c5517bc09544eab54352f4fb8bd14a6f7a45035225791aa63e78e69e5a91c4b0

Analysis

max time kernel
37s
max time network
132s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/10/2024, 22:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Size

3.4MB
MD5

3710884685acedbfb2791596649c03e3
SHA1

14c0269076f307105588cbeb38cc6fcd978309eb
SHA256

c5517bc09544eab54352f4fb8bd14a6f7a45035225791aa63e78e69e5a91c4b0
SHA512

69e4062d4615e8f47d74857a4f4f9e5397e0746c9fd5579da809ac976cb29311a4172a19ac82905a5752c99acdd6b2ea7fe121c38ea3fbde75d81c019e5d85f6
SSDEEP

98304:wHXd2IY9PhramTlVeTIKjBdllrEiUDH+o3sKGFJpJilv:KbePhtreTVrlrELr+3JW

Score

7^/10

adware discovery persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000700000001922c-9.dat	acprotect

Executes dropped EXE 13 IoCs

pid	Process
860	Updater.exe
1668	ChromeHelper.exe
2456	FirefoxHelper.exe
2296	IeHelper.exe
1708	ChromeHelper.exe
2844	FireFoxHelper.exe
1196	IeHelper.exe
2932	ChromeHelper.exe
2332	FireFoxHelper.exe
2324	IeHelper.exe
2988	ChromeHelper.exe
2388	FireFoxHelper.exe
2512	IeHelper.exe

Loads dropped DLL 14 IoCs

pid	Process
2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
2780	regsvr32.exe
2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\ProgramData\\Updater\\Updater.exe"	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\ProgramData\\Updater\\Updater.exe"	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\ProgramData\\Updater\\Updater.exe"	Updater.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\ = "Spy Alert"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\NoExplorer = "1"	regsvr32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001922c-9.dat	upx
behavioral1/memory/2336-11-0x00000000003F0000-0x00000000003FC000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IeHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FirefoxHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChromeHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChromeHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChromeHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FireFoxHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FireFoxHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IeHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IeHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChromeHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IeHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FireFoxHelper.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "1000"	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\MAO Settings	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000"	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject.1\CLSID\ = "{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB40EAF2-2025-4F74-B9EF-7C0782F26C84}	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{384997EE-E3BE-49C4-9ECA-C62B7C08128A}\ = "DynConIE"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB40EAF2-2025-4F74-B9EF-7C0782F26C84}\ver = "2.6.4327622"	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}\id = "744685c1f65540b883044731f2a51dbb"	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\InprocServer32\ = "C:\\ProgramData\\SpyAlert\\IE\\common.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\ = "IDynConIEObject"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{384997EE-E3BE-49C4-9ECA-C62B7C08128A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DynConIE.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject\ = "Spy Alert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\ = "Common 430 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}\vp = "2.6.4327622"	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\0\win32\ = "C:\\ProgramData\\SpyAlert\\IE\\common.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject\CLSID\ = "{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\ = "Spy Alert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\VersionIndependentProgID\ = "DynConIE.DynConIEObject"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\TypeLib\ = "{781CA792-9B6E-400B-B36F-15C097D2CA54}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}\p = "27622"	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject\CurVer\ = "DynConIE.DynConIEObject.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}\vp = "2.6.4327622"	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\DynConIE.DLL\AppID = "{384997EE-E3BE-49C4-9ECA-C62B7C08128A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\TypeLib\ = "{781ca792-9b6e-400b-b36f-15c097d2ca54}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\ = "IDynConIEObject"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\TypeLib\ = "{781CA792-9B6E-400B-B36F-15C097D2CA54}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}\id = "744685c1f65540b883044731f2a51dbb"	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}\ad = "spyalertapp.com"	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}\ad = "spyalertapp.com"	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\ProgID\ = "DynConIE.DynConIEObject.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\HELPDIR\ = "C:\\ProgramData\\SpyAlert\\IE"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{781CA792-9B6E-400B-B36F-15C097D2CA54}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject.1\ = "Spy Alert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{44ed99e2-16a6-4b89-80d6-5b21cf42e78b}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DynConIE.DynConIEObject	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2830488C-079B-45C2-88B6-AFE4EAA2DF85}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB40EAF2-2025-4F74-B9EF-7C0782F26C84}\ProductNameShort = "SPYA"	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}\p = "27622"	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
1868	chrome.exe
1868	chrome.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe
Token: SeShutdownPrivilege	1868	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
860	Updater.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
860	Updater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2780	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2780	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2780	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2780	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2780	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2780	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	31
PID 2336 wrote to memory of 2780	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	31
PID 2336 wrote to memory of 1868	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	32
PID 2336 wrote to memory of 1868	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	32
PID 2336 wrote to memory of 1868	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	32
PID 2336 wrote to memory of 1868	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	32
PID 1868 wrote to memory of 316	1868	chrome.exe	34
PID 1868 wrote to memory of 316	1868	chrome.exe	34
PID 1868 wrote to memory of 316	1868	chrome.exe	34
PID 2336 wrote to memory of 860	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	33
PID 2336 wrote to memory of 860	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	33
PID 2336 wrote to memory of 860	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	33
PID 2336 wrote to memory of 860	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	33
PID 2336 wrote to memory of 860	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	33
PID 2336 wrote to memory of 860	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	33
PID 2336 wrote to memory of 860	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	33
PID 2336 wrote to memory of 1668	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	35
PID 2336 wrote to memory of 1668	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	35
PID 2336 wrote to memory of 1668	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	35
PID 2336 wrote to memory of 1668	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	35
PID 2336 wrote to memory of 2456	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	36
PID 2336 wrote to memory of 2456	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	36
PID 2336 wrote to memory of 2456	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	36
PID 2336 wrote to memory of 2456	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	36
PID 2336 wrote to memory of 2296	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	37
PID 2336 wrote to memory of 2296	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	37
PID 2336 wrote to memory of 2296	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	37
PID 2336 wrote to memory of 2296	2336	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe	37
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39
PID 1868 wrote to memory of 336	1868	chrome.exe	39

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\ListBox_Support_CLSID = "1"	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FED6A736-129B-49C7-857E-25FC91E87DB3} = "1"	3710884685acedbfb2791596649c03e3_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3710884685acedbfb2791596649c03e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3710884685acedbfb2791596649c03e3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2336
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\ProgramData\SpyAlert\IE\common.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:/Program Files/Google/Chrome/Application/chrome.exe" http://m.spyalertapp.com/r/?ts=TS_IN_SPYA&v=SPYA_Q0_2.6.43&pid=27622&gi=744685c1f65540b883044731f2a51dbb&i=q
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7309758,0x7fef7309768,0x7fef7309778
    3⤵
    PID:316
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1168,i,91452630927973237,12984986580907708300,131072 /prefetch:2
    3⤵
    PID:336
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1168,i,91452630927973237,12984986580907708300,131072 /prefetch:8
    3⤵
    PID:1528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1524 --field-trial-handle=1168,i,91452630927973237,12984986580907708300,131072 /prefetch:8
    3⤵
    PID:1608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2184 --field-trial-handle=1168,i,91452630927973237,12984986580907708300,131072 /prefetch:1
    3⤵
    PID:3060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2196 --field-trial-handle=1168,i,91452630927973237,12984986580907708300,131072 /prefetch:1
    3⤵
    PID:1444
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1452 --field-trial-handle=1168,i,91452630927973237,12984986580907708300,131072 /prefetch:2
    3⤵
    PID:2796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2264 --field-trial-handle=1168,i,91452630927973237,12984986580907708300,131072 /prefetch:1
    3⤵
    PID:2536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3308 --field-trial-handle=1168,i,91452630927973237,12984986580907708300,131072 /prefetch:1
    3⤵
    PID:680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1404 --field-trial-handle=1168,i,91452630927973237,12984986580907708300,131072 /prefetch:8
    3⤵
    PID:1704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2160 --field-trial-handle=1168,i,91452630927973237,12984986580907708300,131072 /prefetch:1
    3⤵
    PID:2636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=656 --field-trial-handle=1168,i,91452630927973237,12984986580907708300,131072 /prefetch:1
    3⤵
    PID:1188
- C:\ProgramData\Updater\Updater.exe
  "C:\ProgramData\Updater\Updater.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:860
- - C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe
    "C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1708
- - C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe
    "C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2844
- - C:\ProgramData\RHelpers\IEHelper\IeHelper.exe
    "C:\ProgramData\RHelpers\IEHelper\IeHelper.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1196
- - C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe
    "C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2932
- - C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe
    "C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2332
- - C:\ProgramData\RHelpers\IEHelper\IeHelper.exe
    "C:\ProgramData\RHelpers\IEHelper\IeHelper.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2324
- - C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe
    "C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2988
- - C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe
    "C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2388
- - C:\ProgramData\RHelpers\IEHelper\IeHelper.exe
    "C:\ProgramData\RHelpers\IEHelper\IeHelper.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2512
- - C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe
    "C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe"
    3⤵
    PID:1600
- - C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe
    "C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe"
    3⤵
    PID:1880
- - C:\ProgramData\RHelpers\IEHelper\IeHelper.exe
    "C:\ProgramData\RHelpers\IEHelper\IeHelper.exe"
    3⤵
    PID:2268
- - C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe
    "C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe"
    3⤵
    PID:2256
- - C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe
    "C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe"
    3⤵
    PID:1632
- - C:\ProgramData\RHelpers\IEHelper\IeHelper.exe
    "C:\ProgramData\RHelpers\IEHelper\IeHelper.exe"
    3⤵
    PID:1232
- - C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe
    "C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe"
    3⤵
    PID:2640
- - C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe
    "C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe"
    3⤵
    PID:2916
- - C:\ProgramData\RHelpers\IEHelper\IeHelper.exe
    "C:\ProgramData\RHelpers\IEHelper\IeHelper.exe"
    3⤵
    PID:2860
- - C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe
    "C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe"
    3⤵
    PID:1304
- - C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe
    "C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe"
    3⤵
    PID:1172
- - C:\ProgramData\RHelpers\IEHelper\IeHelper.exe
    "C:\ProgramData\RHelpers\IEHelper\IeHelper.exe"
    3⤵
    PID:2260
- - C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe
    "C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe"
    3⤵
    PID:1836
- - C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe
    "C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe"
    3⤵
    PID:2540
- - C:\ProgramData\RHelpers\IEHelper\IeHelper.exe
    "C:\ProgramData\RHelpers\IEHelper\IeHelper.exe"
    3⤵
    PID:2228
- - C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe
    "C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe"
    3⤵
    PID:1468
- - C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe
    "C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe"
    3⤵
    PID:1876
- - C:\ProgramData\RHelpers\IEHelper\IeHelper.exe
    "C:\ProgramData\RHelpers\IEHelper\IeHelper.exe"
    3⤵
    PID:3052
- - C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe
    "C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe"
    3⤵
    PID:2956
- - C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe
    "C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe"
    3⤵
    PID:1896
- - C:\ProgramData\RHelpers\IEHelper\IeHelper.exe
    "C:\ProgramData\RHelpers\IEHelper\IeHelper.exe"
    3⤵
    PID:1828
- - C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe
    "C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe"
    3⤵
    PID:1412
- - C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe
    "C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe"
    3⤵
    PID:592
- - C:\ProgramData\RHelpers\IEHelper\IeHelper.exe
    "C:\ProgramData\RHelpers\IEHelper\IeHelper.exe"
    3⤵
    PID:1236
- - C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe
    "C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe"
    3⤵
    PID:2980
- - C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe
    "C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe"
    3⤵
    PID:1636
- - C:\ProgramData\RHelpers\IEHelper\IeHelper.exe
    "C:\ProgramData\RHelpers\IEHelper\IeHelper.exe"
    3⤵
    PID:2704
- - C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe
    "C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe"
    3⤵
    PID:1304
- - C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe
    "C:\ProgramData\RHelpers\FireFoxHelper\FireFoxHelper.exe"
    3⤵
    PID:1988
- - C:\ProgramData\RHelpers\IEHelper\IeHelper.exe
    "C:\ProgramData\RHelpers\IEHelper\IeHelper.exe"
    3⤵
    PID:108
- C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe
  "C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1668
- C:\ProgramData\RHelpers\FirefoxHelper\FirefoxHelper.exe
  "C:\ProgramData\RHelpers\FirefoxHelper\FirefoxHelper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2456
- C:\ProgramData\RHelpers\IeHelper\IeHelper.exe
  "C:\ProgramData\RHelpers\IeHelper\IeHelper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2296

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RHelpers\ChromeHelper\ChromeHelper.exe

Filesize
246KB

MD5
02cdc9b19b07980e401e8bd15c03a323

SHA1
e463c68911c99b7f68c114d006bf7880d507ef8c

SHA256
7c7aff9c6f226272905c66631ff97d9f68ba10a80ac89547b160c4b896450592

SHA512
df052429731287571d0c5476e06edecfb36acd599bdfa539e0df804eacf4cca22e819aa5fce2313455aef2b5630e25249cdad3f32cb008bce473680a4153384f

Download Submit
C:\ProgramData\SpyAlert\Chrome\unzip\announce.js

Filesize
383B

MD5
f9b22790fe47d80a214c192d1034f60e

SHA1
742a661cb82d28707b3e5ed297e3e3834dafb06a

SHA256
a2dd7e64813177f4c3cedaf4991a8f6b68577a3e56fe17a5e57ec24db69ef1ac

SHA512
d0e7fbfcf08545b022a8b5e6f2b426b327bb19faf76a4381affca1715714016a7942943eb6ecff877948336c22583b62066db4eb6d8c4dedc08de8718ad55303

Download Submit
C:\ProgramData\SpyAlert\Chrome\unzip\manifest.json

Filesize
1KB

MD5
06acce20c1e3275973b7b901dc478a2a

SHA1
632d2a324191c3ac16e173158cd2dfd649d1f7a5

SHA256
f1b23d75fd43160b22c5e499c31b268673cf8cd7d10f59e40ad01c2b1889e401

SHA512
8b88689d62dd102376ff8c4de0184785765110d6b851ab07c47908d6e6bc60d6678e8505396d3a8f45085a79500b23258383342edfca74fdf3894cfee28f3f1f

Download Submit
C:\ProgramData\SpyAlert\Firefox\install.rdf

Filesize
915B

MD5
40b3d8fec1bc387ed31c251289af4f58

SHA1
48db1c5aa080e1519e2b5e4cb250644f5ad1e71c

SHA256
8f96dac86afe568bb0f2a91810e84431601957f77c7f1e13ef43b054e2b517e9

SHA512
a2c019481e6c2d6eb3161c259e6498e08b93501d4a21ea92cbe2eafc7f3790a47d2b27861deee332ca6d6ec0e50d9cd39742a42fd50d4812f8195927fa8eeb60

Download Submit
C:\ProgramData\SpyAlert\IE\common.dll

Filesize
383KB

MD5
fe896a381191c4c53cfa7e219a67d03b

SHA1
54af8904ebb671b9fdbd6023ef7776148ce091bd

SHA256
09eb6a535208b39cce192eef71dfc69a533e73a74de96733c16dee0bcfb3e426

SHA512
957c092b570cbcb31964f5bdce96d42026f0fa7d92d56ed1e6b45c1d78441c9bd3674b86104546cdaa9de35c30e473477ae045cbf57cbc433ba485dace163e82

Download Submit
C:\ProgramData\Updater\updater.exe

Filesize
291KB

MD5
c4954b5c4b8f8293fe7cb0de9b9fe32d

SHA1
66f8f8e572eaf1265fb5990e12aaef5f652af110

SHA256
70cce0c7aff82607a7f8627511df904e87e6eeafe75fe6b83940eb67f2c923e0

SHA512
7c2b4ddc64b09cad45e6c669ed8bdbee672dc9642c043908ddf0b75364152a803dc8c6916065becad7901e582b2fb7c58a384cd1a7ef4b8a4c9aaa295487c8f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
63ba7b4fae4bb44d010bbd8a928ff102

SHA1
8bd6100b00363453c4e66df8f64aedd12d40b977

SHA256
d53f36b6a8aabb1c18af49c4d214a669fe3a967fd8c2dc608182700bda494a7c

SHA512
bfae1f687d725150e471497405024a9d6d1b88cb372e276890e1e9c4653cb5574e809ca35e96189b71ce84effc2c1799bb138973d38c3c5dd3bc26557e211c6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
567b3ad2015a427ddae88ccb8d378803

SHA1
d39637ec20c96998c02acf8bc31338cf75a47f08

SHA256
ea9c1e38b56979296c413078f15379035c0ce230a1ff4f53b6319cd3d2f1f947

SHA512
9cdb571f24e9ca65fc46727241cd73781bd02fcf7cd5c97451b3ed0c3b66f8cc671cb5461353fe59bd11f4698bc6d469e65841d1d56bdea126b8651a7c739e93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
\Users\Admin\AppData\Local\Temp\nsdAD50.tmp\Helper.dll

Filesize
1.2MB

MD5
7ee90ccf6869674fcf852557de88ea6d

SHA1
14ac643f0be8232bb99966df93fb0e1045a027f5

SHA256
c4e0adbc811be0450cb3cc3b08a4fe796a795ad5dfbfbf7d54da21431ef6d9ae

SHA512
9e37f76ac5b90be5f8b784c085154bd8752800fd21ad24975a6fd4ae04fe7307cab6616b4bb810e6bbf9c1ff42d60c077192340fc5eef17adc42d7b76709fb2d

Download Submit
\Users\Admin\AppData\Local\Temp\nsdAD50.tmp\Processes.dll

Filesize
35KB

MD5
2cfba79d485cf441c646dd40d82490fc

SHA1
83e51ac1115a50986ed456bd18729653018b9619

SHA256
86b302fa9c85dfa0c1c03ba000864a928365dab571f3355347dba02da22949b7

SHA512
cca186a7f9c5cff3f4eca410fbe8cc13dad2514a7e36aec9b1addfbcb239ace9b9b2d8427771858e3fd11783abce7e24d43c286f98da9f8b17562ca095a4c043

Download Submit
\Users\Admin\AppData\Local\Temp\nsdAD50.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsdAD50.tmp\nsDialogs.dll

Filesize
9KB

MD5
ab73c0c2a23f913eabdc4cb24b75cbad

SHA1
6569d2863d54c88dcf57c843fc310f6d9571a41e

SHA256
3d0060c5c9400a487dbefe4ac132dd96b07d3a4ba3badab46a7410a667c93457

SHA512
99d287b5152944f64edc7ce8f3ebcd294699e54a5b42ac7a88e27dff8a68278a5429f4d299802ee7ddbe290f1e3b6a372a5f3bb4ecb1a3c32e384bca3ccdb2b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsdAD50.tmp\util_ex.dll

Filesize
776KB

MD5
f9886cee41d173d573dce2686b309c15

SHA1
8b602e3c02b171583e49e1a3d07dbdff30726ed5

SHA256
bbd2a02336e04559da1487bd5f5ac70c4e040a9f5b2a0a3fc94641aeaa4d8b81

SHA512
f370cbb5c0e9f004d27b4b9fd185a7e5bfbcdfebecd70e423159da559846e5ca341a376afc07dcdcb1ff241ca09574969f077ca372b4c2786fb1c8329feb587a

Download Submit
\Users\Admin\AppData\Local\Temp\nsdAD50.tmp\version.dll

Filesize
6KB

MD5
ebc5bb904cdac1c67ada3fa733229966

SHA1
3c6abfa0ddef7f3289f38326077a5041389b15d2

SHA256
3eba921ef649b71f98d9378dee8105b38d2464c9ccde37a694e4a0cd77d22a75

SHA512
fa71afcc166093fbd076a84f10d055f5a686618711d053ab60d8bd060e78cb2fdc15fa35f363822c9913413251c718d01ddd6432ab128816d98f9aabf5612c9f

Download Submit
memory/2336-36-0x00000000007F0000-0x00000000007FD000-memory.dmp

Filesize
52KB

Download
memory/2336-11-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download