metasploit | 0e49f713d8428e6fa3cd7d888c26d6ec452cd3537904e8d6cef38b9207fc74fd

Analysis

max time kernel
142s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe
Size

444KB
MD5

ea8e3632cc014498f1ff82398d0a40d1
SHA1

a84c99f40e048e61980b2d7a5a987aa8a7894949
SHA256

0e49f713d8428e6fa3cd7d888c26d6ec452cd3537904e8d6cef38b9207fc74fd
SHA512

0245d75b71654ca18b0bea8ebe2d1d725d6bef90755bd818675938525dd73f96006e87bcbd0dead45f4dc81f3dd725952490f85f64a6586dc9de0d62debe9115
SSDEEP

12288:0A+9QKbU1mNjno+HuY/bYaQbd6+6eKka/x/2c9PFboEXpq:xKbUAjoWM9+eKkaj5q

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks BIOS information in registry 2 TTPs 44 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.scr

Executes dropped EXE 21 IoCs

pid	Process
2868	crss.exe.exe
2680	crss.exe.exe
2460	crss.exe.scr
1724	crss.exe.scr
1800	crss.exe.exe
2100	crss.exe.scr
2248	crss.exe.exe
1980	crss.exe.com
2204	crss.exe.com
2976	crss.exe.exe
2712	crss.exe.scr
2000	crss.exe.scr
1912	crss.exe.com
2208	crss.exe.com
2004	crss.exe.scr
2260	crss.exe.exe
1512	crss.exe.exe
2596	crss.exe.scr
2808	crss.exe.exe
2732	crss.exe.com
1876	crss.exe.com

Loads dropped DLL 42 IoCs

pid	Process
2420	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe
2420	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe
2868	crss.exe.exe
2868	crss.exe.exe
2680	crss.exe.exe
2680	crss.exe.exe
2460	crss.exe.scr
2460	crss.exe.scr
1724	crss.exe.scr
1724	crss.exe.scr
1800	crss.exe.exe
1800	crss.exe.exe
2100	crss.exe.scr
2100	crss.exe.scr
2248	crss.exe.exe
2248	crss.exe.exe
1980	crss.exe.com
1980	crss.exe.com
2204	crss.exe.com
2204	crss.exe.com
2976	crss.exe.exe
2976	crss.exe.exe
2712	crss.exe.scr
2712	crss.exe.scr
2000	crss.exe.scr
2000	crss.exe.scr
1912	crss.exe.com
1912	crss.exe.com
2208	crss.exe.com
2208	crss.exe.com
2004	crss.exe.scr
2004	crss.exe.scr
2260	crss.exe.exe
2260	crss.exe.exe
1512	crss.exe.exe
1512	crss.exe.exe
2596	crss.exe.scr
2596	crss.exe.scr
2808	crss.exe.exe
2808	crss.exe.exe
2732	crss.exe.com
2732	crss.exe.com

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.exe
File created	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.scr
File opened for modification	C:\Windows\SysWOW64\crss.exe.com	crss.exe.scr
File opened for modification	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.scr
File opened for modification	C:\Windows\SysWOW64\crss.exe.com	crss.exe.exe
File opened for modification	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.scr
File created	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.scr
File opened for modification	C:\Windows\SysWOW64\crss.exe.exe	crss.exe.exe
File created	C:\Windows\SysWOW64\crss.exe.com	crss.exe.exe
File opened for modification	C:\Windows\SysWOW64\crss.exe.com	crss.exe.com
File opened for modification	C:\Windows\SysWOW64\crss.exe.exe	crss.exe.com
File created	C:\Windows\SysWOW64\crss.exe.com	crss.exe.com
File opened for modification	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.exe
File opened for modification	C:\Windows\SysWOW64\crss.exe.exe	crss.exe.scr
File opened for modification	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.exe
File created	C:\Windows\SysWOW64\crss.exe.exe	crss.exe.scr
File opened for modification	C:\Windows\SysWOW64\crss.exe.com	crss.exe.com
File opened for modification	C:\Windows\SysWOW64\crss.exe.com	crss.exe.exe
File opened for modification	C:\Windows\SysWOW64\crss.exe.com	crss.exe.com
File created	C:\Windows\SysWOW64\crss.exe.exe	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\crss.exe.exe	crss.exe.scr
File opened for modification	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.com
File opened for modification	C:\Windows\SysWOW64\crss.exe.exe	crss.exe.scr
File created	C:\Windows\SysWOW64\crss.exe.exe	crss.exe.exe
File created	C:\Windows\SysWOW64\crss.exe.com	crss.exe.com
File opened for modification	C:\Windows\SysWOW64\crss.exe.exe	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\crss.exe.exe	crss.exe.exe
File opened for modification	C:\Windows\SysWOW64\crss.exe.exe	crss.exe.exe
File opened for modification	C:\Windows\SysWOW64\crss.exe.exe	crss.exe.scr
File created	C:\Windows\SysWOW64\crss.exe.exe	crss.exe.scr
File created	C:\Windows\SysWOW64\crss.exe.com	crss.exe.com
File created	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.exe
File created	C:\Windows\SysWOW64\crss.exe.com	crss.exe.com
File opened for modification	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.exe
File opened for modification	C:\Windows\SysWOW64\crss.exe.com	crss.exe.com

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.com

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 7f9a21c5d0700593ec888dcd91b64d0cc25bcdf29a6cd6316bd1785c1deb1aec0bdaad4e631df0034488de	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 7f9a21c5d0700593ec888dcd91b64d0cc25bcdf29a6cd6316bd1785c1deb1aec0bdaa04e631df0b2801826	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 7f9a21c5d0700593ec888dcd91b64d0cc25bcdf29a6cd6316bd1785c1deb1aec0bdaaf4e631df0631748a4	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 7f9a21c5d0700593ec888dcd91b64d0cc25bcdf29a6cd6316bd1785c1deb1aec0bdab84e631df0f15c8876	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 7f9a21c5d0700593ec888dcd91b64d0cc25bcdf29a6cd6316bd1785c1deb1aec0bdaa54e631df0c20ff8ee	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 7f9a21c5d0700593ec888dcd91b64d0cc25bcdf29a6cd6316bd1785c1deb1aec0bdab04e631df03017f846	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 7f9a21c5d0700593ec888dcd91b64d0cc25bcdf29a6cd6316bd1785c1deb1aec0bdaa44e631df0722698d3	crss.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 7f9a21c5d0700593ec888dcd91b64d0cc25bcdf29a6cd6316bd1785c1deb1aec0bdaba4e631df0910f480c	crss.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 7f9a21c5d0700593ec888dcd91b64d0cc25bcdf29a6cd6316bd1785c1deb1aec0bdabc4e631df031fa0883	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 7f9a21c5d0700593ec888dcd91b64d0cc25bcdf29a6cd6316bd1785c1deb1aec0bdaac4e631df0b36de8e3	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 7f9a21c5d0700593ec888dcd91b64d0cc25bcdf29a6cd6316bd1785c1deb1aec0bdaa64e631df0127558a9	crss.exe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 7f9a21c5d0700593ec888dcd91b64d0cc25bcdf29a6cd6316bd1785c1deb1aec0bdab94e631df04175e84b	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 7f9a21c5d0700593ec888dcd91b64d0cc25bcdf29a6cd6316bd1785c1deb1aec0bdab14e631df0803e987b	crss.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 7f9a21c5d0700593ec888dcd91b64d0cc25bcdf29a6cd6316bd1785c1deb1aec0bdaa14e631df002a9781b	crss.exe.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 7f9a21c5d0700593ec888dcd91b64d0cc25bcdf29a6cd6316bd1785c1deb1aec0bdabf4e631df0e180a8c4	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 7f9a21c5d0700593ec888dcd91b64d0cc25bcdf29a6cd6316bd1785c1deb1aec0bdabe4e631df051a9c8f9	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.com

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: 33	2420	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2420	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe
Token: 33	2868	crss.exe.exe
Token: SeIncBasePriorityPrivilege	2868	crss.exe.exe
Token: 33	2680	crss.exe.exe
Token: SeIncBasePriorityPrivilege	2680	crss.exe.exe
Token: 33	2460	crss.exe.scr
Token: SeIncBasePriorityPrivilege	2460	crss.exe.scr
Token: 33	1724	crss.exe.scr
Token: SeIncBasePriorityPrivilege	1724	crss.exe.scr
Token: 33	1800	crss.exe.exe
Token: SeIncBasePriorityPrivilege	1800	crss.exe.exe
Token: 33	2100	crss.exe.scr
Token: SeIncBasePriorityPrivilege	2100	crss.exe.scr
Token: 33	2248	crss.exe.exe
Token: SeIncBasePriorityPrivilege	2248	crss.exe.exe
Token: 33	1980	crss.exe.com
Token: SeIncBasePriorityPrivilege	1980	crss.exe.com
Token: 33	2204	crss.exe.com
Token: SeIncBasePriorityPrivilege	2204	crss.exe.com
Token: 33	2976	crss.exe.exe
Token: SeIncBasePriorityPrivilege	2976	crss.exe.exe
Token: 33	2712	crss.exe.scr
Token: SeIncBasePriorityPrivilege	2712	crss.exe.scr
Token: 33	2000	crss.exe.scr
Token: SeIncBasePriorityPrivilege	2000	crss.exe.scr
Token: 33	1912	crss.exe.com
Token: SeIncBasePriorityPrivilege	1912	crss.exe.com
Token: 33	2208	crss.exe.com
Token: SeIncBasePriorityPrivilege	2208	crss.exe.com
Token: 33	2004	crss.exe.scr
Token: SeIncBasePriorityPrivilege	2004	crss.exe.scr
Token: 33	2260	crss.exe.exe
Token: SeIncBasePriorityPrivilege	2260	crss.exe.exe
Token: 33	1512	crss.exe.exe
Token: SeIncBasePriorityPrivilege	1512	crss.exe.exe
Token: 33	2596	crss.exe.scr
Token: SeIncBasePriorityPrivilege	2596	crss.exe.scr
Token: 33	2808	crss.exe.exe
Token: SeIncBasePriorityPrivilege	2808	crss.exe.exe
Token: 33	2732	crss.exe.com
Token: SeIncBasePriorityPrivilege	2732	crss.exe.com
Token: 33	1876	crss.exe.com
Token: SeIncBasePriorityPrivilege	1876	crss.exe.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2868	2420	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe	29
PID 2420 wrote to memory of 2868	2420	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe	29
PID 2420 wrote to memory of 2868	2420	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe	29
PID 2420 wrote to memory of 2868	2420	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2680	2868	crss.exe.exe	30
PID 2868 wrote to memory of 2680	2868	crss.exe.exe	30
PID 2868 wrote to memory of 2680	2868	crss.exe.exe	30
PID 2868 wrote to memory of 2680	2868	crss.exe.exe	30
PID 2680 wrote to memory of 2460	2680	crss.exe.exe	31
PID 2680 wrote to memory of 2460	2680	crss.exe.exe	31
PID 2680 wrote to memory of 2460	2680	crss.exe.exe	31
PID 2680 wrote to memory of 2460	2680	crss.exe.exe	31
PID 2460 wrote to memory of 1724	2460	crss.exe.scr	32
PID 2460 wrote to memory of 1724	2460	crss.exe.scr	32
PID 2460 wrote to memory of 1724	2460	crss.exe.scr	32
PID 2460 wrote to memory of 1724	2460	crss.exe.scr	32
PID 1724 wrote to memory of 1800	1724	crss.exe.scr	33
PID 1724 wrote to memory of 1800	1724	crss.exe.scr	33
PID 1724 wrote to memory of 1800	1724	crss.exe.scr	33
PID 1724 wrote to memory of 1800	1724	crss.exe.scr	33
PID 1800 wrote to memory of 2100	1800	crss.exe.exe	34
PID 1800 wrote to memory of 2100	1800	crss.exe.exe	34
PID 1800 wrote to memory of 2100	1800	crss.exe.exe	34
PID 1800 wrote to memory of 2100	1800	crss.exe.exe	34
PID 2100 wrote to memory of 2248	2100	crss.exe.scr	35
PID 2100 wrote to memory of 2248	2100	crss.exe.scr	35
PID 2100 wrote to memory of 2248	2100	crss.exe.scr	35
PID 2100 wrote to memory of 2248	2100	crss.exe.scr	35
PID 2248 wrote to memory of 1980	2248	crss.exe.exe	36
PID 2248 wrote to memory of 1980	2248	crss.exe.exe	36
PID 2248 wrote to memory of 1980	2248	crss.exe.exe	36
PID 2248 wrote to memory of 1980	2248	crss.exe.exe	36
PID 1980 wrote to memory of 2204	1980	crss.exe.com	37
PID 1980 wrote to memory of 2204	1980	crss.exe.com	37
PID 1980 wrote to memory of 2204	1980	crss.exe.com	37
PID 1980 wrote to memory of 2204	1980	crss.exe.com	37
PID 2204 wrote to memory of 2976	2204	crss.exe.com	38
PID 2204 wrote to memory of 2976	2204	crss.exe.com	38
PID 2204 wrote to memory of 2976	2204	crss.exe.com	38
PID 2204 wrote to memory of 2976	2204	crss.exe.com	38
PID 2976 wrote to memory of 2712	2976	crss.exe.exe	39
PID 2976 wrote to memory of 2712	2976	crss.exe.exe	39
PID 2976 wrote to memory of 2712	2976	crss.exe.exe	39
PID 2976 wrote to memory of 2712	2976	crss.exe.exe	39
PID 2712 wrote to memory of 2000	2712	crss.exe.scr	40
PID 2712 wrote to memory of 2000	2712	crss.exe.scr	40
PID 2712 wrote to memory of 2000	2712	crss.exe.scr	40
PID 2712 wrote to memory of 2000	2712	crss.exe.scr	40
PID 2000 wrote to memory of 1912	2000	crss.exe.scr	41
PID 2000 wrote to memory of 1912	2000	crss.exe.scr	41
PID 2000 wrote to memory of 1912	2000	crss.exe.scr	41
PID 2000 wrote to memory of 1912	2000	crss.exe.scr	41
PID 1912 wrote to memory of 2208	1912	crss.exe.com	42
PID 1912 wrote to memory of 2208	1912	crss.exe.com	42
PID 1912 wrote to memory of 2208	1912	crss.exe.com	42
PID 1912 wrote to memory of 2208	1912	crss.exe.com	42
PID 2208 wrote to memory of 2004	2208	crss.exe.com	43
PID 2208 wrote to memory of 2004	2208	crss.exe.com	43
PID 2208 wrote to memory of 2004	2208	crss.exe.com	43
PID 2208 wrote to memory of 2004	2208	crss.exe.com	43
PID 2004 wrote to memory of 2260	2004	crss.exe.scr	44
PID 2004 wrote to memory of 2260	2004	crss.exe.scr	44
PID 2004 wrote to memory of 2260	2004	crss.exe.scr	44
PID 2004 wrote to memory of 2260	2004	crss.exe.scr	44

C:\Users\Admin\AppData\Local\Temp\ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\crss.exe.exe
  C:\Windows\system32\crss.exe.exe 648 "C:\Users\Admin\AppData\Local\Temp\ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\crss.exe.exe
    C:\Windows\system32\crss.exe.exe 696 "C:\Windows\SysWOW64\crss.exe.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\crss.exe.scr
      C:\Windows\system32\crss.exe.scr 760 "C:\Windows\SysWOW64\crss.exe.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\SysWOW64\crss.exe.scr
        
        C:\Windows\system32\crss.exe.scr 680 "C:\Windows\SysWOW64\crss.exe.scr"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1724
      - C:\Windows\SysWOW64\crss.exe.exe
        
        C:\Windows\system32\crss.exe.exe 736 "C:\Windows\SysWOW64\crss.exe.scr"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\crss.exe.scr
        
        C:\Windows\system32\crss.exe.scr 652 "C:\Windows\SysWOW64\crss.exe.exe"
        7⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\crss.exe.exe
        
        C:\Windows\system32\crss.exe.exe 776 "C:\Windows\SysWOW64\crss.exe.scr"
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\crss.exe.com
        
        C:\Windows\system32\crss.exe.com 660 "C:\Windows\SysWOW64\crss.exe.exe"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\crss.exe.com
        
        C:\Windows\system32\crss.exe.com 780 "C:\Windows\SysWOW64\crss.exe.com"
        10⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\crss.exe.exe
        
        C:\Windows\system32\crss.exe.exe 752 "C:\Windows\SysWOW64\crss.exe.com"
        11⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\crss.exe.scr
        
        C:\Windows\system32\crss.exe.scr 656 "C:\Windows\SysWOW64\crss.exe.exe"
        12⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\crss.exe.scr
        
        C:\Windows\system32\crss.exe.scr 800 "C:\Windows\SysWOW64\crss.exe.scr"
        13⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\crss.exe.com
        
        C:\Windows\system32\crss.exe.com 664 "C:\Windows\SysWOW64\crss.exe.scr"
        14⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\crss.exe.com
        
        C:\Windows\system32\crss.exe.com 796 "C:\Windows\SysWOW64\crss.exe.com"
        15⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\crss.exe.scr
        
        C:\Windows\system32\crss.exe.scr 764 "C:\Windows\SysWOW64\crss.exe.com"
        16⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\crss.exe.exe
        
        C:\Windows\system32\crss.exe.exe 768 "C:\Windows\SysWOW64\crss.exe.scr"
        17⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\SysWOW64\crss.exe.exe
        
        C:\Windows\system32\crss.exe.exe 812 "C:\Windows\SysWOW64\crss.exe.exe"
        18⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\SysWOW64\crss.exe.scr
        
        C:\Windows\system32\crss.exe.scr 788 "C:\Windows\SysWOW64\crss.exe.exe"
        19⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\SysWOW64\crss.exe.exe
        
        C:\Windows\system32\crss.exe.exe 828 "C:\Windows\SysWOW64\crss.exe.scr"
        20⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\SysWOW64\crss.exe.com
        
        C:\Windows\system32\crss.exe.com 792 "C:\Windows\SysWOW64\crss.exe.exe"
        21⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\SysWOW64\crss.exe.com
        
        C:\Windows\system32\crss.exe.com 832 "C:\Windows\SysWOW64\crss.exe.com"
        22⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
43B

MD5
e8653896838ab5b43717e822a977cab2

SHA1
023f5cf814684b7646fc50d3ee9152e79783dd14

SHA256
f4472cd66c92954e8a088e3c1acb662211462e4228ce4024dcb379b35b64ac35

SHA512
056824fea26d29b73d6911b4dcc7aec72277d4c3c0c6784420cb25039ea96cee9c1f15e3ae136e4da1727d10ed71545ebd636b243026acef1bb5c94b02771587

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
43B

MD5
b38326668be313b559c5df63795eaccc

SHA1
4a2e3cd17f215bc3aa05d0593028c7a6c9d3f9df

SHA256
81253c5801df08efaf570f916d19a3fe20e93e132b1d60388d3b0a81229755b8

SHA512
54bafaf9f50c9d107d46ce93895059f6ade41981bff511ae1380043aa2a0cdabad6af02de0758661c45d5713e3e33103914ce316fdfe7b823810693ab2df0669

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
43B

MD5
009d95bde75700cff152c202addce142

SHA1
1153f6c7f8b099b7e88c8a4196ad11a9c249c832

SHA256
a60ebc1c5c9e169246435e454a9a084c950dfdbce2fabd1abd46586dda1065b5

SHA512
6ff8bfe185bbfcadce74660d5e0014c767fd0b47ff9f56ae5e4091f735044a6d508a34394acda4406328e53340c53772844eb2ee29835544dc104571d61825e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
43B

MD5
85f6cbe0764c299db78a8e2ccbac401e

SHA1
0b4bbb2666b8765cee35bbae5e021a7bd027e496

SHA256
bfd604e4d28dbcb005775270bf6237578b38805e1e18dfa37c48483c937145dd

SHA512
b4277fb15008136c49ec8541ea8e7335b570490f515c9e022f9878953cbb04aba3dc9b74238c76839003271a1585ea61b36ddadc3a66c010b8072615787d71b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
43B

MD5
789dba2d65b877ce4dde756013bf5de0

SHA1
d4f97156e035e8fc877a77213572daffd4386489

SHA256
7e526b7ffa302d3508cd748c14ca30d987080fdb4cc142d52834b64b45da2c11

SHA512
caa183816c550a7fa54d066ad9583f13a8ded8d82f8859585a816216b0d3a24fe79b90d6efa7d3db14fd28b4ced87e23c54ddf1aa38c99c8fbc5e8542d1758d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
43B

MD5
1b3c6663573397f53680a0852963aff3

SHA1
4060eb27028e0c4e5dbad8535b127b3a14627bc5

SHA256
58cfe86529f0844b8dd9e02390f65fc163f2f6b30d25751bf0da916132440a45

SHA512
aa32a7228426dc623920aa7be9c8775ca87494e222b176b463b994b96f7839bfcfc30efc2d28679b4634108358f540f2ccb5cc4a631d9a10c5e15a26185a57bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
43B

MD5
b8456f0ff8dd26463955ca27cb35ceb3

SHA1
66cef7f852483a14748141f3d4899e77466a6a51

SHA256
dda07ecc1328199f504ceeb3cb3b0bbaf8bacd5b2680f46018d30a60b81b4a9f

SHA512
650a1ecd8394e73ca7fac0ae5f8d2a8ca72605fb5e7b512f7f3ade51e060031e52bb0fe706c6bd554a5da1880f7133376003e1a9f594d68b718eb2a2c36bf709

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
43B

MD5
243545c9ac4731be6ada39c104798210

SHA1
6a20f0bf200d197b45a2a59113320c1ee2670b1b

SHA256
b941c607e6c6baf091b9cb65567471898565b8c06b61c8fcc09dae773fdfd999

SHA512
6f6a47e5d9c1ca85a5504e0fd92d39f3af28d694a47e50a4b8ce2eb882fbf4a5628198a6fa7955648a2c8cd51299aba531cdb822faebc972938f0edada323829

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
43B

MD5
355628242b7c5812ff74d10fbd0f374b

SHA1
4e57afc175ffd8e230d7554e075a9256fa0f38d8

SHA256
030248a586d2f144bb2b6d5532265f90368425a324dacafcffa004a0c2f053a1

SHA512
02f7ec4210494d8e6529559ab2868f0d254f3ca3215ca22baf30c3e852de898a0cbb7e6974beb86b88bcfa72b219a5c84e092c405d4d7c148a385d40fa380708

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
43B

MD5
a8b615856e33a65b88b048f3a6f0ab14

SHA1
68e682b59e161153d09a8518edacbd8f0e9d6c20

SHA256
d10d05cc4e322132e05fbe2e4ecebb2152710e227a2339adc1fb24c79c87acee

SHA512
97294e6d503d3a44e2c293b87426be738d48d29348521403f6db26faf8fbe9bb35cca2a256ab081a216d642a485e91cf3a02efe9e480deab31a39034c540e0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
43B

MD5
98d1a5c8c789672c9694d315ffa093e6

SHA1
66bffa99991b4502ff086ba14f20b9485ed9dcc9

SHA256
9443b4fa1b38363e1d594c3e6074d32e220500086eb88c3b061c55b7118e9bfe

SHA512
412b4d561f87989a1c8aced8ad95278359d399df5d3cb2cbe912384781f2a589e81207ede5320b7072964122a811310967dc674849bd76e9203b5411f18d1ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
43B

MD5
6daa5da8408b494d9d7260cf114fe6a4

SHA1
dfef5574898179815c51a47309e3ddd1f97a4b92

SHA256
714e19e360609c7c7bff5b5bcf67e95b7ce95c4a7fc809d03bf0fcd76c4cce96

SHA512
7d1fea5b19887de638ad78782b71893e4cf4db475dc12fb064618cbd89eceb61e3b6733bc503252be4ef675970033c6b61dcd29c72a431f2924d469433eb7f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
43B

MD5
3a3d094833eeb8e7964a7a2acfe5d8b6

SHA1
9f97fc2c9287c39f9c4d14485cc2e9045799719a

SHA256
82778db8b45dd63150442ec00b16dae2b2e50da074772f1eafa46a61b3a51df5

SHA512
cf3b4141737f522b842ef7d9296a71e642881cf692524acb3d3aa1c061c2d930a6d15488a1b959fb32e196bd97c5f4d71341c5731a6eb21156f5a4f347ff4599

Download Submit
\Windows\SysWOW64\crss.exe.exe

Filesize
444KB

MD5
ea8e3632cc014498f1ff82398d0a40d1

SHA1
a84c99f40e048e61980b2d7a5a987aa8a7894949

SHA256
0e49f713d8428e6fa3cd7d888c26d6ec452cd3537904e8d6cef38b9207fc74fd

SHA512
0245d75b71654ca18b0bea8ebe2d1d725d6bef90755bd818675938525dd73f96006e87bcbd0dead45f4dc81f3dd725952490f85f64a6586dc9de0d62debe9115

Download Submit
memory/1512-477-0x00000000038D0000-0x0000000003A39000-memory.dmp

Filesize
1.4MB

Download
memory/1512-495-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1512-455-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1512-476-0x00000000038D0000-0x0000000003A39000-memory.dmp

Filesize
1.4MB

Download
memory/1724-109-0x0000000000220000-0x0000000000265000-memory.dmp

Filesize
276KB

Download
memory/1724-151-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1724-133-0x0000000003A80000-0x0000000003BE9000-memory.dmp

Filesize
1.4MB

Download
memory/1724-108-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1800-182-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1800-174-0x0000000003990000-0x0000000003AF9000-memory.dmp

Filesize
1.4MB

Download
memory/1800-176-0x0000000003990000-0x0000000003AF9000-memory.dmp

Filesize
1.4MB

Download
memory/1800-140-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1912-380-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1912-385-0x0000000003A70000-0x0000000003BD9000-memory.dmp

Filesize
1.4MB

Download
memory/1912-366-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1980-245-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2000-377-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2000-359-0x0000000003A20000-0x0000000003B89000-memory.dmp

Filesize
1.4MB

Download
memory/2004-432-0x00000000037D0000-0x0000000003939000-memory.dmp

Filesize
1.4MB

Download
memory/2004-450-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2004-431-0x00000000037D0000-0x0000000003939000-memory.dmp

Filesize
1.4MB

Download
memory/2100-177-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2100-195-0x0000000003BE0000-0x0000000003D49000-memory.dmp

Filesize
1.4MB

Download
memory/2100-185-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2204-279-0x0000000003970000-0x0000000003AD9000-memory.dmp

Filesize
1.4MB

Download
memory/2204-293-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2208-386-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2208-427-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2248-221-0x0000000003890000-0x00000000039F9000-memory.dmp

Filesize
1.4MB

Download
memory/2248-241-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2260-438-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2260-454-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2420-12-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/2420-16-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/2420-40-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2420-5-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2420-24-0x0000000003910000-0x0000000003A79000-memory.dmp

Filesize
1.4MB

Download
memory/2420-0-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/2420-27-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/2420-10-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2420-6-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/2420-8-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2420-9-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2420-7-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2420-11-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2460-94-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2460-96-0x0000000001DC0000-0x0000000001E05000-memory.dmp

Filesize
276KB

Download
memory/2460-93-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2460-103-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2460-82-0x0000000001DC0000-0x0000000001E05000-memory.dmp

Filesize
276KB

Download
memory/2460-88-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2460-91-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2460-92-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2460-95-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2460-101-0x0000000001DC0000-0x0000000001E05000-memory.dmp

Filesize
276KB

Download
memory/2460-102-0x0000000001DC0000-0x0000000001E05000-memory.dmp

Filesize
276KB

Download
memory/2596-506-0x0000000003AF0000-0x0000000003C59000-memory.dmp

Filesize
1.4MB

Download
memory/2596-478-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2596-499-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2680-53-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2680-61-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2680-54-0x00000000002C0000-0x0000000000305000-memory.dmp

Filesize
276KB

Download
memory/2680-100-0x00000000002C0000-0x0000000000305000-memory.dmp

Filesize
276KB

Download
memory/2680-81-0x0000000003B40000-0x0000000003CA9000-memory.dmp

Filesize
1.4MB

Download
memory/2680-66-0x00000000002C0000-0x0000000000305000-memory.dmp

Filesize
276KB

Download
memory/2680-67-0x00000000002C0000-0x0000000000305000-memory.dmp

Filesize
276KB

Download
memory/2680-65-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2680-64-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2680-63-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2680-99-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2680-62-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2680-68-0x00000000002C0000-0x0000000000305000-memory.dmp

Filesize
276KB

Download
memory/2712-333-0x0000000003B00000-0x0000000003C69000-memory.dmp

Filesize
1.4MB

Download
memory/2712-332-0x0000000003B00000-0x0000000003C69000-memory.dmp

Filesize
1.4MB

Download
memory/2712-327-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2712-304-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2732-550-0x0000000003920000-0x0000000003A89000-memory.dmp

Filesize
1.4MB

Download
memory/2732-549-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2732-528-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2808-545-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2808-527-0x0000000003930000-0x0000000003A99000-memory.dmp

Filesize
1.4MB

Download
memory/2868-37-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2868-34-0x0000000001DF0000-0x0000000001E35000-memory.dmp

Filesize
276KB

Download
memory/2868-42-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2868-44-0x0000000001DF0000-0x0000000001E35000-memory.dmp

Filesize
276KB

Download
memory/2868-48-0x0000000001DF0000-0x0000000001E35000-memory.dmp

Filesize
276KB

Download
memory/2868-38-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2868-41-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2868-43-0x0000000001DF0000-0x0000000001E35000-memory.dmp

Filesize
276KB

Download
memory/2868-39-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2868-46-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2868-28-0x0000000001DF0000-0x0000000001E35000-memory.dmp

Filesize
276KB

Download
memory/2868-26-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2868-70-0x0000000001DF0000-0x0000000001E35000-memory.dmp

Filesize
276KB

Download
memory/2868-52-0x0000000003A50000-0x0000000003BB9000-memory.dmp

Filesize
1.4MB

Download
memory/2976-303-0x0000000003830000-0x0000000003999000-memory.dmp

Filesize
1.4MB

Download
memory/2976-280-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2976-320-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download