e00016ae3f99c81e04e916f5476fc1d965f5553572f4b7b81c6d7f1209f8f807

Analysis

max time kernel
148s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe
Size

124KB
MD5

3a267cfdc8cb0a4126c439e028fc46b2
SHA1

7635d7ac8308155d259484461c9da243da18c6bd
SHA256

e00016ae3f99c81e04e916f5476fc1d965f5553572f4b7b81c6d7f1209f8f807
SHA512

1d2ae1a8a9e22ab5bbeda306faf5bb1fa29bf5704b57a19ee04fdac8173415d7449c7ac1cc2a719788c7cc5d183450624300e091bcf43a9cc45b0fe8298e470a
SSDEEP

768:/0xUM1fz0WPBTKLijLzwvxqbtAHG15hGzpAnvCZgWyrB8aywc+57Tyw0ewDteA4V:u5T6imGtFTR8BGgz6OiT6iX

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 48 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe

Adds Run key to start application 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win = "C:\\WINDOWS\\system32\\config\\winlogon.exe"	regedit.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\3.reg	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\4.reg	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\5.reg	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\8.bat	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\1.reg	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\2.reg	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "1"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "1"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "1"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "1"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "1"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "1"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "1"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "1"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings	regedit.exe

Modifies Internet Explorer start page 1 TTPs 48 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jgysschool.com/jgys/student/gongzi.html"	regedit.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell\open\command\ = "C:\\WINDOWS\\SysWow64\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell\open\command\ = "C:\\WINDOWS\\SysWow64\\config\\winlogon.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\ = "Logfiles"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content Type = "application/x-msdownload"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell\open	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\ = "Logfiles"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell\open\command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell\open\command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell\open\command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell\open\command\ = "C:\\WINDOWS\\SysWow64\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell\open\command\ = "C:\\WINDOWS\\SysWow64\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\ = "Logfiles"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content Type = "application/x-msdownload"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell\open\command\ = "C:\\WINDOWS\\SysWow64\\config\\winlogon.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "MyApp"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\ = "Logfiles"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell\open	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "MyApp"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "MyApp"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content Type = "application/x-msdownload"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell\open\command\ = "C:\\WINDOWS\\SysWow64\\config\\winlogon.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content Type = "application/x-msdownload"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell\open\command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "MyApp"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "MyApp"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\ = "Logfiles"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content Type = "application/x-msdownload"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell\open	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "MyApp"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\ = "Logfiles"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\ = "Logfiles"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\PersistentHandler	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content Type = "application/x-msdownload"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyApp\shell\open	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content Type = "application/x-msdownload"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "MyApp"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content Type = "application/x-msdownload"	regedit.exe

Runs .reg file with regedit 64 IoCs

pid	Process
4404	regedit.exe
4956	regedit.exe
4536	regedit.exe
4528	regedit.exe
2112	regedit.exe
3996	regedit.exe
4592	regedit.exe
3272	regedit.exe
4924	regedit.exe
1296	regedit.exe
3512	regedit.exe
3372	regedit.exe
704	regedit.exe
4388	regedit.exe
2876	regedit.exe
928	regedit.exe
3944	regedit.exe
220	regedit.exe
856	regedit.exe
3828	regedit.exe
5076	regedit.exe
3976	regedit.exe
896	regedit.exe
896	regedit.exe
5076	regedit.exe
2736	regedit.exe
3152	regedit.exe
3604	regedit.exe
3820	regedit.exe
4828	regedit.exe
5020	regedit.exe
2784	regedit.exe
2304	regedit.exe
1920	regedit.exe
740	regedit.exe
2912	regedit.exe
5056	regedit.exe
1728	regedit.exe
2272	regedit.exe
2084	regedit.exe
2404	regedit.exe
4772	regedit.exe
2228	regedit.exe
3472	regedit.exe
1196	regedit.exe
1988	regedit.exe
1756	regedit.exe
2436	regedit.exe
3404	regedit.exe
452	regedit.exe
3416	regedit.exe
1400	regedit.exe
4120	regedit.exe
2276	regedit.exe
660	regedit.exe
2776	regedit.exe
4932	regedit.exe
964	regedit.exe
3576	regedit.exe
4844	regedit.exe
4012	regedit.exe
2812	regedit.exe
2936	regedit.exe
3692	regedit.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 5088	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	84
PID 2992 wrote to memory of 5088	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	84
PID 2992 wrote to memory of 5088	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	84
PID 2992 wrote to memory of 4536	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	85
PID 2992 wrote to memory of 4536	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	85
PID 2992 wrote to memory of 4536	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	85
PID 2992 wrote to memory of 4884	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	87
PID 2992 wrote to memory of 4884	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	87
PID 2992 wrote to memory of 4884	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	87
PID 2992 wrote to memory of 1232	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	88
PID 2992 wrote to memory of 1232	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	88
PID 2992 wrote to memory of 1232	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	88
PID 2992 wrote to memory of 1400	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	89
PID 2992 wrote to memory of 1400	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	89
PID 2992 wrote to memory of 1400	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	89
PID 2992 wrote to memory of 228	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	90
PID 2992 wrote to memory of 228	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	90
PID 2992 wrote to memory of 228	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	90
PID 2992 wrote to memory of 4516	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	93
PID 2992 wrote to memory of 4516	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	93
PID 2992 wrote to memory of 4516	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	93
PID 2992 wrote to memory of 3840	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	94
PID 2992 wrote to memory of 3840	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	94
PID 2992 wrote to memory of 3840	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	94
PID 2992 wrote to memory of 2876	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	95
PID 2992 wrote to memory of 2876	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	95
PID 2992 wrote to memory of 2876	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	95
PID 2992 wrote to memory of 4964	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	96
PID 2992 wrote to memory of 4964	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	96
PID 2992 wrote to memory of 4964	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	96
PID 2992 wrote to memory of 2432	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	97
PID 2992 wrote to memory of 2432	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	97
PID 2992 wrote to memory of 2432	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	97
PID 2992 wrote to memory of 4876	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	98
PID 2992 wrote to memory of 4876	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	98
PID 2992 wrote to memory of 4876	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	98
PID 2992 wrote to memory of 620	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	99
PID 2992 wrote to memory of 620	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	99
PID 2992 wrote to memory of 620	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	99
PID 2992 wrote to memory of 2800	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	100
PID 2992 wrote to memory of 2800	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	100
PID 2992 wrote to memory of 2800	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	100
PID 2992 wrote to memory of 2936	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	101
PID 2992 wrote to memory of 2936	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	101
PID 2992 wrote to memory of 2936	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	101
PID 2992 wrote to memory of 896	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	102
PID 2992 wrote to memory of 896	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	102
PID 2992 wrote to memory of 896	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	102
PID 2992 wrote to memory of 3020	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	103
PID 2992 wrote to memory of 3020	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	103
PID 2992 wrote to memory of 3020	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	103
PID 2992 wrote to memory of 3688	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	104
PID 2992 wrote to memory of 3688	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	104
PID 2992 wrote to memory of 3688	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	104
PID 2992 wrote to memory of 2804	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	105
PID 2992 wrote to memory of 2804	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	105
PID 2992 wrote to memory of 2804	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	105
PID 2992 wrote to memory of 4348	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	106
PID 2992 wrote to memory of 4348	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	106
PID 2992 wrote to memory of 4348	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	106
PID 2992 wrote to memory of 2880	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	107
PID 2992 wrote to memory of 2880	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	107
PID 2992 wrote to memory of 2880	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	107
PID 2992 wrote to memory of 2368	2992	3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe	108

C:\Users\Admin\AppData\Local\Temp\3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a267cfdc8cb0a4126c439e028fc46b2_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\8.bat
  2⤵
  PID:5088
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer start page
  PID:4536
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:4884
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1232
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - Runs .reg file with regedit
  PID:1400
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:228
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:4516
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3840
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - Runs .reg file with regedit
  PID:2876
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - System Location Discovery: System Language Discovery
  PID:4964
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2432
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:4876
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:620
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:2800
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - Runs .reg file with regedit
  PID:2936
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  - Runs .reg file with regedit
  PID:896
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:3020
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3688
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:4348
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2880
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:2368
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:4716
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:2540
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:2004
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2548
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer start page
  PID:1432
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3016
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - Runs .reg file with regedit
  PID:4404
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - Runs .reg file with regedit
  PID:5056
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2236
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer start page
  - Runs .reg file with regedit
  PID:740
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:684
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:3392
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - Runs .reg file with regedit
  PID:5076
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:4088
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:3664
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:452
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5080
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - Runs .reg file with regedit
  PID:3372
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  - Runs .reg file with regedit
  PID:2736
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Runs .reg file with regedit
  PID:4772
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:972
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - Runs .reg file with regedit
  PID:4924
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:1028
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Runs .reg file with regedit
  PID:4956
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:4640
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:1652
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - Runs .reg file with regedit
  PID:1728
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:3876
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:2008
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:3100
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:704
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:2000
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - System Location Discovery: System Language Discovery
  PID:444
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:2380
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Runs .reg file with regedit
  PID:3692
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:1984
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:928
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:1668
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:944
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:2812
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1332
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:3672
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:2468
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  PID:4296
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:4864
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:3932
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:1688
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:216
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:4844
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:3888
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2272
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - Runs .reg file with regedit
  PID:660
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:4012
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:2856
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:4556
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:2116
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:4444
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1756
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Runs .reg file with regedit
  PID:4828
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:1820
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:4076
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:2600
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - Runs .reg file with regedit
  PID:2436
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Runs .reg file with regedit
  PID:3944
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer start page
  PID:2528
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:5020
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:2016
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:2276
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Runs .reg file with regedit
  PID:4120
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Runs .reg file with regedit
  PID:856
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4716
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:2540
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - System Location Discovery: System Language Discovery
  PID:2004
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:2548
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Runs .reg file with regedit
  PID:2784
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2304
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:5068
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:4664
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:4592
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:1696
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:4528
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:2260
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - System Location Discovery: System Language Discovery
  PID:4544
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1316
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:3664
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1724
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:916
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:3532
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:2736
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:2636
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:2324
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:3744
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:1576
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Runs .reg file with regedit
  PID:2228
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:4580
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:636
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:532
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - System Location Discovery: System Language Discovery
  PID:4128
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:2692
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer start page
  - Runs .reg file with regedit
  PID:1920
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:3956
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - Runs .reg file with regedit
  PID:3828
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - Runs .reg file with regedit
  PID:3472
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  - Runs .reg file with regedit
  PID:2776
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:3464
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3996
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:704
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:112
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:444
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Runs .reg file with regedit
  PID:1196
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:1832
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:2296
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:3512
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  - Runs .reg file with regedit
  PID:3604
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:3444
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4932
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:3668
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:2412
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  PID:4364
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:4388
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1988
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - Runs .reg file with regedit
  PID:2812
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - System Location Discovery: System Language Discovery
  PID:2764
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:4412
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Runs .reg file with regedit
  PID:3976
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:964
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:2392
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - System Location Discovery: System Language Discovery
  PID:116
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  PID:1868
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:372
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:4532
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3576
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:3004
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:3980
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Runs .reg file with regedit
  PID:3152
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1296
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2876
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:4540
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  PID:1788
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:2400
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:3508
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:4556
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:2116
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  PID:4444
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:1184
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1444
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:3928
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:2152
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  - Runs .reg file with regedit
  PID:220
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:2936
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:896
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:1472
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - System Location Discovery: System Language Discovery
  PID:2168
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  - Runs .reg file with regedit
  PID:3404
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer start page
  - Runs .reg file with regedit
  PID:2276
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:4120
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - Runs .reg file with regedit
  PID:2084
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:5016
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer start page
  PID:1440
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:4652
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1432
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:2128
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  PID:4404
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:4492
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:3820
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - Runs .reg file with regedit
  PID:2112
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:2236
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:60
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:1000
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:3660
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:1680
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2912
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  - Runs .reg file with regedit
  PID:5076
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:4996
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:2748
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - Runs .reg file with regedit
  PID:452
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - System Location Discovery: System Language Discovery
  PID:5080
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:2560
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:1028
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:1576
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:3084
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3416
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:3780
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:760
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:3876
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:2008
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:4208
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:5116
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer start page
  PID:392
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3412
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:1500
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - System Location Discovery: System Language Discovery
  PID:2180
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:64
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Runs .reg file with regedit
  PID:3996
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:704
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:2020
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - System Location Discovery: System Language Discovery
  PID:3704
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:224
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:2452
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:364
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4328
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:3512
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:3604
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:4148
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:860
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  PID:1704
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  PID:1984
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  PID:928
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:4384
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:3272
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2404
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - Runs .reg file with regedit
  PID:4388
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  - Runs .reg file with regedit
  PID:1988
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\1.reg
  2⤵
  - Modifies Internet Explorer start page
  PID:3672
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\2.reg
  2⤵
  - Adds Run key to start application
  PID:3148
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\3.reg
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2468
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\4.reg
  2⤵
  - Disables RegEdit via registry modification
  - Runs .reg file with regedit
  PID:4536
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\WINDOWS\system32\5.reg
  2⤵
  - Modifies registry class
  PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\SysWOW64\8.bat

Filesize
11KB

MD5
16b229fdb7eaf32fd45e65683e862286

SHA1
f5e06d185e409714fe8ab83cc4b10423ac630b09

SHA256
e66a3e0bf8d91aad7cfc1fc491222da4b8896748007d811c66d1ece60bd25be1

SHA512
aaee20aa488c6a7ba9f271b1dd7644acc4d7500dc93427e0c196ca3f77773ef73d1cb248b2a77ed6f31626906f8a846459fb878c278a9af9ebb192e245cd7170

Download Submit
C:\Windows\SysWOW64\1.reg

Filesize
557B

MD5
066019dffcca73a50173cece9ecda48e

SHA1
e235ac3df1591aba0c127bc33dce60e61deca6b0

SHA256
c90d7fd8caee732fdb95baf724ad03ab18a5f16f4cc7849ecff76544e311b941

SHA512
aeff739a01012dc1f0dcbe92aac3ad8a5eda05721dab2abe51b24fcdba23111de030da6379074906ccc4b6f1d448b27197d86596dadd109f1bf44a07e47ffa45

Download Submit
C:\Windows\SysWOW64\2.reg

Filesize
162B

MD5
67eb522f01ddf3540a1423d94bdca031

SHA1
5a70dfa47d9a7873f28d4fc1012536f023c35d1a

SHA256
2db7d61eb3af901cb76b221ab52c721139d84fc467c25daa6a5b91198208c849

SHA512
8d13094b1202f1b01ef0e4a16282e09e14fa28e8dfe7dec59dd7bbf8c03ab0313996f71f4446e8f4e0a1a42f59bae4e465eaf8434c536fec8a77c2e64910cec2

Download Submit
C:\Windows\SysWOW64\3.reg

Filesize
150B

MD5
c108d1477b9a9556017d3f082e9535fb

SHA1
0a6eabe5bf50bb111402b15c226511af118361df

SHA256
bd9e6ddbd2361c2bdb74f98c295146989e96d606f0fef5b2c91ec86b6c29f20b

SHA512
0d34c36d7ada05dcea4d74246ccf440011ff74c17a43eb8390fe6eb19cd8041f72e994cc64c3c33f92cc6c39e84c84359430fc34de678e6278f0493cfe9bca6f

Download Submit
C:\Windows\SysWOW64\4.reg

Filesize
160B

MD5
c6fbbff5fa1aca2a29088303fdb77053

SHA1
c50c4c767298a3342075eab37c9f96725e76bbe1

SHA256
0f2d8c9204c0d3cc12baae200dd81badbaf4e12d348596cb893d52779e9a697a

SHA512
48020c19de8c2f3d5016b55b2605481760ec209637b1300f192780d2ee6e037724bf5f622801811bdfeda3d35a366fb12064ae9823f8b0803341802d0cf3212f

Download Submit
C:\Windows\SysWOW64\5.reg

Filesize
427B

MD5
1a0ac885aa4c434f2ebfa6bfdf782819

SHA1
538fbc3c82db8468f4ec9bf8a3dedb0c13794431

SHA256
f7ad06cce6741d3dc6beb16b4dc6de9d443d52dcdcd1d4f7c2229d177c95989a

SHA512
efd2e15825393caaa7e61ac8687661203a69191a32fc28ce94019bcb44b0b96b3b50fdddd45a26d62a6603608ed12c5fcf28769796229adf317c5db7e84f1b0c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads