79ad5dd9eaae0fde5b1a36b4c9b38ee7cfae82f51e196a1f6b1ff8b35b9cf463

Analysis

max time kernel
125s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Size

2.5MB
MD5

f5bcbb4c735c1e8bc4f68e534d8899da
SHA1

bbde97f7540370acd8925d5de239a3a4a42ea546
SHA256

79ad5dd9eaae0fde5b1a36b4c9b38ee7cfae82f51e196a1f6b1ff8b35b9cf463
SHA512

e19a75c2bcfe4f2e54323376195681e72568f013fce4e13b8861da54a918a9bd135869b7438d3ae3157f89ab5dce722caf3cb795772c398361e97d5e802b0be2
SSDEEP

1536:0KbLAsXjITFpfoOxRysNyyCOyXr5xWNTP/yIry9Ufu7Ps1+beJUrAc/DYhdUoYGe:v

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disable or Modify Tools
T1562.001

Modify Registry
T1112

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe = "0"	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe = "0"	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\x81d6417meYb4x3leNU451U4228ei732K\svchost.exe = "0"	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe

Nirsoft 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023510-12.dat	Nirsoft

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	AdvancedRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	AdvancedRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe

Executes dropped EXE 8 IoCs

pid	Process
2016	AdvancedRun.exe
1584	AdvancedRun.exe
4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
5344	AdvancedRun.exe
5544	AdvancedRun.exe
5512	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
6020	XmDwps.exe
5764	XmDwps.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\x81d6417meYb4x3leNU451U4228ei732K\svchost.exe = "0"	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe = "0"	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe = "0"	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8 = "C:\\Windows\\Microsoft.NET\\Framework\\x81d6417meYb4x3leNU451U4228ei732K\\svchost.exe"	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8 = "C:\\Windows\\Microsoft.NET\\Framework\\x81d6417meYb4x3leNU451U4228ei732K\\svchost.exe"	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 23 IoCs

pid	Process
4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4436 set thread context of 6076	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	135
PID 4356 set thread context of 5512	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	139

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\x81d6417meYb4x3leNU451U4228ei732K\svchost.exe	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5152	4436	WerFault.exe	89
5768	4356	WerFault.exe	109

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2536	timeout.exe
5784	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2016	AdvancedRun.exe
2016	AdvancedRun.exe
2016	AdvancedRun.exe
2016	AdvancedRun.exe
1584	AdvancedRun.exe
1584	AdvancedRun.exe
1584	AdvancedRun.exe
1584	AdvancedRun.exe
3812	powershell.exe
3812	powershell.exe
2320	powershell.exe
2320	powershell.exe
3460	powershell.exe
3460	powershell.exe
3224	powershell.exe
3224	powershell.exe
4140	powershell.exe
4140	powershell.exe
1388	powershell.exe
1388	powershell.exe
2168	powershell.exe
2168	powershell.exe
3656	powershell.exe
3656	powershell.exe
5344	AdvancedRun.exe
5344	AdvancedRun.exe
5344	AdvancedRun.exe
5344	AdvancedRun.exe
3812	powershell.exe
3460	powershell.exe
3224	powershell.exe
2320	powershell.exe
4140	powershell.exe
2168	powershell.exe
1388	powershell.exe
5544	AdvancedRun.exe
5544	AdvancedRun.exe
5544	AdvancedRun.exe
5544	AdvancedRun.exe
3656	powershell.exe
5816	powershell.exe
5816	powershell.exe
5872	powershell.exe
5872	powershell.exe
5908	powershell.exe
5908	powershell.exe
5940	powershell.exe
5940	powershell.exe
5996	powershell.exe
5996	powershell.exe
5816	powershell.exe
5872	powershell.exe
5908	powershell.exe
5940	powershell.exe
5996	powershell.exe
4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	AdvancedRun.exe
Token: SeImpersonatePrivilege	2016	AdvancedRun.exe
Token: SeDebugPrivilege	1584	AdvancedRun.exe
Token: SeImpersonatePrivilege	1584	AdvancedRun.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	5344	AdvancedRun.exe
Token: SeImpersonatePrivilege	5344	AdvancedRun.exe
Token: SeDebugPrivilege	5544	AdvancedRun.exe
Token: SeImpersonatePrivilege	5544	AdvancedRun.exe
Token: SeDebugPrivilege	5816	powershell.exe
Token: SeDebugPrivilege	5872	powershell.exe
Token: SeDebugPrivilege	5908	powershell.exe
Token: SeDebugPrivilege	5940	powershell.exe
Token: SeDebugPrivilege	5996	powershell.exe
Token: SeDebugPrivilege	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Token: SeDebugPrivilege	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
Token: SeDebugPrivilege	6020	XmDwps.exe
Token: SeDebugPrivilege	5764	XmDwps.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 2016	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	94
PID 4436 wrote to memory of 2016	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	94
PID 4436 wrote to memory of 2016	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	94
PID 2016 wrote to memory of 1584	2016	AdvancedRun.exe	95
PID 2016 wrote to memory of 1584	2016	AdvancedRun.exe	95
PID 2016 wrote to memory of 1584	2016	AdvancedRun.exe	95
PID 4436 wrote to memory of 3460	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	99
PID 4436 wrote to memory of 3460	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	99
PID 4436 wrote to memory of 3460	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	99
PID 4436 wrote to memory of 2320	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	101
PID 4436 wrote to memory of 2320	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	101
PID 4436 wrote to memory of 2320	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	101
PID 4436 wrote to memory of 3812	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	103
PID 4436 wrote to memory of 3812	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	103
PID 4436 wrote to memory of 3812	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	103
PID 4436 wrote to memory of 4140	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	106
PID 4436 wrote to memory of 4140	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	106
PID 4436 wrote to memory of 4140	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	106
PID 4436 wrote to memory of 3224	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	108
PID 4436 wrote to memory of 3224	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	108
PID 4436 wrote to memory of 3224	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	108
PID 4436 wrote to memory of 4356	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	109
PID 4436 wrote to memory of 4356	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	109
PID 4436 wrote to memory of 4356	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	109
PID 4436 wrote to memory of 2168	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	111
PID 4436 wrote to memory of 2168	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	111
PID 4436 wrote to memory of 2168	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	111
PID 4436 wrote to memory of 1388	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	113
PID 4436 wrote to memory of 1388	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	113
PID 4436 wrote to memory of 1388	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	113
PID 4436 wrote to memory of 3656	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	115
PID 4436 wrote to memory of 3656	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	115
PID 4436 wrote to memory of 3656	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	115
PID 4356 wrote to memory of 5344	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	130
PID 4356 wrote to memory of 5344	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	130
PID 4356 wrote to memory of 5344	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	130
PID 5344 wrote to memory of 5544	5344	AdvancedRun.exe	118
PID 5344 wrote to memory of 5544	5344	AdvancedRun.exe	118
PID 5344 wrote to memory of 5544	5344	AdvancedRun.exe	118
PID 4356 wrote to memory of 5816	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	119
PID 4356 wrote to memory of 5816	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	119
PID 4356 wrote to memory of 5816	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	119
PID 4356 wrote to memory of 5872	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	121
PID 4356 wrote to memory of 5872	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	121
PID 4356 wrote to memory of 5872	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	121
PID 4356 wrote to memory of 5908	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	123
PID 4356 wrote to memory of 5908	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	123
PID 4356 wrote to memory of 5908	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	123
PID 4356 wrote to memory of 5940	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	125
PID 4356 wrote to memory of 5940	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	125
PID 4356 wrote to memory of 5940	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	125
PID 4356 wrote to memory of 5996	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	127
PID 4356 wrote to memory of 5996	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	127
PID 4356 wrote to memory of 5996	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	127
PID 4436 wrote to memory of 5348	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	129
PID 4436 wrote to memory of 5348	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	129
PID 4436 wrote to memory of 5348	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	129
PID 5348 wrote to memory of 2536	5348	cmd.exe	131
PID 5348 wrote to memory of 2536	5348	cmd.exe	131
PID 5348 wrote to memory of 2536	5348	cmd.exe	131
PID 4356 wrote to memory of 4444	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	132
PID 4356 wrote to memory of 4444	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	132
PID 4356 wrote to memory of 4444	4356	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe	132
PID 4436 wrote to memory of 3400	4436	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe	134

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe

C:\Users\Admin\AppData\Local\Temp\f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4436
- C:\Users\Admin\AppData\Local\Temp\52d70ab2-a7f3-4f89-935e-62d8322672cf\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\52d70ab2-a7f3-4f89-935e-62d8322672cf\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\52d70ab2-a7f3-4f89-935e-62d8322672cf\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\52d70ab2-a7f3-4f89-935e-62d8322672cf\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\52d70ab2-a7f3-4f89-935e-62d8322672cf\AdvancedRun.exe" /SpecialRun 4101d8 2016
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3460
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3812
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4140
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3224
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4356
- - C:\Users\Admin\AppData\Local\Temp\41c50289-af21-4ff3-9ea6-4bc1adb5ffe3\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\41c50289-af21-4ff3-9ea6-4bc1adb5ffe3\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\41c50289-af21-4ff3-9ea6-4bc1adb5ffe3\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5344
  - - C:\Users\Admin\AppData\Local\Temp\41c50289-af21-4ff3-9ea6-4bc1adb5ffe3\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\41c50289-af21-4ff3-9ea6-4bc1adb5ffe3\AdvancedRun.exe" /SpecialRun 4101d8 5344
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5544
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5872
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\x81d6417meYb4x3leNU451U4228ei732K\svchost.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\x81d6417meYb4x3leNU451U4228ei732K\svchost.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 1
    3⤵
    PID:4444
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 1
      4⤵
      Delays execution with timeout.exe
      PID:5784
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:5512
  - - C:\Users\Admin\AppData\Local\Temp\XmDwps.exe
      "C:\Users\Admin\AppData\Local\Temp\XmDwps.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1736
    3⤵
    - Program crash
    PID:5768
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\x81d6417meYb4x3leNU451U4228ei732K\svchost.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\x81d6417meYb4x3leNU451U4228ei732K\svchost.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5348
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5344
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2536
- C:\Users\Admin\AppData\Local\Temp\f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe"
  2⤵
  PID:3400
- C:\Users\Admin\AppData\Local\Temp\f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f5bcbb4c735c1e8bc4f68e534d8899da_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  PID:6076
- - C:\Users\Admin\AppData\Local\Temp\XmDwps.exe
    "C:\Users\Admin\AppData\Local\Temp\XmDwps.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:6020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1780
  2⤵
  - Program crash
  PID:5152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4436 -ip 4436
1⤵
PID:5316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4356 -ip 4356
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XmDwps.exe.log

Filesize
847B

MD5
66a0a4aa01208ed3d53a5e131a8d030a

SHA1
ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1

SHA256
f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8

SHA512
626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
047c4e22319e1c7575324504d5a99cf0

SHA1
4b97867017771e8f94f8de4c600946fb9b8a0725

SHA256
3a7ac91bd7b9c2f7efff591fbaa42ba4aaa947c5cb35e797d3c47a2327753d87

SHA512
1f85ccb84c9c946843bcf0ed90fab8c258d0835d4afaa9d251d17531fe70013de64391e4c4574a149a59a5ad0f41d02621e1a124a9ced2d9af31c8e00c6e7e76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2ceca281293875b38aec28436452ef5d

SHA1
3563b514b8419f1fe45f1e1813d3f6c6c5056db3

SHA256
dd68f081f22a6c33f069ed4fb420f02057e60a25e09545e0ae2576adc3027351

SHA512
bb02e0717e84aafc27851648d7dd38ed395dee07b700d0f4831c50d1bc27a6ae6c2d904484ce99ca99b23b38784e9547ba87f974c4129de67580eb28302d45b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ea4926f9b9d858957a444d815ec37072

SHA1
ca8f1655d007744308a8d7dab30e0774b1638c2c

SHA256
f60b26a7d06847d18f56571ef795f0ede10633e4e017bee7554196832350487a

SHA512
dd26d26dfd6dd955a0344cc9584bb11d43b90679f36f2008a3bc44d1ccf099f47bbdaf0d52b100bd24c0be182410ac292918233f996220141ca2ecb4ea712cfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2ca19092696c11c5811c3dcb357acd79

SHA1
37484e366faa5d0db90c2e3653935d479d41adb4

SHA256
7f174657de7b15ce8a409d264495a333a300784fe1046f7aef14245840b12a82

SHA512
77bb979af3b513439293fc02abaee3d1b17951ad86bccb21fab88ac02cd29e730f164e1a3d390ba59e4d5d94f58c66e00f843b2f344547e2aef7be93364f378c

Download Submit
C:\Users\Admin\AppData\Local\Temp\52d70ab2-a7f3-4f89-935e-62d8322672cf\AdvancedRun.exe

Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XmDwps.exe

Filesize
5KB

MD5
692a863df959ffca30bd0752e1a90ae0

SHA1
39beb2ec5a3fb3ad914f83eafe91974a46d92ba8

SHA256
ca14e3ee993d2b06bc5ea5600d8f2ff3479e0319d56d04fe77ffcefbbc8dfd58

SHA512
9fa16c1e50b6a22c1affda2facdc0201a8248c03339f1b3de1f04093432c8c304ebd11ba05b0c7cd560eb7a6f755556e54e3288b879c3b012d4196659bb31e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_asv323f0.tgc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cado61c93j1b8i711d186da1Q2GWl814e77XfN5exT0c8.exe

Filesize
2.5MB

MD5
f5bcbb4c735c1e8bc4f68e534d8899da

SHA1
bbde97f7540370acd8925d5de239a3a4a42ea546

SHA256
79ad5dd9eaae0fde5b1a36b4c9b38ee7cfae82f51e196a1f6b1ff8b35b9cf463

SHA512
e19a75c2bcfe4f2e54323376195681e72568f013fce4e13b8861da54a918a9bd135869b7438d3ae3157f89ab5dce722caf3cb795772c398361e97d5e802b0be2

Download Submit
memory/1388-83-0x0000000002220000-0x0000000002230000-memory.dmp

Filesize
64KB

Download
memory/1388-86-0x0000000002220000-0x0000000002230000-memory.dmp

Filesize
64KB

Download
memory/1388-100-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/1388-156-0x0000000002220000-0x0000000002230000-memory.dmp

Filesize
64KB

Download
memory/2168-82-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/2168-87-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/2320-46-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/2320-218-0x0000000004730000-0x0000000004740000-memory.dmp

Filesize
64KB

Download
memory/2320-41-0x0000000004730000-0x0000000004740000-memory.dmp

Filesize
64KB

Download
memory/2320-151-0x0000000004730000-0x0000000004740000-memory.dmp

Filesize
64KB

Download
memory/2320-174-0x0000000004730000-0x0000000004740000-memory.dmp

Filesize
64KB

Download
memory/2320-40-0x0000000004730000-0x0000000004740000-memory.dmp

Filesize
64KB

Download
memory/3224-71-0x0000000002880000-0x0000000002890000-memory.dmp

Filesize
64KB

Download
memory/3224-99-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/3224-67-0x0000000002880000-0x0000000002890000-memory.dmp

Filesize
64KB

Download
memory/3224-154-0x0000000002880000-0x0000000002890000-memory.dmp

Filesize
64KB

Download
memory/3460-81-0x0000000005DA0000-0x00000000060F4000-memory.dmp

Filesize
3.3MB

Download
memory/3460-47-0x00000000053C0000-0x00000000053E2000-memory.dmp

Filesize
136KB

Download
memory/3460-50-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/3460-172-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/3460-171-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/3460-34-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/3460-24-0x0000000005490000-0x0000000005AB8000-memory.dmp

Filesize
6.2MB

Download
memory/3460-25-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/3460-23-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/3460-66-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/3460-153-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/3460-157-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/3460-22-0x0000000002990000-0x00000000029C6000-memory.dmp

Filesize
216KB

Download
memory/3656-126-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/3656-88-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/3812-39-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/3812-149-0x0000000006820000-0x000000000686C000-memory.dmp

Filesize
304KB

Download
memory/3812-38-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/3812-152-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/3812-217-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/3812-148-0x00000000064C0000-0x00000000064DE000-memory.dmp

Filesize
120KB

Download
memory/3812-44-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/3812-173-0x0000000002B50000-0x0000000002B60000-memory.dmp

Filesize
64KB

Download
memory/4140-42-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4140-49-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/4140-175-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/4356-48-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/4436-45-0x00000000084B0000-0x00000000084BA000-memory.dmp

Filesize
40KB

Download
memory/4436-1-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/4436-2-0x0000000004F50000-0x0000000004FEC000-memory.dmp

Filesize
624KB

Download
memory/4436-3-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/4436-4-0x0000000002830000-0x00000000028A2000-memory.dmp

Filesize
456KB

Download
memory/4436-5-0x0000000007A30000-0x0000000007FD4000-memory.dmp

Filesize
5.6MB

Download
memory/4436-6-0x0000000007480000-0x0000000007512000-memory.dmp

Filesize
584KB

Download
memory/4436-28-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/4436-89-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/4436-0-0x00000000002F0000-0x0000000000570000-memory.dmp

Filesize
2.5MB

Download
memory/5764-473-0x000000001B210000-0x000000001B312000-memory.dmp

Filesize
1.0MB

Download
memory/5764-483-0x000000001B210000-0x000000001B312000-memory.dmp

Filesize
1.0MB

Download
memory/5816-159-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/5816-158-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/5816-160-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/5872-176-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/5872-170-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/5908-213-0x00000000029A0000-0x00000000029B0000-memory.dmp

Filesize
64KB

Download
memory/5908-219-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/5940-214-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/5940-215-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/5940-220-0x0000000074780000-0x0000000074F30000-memory.dmp

Filesize
7.7MB

Download
memory/5996-216-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/6020-472-0x000000001BBE0000-0x000000001BCE2000-memory.dmp

Filesize
1.0MB

Download
memory/6020-486-0x000000001BBE0000-0x000000001BCE2000-memory.dmp

Filesize
1.0MB

Download
memory/6076-400-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download