106d384970ae82e04a6fd3769eb5467f0e6644aa8e445fdcf6ca0d8c137d25e1f124b52ae97082432e98f37f659c8d779e95875e08d766663e363e0aa551

Download Submit
\Users\Admin\AppData\Local\Temp\is-19EVB.tmp\07a5643e72fc220e3e2419850af461a1_JaffaCakes118.tmp

Filesize
1.2MB

MD5
e7106fbf42fbc6d5b08a18ada4f781b4

SHA1
36d4a629f79d772c0b0df8bd2ae2ea09108d239d

SHA256
64e1f1fa7d91920b17bc7bc679a4cd8d87ff5b104318b6921bb6bf6a19055635

SHA512
adf876296a952aadeb4f25211c0939bf5a278809b5d3007ad7e26c5d4975e7684d242c1b3de796efd474a47cb7ecdb80f9047935924a1108bf0e4d7c973d1845

Download Submit
\Users\Admin\AppData\Local\Temp\is-UH974.tmp\DownLib.dll

Filesize
183KB

MD5
db25dfdd4c1f2b65c68a230881072695

SHA1
94cd6a3438041f0e61b0a1bea7b66461854efe69

SHA256
1b66aaf1e7e3c493dd96af3b7442ea60072f6e93ba45281eacd31a14ca7e7e73

SHA512
db69e4ab2218856e5184d9094e7e39705b83e3efdc15225067205c8faf6e5836145364f1d509192defa3b48864e72b9f8c0f2dc53a7adb2b86c655318b7afc2c

Download Submit
\Users\Admin\AppData\Local\Temp\is-UH974.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/340-197-0x00000000037D0000-0x000000000390E000-memory.dmp

Filesize
1.2MB

Download
memory/340-271-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/340-287-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/340-219-0x00000000037D0000-0x00000000038F4000-memory.dmp

Filesize
1.1MB

Download
memory/1348-226-0x0000000000B20000-0x0000000000C48000-memory.dmp

Filesize
1.2MB

Download
memory/1740-229-0x0000000001EF0000-0x00000000020A6000-memory.dmp

Filesize
1.7MB

Download
memory/2216-276-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2216-368-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2336-365-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2336-9-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2336-274-0x0000000003AD0000-0x0000000003B07000-memory.dmp

Filesize
220KB

Download
memory/2336-275-0x0000000006490000-0x00000000065B8000-memory.dmp

Filesize
1.2MB

Download
memory/2336-273-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2336-22-0x0000000003AD0000-0x0000000003B07000-memory.dmp

Filesize
220KB

Download
memory/2336-406-0x0000000003AD0000-0x0000000003B07000-memory.dmp

Filesize
220KB

Download
memory/2336-386-0x0000000003AD0000-0x0000000003B07000-memory.dmp

Filesize
220KB

Download
memory/2336-224-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2336-396-0x0000000003AD0000-0x0000000003B07000-memory.dmp

Filesize
220KB

Download
memory/2336-391-0x0000000003AD0000-0x0000000003B07000-memory.dmp

Filesize
220KB

Download
memory/2336-232-0x0000000006490000-0x00000000065B8000-memory.dmp

Filesize
1.2MB

Download
memory/2336-223-0x0000000003AD0000-0x0000000003B07000-memory.dmp

Filesize
220KB

Download
memory/2336-376-0x0000000003AD0000-0x0000000003B07000-memory.dmp

Filesize
220KB

Download
memory/2396-172-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2908-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2908-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/2908-221-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download