3d966ba83a832ae1c76ff14716925e6895777001064d42404fb86494571309ce

Analysis

max time kernel
146s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 05:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe
Size

3.6MB
MD5

90c1ca96660786fb2a12b5b07d4c8fd9
SHA1

e692ce97978666380886bb089358238100be84bb
SHA256

3d966ba83a832ae1c76ff14716925e6895777001064d42404fb86494571309ce
SHA512

84d3fdc8b8d3385bf3b271c44d3d97c262f5157ea9cdafd6803b5060040d32b3d0c8ab2868ca83161035813e55061cc13c598fc18ae831088a7ace23abaf86c8
SSDEEP

98304:lAfX4VspnQIzlUicRp7bWNrgTFZKVVjvvvisLf2IQzRRs:lAIRollcfbWNrkZKHt5Q9a

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\SET1BFF.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET1BFF.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\teamviewervpn.sys	DrvInst.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\usbhubsvc3\Parameters\ServiceDLL = "C:\\Users\\Admin\\AppData\\Roaming\\AbodeUpdate\\MSIMG32.dll"	SkypeC0SvcService.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	SkypeC0SvcService.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update Manager.lnk	SkypeC0SvcService.exe

Executes dropped EXE 4 IoCs

pid	Process
2344	90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp
5072	SkypeC0SvcService.exe
2900	svpn.exe
5048	svpn.exe

Loads dropped DLL 9 IoCs

pid	Process
2344	90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp
5072	SkypeC0SvcService.exe
5072	SkypeC0SvcService.exe
5072	SkypeC0SvcService.exe
5072	SkypeC0SvcService.exe
5072	SkypeC0SvcService.exe
5072	SkypeC0SvcService.exe
5072	SkypeC0SvcService.exe
5072	SkypeC0SvcService.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SkypeC0SvcService.exe = "\"C:\\Windows\\SysWOW64\\regsvr32.exe\" /s \"C:\\Users\\Admin\\AppData\\Roaming\\AbodeUpdate\\MSIMG32.dll\" C:\\Users\\Admin\\AppData\\Roaming\\AbodeUpdate\\SkypeC0SvcService.exe"	SkypeC0SvcService.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\SET1623.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_5e1dcb6f86e23dcd\teamviewervpn.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_5e1dcb6f86e23dcd\teamviewervpn.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\SET1635.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\SET1635.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\SET1624.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\teamviewervpn.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\teamviewervpn.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\SET1623.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\teamviewervpn.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_5e1dcb6f86e23dcd\teamviewervpn.PNF	svpn.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\SET1624.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_5e1dcb6f86e23dcd\teamviewervpn.inf	DrvInst.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svpn.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svpn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svpn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svpn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svpn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svpn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svpn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	svpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svpn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	svpn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svpn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svpn.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	SkypeC0SvcService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	SkypeC0SvcService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	SkypeC0SvcService.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2344	90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp
2344	90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp
5072	SkypeC0SvcService.exe
5072	SkypeC0SvcService.exe
5072	SkypeC0SvcService.exe
5072	SkypeC0SvcService.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeAuditPrivilege	3724	svchost.exe
Token: SeSecurityPrivilege	3724	svchost.exe
Token: SeLoadDriverPrivilege	2900	svpn.exe
Token: SeRestorePrivilege	1000	DrvInst.exe
Token: SeBackupPrivilege	1000	DrvInst.exe
Token: SeLoadDriverPrivilege	1000	DrvInst.exe
Token: SeLoadDriverPrivilege	1000	DrvInst.exe
Token: SeLoadDriverPrivilege	1000	DrvInst.exe
Token: SeLoadDriverPrivilege	5048	svpn.exe
Token: SeLoadDriverPrivilege	5048	svpn.exe
Token: SeDebugPrivilege	5072	SkypeC0SvcService.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2344	90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2344	1844	90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe	91
PID 1844 wrote to memory of 2344	1844	90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe	91
PID 1844 wrote to memory of 2344	1844	90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe	91
PID 2344 wrote to memory of 5072	2344	90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp	92
PID 2344 wrote to memory of 5072	2344	90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp	92
PID 2344 wrote to memory of 5072	2344	90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp	92
PID 5072 wrote to memory of 2900	5072	SkypeC0SvcService.exe	94
PID 5072 wrote to memory of 2900	5072	SkypeC0SvcService.exe	94
PID 3724 wrote to memory of 3184	3724	svchost.exe	97
PID 3724 wrote to memory of 3184	3724	svchost.exe	97
PID 3724 wrote to memory of 1000	3724	svchost.exe	98
PID 3724 wrote to memory of 1000	3724	svchost.exe	98
PID 5072 wrote to memory of 5048	5072	SkypeC0SvcService.exe	100
PID 5072 wrote to memory of 5048	5072	SkypeC0SvcService.exe	100

C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp" /SL5="$90030,3400720,135680,C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe" /verysilent /password=none
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe
    "C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe"
    3⤵
    - Sets DLL path for service in the registry
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe
      C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe install C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewerVPN.inf teamviewervpn
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:2900
  - - C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe
      C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe restart teamviewervpn
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:5048

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k MsHubSvc -svcr C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe
1⤵
PID:400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{47e8e878-4cc8-304f-be08-8b37cf2bb6e9}\teamviewervpn.inf" "9" "4b0706d3f" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "c:\users\admin\appdata\roaming\abodeupdate"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3184
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:teamviewervpn.ndi:2.10.0.0:teamviewervpn," "4b0706d3f" "0000000000000160"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:1000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4008 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-0RPST.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp

Filesize
1.1MB

MD5
86c17be77f3ea314eb1c43fb46ec2ee9

SHA1
57e664459585cb739e1ee278ff62ac25bd0fe0c0

SHA256
67668d64d65f1f39d37f9f02643ef07e0f1da8599a48796967a9ebbbcee9efa2

SHA512
320c17430584ee127c50ba3d8618dde649f97abea550f3f213a6637d48ffd21ce83103ed34c9ac2e5eb769b839293ddcb6e465d16a8ff876bae3a8bd58b2d787

Download Submit
C:\Users\Admin\AppData\Roaming\AbodeUpdate\MSIMG32.dll

Filesize
135KB

MD5
7be8e8b6eb0a7b3e4d02bd1e1c0694d3

SHA1
e8eab9de90873e267d63636fd269561ea7fb6d77

SHA256
e89d182578568985c7524f1a0c221a1b46b515ac3036de356f5066d9f7a41b90

SHA512
ed08a7ba3cbd974898577ed9ca9a6eab90dfdd124d0b2321a5e02ed40c3e47c2bd57f2c132ed7cb5b55e8f5b7036e7fa733dbb4049226a8dc4ec5d1154bb9cd4

Download Submit
C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe

Filesize
7.7MB

MD5
f5fe906f801d99fafa8a9e0584a37008

SHA1
a80175b91e3f9606e63dd0d9a9271e23bbe10321

SHA256
10b12825603dc3f1946bfd4e7cbebda5885fe4fccaeb0df8b6e862ad3dad720b

SHA512
ae149680b212cf0b7f11d841cede275d8e510d3af86c96d75ff75802a8543773a5b7fc9d4c84d4d5fa486d2ddf27129cc42e70d0ea34ca2624f14152ba7497de

Download Submit
C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer.ini

Filesize
152B

MD5
8fc2e199aa5721f837d2ce2766a5860d

SHA1
3a09dfa5e28a2044cd99388bf1265927c1444a94

SHA256
044f6e06ced9cdaff36795408e5e3046b290367bc88f0708b2b5bd1b91bfbad5

SHA512
a8ca2f66f7b8cfb7ff67cfcec35848c7c2f29bc8b26d1239622a61a779b67d7af829699207f18dab8c9294dd9226943dac47ef8aeedfd90dfb733c13f1f218b5

Download Submit
C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewerVPN.inf

Filesize
5KB

MD5
447fc733747db11cd4492ae01c5652fe

SHA1
2a70dcd391464cb8d3736322e07e966e105d396e

SHA256
a817b0e8a669d5acaf2ddfbc95acf2a1213b092b44dc896a0ee4a5301d06ebc3

SHA512
238099db072af55445d421e941944abe8a6f52a124a26cae84c1dd52fffafc4dac5586d0c7407b461cd0db8e771e1dbb6ca34aee84581b24347f401410b2afe5

Download Submit
C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer_Desktop.exe

Filesize
2.2MB

MD5
36738935b6eadbdf570002ee44990360

SHA1
2621f86a0307a6be7032266db868c7af981bc016

SHA256
46aa5507bf0866d924a7974e7dc9255db21efb8ba5dc15e3c1a19c5b408ad29c

SHA512
5737edd344008832b1925972913cb2ba49d1e177a331a5419c5f6cb966f7da735fff1722acf59d5514cf63c2834a5f49d9784b70996fb0186cbbab6de3835f14

Download Submit
C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer_Resource_en.dll

Filesize
285KB

MD5
5850b0e30cb6493170ea8d073f34766c

SHA1
d80b0181edca5be738f8c1c4355c4785d0360d06

SHA256
97f8b0f6307156c0c74f3309195c376e5d816b3dbd65048c241a8b7e9233eeda

SHA512
a1a8ee334ef763a78214fbc6a915e9adbf0cdbafb6694fac6e70cb68f2aacfcad945c7b4629bf3b729e8b9b3fcd7956c04a63c89fb6bda7111f41f9c8cb96144

Download Submit
C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer_StaticRes.dll

Filesize
2.5MB

MD5
4202e46ac536822fd7043c38e66d0ec8

SHA1
c8908477b539931168e9437d4e17e7c33fb10141

SHA256
542075ba11aaa6c1961985818dc4bb9e1a13afffeaef3514389444db18938fb4

SHA512
20210b8dd54b7ca527e69699ae02d6b1c1733e8e3c8ae797994d24b2134e91d4dbc8345b9a4757ded6a34f460d9ec88b1c133202718e342c9045c77de2bd784d

Download Submit
C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe

Filesize
79KB

MD5
112b0c8b6b0c0a6c24f90081cc8a77d0

SHA1
1776a73316baeeb818884196a54f49d1385c06c8

SHA256
f627380e9de14af3eb5331bb9a4d559b2c970abacff038ea464044ca1ef62163

SHA512
1552b267931004d8936058f5cac49dc618eae2224ea3b082f1d899cd1b2c1cb7eaa98ac7653740fd07b2df40abbdd2d6318a9bed8794bb7a8872e379a50ef585

Download Submit
C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_w32.dll

Filesize
66KB

MD5
55b4875e6dd84b1a547a91a789515dfb

SHA1
ad598670ced636134f85c744f6283a16e3766d1f

SHA256
a0791b2f732fdd0c26483d9ef2d77e720d9ba267f887eccadff227bcf247a0a9

SHA512
d9dc737c25a56503bba8f3a2fa030c3dc1fe62f4313cb307203cdcac164fd6bb2fa2ab87be6806d4cf3d1ed1ec880a1c7f3d866e61c3a6005ca400ff9f99459a

Download Submit
C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_w32.exe

Filesize
104KB

MD5
c16719e5c670b7c18aab69dea8ea8c66

SHA1
95c9c3b44dcca278b42cb20b1e27d88ae4006f39

SHA256
c23d33f637c3c90ce0e3fc366fce034c5592dd80b660f469619e38b255532689

SHA512
9bae42f6e6ace1e1f0d923894399817a017a1e52e2b01bb780d2a7be20f82ac341b1c9f6de680f16a0b8d5532c0f77f495dde2ad0c95ff85118021785dcd3b3b

Download Submit
C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_x64.dll

Filesize
80KB

MD5
6f68147027ba59a8af86ffe1b8fc6899

SHA1
99bb32e1d752a2b93bcd9db36b8a4f3c01ba6458

SHA256
07413a73f7566173b462d7a4de2ca74d211f0872682160afafa618e656cfe9e6

SHA512
5011e05ebcf6e86a988ba79e3f0aec2f240b14c5a602260edc53fa1c4b11c23495171213fe30ab8bf53f9e0c15e6dffa6a463105d1d558a3def50fdc28e571d2

Download Submit
C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_x64.exe

Filesize
126KB

MD5
8e50a67752bd070fec717216b9376a7f

SHA1
19c776fd0fe89d6cb3f372d89cac4adf65dabe24

SHA256
f7b239c4101db7c974eef31ba2dd42fba0e898cfa762b1e969f76a7a37aa3d8b

SHA512
be16f2fc675d1231275fd618ea101bfafa71c31b2cea92c5fb1197384bd0ea764e4567350bc1309d9d83439a977ed7600c57c4f5be81bf7170b2d5e59fe1ef46

Download Submit
C:\Users\Admin\AppData\Roaming\AbodeUpdate\tvr.cfg

Filesize
351B

MD5
c355c34a3f8e355aa20eaaaa9bbdffe5

SHA1
3b13ae21d7cdbe427a9367761b590bfb3a1e04c0

SHA256
5fca1c7124684f5c3a8a2ce9caab53da751c76d0db8b538cc0b812d7f8dda110

SHA512
b665b65c1023b5f9f255388963245f0efa913d5b89024fa2eb03d164eb63d5334addf1a67b9db1a6ad8ef685c3d614d87225db1ec59b9c99459bc5f0b81d29ad

Download Submit
C:\Users\Admin\AppData\Roaming\AbodeUpdate\vpn64.cab

Filesize
54KB

MD5
d4fe3ae6d05b2d4cb52484e2718ab390

SHA1
8da95d697c578c8d12e02c53fb185cb5825c4f63

SHA256
0fc7396c9eb14f764b18400f95c66fd168ec0626d455b48167119227b3b98c1e

SHA512
03a253bbc1663b7c03632c4a265195e2d668da5a0b3c6144ed2006fdffe50e131bb2a589aa41304e20979fa9a27e2acdbe8860916219d8ee265ebc185ef60fdd

Download Submit
C:\Users\Admin\AppData\Roaming\AbodeUpdate\vpn86.cab

Filesize
42KB

MD5
c7549d78f082a6cf81ba2c27f6c6a38f

SHA1
ea39fbc80cc62c11ace1ef495c856f3bc6c775a7

SHA256
240b9ee414817f500c18bffaba787c6f7b5e67a0e46d82cbbce02cb956073be3

SHA512
ffa75d64446b227642af964c6d5a8e1a14493b56d598b52cbd842cf22a9396eddde716effc431d25b21a26741bdaf9e2b509821099a5eb3e01bfc2343816fc2f

Download Submit
\??\c:\users\admin\appdata\roaming\ABODEU~1\TEAMVI~1.SYS

Filesize
34KB

MD5
f5520dbb47c60ee83024b38720abda24

SHA1
bc355c14a2b22712b91ff43cd4e046489a91cae5

SHA256
b8e555d92440bf93e3b55a66e27cef936477ef7528f870d3b78bd3b294a05cc0

SHA512
3c5bb212467d932f5eaa17a2346ef8f401a49760c9c6c89c6318a1313fcbabb1d43b1054692c01738ea6a3648cc57e06845b81becb3069f478d5b1a7cbcb0e66

Download Submit
\??\c:\users\admin\appdata\roaming\abodeupdate\teamviewervpn.cat

Filesize
10KB

MD5
5cffe65f36b60bc151486c90382f1627

SHA1
f2a66eae89b4b19d4cab2ac630536af5eeeef121

SHA256
aa7c09a817eb54e3cc5c342454608364a679e231824f83ba5a2d0278edcc1851

SHA512
1bd48ef66f8714e7e9591043d03bd69a30881ed3d0f2463b15750a3282df667ffb076b3a92358eecedae0e54485b07d702667e8fe0af64c52be04db47145920b

Download Submit
memory/1844-49-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1844-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1844-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2344-42-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2344-6-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/5072-44-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/5072-65-0x0000000075860000-0x0000000075950000-memory.dmp

Filesize
960KB

Download
memory/5072-64-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/5072-51-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/5072-50-0x0000000075880000-0x0000000075881000-memory.dmp

Filesize
4KB

Download
memory/5072-164-0x0000000004850000-0x0000000004877000-memory.dmp

Filesize
156KB

Download
memory/5072-168-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/5072-170-0x0000000075860000-0x0000000075950000-memory.dmp

Filesize
960KB

Download