metasploit | 0e49f713d8428e6fa3cd7d888c26d6ec452cd3537904e8d6cef38b9207fc74fd

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe
Size

444KB
MD5

ea8e3632cc014498f1ff82398d0a40d1
SHA1

a84c99f40e048e61980b2d7a5a987aa8a7894949
SHA256

0e49f713d8428e6fa3cd7d888c26d6ec452cd3537904e8d6cef38b9207fc74fd
SHA512

0245d75b71654ca18b0bea8ebe2d1d725d6bef90755bd818675938525dd73f96006e87bcbd0dead45f4dc81f3dd725952490f85f64a6586dc9de0d62debe9115
SSDEEP

12288:0A+9QKbU1mNjno+HuY/bYaQbd6+6eKka/x/2c9PFboEXpq:xKbUAjoWM9+eKkaj5q

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks BIOS information in registry 2 TTPs 46 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	crss.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	crss.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe

Executes dropped EXE 22 IoCs

pid	Process
1376	crss.exe.scr
1068	crss.exe.scr
2084	crss.exe.com
3652	crss.exe.scr
3756	crss.exe.com
4876	crss.exe.scr
468	crss.exe.exe
3228	crss.exe.com
1532	crss.exe.scr
784	crss.exe.scr
3024	crss.exe.scr
5104	crss.exe.scr
4988	crss.exe.scr
3992	crss.exe.exe
4288	crss.exe.com
1328	crss.exe.exe
3440	crss.exe.com
5084	crss.exe.com
3508	crss.exe.com
3872	crss.exe.scr
2420	crss.exe.com
3472	crss.exe.exe

Drops file in System32 directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.com
File created	C:\Windows\SysWOW64\crss.exe.exe	crss.exe.exe
File opened for modification	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.com
File opened for modification	C:\Windows\SysWOW64\crss.exe.exe	crss.exe.scr
File created	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.scr
File created	C:\Windows\SysWOW64\crss.exe.com	crss.exe.com
File opened for modification	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.com
File opened for modification	C:\Windows\SysWOW64\crss.exe.exe	crss.exe.scr
File opened for modification	C:\Windows\SysWOW64\crss.exe.exe	crss.exe.exe
File created	C:\Windows\SysWOW64\crss.exe.scr	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\crss.exe.com	crss.exe.scr
File opened for modification	C:\Windows\SysWOW64\crss.exe.com	crss.exe.scr
File opened for modification	C:\Windows\SysWOW64\crss.exe.com	crss.exe.exe
File opened for modification	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.scr
File opened for modification	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.scr
File created	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.scr
File opened for modification	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.scr
File opened for modification	C:\Windows\SysWOW64\crss.exe.com	crss.exe.com
File opened for modification	C:\Windows\SysWOW64\crss.exe.scr	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.scr
File opened for modification	C:\Windows\SysWOW64\crss.exe.com	crss.exe.exe
File created	C:\Windows\SysWOW64\crss.exe.com	crss.exe.com
File created	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.scr
File opened for modification	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.scr
File opened for modification	C:\Windows\SysWOW64\crss.exe.com	crss.exe.exe
File opened for modification	C:\Windows\SysWOW64\crss.exe.com	crss.exe.com
File opened for modification	C:\Windows\SysWOW64\crss.exe.exe	crss.exe.com
File opened for modification	C:\Windows\SysWOW64\crss.exe.com	crss.exe.scr
File created	C:\Windows\SysWOW64\crss.exe.exe	crss.exe.scr
File opened for modification	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.com
File opened for modification	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.scr
File created	C:\Windows\SysWOW64\crss.exe.scr	crss.exe.scr
File opened for modification	C:\Windows\SysWOW64\crss.exe.exe	crss.exe.com
File opened for modification	C:\Windows\SysWOW64\crss.exe.com	crss.exe.scr

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe.com

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd386580fe91aec0a295dbb2b	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd3865833e91aec0aae086a4f	crss.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd3865813e91aec0aaa27ab8e	crss.exe.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd386581ee91aec0a1be33b76	crss.exe.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd3865835e91aec0a0efd2ac0	crss.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd3865818e91aec0abb167bf9	crss.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd386583be91aec0a6f431a7f	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd386581ce91aec0a7bb0fb0c	crss.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd386583ee91aec0a1fccfab7	crss.exe.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd3865831e91aec0ace5baa35	crss.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd3865800e91aec0af8caeba9	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd3865811e91aec0aca746bf4	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd386583de91aec0acfb65af0	crss.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd386580be91aec0ae9fb3bde	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd3865801e91aec0a48e38b94	crss.exe.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd3865837e91aec0a6eaeeaba	crss.exe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd3865836e91aec0ade878a87	crss.exe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd3865830e91aec0a7e72ca08	crss.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd386581de91aec0acb999b31	crss.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd3865805e91aec0a88450b61	crss.exe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd3865802e91aec0a98992bd3	crss.exe.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd386580ce91aec0af9271b6c	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd386583ce91aec0a7f9f3acd	crss.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd3865807e91aec0ae816cb1b	crss.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\0 = 729a1ac434530495d6896bec9691410ec67ccfd5966ed8166fd386581fe91aec0aabca5b4b	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version	crss.exe.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}	crss.exe.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C64E7A-48A1-AD6F-8AE0-676D8AE0676D}\Version\ = "1.0"	crss.exe.com

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: 33	4648	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4648	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe
Token: 33	1376	crss.exe.scr
Token: SeIncBasePriorityPrivilege	1376	crss.exe.scr
Token: 33	1068	crss.exe.scr
Token: SeIncBasePriorityPrivilege	1068	crss.exe.scr
Token: 33	2084	crss.exe.com
Token: SeIncBasePriorityPrivilege	2084	crss.exe.com
Token: 33	3652	crss.exe.scr
Token: SeIncBasePriorityPrivilege	3652	crss.exe.scr
Token: 33	3756	crss.exe.com
Token: SeIncBasePriorityPrivilege	3756	crss.exe.com
Token: 33	4876	crss.exe.scr
Token: SeIncBasePriorityPrivilege	4876	crss.exe.scr
Token: 33	468	crss.exe.exe
Token: SeIncBasePriorityPrivilege	468	crss.exe.exe
Token: 33	3228	crss.exe.com
Token: SeIncBasePriorityPrivilege	3228	crss.exe.com
Token: 33	1532	crss.exe.scr
Token: SeIncBasePriorityPrivilege	1532	crss.exe.scr
Token: 33	784	crss.exe.scr
Token: SeIncBasePriorityPrivilege	784	crss.exe.scr
Token: 33	3024	crss.exe.scr
Token: SeIncBasePriorityPrivilege	3024	crss.exe.scr
Token: 33	5104	crss.exe.scr
Token: SeIncBasePriorityPrivilege	5104	crss.exe.scr
Token: 33	4988	crss.exe.scr
Token: SeIncBasePriorityPrivilege	4988	crss.exe.scr
Token: 33	3992	crss.exe.exe
Token: SeIncBasePriorityPrivilege	3992	crss.exe.exe
Token: 33	4288	crss.exe.com
Token: SeIncBasePriorityPrivilege	4288	crss.exe.com
Token: 33	1328	crss.exe.exe
Token: SeIncBasePriorityPrivilege	1328	crss.exe.exe
Token: 33	3440	crss.exe.com
Token: SeIncBasePriorityPrivilege	3440	crss.exe.com
Token: 33	5084	crss.exe.com
Token: SeIncBasePriorityPrivilege	5084	crss.exe.com
Token: 33	3508	crss.exe.com
Token: SeIncBasePriorityPrivilege	3508	crss.exe.com
Token: 33	3872	crss.exe.scr
Token: SeIncBasePriorityPrivilege	3872	crss.exe.scr
Token: 33	2420	crss.exe.com
Token: SeIncBasePriorityPrivilege	2420	crss.exe.com
Token: 33	3472	crss.exe.exe
Token: SeIncBasePriorityPrivilege	3472	crss.exe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 1376	4648	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe	83
PID 4648 wrote to memory of 1376	4648	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe	83
PID 4648 wrote to memory of 1376	4648	ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe	83
PID 1376 wrote to memory of 1068	1376	crss.exe.scr	96
PID 1376 wrote to memory of 1068	1376	crss.exe.scr	96
PID 1376 wrote to memory of 1068	1376	crss.exe.scr	96
PID 1068 wrote to memory of 2084	1068	crss.exe.scr	97
PID 1068 wrote to memory of 2084	1068	crss.exe.scr	97
PID 1068 wrote to memory of 2084	1068	crss.exe.scr	97
PID 2084 wrote to memory of 3652	2084	crss.exe.com	98
PID 2084 wrote to memory of 3652	2084	crss.exe.com	98
PID 2084 wrote to memory of 3652	2084	crss.exe.com	98
PID 3652 wrote to memory of 3756	3652	crss.exe.scr	99
PID 3652 wrote to memory of 3756	3652	crss.exe.scr	99
PID 3652 wrote to memory of 3756	3652	crss.exe.scr	99
PID 3756 wrote to memory of 4876	3756	crss.exe.com	100
PID 3756 wrote to memory of 4876	3756	crss.exe.com	100
PID 3756 wrote to memory of 4876	3756	crss.exe.com	100
PID 4876 wrote to memory of 468	4876	crss.exe.scr	101
PID 4876 wrote to memory of 468	4876	crss.exe.scr	101
PID 4876 wrote to memory of 468	4876	crss.exe.scr	101
PID 468 wrote to memory of 3228	468	crss.exe.exe	102
PID 468 wrote to memory of 3228	468	crss.exe.exe	102
PID 468 wrote to memory of 3228	468	crss.exe.exe	102
PID 3228 wrote to memory of 1532	3228	crss.exe.com	103
PID 3228 wrote to memory of 1532	3228	crss.exe.com	103
PID 3228 wrote to memory of 1532	3228	crss.exe.com	103
PID 1532 wrote to memory of 784	1532	crss.exe.scr	107
PID 1532 wrote to memory of 784	1532	crss.exe.scr	107
PID 1532 wrote to memory of 784	1532	crss.exe.scr	107
PID 784 wrote to memory of 3024	784	crss.exe.scr	108
PID 784 wrote to memory of 3024	784	crss.exe.scr	108
PID 784 wrote to memory of 3024	784	crss.exe.scr	108
PID 3024 wrote to memory of 5104	3024	crss.exe.scr	110
PID 3024 wrote to memory of 5104	3024	crss.exe.scr	110
PID 3024 wrote to memory of 5104	3024	crss.exe.scr	110
PID 5104 wrote to memory of 4988	5104	crss.exe.scr	111
PID 5104 wrote to memory of 4988	5104	crss.exe.scr	111
PID 5104 wrote to memory of 4988	5104	crss.exe.scr	111
PID 4988 wrote to memory of 3992	4988	crss.exe.scr	112
PID 4988 wrote to memory of 3992	4988	crss.exe.scr	112
PID 4988 wrote to memory of 3992	4988	crss.exe.scr	112
PID 3992 wrote to memory of 4288	3992	crss.exe.exe	113
PID 3992 wrote to memory of 4288	3992	crss.exe.exe	113
PID 3992 wrote to memory of 4288	3992	crss.exe.exe	113
PID 4288 wrote to memory of 1328	4288	crss.exe.com	114
PID 4288 wrote to memory of 1328	4288	crss.exe.com	114
PID 4288 wrote to memory of 1328	4288	crss.exe.com	114
PID 1328 wrote to memory of 3440	1328	crss.exe.exe	115
PID 1328 wrote to memory of 3440	1328	crss.exe.exe	115
PID 1328 wrote to memory of 3440	1328	crss.exe.exe	115
PID 3440 wrote to memory of 5084	3440	crss.exe.com	116
PID 3440 wrote to memory of 5084	3440	crss.exe.com	116
PID 3440 wrote to memory of 5084	3440	crss.exe.com	116
PID 5084 wrote to memory of 3508	5084	crss.exe.com	117
PID 5084 wrote to memory of 3508	5084	crss.exe.com	117
PID 5084 wrote to memory of 3508	5084	crss.exe.com	117
PID 3508 wrote to memory of 3872	3508	crss.exe.com	118
PID 3508 wrote to memory of 3872	3508	crss.exe.com	118
PID 3508 wrote to memory of 3872	3508	crss.exe.com	118
PID 3872 wrote to memory of 2420	3872	crss.exe.scr	119
PID 3872 wrote to memory of 2420	3872	crss.exe.scr	119
PID 3872 wrote to memory of 2420	3872	crss.exe.scr	119
PID 2420 wrote to memory of 3472	2420	crss.exe.com	120

C:\Users\Admin\AppData\Local\Temp\ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\SysWOW64\crss.exe.scr
  C:\Windows\system32\crss.exe.scr 1404 "C:\Users\Admin\AppData\Local\Temp\ea8e3632cc014498f1ff82398d0a40d1_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\crss.exe.scr
    C:\Windows\system32\crss.exe.scr 1460 "C:\Windows\SysWOW64\crss.exe.scr"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\SysWOW64\crss.exe.com
      C:\Windows\system32\crss.exe.com 1328 "C:\Windows\SysWOW64\crss.exe.scr"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Windows\SysWOW64\crss.exe.scr
        
        C:\Windows\system32\crss.exe.scr 1472 "C:\Windows\SysWOW64\crss.exe.com"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3652
      - C:\Windows\SysWOW64\crss.exe.com
        
        C:\Windows\system32\crss.exe.com 1424 "C:\Windows\SysWOW64\crss.exe.scr"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\crss.exe.scr
        
        C:\Windows\system32\crss.exe.scr 1300 "C:\Windows\SysWOW64\crss.exe.com"
        7⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\crss.exe.exe
        
        C:\Windows\system32\crss.exe.exe 1432 "C:\Windows\SysWOW64\crss.exe.scr"
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\crss.exe.com
        
        C:\Windows\system32\crss.exe.com 1440 "C:\Windows\SysWOW64\crss.exe.exe"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\crss.exe.scr
        
        C:\Windows\system32\crss.exe.scr 1448 "C:\Windows\SysWOW64\crss.exe.com"
        10⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\crss.exe.scr
        
        C:\Windows\system32\crss.exe.scr 1492 "C:\Windows\SysWOW64\crss.exe.scr"
        11⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\crss.exe.scr
        
        C:\Windows\system32\crss.exe.scr 1480 "C:\Windows\SysWOW64\crss.exe.scr"
        12⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\crss.exe.scr
        
        C:\Windows\system32\crss.exe.scr 1500 "C:\Windows\SysWOW64\crss.exe.scr"
        13⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\crss.exe.scr
        
        C:\Windows\system32\crss.exe.scr 1436 "C:\Windows\SysWOW64\crss.exe.scr"
        14⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\crss.exe.exe
        
        C:\Windows\system32\crss.exe.exe 1444 "C:\Windows\SysWOW64\crss.exe.scr"
        15⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\crss.exe.com
        
        C:\Windows\system32\crss.exe.com 1452 "C:\Windows\SysWOW64\crss.exe.exe"
        16⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\crss.exe.exe
        
        C:\Windows\system32\crss.exe.exe 1456 "C:\Windows\SysWOW64\crss.exe.com"
        17⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\crss.exe.com
        
        C:\Windows\system32\crss.exe.com 1464 "C:\Windows\SysWOW64\crss.exe.exe"
        18⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\crss.exe.com
        
        C:\Windows\system32\crss.exe.com 1524 "C:\Windows\SysWOW64\crss.exe.com"
        19⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\crss.exe.com
        
        C:\Windows\system32\crss.exe.com 1396 "C:\Windows\SysWOW64\crss.exe.com"
        20⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\crss.exe.scr
        
        C:\Windows\system32\crss.exe.scr 1476 "C:\Windows\SysWOW64\crss.exe.com"
        21⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\crss.exe.com
        
        C:\Windows\system32\crss.exe.com 1484 "C:\Windows\SysWOW64\crss.exe.scr"
        22⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\crss.exe.exe
        
        C:\Windows\system32\crss.exe.exe 1496 "C:\Windows\SysWOW64\crss.exe.com"
        23⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
46d0039f8e923456340430a9ddf334b7

SHA1
b14507973edabddee2a1d63a8fd6c03aa22c8efc

SHA256
de678f29a9433b716c029f31e88a08dd8e7061ad85fbc693fe026891c4a456d7

SHA512
650c7ae633edb9da2e89dbeab1eb830629b4027e808d4836cc4e5f2992390c18384a9f43c48d38ee3ba963c022141212842f52d4e48f3aa1a01d2611eb398e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
6bf2a0e94066af785232256b51feb409

SHA1
f76c00d13c56f3c58f5aeff846a7531cda075bd3

SHA256
c65c2fb3be988473d07ac28ed1237d77ec0ff987ac20933f2cdb925af071372b

SHA512
de54a794c2b59fca310a4917dbe616e67820f1e7cfaae504a8d4960a09c41ecc493fcf2c2971886565b512fa66330be80ac8561d22d98f5877f72a34ce5811c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
c60f6cf452c1d40997e35ec9e0fd27af

SHA1
ffe7f6340e74983bbf062e190e2826ce7d83695c

SHA256
5dd1bb2f949fccd24ea4d421d26780531b58a591dbc68b854092c25833303099

SHA512
64fee189a3a589e9c0fe105fec60a2af625d1a3b722c729ef8dd5827310fe95170f54c0ed30adb0a8076ba65feae5c2e8627b132fa4a7691483fc6232992c1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
39dedb55b749d5630042097a5d6e8a6c

SHA1
6ef56828f2745c78648b16317db18cb2e9c117ab

SHA256
590eede40321fa4cf8ae46d662cd3990ede21ea963c012d1a0aeee065960043f

SHA512
0948b5b2a3eb523fe90276026e7a34200c47ef48aa57033efc46c79e3634cc9481af7ee1d817ec05b1d1db1e03630c111f29f1391c379890a1644f072dfef8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
66042654fb78ffeff86bb2a5f86e25f0

SHA1
d098a34ccaade50872392c81ec623984ede957d5

SHA256
11d1c2ab56a53fcfa95a46441099b1fab793b4000df05c260c542bfb66d7a060

SHA512
044192b3ec46d7015e6f4548324e3cdece6b194104392a85a7583a8774c96bc38fde0b08849aa0bc27e17951a561051d879285ef796a6046f4fa69cb787ad993

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
f0f283614f8a35fe7a086d8a117b93d6

SHA1
28cbdfbd7770ea5a2d58847311da3278149f7765

SHA256
b18993a8fbe3901ee705998f6411f16d4754b647c97adefdea117d29b513433f

SHA512
8e69c1eda8d9e8bc04239fb9136b4662873e9d2eed836a0367699958a80fdd977e5fa7fc6ab75d1a81e0d03462d5ff638d4eb9b87d729c97e3135307b550128c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
8e201d66c07a2f978bd0b585524a53fc

SHA1
5f7313ea7a176c083da189b74a7e97037651dc87

SHA256
e9a0ab6d1a331ecec8eb5614fa7e1ee782ecfe2ac44f2208a4b4d1a4d32ef181

SHA512
425bd0d4c0e895c84a6acd5ef0e96b6f89c3cc8095e577dc9555706b851a23ee5d3b756225010ec144de589e18e22e9e9e9ecf0720d3e907a44fc9a5b6cb8fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
ab6b19aed3e7d0a0c26cbf18455099b6

SHA1
18389b4364b51c4a12cacdda58b8ed0cc81cd924

SHA256
29c974b59c0d3f957f2708308b778d101376c0bd3d60652603a0aa3e395e19b5

SHA512
a36a8e71fc9b8c7f1348d9aa7dad3b2b1a09257ea450280b3d0909819f2ffc89241b256cd8bafaf184bfe69d941724c741a7656dc1604784213d12d0f4858f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
d217aa427fe45129656bb5835402311a

SHA1
3c041ed6de5d35b2641530e34ed657a64aae3c85

SHA256
4d3bf39edb35149b25234f1e905806b7c19b66de2a7da84072ea198b74950fee

SHA512
7e29549d211c844f05fe2b759ade03f85454dad951a54abbe94927fc6803945657ed4eb0548c458db36cce8b92f4536b1e2e85c2f545bdc4124d1412caaaf425

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
5dd0aeecfb87ebc301db073ef6c9e9f3

SHA1
ff3cc11208223d266cf8364aa7ed66e34dc51b86

SHA256
f005a81619421324a25826ef92481a9a7d81c17e00275003df03556623278b12

SHA512
aabdc9021dde6028b739c6a823e13de778a8d7b24816a594a13fd7e50a58fd4f6e1b46176c8973755e9240fc0982abf25f563a48a415c1c3f9fcbe42c8fd8946

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
f3df1e9a89ac7ebd5b2ffaf8c368e738

SHA1
39508989024b8007362dcef39a0de76991e4d221

SHA256
8566fd438a18b3d4a9b466e31c253f7efa71e65f82558e10f4969b0463471436

SHA512
aa7a5cb29b28b41a93dc00c5177a1a4fab24167a22bbaa84f3ad955d92efbb3b309a504d42cb45d75fba1fb589aaa5d1f679ae47ccba6f5654ab198e4d0bf5b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
bf1c06a5f5f77a74acf5cbde37a944cd

SHA1
a6357c2760545e59a806da068e37ab44395d1339

SHA256
82729f77b3fb363c9b35f5f3380259897fc9170f29cc550efbbd0204fdd0ea03

SHA512
3fe321f0962a9a3d68a509c0ba1f11ac27f6d54721771b0607937317910b4f064cd69a249d603945ad1b014c2820a36683f6e0c405a40a1388fadcfd1be77841

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
96a8262af54b7a0a39563a88fab0f6bf

SHA1
af40e907b4191a79a07a3f342f3f5ba0bc064421

SHA256
1ed45816a454499f8f04f426a7cb854e712587fc123bfd0487af34e639d24ff2

SHA512
443627239e400a31fcb76ddac8bbcdf5baad56e944bf432c5cf46798e9d041b85cf2dc9355b17a25c2715726b476e6a969c1c45e1a1a3b5281765d734023952e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
2e9cda68b3eccff179455a96ac3bbe54

SHA1
3d6e9752b6afadab6697f4f1c4aa674bae83ef4d

SHA256
16f7ca12b1504b4e83fe653184f3adf4d817a9ca6390ee3ffcf8b193025cd602

SHA512
63b0d2b946ce0fd2b888c903a8210a85fddf4cbdff4b7235afa47ec0aa0c6ba9d10668bed785f48309d8553e57947c34bb0d7cc2b772c9989bd7e5195aede15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
0f55097e726da6fa50d4d452294a702f

SHA1
c03697c9e32ebf70d030285a97fde5a6fe684dd1

SHA256
52b9138aa53f78788b0a333fd0e7388970576b21954d8e6ea0c0ba5c5fe4c811

SHA512
4b4e2fc516cc43a5c5eea07c74e3347b6221af184f5db64cd85a71de5bd5ea199dc2c53a4c939f137b19bc285f5c4e04ceac875824614adea7e9bc60319eb17e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
4fd8918d50bcd2fa63eee2ded23d8c9e

SHA1
5804cdb17476e6699e8e79aeca9bafb4904a1f4a

SHA256
e0962dfd6ce57ba8d64a3eeb1c185a1a4ead95e04cbe8878d400ed6a8e10f3e3

SHA512
6654d95faca4239c4d99a7a16f830f995c3e75e25d42bf84953de80d3b7f5e799c60963c72c2fbc5bd60d24dd800de1ac91740635635f32394d04f48f9d488cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
476a80473ef1a84dc2b74d863e109a28

SHA1
2ee2f073a88f327e33286b4493b387ff3f60b3ae

SHA256
12c7026dd5a4b92f4096558c018ab42d49ec82b9e4440974c232eac96244bb0c

SHA512
c5b622babb51410bd2bc2419c5145a8adc643d6b061ed5af92874405a336ead032c4f191697a124a3a82f7f259b859f1d6f2bf22a81857f44036fed492cc0873

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
9c7ddbb11999a0a7979cf45170a07836

SHA1
a5a3de8e02bba0e50fc8080b627641264e42360e

SHA256
a5097910b26481af064761e271c884b111bec035bb87e3c0026e09e17a218c5f

SHA512
33292ef3ec1c2be3ff28bd9da557c07156deffef1bbdd7e8343c22ad7979f68622ae408d03548bf785448d28bfb207a15a8738a73d743d4b63fd68ac82570e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
7d30e8df2e38c20b546b3d93a6ec149c

SHA1
dcbb5777913eed04d34b7e2ec0439424720e6889

SHA256
a3f1a3c464926cf7d834e0298e9face5c396ada8fd5190b15a38ef0f3eb3d54a

SHA512
4334cc3d0f3a212210ac864fb55694dc57a0c01fc7afe43367d76f3fb26591d8136fcf3b22251195eb8fef433c6f3bd3144b6ca09be9f571e4d3c060a3bd30de

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
2d0ed2ae48bf0437f5a95a57498023c7

SHA1
e2417b2accfdf6933303a30743090c1ac9e105e1

SHA256
d3e5e6cb87511638fa0c96344e1fd62a17d2515ad06c71b2c68f1beedab88c07

SHA512
da8d5fe85770ad46e363fe36b67c769b713a1f665a661ca8dc6aa90ed114604e61733a3f0e10b67b186e6dd49aa63dcd0ece026043ee5ad9ce88b8de0f86b7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C2B02EC.TMP

Filesize
37B

MD5
89fef1a631e1e56f82960033d6d7779c

SHA1
338c2a9f28dbda2902bfd880dff82995d9fdcdbe

SHA256
e4c1831a51bcf7b811f349b604469b6644455d6708d019d31962ce19b0484ad3

SHA512
6dcfed119d44ca075ea90984b0522de058869b94983dfc4fe454d7c57cd36da4ea9ac31264b96396aff4a814ad65afcb2d017ec65b324a132efe5199f3fbd376

Download Submit
C:\Windows\SysWOW64\crss.exe.scr

Filesize
444KB

MD5
ea8e3632cc014498f1ff82398d0a40d1

SHA1
a84c99f40e048e61980b2d7a5a987aa8a7894949

SHA256
0e49f713d8428e6fa3cd7d888c26d6ec452cd3537904e8d6cef38b9207fc74fd

SHA512
0245d75b71654ca18b0bea8ebe2d1d725d6bef90755bd818675938525dd73f96006e87bcbd0dead45f4dc81f3dd725952490f85f64a6586dc9de0d62debe9115

Download Submit
memory/468-202-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/784-261-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1068-45-0x0000000000640000-0x0000000000685000-memory.dmp

Filesize
276KB

Download
memory/1068-77-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1068-50-0x0000000000640000-0x0000000000685000-memory.dmp

Filesize
276KB

Download
memory/1068-76-0x0000000000640000-0x0000000000685000-memory.dmp

Filesize
276KB

Download
memory/1068-56-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1068-58-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1068-60-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1068-59-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1068-57-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1068-61-0x0000000000640000-0x0000000000685000-memory.dmp

Filesize
276KB

Download
memory/1068-62-0x0000000000640000-0x0000000000685000-memory.dmp

Filesize
276KB

Download
memory/1328-415-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1376-35-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1376-52-0x0000000000570000-0x00000000005B5000-memory.dmp

Filesize
276KB

Download
memory/1376-38-0x0000000000570000-0x00000000005B5000-memory.dmp

Filesize
276KB

Download
memory/1376-36-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1376-33-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1376-40-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1376-37-0x0000000000570000-0x00000000005B5000-memory.dmp

Filesize
276KB

Download
memory/1376-34-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1376-32-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/1376-26-0x0000000000570000-0x00000000005B5000-memory.dmp

Filesize
276KB

Download
memory/1376-21-0x0000000000570000-0x00000000005B5000-memory.dmp

Filesize
276KB

Download
memory/1376-42-0x0000000000570000-0x00000000005B5000-memory.dmp

Filesize
276KB

Download
memory/1532-239-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2084-85-0x0000000000660000-0x00000000006A5000-memory.dmp

Filesize
276KB

Download
memory/2084-84-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2084-70-0x0000000000660000-0x00000000006A5000-memory.dmp

Filesize
276KB

Download
memory/2084-102-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2084-86-0x0000000000660000-0x00000000006A5000-memory.dmp

Filesize
276KB

Download
memory/2084-81-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2084-80-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2084-83-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2084-82-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/2420-534-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/3024-283-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/3228-227-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/3440-427-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/3472-546-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/3508-484-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/3652-127-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/3756-152-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/3872-509-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/3992-365-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/4288-390-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/4648-0-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/4648-8-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/4648-9-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/4648-11-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/4648-12-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/4648-29-0x00000000006B0000-0x00000000006F5000-memory.dmp

Filesize
276KB

Download
memory/4648-13-0x00000000006B0000-0x00000000006F5000-memory.dmp

Filesize
276KB

Download
memory/4648-2-0x00000000006B0000-0x00000000006F5000-memory.dmp

Filesize
276KB

Download
memory/4648-10-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/4648-7-0x00000000006B0000-0x00000000006F5000-memory.dmp

Filesize
276KB

Download
memory/4648-28-0x00000000006B0000-0x00000000006F5000-memory.dmp

Filesize
276KB

Download
memory/4648-30-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/4876-177-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/4988-340-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/5084-449-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/5104-305-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download